If your WordPress site is hacked – what do you do?
First things first, are you (or your web designer) up for the challenge? Security is a specialized field that can require a different perspective and skill set. If you are not comfortable with browsing through code and don’t know your way around .htaccess, other configuration files and phpMyAdmin, consider using a service that will clean up your site for you. Whether you get help or not, it helps to be familiar with the issues and remediation steps. Here’s my take on what you need to do.
wp-config.php file with them. Doing this will invalidate any outstanding login session with your WordPress admin. I was seeing malicious files show up after deleting them. Once I regenerated and uploaded my secret keys, that stopped. This link is an API link that generates new keys for you. And here is the WordPress Codex information on Security Keys.
index.php files were infected (there are several in different directories), as well as registration.php in the wp-includes directory.
.html files in add-on domains that were hosting non-WordPress sites. This infection was also enclosed in script tags and used a function called createCSS(). The code stood out to me because it included a long string of numbers. Other code to look for is base64_decode. Once you have identified the type of infection, you will need to search through all your files for the malicious code.
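One way to run that search across a whole web root, as an added example (not the author's code): it flags the three indicators named above and reports the file and line of each hit. The function names, the file-suffix list and the 40-digit threshold for "a long string of numbers" are assumptions, and the sample site is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the post; the 40-digit threshold is an assumption.
# base64_decode also occurs in legitimate code, so review each hit by hand.
INDICATORS = {
    "base64_decode": re.compile(rb"base64_decode\s*\("),
    "createCSS": re.compile(rb"createCSS\s*\("),
    "long_number_run": re.compile(rb"\d{40,}"),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def scan_file(path):
    """Return (line_number, indicator_name) for every hit in one file."""
    with open(path, "rb") as fh:  # bytes: avoids decode errors on odd encodings
        return [(lineno, name)
                for lineno, line in enumerate(fh, start=1)
                for name, pattern in INDICATORS.items()
                if pattern.search(line)]


def scan_tree(root):
    """Walk root and map each flagged file (relative path) to its hits."""
    report = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_site(root):
    """Constructed sample tree: two flagged files and one clean one."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "index.php").write_text("<?php\n$x = base64_decode('AAAA');\n")
    (root / "wp-includes" / "registration.php").write_text("<?php\n// clean\n")
    (root / "about.html").write_text("<script>createCSS('" + "7" * 60 + "')</script>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, hits in scan_tree(tmp).items():
            print(rel, hits)
```

Point `scan_tree` at a downloaded copy of the site rather than the live server, so flagged files can be compared against a clean WordPress download before anything is deleted.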
Identifying and cleaning the infected files is one thing, but do you know how your site was compromised in the first place? The usual suspects are weak, easily guessed passwords and compromised plugins. It’s possible the backdoor was installed on your website a while ago which means that just removing the infection you see or restoring to a recent backup isn’t enough.
In my case I didn’t identify the source of the infection until later, so I took the cautious approach. Here is what I did:
If Google has identified you as an attack site, visitors will see a scary red image warning them away (see picture above). You want that to go away as soon as possible, so you will need to ask Google for reconsideration. I did this as soon as I had reinstalled WordPress (step 1 above). If your website is already set up in Google Webmaster Tools, just log in and request a malware review. My website had already been flagged by Google, so it was pretty obvious how to request a review. The review took about a business day, at which point the red attack page stopped appearing. I even got an email from Google warning me about the malware, although by then I had already taken action.
webenso.com was infected by a trojan that infected my PC laptop when I clicked on a zip file in an email message purporting to be from DHL. Coincidentally, I had been waiting on some real estate documents that were to be emailed to me; otherwise I would never have opened that zip. My virus scanner caught and quarantined it, but it did not catch two files that lodged themselves into my browser’s temporary files folder. When I logged into WordPress to write a post, they uploaded and created a way for the hacker to get into my site. When I ran a full scan, Avast found the two files. Moral of the story: always run a full scan immediately after your virus scanner detects a problem.
Kathy Alice Brown is an SEO expert specializing in Technical SEO and Content. In her spare time she loves to get outside.