Being hacked is something that no developer or site owner wants to deal with. While WordPress is considered a secure platform, it’s also a target due to its popularity. If a client’s site is hacked, it can compromise users’ personal information, infect their devices with viruses, or even result in you losing your client.
While being hacked is a serious situation, it doesn’t mean that your client’s website is a lost cause. It is possible to recognize the signs of a hacked site, and even recover it if you know what to do. By acting quickly, you can prevent further damage and hopefully thwart additional attempts.
In this article, we’ll share some signs that a site may have been hacked. Then we’ll show you how to recover your WordPress website in five steps. Let’s get started!
Identifying when a site has been hacked
The signs of a hacked website can be glaringly obvious or more subtle, so it’s essential to learn how to recognize them. It might also help if you educate your clients on what to look for, so they can alert you to any suspicious activity.
If you’re unable to log in to the WordPress admin dashboard, it’s possible that the site has been hacked and the password changed. In that case, it’s likely that you’ll need to restore the site from a backup to be able to access it again.
The presence of spammy links on a website can also signal a problem. These links will often send users to dangerous or possibly offensive websites that can damage your client’s reputation.
If your website’s URL is redirecting to a different site, that’s a pretty sure sign that it’s been compromised. You may not notice this right away, as it’s possible that not every page will redirect.
Google may mark a website as insecure before you realize there’s a problem. If you see that this has happened, you’ll want to investigate further to try and identify the issue:
Finally, if you see users you don’t recognize, you may want to be sure they’re legitimate. This is especially true for new users with the ‘admin’ role.
How to recover a hacked WordPress site (in 5 steps)
If you do see that a site has been hacked, you’ll want to get to work right away to recover and secure it. Here is a five-step process you can follow to do that.
1. Restore the site from a backup
Having a recent backup at the ready can save you from having to rebuild your site from scratch. Creating a backup with ManageWP is quick and easy, so you may want to make one now while you’re thinking about it.
To do so, hover over the site in your ManageWP dashboard and click on the View Backups button:
From this screen, you can immediately back up the site by selecting Backup now:
If you have a backup, you can use it to restore the site to an earlier state. You can do this by clicking on Restore backup:
However, restoring the site isn’t enough to prevent it from being re-accessed by the same hacker. Once you’ve completed this task, there are a few more steps to follow.
2. Put the site in maintenance mode
Your website won’t be available to users while you’re working on it, so you may want to put it into maintenance mode. To do this, hover over the site and click on Open website dashboard:
Next, in the menu at the left, click on More Tools and then on Maintenance Mode. On this screen, you’ll be able to select which template you’d like to use:
You can even edit the HTML to customize the maintenance mode screen further.
3. Change your password
It’s always a good idea to change your passwords often, but this is particularly crucial if you have reason to believe your current password has been compromised. You can change it in the WordPress admin dashboard by navigating to Users > All Users:
Next, you can click on your username to access your profile. Scroll down to the Account Management section and click on Set New Password. WordPress will generate a password for you, or you can set your own:
Finally, be sure to click on Update Profile to make your changes permanent.
When you’re coming up with a new password, keep these best practices in mind:
- Don’t use the same password for multiple accounts or client sites.
- Aim for a password that’s long and complex, but still possible for you to remember.
- Use a combination of letters, numbers, and symbols.
It’s important to realize that changing your password alone isn’t enough to protect the site, as the hacker may have installed a backdoor.
4. Remove potential malware and unrecognized users
Now it’s time to do a bit of housecleaning. You may want to start by deleting any themes or plugins you’re not using, as these are places a backdoor could be hiding.
You can then check for malware using Sucuri Security Check. To run the security check, navigate to the site’s dashboard in ManageWP. Then you can click on the Security tab in the menu to the left:
Next, hit Run Security Check. Within a few minutes, you should have your security report:
Malicious code could be in themes, plugins, or files such as wp-config.php, wp-includes directory, and .htaccess. If you know what you’re doing, you can remove this code yourself. Otherwise, you might want to reach out to the experts at Sucuri. You can also simply replace infected tools with fresh installations.
Hackers may access a site by creating additional users with admin privileges, which you’ll want to remove. Start from the WordPress dashboard and navigate to Users > All Users. Next, scroll through the site’s users, paying particular attention to any with admin privileges.
To remove an unauthorized user, you can click on the red Delete link below their name, and then choose Confirm Deletion:
If the user has content attributed to them, you can choose to delete that content or attribute it to another user.
5. Change your security keys and password
WordPress security keys, also called SALT keys, store your password in an encrypted form, so you don’t always have to type it in. This is convenient, but if a hacker accesses your security key, they may be able to decipher your password, even if you’ve just changed it.
You may want to change your security keys periodically, but it’s vital after a site has been hacked. You can do this by editing the wp-config file. You might access this file through your host’s cPanel or via your preferred FTP client.
Once you have the file, go ahead and open it in your text editor. Then, scroll down until you see these lines:
These are your current SALT keys, which you can replace with new ones. On this site you’ll see a list of new security keys, which you can copy and paste into your wp-config file. After you’ve replaced your old keys with the new ones, you can save your file. Once you’ve completed this entire process, it’s a good idea to change your password one more time.
Discovering that a site has been hacked isn’t pleasant, but you’re not powerless in this situation. Once you know there’s a problem, you can take action to try and resolve it.
We recommend following these five steps:
- Restore the site from a backup.
- Put the site in maintenance mode.
- Change your password.
- Remove potential malware and unrecognized users.
- Change your security keys and password.
Do you still have questions about recovering a hacked WordPress website? Ask us in the comments section below!
Image credit: Markus Spiske.