WordPress Hacked? Ten Steps to Repair Your Blog

A good friend of mine recently got his WordPress blog hacked. It was quite a malicious attack that could have an impact on his search ranking and, of course, his momentum in traffic. It’s one of the reasons why I advise large companies to use a corporate blogging platform like Compendium, where there’s a monitoring team looking out for you. (Disclosure: I’m a shareholder.)

Companies don’t understand why they would pay for a platform like Compendium… until they hire me to work all night repairing their free WordPress blog! (FYI: WordPress also offers a VIP version, and Typepad also offers a business version.)

For those of you who can’t afford a blogging platform with the services it offers, here’s my advice on what to do if your WordPress blog gets hacked:

  1. Stay calm! Don’t start deleting things and installing all kinds of crap that promises to clean up your installation. You don’t know who wrote it or whether it’s simply adding more malicious crap to your blog. Take a deep breath, look up this blog post, and slowly and deliberately go down the checklist.
  2. Take down the blog. Immediately. The easiest way to do this with WordPress is to rename the index.php file in your root directory. It’s not enough to just put up an index.html page… you need to halt all traffic to every page of your blog. In place of your index.php page, upload a text file that says you’re offline for maintenance and will be back soon. The reason you need to take down the blog is that most of these hacks aren’t done by hand; they’re done through malicious scripts that attach themselves to every writable file in your installation. Someone visiting an internal page of your blog can reinfect the files you’re working to repair.
  3. Back up your blog. Don’t just back up your files; back up your database as well. Store it somewhere special in case you need to refer to some of the files or information.
  4. Remove all themes. Themes are an easy means for a hacker to script and insert code into your blog. Most themes are also written poorly by designers who don’t understand the nuances of securing your pages, your code, or your database.
  5. Remove all plugins. Plugins are the easiest means for a hacker to script and insert code into your blog. Most plugins are written poorly by hack developers who don’t understand the nuances of securing your pages, your code, or your database. Once a hacker finds a file with a gateway, they simply deploy crawlers that search other sites for the same files.
  6. Reinstall WordPress. When I say reinstall WordPress, I mean it, including your theme. Don’t forget wp-config.php, a file that’s not overwritten when you copy over WordPress. In this blog, I found the malicious script was Base64-encoded, so it just looked like a blob of text, and it was inserted in the header of every single page, including wp-config.php.
  7. Review your database. You’ll want to review your options table and your posts table especially, looking for any strange external references or content. If you’ve never looked at your database before, be prepared to find phpMyAdmin or another database query manager within your host’s management panel. It’s not fun, but it’s a must.
  8. Start up WordPress with a default theme and no plugins installed. If your content appears and you don’t see any automated redirects to malicious sites, you’re probably okay. If you do get a redirect to a malicious site, you’ll probably want to clear your cache to ensure you’re working from the latest copy of the page. You may need to go through your database record by record to locate whatever content is paving the way into your blog. Chances are your database is clean… but you never know!
  9. Install your theme. If the malicious code replicated, you’re probably going to have an infected theme. You may need to go line by line through your theme to ensure there’s no malicious code. You may be better off just starting fresh. Open the blog up to a post and see if you’re still infected.
  10. Install your plugins. You may want to use a plugin first, such as Clean Options, to remove any leftover options from plugins you’re no longer using or wanting. Don’t go crazy though; this plugin is not the best… it often displays, and lets you delete, settings you want to hang on to. Download all your plugins fresh from WordPress. Run your blog again!
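The two mechanical parts of steps 2 and 6 (replacing index.php with a plain-text maintenance notice, then finding the Base64 blob injected into file headers) can be scripted. This is an added example, not the author’s own script; the install path, the sample files and the decode-and-execute pattern it greps for are assumptions.

```shell
#!/bin/sh
# Hypothetical helper for steps 2 and 6 of the checklist (not the post's code).

# Step 2: swap index.php for a text-only notice. A file with no <?php tag is
# served verbatim by the PHP handler, so nothing in the install executes.
take_offline() {
  root="$1"
  if [ -f "$root/index.php" ]; then
    mv "$root/index.php" "$root/index.php.offline"
  fi
  printf 'Offline for maintenance. Back soon.\n' > "$root/index.php"
}

# Step 6 check: print every PHP file whose contents contain an
# eval(base64_decode(...)) style decode-and-execute blob. One path per line.
scan_for_injections() {
  root="$1"
  find "$root" -type f -name '*.php' | while read -r f; do
    if grep -qE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Number of flagged files, usable as a before/after reinstall check.
count_injections() {
  scan_for_injections "$1" | wc -l | tr -d ' '
}

# Constructed sample install (assumption: two injected files, one clean
# theme file, one clean front controller) so the script runs offline.
make_sample_site() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/themes/demo"
  printf '<?php\n// clean template\necho "footer";\n' > "$dir/wp-content/themes/demo/footer.php"
  printf '<?php eval(base64_decode("aGVsbG8="));\n// theme header\n' > "$dir/wp-content/themes/demo/header.php"
  printf '<?php\n  eval ( gzinflate(base64_decode("x")));\ndefine("DB_NAME", "wp");\n' > "$dir/wp-config.php"
  printf '<?php\n// front controller\n' > "$dir/index.php"
  printf '%s\n' "$dir"
}

site=$(make_sample_site)
take_offline "$site"
scan_for_injections "$site"   # lists header.php and wp-config.php
```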

If you see the issue come back, chances are that you’ve reinstalled a plugin or theme that’s vulnerable. If the issue never leaves, you’ve probably taken a couple of shortcuts in troubleshooting. Don’t take shortcuts.

These hackers are nasty folks! Not understanding every plugin and theme file puts us all at risk, so be vigilant. Install plugins that have great ratings, plenty of installations, and a strong download record. Read the comments folks have left on them.

About Douglas Karr

Douglas Karr is the founder of The Marketing Technology Blog. Doug is the CMO of CircuPress and CEO of DK New Media, an agency specializing in assisting marketing technology companies with their inbound marketing - leveraging social media, blogging, search engine optimization, pay per click and public relations. Their clients include Angie's List, GoDaddy, Mindjet and many more. Douglas is also the author of Corporate Blogging for Dummies.

18 comments

  1. Thanks for the tips you mentioned here. I want to ask what if the hacker just alters the password of your site. You can’t even connect to the WordPress folder via FTP.

  2. Hi Tech,

    I’ve had this happen before as well. The easiest way to handle it is to open the database and edit your admin email address. Change the email address back to your address and then do a password reset. The admin reset will then be sent to your email address rather than the hacker’s, and then you can lock them out for good.

    Doug

  3. Good stuff. This just recently happened to a friend of mine. He could have used your advice.

  4. Doug, did you happen to figure out which plugin was used to break in?

  5. Hi,

    I just got your blog while searching to fix my site hacking issue. My site is http://www.namaskarkolkata.com. Suddenly this morning I noticed my site showing “Palestine Hacker – !! HacKed By T3eS !!”. Can you please take a look and tell me how I can fix it? They changed my WordPress administrator username and password, and when I try to recover through my email, it’s also gone. I am feeling helpless. Please guide me.

    Many Thanks,

    Bidyut

    • Bidyut,

      There’s actually an easy way to assume back control. Utilizing a program like phpMyAdmin which is loaded on most sites, you can go to the wp_users table and change the email address of the admin back to you. At which point you can do a ‘forgot password’ at the login screen and reset the password.

      Doug

      • Hi Doug – thanks for this quick fix… wish I knew about it 2 weeks ago when one of my sites got hacked… hosting support was next to useless and I had to scrap the whole site & start again! Thanks to you I won’t have to go through that pain again on my latest site that’s been hacked. Any suggestions for hacker protection? – gratefully, Dee

  6. Hi there, thanks for your post. My site has been hacked, and so far all that has happened is they added WP users and posted three blog posts. My web host thinks it was just a “bot” breaching my WP password, but I am a bit worried. I changed all my passwords, added password protection under the .htaccess editor, backed up my WP files, my theme settings and my databases, and put the site under maintenance, all in preparation to reinstall WP and my theme. Still, this is tough stuff for a newbie. I am a bit confused on how to cleanly reinstall WP and my theme so that no old files remain on my FTP server. I am also confused about reviewing my databases, looking at all my tables in phpMyAdmin. How would I even recognize malicious code? Most troubling is that I keep all my plugins and WP up to date, on a weekly basis. Thank you for help clarifying all of this!

    • Most of the time, it’s files in wp-content that are typically hacked. Your wp-config.php file has your credentials and your wp-content folder has your theme and plugins. I would try downloading a new WordPress install and copying over everything but the wp-content directory. Then you’ll want to set the credentials in the new wp-config.php file (I would not use the old one). I would then be very cautious using the same theme and plugins… if one of them is hacked, they could spread the issue to all of them.

      Malicious code is typically copied into every file and uses terms like eval or base64_decode… they encrypt the code and use those functions to decode it.

      Once your site is all back up, you can also install a scan plugin that will detect if any root files are changed, like: http://wordpress.org/extend/plugins/wp-security-scan/

  7. Hi Doug! I think my blog has been hacked. I have control over it, but if I want to share a post URL on LinkedIn the title displays “buy z….” (a drug) and I don’t know what to do or how to fix it. I definitely feel a bit uneasy about taking down my whole blog… it’s huge!!! What happens if I install WordPress new in another directory and then add the theme, test it and test the plugins, and then move all of the content and delete the original directory? Would this work? My blog URL is hispanic-marketing.com (in case you want to take a look at it). Thank you sooo much!!!

  8. WordPress VIP has this type of support but it’s meant for huge industries. But they also have a product called VaultPress that’s not too expensive and has support. There is no such thing as “WordPress” tech support. My advice would be to host your site at WPEngine – http://www.marketingtechblog.com/wpe – they have outstanding support, automated backups, security monitoring, etc. And they’re super fast! We’re an affiliate and our site is hosted on them!

  9. Hey Douglas, I would like to add to your list as a #11. You also need to re-submit the website in Google Webmaster Tools so that they can re-crawl it and give it the all clear. This usually takes only 24 hours now, which is a lot shorter than before, when it took a week to re-crawl.