I will show you how to restore a hacked wordpress website.
This post is for people with a self-hosted wordpress site and their own domain. It’s also for people who have small, fairly simple sites that they’ve set up themselves with free or out-of-the-box purchased themes and plugins.
I’m an author and I’m thinking author websites, but any other sites whose function is to give you a presence on the web and maybe display a few articles or portfolio pages are also suitable.
This post is not for people with complex sites or for people who paid a developer to set up their site, because some steps in this process are guaranteed to break custom-made setups.
So. You’ve got a hacked wordpress site. Join the club!
Estimates go that around 30% of websites get hacked annually.
Yet, hacked is a big and scary word that conjures up visions of ransomware and illegal activities. In reality, many people are not even aware that they have a hacked wordpress website. The hackers are so sneaky that you notice nothing when you visit your own site. Or the hackers may simply “borrow” your disk space to do nefarious things, like sell “pharmaceuticals” or send tons of junk mail.
It might only show up when people google you, or not at all. Your site might just be very slow.
Alternatively, you could be locked out of the wordpress dashboard.
The good news is that to restore a hacked wordpress website yourself is not terribly difficult.
Before you start reading the rest of this article, I would like you to defer making a decision (or indeed doing anything) until you’ve read “The Nuclear Option” below. It’s fast, it’s clean and it’s ruthless.
The key: ALWAYS KEEP BACKUPS! Of everything. Your site, your purchased themes and plugins (if any), and your mySQL database.
Make sure you have access to the back end of your website: your ISP login. If you have this, you can fix everything. Absolutely everything. If you’ve lost this, contact your ISP. Change your password and set up 2FA.
Next, download a copy of WordPress from WordPress.org. Unzip the file. Poke around the directories a bit to make yourself familiar with them.
Log into your ISP’s cpanel and make a backup of your site, including the database.
Let’s get you back into the site
The following few steps will restore your access to the wordpress dashboard.
You may skip them if you can still log in, but since the two files we’ll be restoring are key operators in your access to the wordpress backend, and they are very frequently targeted by hackers (in other words: they are highly likely to have some weird crud in them), I recommend that you replace them with clean copies. Even if you choose to do it later, you’ll have to come back here to check how to do it.
Still in the cpanel, open up the File Manager and find WordPress. It will probably be in the public_html directory. Find a file in this directory that’s called wp-config.php. Open it in the editor and copy the code inside to a safe place. I use the Notes app. You will notice that this file has your database password. Up until today you probably didn’t know this database (and the password!) existed. It lives under the mySQL tab in your ISP’s cpanel. Keep the password for the time being, but you will want to change it later.
The image below is from my public_html directory:
Go to your downloaded copy of WordPress and find the same file and open it. A section of it will look like the code below. The lines in blue for example where it says ‘database_name_here’ will have to be replaced with the corresponding text from the file you just copied off your website. Only touch the lines shown in this image below. Follow the instructions. Save the old file as wpconfig-old.php and the new file as wp-config.php in the public_html directory.
Find the file called .htaccess in your public_html directory. You will need to turn hidden files on (you can do that under “settings”). Give it another name by adding an underscore at the end, or something else, like -old. If the .htaccess file doesn’t exist, then there is part of your problem, but don’t panic (note: it also won’t exist in the WordPress copy you’ve downloaded, because it doesn’t exist in virgin wordpress installs). We’re going to make one.
Google “Wordpress .htaccess”. From the official WordPress site (WordPress.org), copy the code for your relevant install. Most likely this is the first option, but if you run multisite, you will have to choose one of the other options. Save this code in a note, too, in case you screw up and have to do it again. (If you don’t know what multisite is, you’re not running it and ignore the comment about it).
Make a new file in your public_html directory, call it .htaccess and copy the code from the WordPress website into it. It looks like this stuff in the grey box (really, that’s all!):
With those files recreated and saved in your public_html directory, try to log into your website by typing yourdomain.com/wp-admin in your browser’s URL bar (obviously replacing yourdomain with the proper URL of your website.
I betcha it will bring up the wordpress login screen. Halleluja!
But, in case it doesn’t… or it does, but login fails…
Go to the directory called wp-content/plugins. Rename it plugins-old. Try again.
Do the same with wp-content/themes.
Open up your downloaded copy of WordPress, pick up the directories wp-admin and wp-includes and drop them over the old ones. Note: keep away from wp-content. Because it —uhm—has your content.
At some point during all this, you will regain access to the wordpress login screen. Log in, go to “users” immediately and change your password. Also, delete any other user accounts that don’t need to be there, even if they are also yours.
P.S. If you ended up renaming the plugin and themes directories, don’t forget to name them back. If the issue resurfaces, then there is your problem!
Next: Scan your website for malicious code.
Get a security plugin like Sucuri or Wordfence and run a website scan. The free versions of both those plugins let you do this.
The plugin will spit out a list of files it doesn’t like (fewer if you already replaced the wp-admin and wp-includes directories), which it has compared against the standard wordpress install. The plugin could either object because they’re unknown files or modified files. Hackers often put code in weird php files in your root public_html directory, or will modify existing files, especially in themes and plugins.
If there are unknown files, check for the presence of the file in your clean WordPress download.
Is the file not in the equivalent place in the equivalent directory in your clean downloaded copy? Google the name of the file. It could be that it’s related to a plugin you’re using. If the file belongs to a plugin but the flag reason is “modified” and the modification is recent, it’s probably best to delete the file (if this breaks the plugin, you can restore that later). If the file is “unknown” or “not a core wordpress file” and you didn’t put it there, delete it. This happens sometimes with legit log files, but in that case the offending plugin just makes a new one.
Do this for all errors.
Check if the site works as previous. If plugins don’t work, go to the ISP’s File Manager, find the directory wp-content/plugins, open it and rename the directory related to that plugin -old. Then go back to your wordpress back end and re-install a fresh copy of the plugin from the official wordpress plugin directory. Check that it works, and then delete the -old plugin directory from the server.
Then go and change all your passwords, including your mySQL database password. You probably don’t know how to do this, but your ISP’s help files can tell you. Otherwise Google it and follow the instructions.
There you go. Those are the basic steps to restore a hacked wordpress website.
Now what about that nuclear option?
Before you do any of the above, you might consider if the nuclear option is for you. It’s quick, clean, hassle-free and not terribly hard. If it isn’t for you at this point in time, you might consider setting up your website so that it can become an option.
Because we’re authors and have better things to do than stuffing around with our websites.
OK, here goes:
If you have a backup of your pre-hacked wordpress site and/or needed to redo it anyway…
Or your site is small with only a few pages and a few simple plugins…
That are easily recreated and/or you have backups of your content in another way…
You can also go to your ISP’s cpanel and tell it to uninstall and re-install wordpress in the root public_html directory. It will overwrite everything that’s there. Re-install the theme and the plugins, upload the backup. Done. You don’t even have to worry about a new database and login passwords, because you’ll have a new database and will be prompted to create new passwords.
WordPress is extremely structured and the vast majority of operational files are standard and not affected by your use of the website. The main files that affect your interaction with the software are .htaccess and wpconfig.php and restoring them by replacing broken code with default files is highly likely to restore at least some safe access to your website. If you still have trouble, copy files from a clean wordpress instance. Then grab a security plugin to fix the rest.
Also, if you want more detailed instructions, Google totally is your friend. There are many articles on how to restore a hacked wordpress website, and some will go into a lot more detail.
We’re authors and like detail, but we like to expend detail on our writing, and like our websites to simply work properly.
Next of course you’ll want to know how to prevent your site being hacked again. I’ll write about that later.
The comments on this blog are closed, but this post is syndicated to my Facebook page, where you can comment and ask further questions.