How to Fix a Hacked WordPress Website [5 Easy Steps]

Author
Zee Ahmed
President/CEO

Has your WordPress website been hacked? Don’t worry! This comprehensive guide will help you fix your site; if it doesn’t, we can help you.

Did you know?

Cybercrime costs companies 6 trillion dollars per year. Businesses still don’t take WordPress security seriously until their websites get hacked.

Money Lost due to cybercrime

Table of Contents

  • Why Does WordPress Get Hacked?
  • What Do WordPress Hacked Websites Look Like?
  • 5 Steps to Fix a Hacked WordPress Website

Why Does WordPress Get Hacked?

It’s common for hackers to target the software with the largest market share.

Of course, it makes more financial sense for hackers to target Windows than Linux.

The same is the case with WordPress, which has a market share of more than 38%. Being open source, its code is available for anyone, including hackers, to study for weaknesses.

Here are the top reasons WordPress gets hacked:

1. Insecure Web Hosting

Many people opt for cheap hosting, which is the number one cause of being hacked.

Most cheap hosting companies don’t help people. They don’t care if your website gets hacked or goes down for hours.

You get what you pay for.

Whatever web host you use, check the reviews on the internet.

Look for the bad reviews regarding hacked WordPress sites.

I recommend that you check the overall rating of the hosting company before you purchase any plan.

Check the overall rating of a hosting company

Then look through the reviews to see how the company dealt with hacked sites.

Hostgator Hacked website deal

It clearly indicates that Hostgator isn’t a good company.

Many hosting companies have a long track record of being hacked because they use outdated security standards.

Hosting accounts hacked

At One Smart Sheep, we host our clients’ websites on ultra-high-speed servers and provide free maintenance, fixes, repairs, and much more at an affordable monthly price.

2. Using Weak Passwords

If your WordPress website has a weak password, hackers don’t even need to attack your network to compromise it.

Before you set a password for:

  • Users
  • FTP
  • WordPress login

Use haveibeenpwned.com, which checks whether your password has appeared in any of thousands of data breaches.

Is your password pwned? Check before you make a WordPress password

Hackers download leaked password databases consisting of thousands of gigabytes of data and use them to brute-force WordPress logins.

A brute-force attack consists of an attacker submitting many passwords in the expectation of ultimately guessing correctly.

The best practice is to change the passwords of your important accounts frequently, once a month.

Also set up a Google Alert for your hosting company, so that if it gets hacked you hear about it and can secure your website immediately.

Google Alert to get notifications if your hosting gets hacked

3. Not Updating WordPress, Plugins, or Themes

Most WordPress updates are security patches that fix potential vulnerabilities.

Did you know that WordPress introduced an auto-update feature in its latest version? Users can set their plugins and themes to update automatically, so security patches are applied without any action on their part.

After installing the latest version of WordPress, go to Installed Plugins, and enable auto-updates.

Auto updates WordPress

To enable auto-updates for themes, go to Appearance>Themes. Select the WordPress theme, and hit Enable Auto-Updates.

auto updates for WordPress themes

Keep in mind that the themes you purchase from the marketplace, like ThemeForest, may not offer auto-update features.

4. Nulled Themes and Plugins

People love free stuff, and that includes nulled themes and plugins that can be downloaded for free on the internet.

Avada nulled themes

The primary issue with nulled software is that it often contains dangerous viruses and malware.

Hackers plant malicious scripts in these plugins and themes that later give them access to the entire website without any credentials, and you may have no idea what’s going on behind the scenes.

The key takeaway? If you’ve installed anything nulled, you should immediately delete it from your WordPress site.

5. Playing Wrong with FTP

Many users tinker with settings in FileZilla and cPanel and end up getting their websites hacked.

How does it happen?

Suppose a user had an image upload issue, and he made the wp-admin folder publicly accessible after watching a tutorial on YouTube.

file permission hacking cause

He is happy because the issue is fixed, but he has actually made a blunder: with the folder’s permissions opened up like that, hackers can take complete control of the website.

Don’t make such a mistake.

How to Check If Your Website Is Really Hacked

It’s critical to check whether your website is really hacked or you are just worrying.

Here are the top 4 ways:

1. View “Security Issues” in Google Search Console

Google Search Console doesn’t only help you rank higher on Google; it also detects malicious files on your blog.

Even if you had not set up Search Console when your site was hacked, it can show the malware files as soon as you add your site.

Google Console Security Issues

2. High CPU Usage

Modern malware programs are smart. They may not harm your site directly but may use your CPU to make money, primarily by mining cryptocurrency.

Furthermore, high CPU consumption indicates that malware is active on your website and performing suspicious tasks, ranging from encrypting your essential files to stealing sensitive data.

There are several ways to check whether your WordPress site is consuming a lot of CPU.

Log in to your cPanel, and locate Resource Usage that falls under Metrics.

Resource Usage

Scroll down a little and you’ll see a simple graph. The green line indicates your average CPU usage.

Average CPU Usage

If the average usage is above 70% to 90%, your website is in hot water and you should investigate which processes are taking most of the CPU.

If you’re using a cloud hosting like DigitalOcean, you can quickly check CPU usage in the Metrics section.

Digital Ocean CPU Usage

And when you log in to the terminal, it clearly shows how much RAM, CPU, and disk space is being consumed.

Digital Ocean Usage

And if you want to see which processes are consuming the most resources, type top in the terminal (over SSH) and you’ll see a table like this.

CPU Usage processes

You can stop the process that is taking most of your CPU by typing the line below:

kill -15 16330

Replace 16330 with the PID of that process (the first column in top). Killing it only buys you time: whatever launched it, such as a cron job or a modified plugin file, can start it again, so you still need to find and remove the malware files.

3. Use Google’s Safe Browsing Tool

Google’s Safe Browsing technology checks millions of URLs daily and hunts for unsafe websites.

To check your website, go to the Safe Browsing site status page and enter your website address to find out whether it has been flagged as hacked.

Safe Browsing

4. Check Search Results on Google

It’s the most potent tip that demonstrates how much hackers have damaged your site.

Type site:yourwebsitename.com on Google.

Typically, your website will look like this:

Google Search Results to check for hacking results

If it’s hacked, you’ll find Japanese search results like this:

Japanese keyword hack example search

After reading the article, I’m sure you’ll be able to fix your hacked WordPress site in 80% of the cases.

If you think you can’t do it, we at One Smart Sheep provide all the services related to WordPress development, maintenance, repair, and hack fixes for a low cost.

5. Spam Ads

Are you noticing suspicious activities on your blog? It’s highly likely your website has been hacked, and a hacker is trying to earn money through pop ads.

Several ads companies don’t need manual approval, and hackers take advantage of such pop-up and notification ads to earn money.


A few hackers may also hack a site to place a backlink that ranks their own websites higher on Google, especially on government and educational websites, which are worth more in Google’s eyes.

5 Steps to Fix a Hacked WordPress Website

Fixing a hacked WordPress website is a step-by-step process. Follow these steps:

Step 1: Stay calm

Most people get panic attacks when their websites get hacked.

Fear impairs your thinking and your emotional control.

Take deep breaths to get more oxygen since breathing is the most effective technique for reducing anxiety quickly.

Challenge your thoughts by questioning and answering:

  • Will I lose money? Yes, you’ll lose some money, but it’s temporary. You can recover from it.
  • What is the worst that could happen? If the domain and hosting are in your name, you don’t need to worry about it.
  • Does my hosting provide support? If your hosting takes daily backups and offers a free hack-fix guarantee, just send them a message.

Step 2: Change Passwords and Salt Keys

If a hacker has compromised WordPress, you should immediately change all your passwords for:

a) cPanel

Go to your cPanel and search for Password and Security to change the password.

Password and Security

b) Hosting Account

You should also change the password for your account with your hosting company.

Change hosting password

c) Domain registrar

It’s also crucial to change your registrar’s password since you might have used the same password for all accounts.

Domain registrar password change

d) WordPress Users

Changing the password of all users is critical to secure your site. To change the password, go to All Users and click Edit. Scroll down to click the Generate Password button.

Change password

e) Changing Salt Keys

Changing the salt keys invalidates every existing login cookie, so if the hacker still has a session on your site, this forces them out immediately.

The fastest way to change Salt Keys is with the plugin called Salt Shaker.

Salt Shaker

Go to Settings, choose Salt Keys daily, and hit Change Now.

Change Salt Keys daily
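If you would rather not install a plugin on a site you are still cleaning, the salts can be rotated from an SSH session. The script below is an added example, not code from the article, from Salt Shaker or from WordPress; it assumes a POSIX shell with awk and /dev/urandom, and the wp-config.php it edits is a constructed sample so it runs offline (on a real site you would point rotate_salts at the real file).

```bash
# Rotate the eight WordPress salts in wp-config.php from the shell.
# Added example; not from the article, the Salt Shaker plugin or WordPress.
# Assumes a POSIX shell with awk and /dev/urandom. The wp-config.php
# written by write_sample_config is constructed for the demo.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# new_salt: 64 random characters that are safe inside a single-quoted PHP
# string (no quote, backslash or dollar sign). /dev/urandom is assumed.
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*_=+' < /dev/urandom | head -c 64
}

# rotate_salts FILE: drop the existing define() lines for the salt keys and
# insert fresh ones just before wp-settings.php is loaded (or at the end of
# the file if that line is missing). Every existing login cookie, including
# an intruder's, stops validating because it was signed with the old keys.
rotate_salts() {
  file=$1
  block=""
  for key in $WP_SALT_KEYS; do
    block="${block}define( '$key', '$(new_salt)' );
"
  done
  tmp=$(mktemp)
  awk -v keys="$WP_SALT_KEYS" -v block="$block" -v q="'" '
    BEGIN { n = split(keys, k, " ") }
    {
      for (i = 1; i <= n; i++)
        if ($0 ~ ("define *\\( *[" q "\"]" k[i] "[" q "\"]")) next
      if (!done && $0 ~ /wp-settings\.php/) { printf "%s", block; done = 1 }
      print
    }
    END { if (!done) printf "%s", block }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_salt_defines FILE: how many of the eight keys are defined (expect 8).
count_salt_defines() {
  n=0
  for key in $WP_SALT_KEYS; do
    grep -qE "define *\( *['\"]$key['\"]" "$1" && n=$((n + 1)) || true
  done
  echo "$n"
}

# write_sample_config FILE: a constructed wp-config.php that still carries
# the stock placeholder salts; used only to demonstrate the rotation.
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
/* constructed sample wp-config.php, not a real site's file */
define( 'DB_NAME', 'wordpress' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo on the constructed file. On a real server the call would be
# rotate_salts /var/www/html/wp-config.php (path assumed).
DEMO_CFG=$(mktemp)
write_sample_config "$DEMO_CFG"
rotate_salts "$DEMO_CFG"
echo "salt keys defined after rotation: $(count_salt_defines "$DEMO_CFG")"  # prints 8
rm -f "$DEMO_CFG"
```

Because the new defines are written before the wp-settings.php line, WordPress picks them up on the next request and every user, including you, has to log in again.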

Step 3: Scan Your Site

Scanning your website with different tools can help you to identify the potential malware living on your site.

Malware and viruses are getting smarter each passing day thanks to machine learning, and tools are adopting the same technology to fight against them.

I’ll show you different methods from basics to advanced.

a) Sucuri Scanner (Crawler)

Sucuri has a powerful tool that scans all the WordPress files and identifies the potential malware within a few seconds.

It’s not always accurate, but it can help you find most malware files.

Go to Sucuri Scanner and type your website.

OneSmartSheeps Scanner

If any malware file is found, Sucuri shows the file’s location so that you can immediately delete it.

b) Isithacked Scanner (Crawler)

IsItHacked is another online tool that scans your website and reports malware if found.

is It hacked online tool

It also fetches your website with different user agents, because hackers often show visitors the real content while serving different content to search engine bots.

c) VirusTotal Scanner (Crawler)

VirusTotal is an extremely powerful scanner that runs the files you upload through 70 antivirus engines.

To take full advantage of VirusTotal, compress your website’s essential files into a zip and upload that to VirusTotal, rather than submitting the URL, which is not accurate.

To make a zip, sign in to cPanel and click File Manager.

cPanel File Manager

Go to the folder where your blog is installed. Select all the folders and files and click Compress.

Compress

Keep in mind that VirusTotal has an upload limit of 530MB. The uploads folder in the WordPress directory takes up most of the space, and you can leave that folder out.

Compressed result

You’ll get this success message once your zip file is compressed. Then you need to download the file.

The file to download for checking malware

You can use any software to download the file.

Download the zip

Because this file sits in the root directory, its URL will look like this:

https://yourwebsite.com/uploadedfile.zip

Download the file

Once downloaded, upload it to VirusTotal. Then delete the zip from the server: it sits at a public URL and contains wp-config.php with your database credentials.

Virus in the theme

When you upload the file, you may be surprised by a result like this: it shows the zip contains malware and something is wrong with your website.

You might be wondering why I didn’t submit the URL instead of the enormous zip file.

The reason is that when you give VirusTotal a URL, it does not download the zip and scan its contents.

Here is what happened when I put the URL into the VirusTotal field: no virus found in classic.zip.

No Virus in VirusTotal

d) Defender Malware Scanner (Plugin)

I found the Defender plugin to be the best malware scanner plugin. I downloaded a virus file from the internet and uploaded it to the WordPress blog.

Defender plugin

cPanel rejected the malware file, so I installed the File Manager plugin to upload the file.

Did you know? Wordfence and other plugins didn’t detect the virus, but Defender did.

Defender Scanner

e) Wordfence Scanner (Plugin)

Wordfence is known as the best plugin when it comes to WordPress security. It has a built-in scanner that identifies malicious files and can delete them.

Under Plugins, search for Wordfence and install the first plugin that appears.

Wordfence plugin

Go to Scan and start scanning your website.

Scan Report

Depending on your website’s size, it may take some time and provide additional information about the critical issues.

If you find a malware file through Wordfence, you must immediately delete the file.

f) Malcare Scanner (Plugin)

Malcare is another excellent addition to the WordPress malware scanners.

It doesn’t slow down your WordPress site since the scanning runs in the cloud, which is faster and lighter on your server.

Install the plugin from Plugins and activate it; it starts scanning once you hit scan now.

Malcare Scanner Plugin

Once your site is scanned, it provides you with the report.

Malcare Scanner to remove malware on WordPress

Step 3: Check Recently Modified Files

So, you have scanned your WordPress website, now what?

Delete the files that were flagged as suspicious, restart your hosting server, and check the CPU usage again.

If the CPU usage is still high, it means the malware is still active on your blog.

I’ll show you two ways:

a) cPanel

To check the recently modified files, go to the folder where your WordPress is installed.

Last Modified Files

The files modified in the last 7 days should be taken into account.

Download the original WordPress zip, in the same version your site runs, from the official website.

Download WordPress

And extract it.

WordPress extracted folder installation

Install and run Microsoft Visual Studio Code. Go to File and open the folder that we extracted.

Open the folder

Once you open the WordPress extracted folder, it lists all the files and folders.

WordPress folder in Visual Studio Code

Paste the modified file that you downloaded from cPanel into the WordPress folder; I picked wp-config in my case.

Paste wp config

Select the two files of the same name (hold Ctrl, or Control on Mac, while clicking) and click Compare Selected.

Compare

VS Code will show you all the differences between the two files.

Modified files in Visual Code Studio to find malware

If you have a little programming experience, you can quickly spot the malware pattern. See the SSH section below to learn more about the patterns.
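Comparing one file at a time in VS Code works for a handful of suspects, but the same idea scales to the whole install: every core file outside wp-content should be byte-for-byte identical to the clean download of the same version, so anything that differs or was added is a lead. The script below is an added example that is not part of the article; it assumes POSIX find and cmp and that the clean directory is the folder extracted from the official zip. The two small trees it builds are constructed so the demo runs offline; on a real server you would pass the extracted folder and your web root (for example /var/www/html, as used later in the article).

```bash
# Compare a live WordPress directory with a clean copy of the same release,
# file by file. Added example, not from the article; assumes POSIX find and
# cmp, and that CLEAN is the folder extracted from the official zip. The
# trees built by build_sample_trees are constructed for the demo.

# compare_trees CLEAN LIVE: prints "MODIFIED path" for a core file whose
# content differs from the clean release and "EXTRA path" for a file the
# clean release does not contain. wp-content (themes, plugins, uploads) is
# skipped because the official zip does not ship your site's copies of it.
# wp-config.php and .htaccess are expected to appear as EXTRA; anything
# else in the list deserves a look.
compare_trees() {
  clean=$1
  live=$2
  (cd "$live" && find . -path ./wp-content -prune -o -type f -print) | sort |
  while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      echo "EXTRA    $f"
    elif ! cmp -s "$clean/$f" "$live/$f"; then
      echo "MODIFIED $f"
    fi
  done
}

# build_sample_trees: creates BASE/clean (pristine release) and BASE/live
# (the site, with one altered core file and two extra files) and prints BASE.
build_sample_trees() {
  base=$(mktemp -d)
  for side in clean live; do
    mkdir -p "$base/$side/wp-includes"
    printf '<?php\n// constructed sample core file\necho "index";\n' > "$base/$side/index.php"
    printf '<?php\n// constructed sample core file\nfunction demo() {}\n' > "$base/$side/wp-includes/functions.php"
    printf '<?php\n// constructed sample login page\n' > "$base/$side/wp-login.php"
  done
  # live copy only: a core file with a line appended, a config file, a stray
  # file in wp-includes, and site content under wp-content (skipped by compare)
  printf '// appended line, constructed for the demo\n' >> "$base/live/wp-login.php"
  printf '<?php\n// constructed sample config\n' > "$base/live/wp-config.php"
  printf '<?php\n// constructed stray file\n' > "$base/live/wp-includes/sample-extra.php"
  mkdir -p "$base/live/wp-content/plugins/demo"
  printf '<?php\n// constructed plugin file\n' > "$base/live/wp-content/plugins/demo/demo.php"
  echo "$base"
}

# Demo run; on a real server: compare_trees ~/wordpress /var/www/html (paths assumed)
DEMO_BASE=$(build_sample_trees)
compare_trees "$DEMO_BASE/clean" "$DEMO_BASE/live"
rm -rf "$DEMO_BASE"
```

On the constructed trees this prints three lines: wp-config.php and wp-includes/sample-extra.php as EXTRA and wp-login.php as MODIFIED, while index.php (unchanged) and everything under wp-content are left out. A file that shows up as MODIFIED can then be opened in the VS Code compare view to see exactly which lines were changed.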

b) SSH

If you’re using DigitalOcean or any cloud hosting service, you can easily find all the recently modified files with a single command.

Open an SSH session (also known as console access).

Then run the command below to enter the directory where your WordPress is installed.

cd /var/www/html

go to the directory where your website is installed

And now enter the below command:

find . -type f -name '*.php' -ctime -7

SSH recently modified php files

It will provide you with all the PHP files that were modified in the last 7 days.

List of all the files

If you want to see the JS files that have been modified, try the below command:

find . -type f -name '*.js' -ctime -7

'*.js' selects the JavaScript files and -ctime -7 restricts the list to files whose status changed in the last 7 days. You can use any number of days, for example -ctime -1. Note that ctime is the inode change time: it also moves when permissions or ownership change, and unlike the modification time (-mtime) it cannot be backdated with touch, which helps when an intruder has tried to make a file look old.

And if you want to list all the files modified in the last 10 days, whatever their type, type the command below:

find ./ -type f -mtime -10

All the files

Some functions that are very commonly used in backdoors and obfuscated malware are:

  • eval()
  • assert()
  • exec()
  • system()
  • base64_decode()
  • gzinflate()
  • gzuncompress()
  • str_rot13()
  • stripslashes()
  • preg_replace() with the /e modifier
  • move_uploaded_file()

Note: Some legitimate plugins use the functions above, so test your site after removing any file that contains them; otherwise, you may break your website.

To locate such files, open your SSH terminal and run the following command:

find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("

no match with the malware files

On my website, there is no such file; I got an unmatched error.
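The two commands above (find the recently changed PHP files, then grep for the backdoor-style calls) can be combined into one function. The script below is an added example, not code from the article; it assumes POSIX find and grep -E, and the small site tree it scans is constructed so the demo runs offline. Two details differ from a bare copy of the commands: the final "(" in the pattern is escaped, because an unescaped one opens a regex group and makes grep abort with "Unmatched ( or \(" instead of searching, and the pattern requires a non-identifier character before the function name so that calls such as wp_mail( are not reported as mail(. The demo also shows why the article's -ctime is a better choice than -mtime here: a file whose modification time was backdated with touch still has a fresh ctime.

```bash
# Find PHP files changed recently and grep them for function calls typical of
# backdoors. Added example, not from the article; assumes POSIX find and
# grep -E. The tree built by build_sample_site is constructed for the demo.

# Calls the article lists as common in backdoors. The trailing "(" is escaped
# (an unescaped one is a regex group and grep stops with "Unmatched ( or \(").
# The leading group demands a non-identifier character before the name, so
# wp_mail( does not match mail(.
SUSPICIOUS_RE='(^|[^A-Za-z0-9_])(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|move_uploaded_file) *\('

# list_suspicious_php DIR DAYS [TIMETEST]: print file:line:text for every
# matching line in a .php file changed within DAYS days. TIMETEST is -ctime
# (default, as in the article; cannot be backdated with touch) or -mtime.
list_suspicious_php() {
  dir=$1
  days=${2:-7}
  time_test=${3:--ctime}
  # /dev/null as an extra operand makes grep print the file name even when
  # it is handed a single file; "|| true" keeps "no match" from being an error
  find "$dir" -type f -name '*.php' "$time_test" "-$days" \
    -exec grep -nE "$SUSPICIOUS_RE" /dev/null {} + || true
}

# build_sample_site: constructed tree with an ordinary plugin (must not be
# flagged), a file under uploads using eval(base64_decode()), and a copy of
# that file whose modification time was backdated to 2015. Prints the path.
build_sample_site() {
  base=$(mktemp -d)
  mkdir -p "$base/wp-content/plugins/demo" "$base/wp-content/uploads/2021/01"
  cat > "$base/wp-content/plugins/demo/demo.php" <<'EOF'
<?php
// constructed sample: ordinary plugin code; wp_mail( must not be flagged
add_action('init', function () { wp_mail('admin@example.com', 'subject', 'body'); });
EOF
  cat > "$base/wp-content/uploads/2021/01/cache.php" <<'EOF'
<?php
// constructed sample of the pattern a scanner should flag; $code is never set
eval(base64_decode($code));
EOF
  cp "$base/wp-content/uploads/2021/01/cache.php" "$base/wp-content/uploads/2021/01/backdated.php"
  touch -t 201501010000 "$base/wp-content/uploads/2021/01/backdated.php"
  echo "$base"
}

# Demo run; on a real server: list_suspicious_php /var/www/html 7
DEMO_SITE=$(build_sample_site)
list_suspicious_php "$DEMO_SITE" 7 -ctime   # two hits: cache.php and backdated.php
list_suspicious_php "$DEMO_SITE" 7 -mtime   # one hit: backdated.php slips past -mtime
rm -rf "$DEMO_SITE"
```

Every line the function prints is a lead, not a verdict: open the file and read the surrounding code before deleting it, since a legitimate plugin can use these functions too, as the note above says.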

Step 4: Delete the Malware Files

Clean up the following malware files:

  • Suspicious files reported by malware scanners like Defender, Wordfence, and Sucuri.
  • Files you found through the harmful patterns and functions explained in Step 3.

Once you’ve deleted, restart the server if you’re using cloud hosting or talk to your hosting provider.

When the CPU usage is low and everything is working as expected, go to Google Search Console and click REQUEST REVIEW.

Google Console Hacked WordPress file review

Note: Make sure you’ve deleted all the URLs and folders listed under Sample URLs.

Once you’ve requested the review and you don’t get any warning in return, you’ve successfully cleaned your WordPress website of all types of malware and viruses.

Step 5: Create Backups

Create a backup of your complete WordPress blog before you celebrate the win against the hackers.

How do you make a backup? Install the All in One Migration plugin and activate it.

All in one migration

Go to All in One Migration, and click Backup.

Creating Backup

Depending on your WordPress site’s size, it may take a few minutes to create a backup.

Once completed, you’ll get this message. You can download it and store it on your laptop.

Download the backup

If you want to import in the future, just go to Import and upload the file.

All in One migration import

Let Us Protect Your WordPress Site For a Lifetime

One Smart Sheep doesn’t only fix hacked WordPress sites; it also builds custom websites and hosts, markets, and maintains them for a budget-friendly price each month.

You don’t need to worry about your WordPress site ever again. You focus on growing your business (with some SEO work included for free) and we keep your WordPress website healthy, safe, and secure.