How to recover your Hacked WordPress Site (Part-1)

So you think your WP site got hacked. What is the first thing you should do?

There are several dozen things you could do, and each case is different, so I will highlight the most important points below.  There are so many steps because there are so many different ways to approach this problem.  The most immediate decision is whether you take a hands-off approach and hire a security consultant to clean the site for you, or go the DIY route as I did.  Even then, people prefer to do things in many different ways.  Overall, the process involves a lot of smaller steps, but one step is really big regardless of whether you DIY or hire someone to do the cleanup: changing your mindset about how you approach security.  That may be the single most important aspect of the whole process, and because it means changing the way you think, it may also be the single hardest step in this entire how-to guide.

The following are all recommendations on my part, suggestions that you can discard or accept, but in my opinion they make up a fairly logical progression for dealing with such issues should you ever find yourself in this situation.   You can of course perform these steps in a different order, but I believe they are most effective in the order I present them.  I hope they will at least be a helpful aid in your time of need, allowing you to recover as much of your website as possible.   Cleaning any hack takes time and effort, so think carefully about whether you want to tackle this on your own.   In the end, I think you'll be happy that you chose to do it yourself.  As with any DIY process, you assume all risk and responsibility for any and all actions and outcomes, and obviously your mileage may vary.  Whichever direction you decide to go, I wish you the very best of luck in your cleaning endeavors!

Stage 1: Regaining the Upper Hand.

Once your website is compromised, you may find that you or your users are locked out, or that your content has been changed without your permission.  So the best first step is to regain control of your Domain/Hosting Provider account if you have one.  You can worry about the pending battle for the website itself later.  And make no mistake, this is indeed a battle, but it needn't be an uphill one.  So take a moment and think about what you plan to do.  If it helps, look at this process as a game of chess.  Some basic strategizing at this juncture will go a long way towards getting you to your goal more quickly and efficiently than rushing in without a plan.

Review your options and Hardening Strategies: I first investigated the other hardening tactics available from my Hosting Provider before I started retaking my website, such as only allowing logins to my account from an allow-list of verified IP addresses.  Other options that may be available to you include multi-factor authentication, which means that a password alone is not enough: you also need a second factor, such as a one-time code from an authenticator app or a hardware token, that helps prove you are who you say you are.  Configure the options that you feel comfortable with, but do not enable them quite yet.  (If you do use an IP allow-list, make sure the address you are connecting from right now is on it, or you will lock yourself out along with the intruder.)

Another hardening option that I chose to begin around that time was to start using a password manager to manage all of my passwords, for both applications and websites.  My choice in this case was LastPass, which I will detail towards the end of the article.   I bring it up here because the random password generator was a big help to me in getting through this entire "take back" process.  Luckily, I had been using the service for a few days when I discovered that I had been hacked, so this wasn't too hard to fold into my overall strategy.  Having this part set up and ready to go before you start will likewise improve your chances of succeeding quickly.

Lock down your Hosting Provider account: This involves ensuring that you have control of the horizontal and the vertical, like the old Outer Limits show's intro goes.   In this case, if you have a custom domain, then you have a Hosting Provider master account that you need to secure first.  Best to presume that the account has been compromised in some fashion and work with your Hosting Provider's staff.  Look for anything that changed recently, not just the password: the contact and recovery e-mail addresses on the account, any FTP/SFTP or SSH users, and the DNS records for your domain, since those are the things an intruder changes to keep a way back in.  My Hosting company deals with all interactions online, so I merely logged into my account to make sure that nothing had been changed recently.  Thankfully, in my case I was able to log in; the hackers hadn't wrangled access to that point yet.  If they had, I likely would not have been able to log into that account.  The first thing I did was change the account password.   And I didn't just choose any password, I chose a complex passphrase over 18 characters long, randomly generated by LastPass.  If you find yourself locked out, then you'll need to contact your Hosting company directly to request help.  Your Domain/Hosting Provider will likely want to verify that you are indeed the owner of the account and website, and then hopefully they will allow a password reset on your main account.

Once you're back in control of your Host account, enable the additional hardening options that you configured in the "Review your options and Hardening Strategies" section above.   Then proceed to the next step immediately.  The original hackers might begin to suspect that you are retaking control of your account, and may start fighting back at any time.  The sooner you complete this process, the better off you will be in this little war.  If you complete the entire process without them even noticing, that is the best possible outcome.  So don't lollygag!

Lock the website down: The next thing to do is attempt to access your infected/hacked website itself and lock it down as well.  If you are lucky enough to be able to log in, do not change your password just yet; instead, perform a quick audit of who has Admin access.   After all, what good does it do you to change your password if the hacker has an account with Admin access too?   If you find an Admin user that you don't know or trust, presume that they are a hacker and disable that account by changing it to a subscriber.  Remove everyone else's Admin access the same way, even for people who should have Admin access and whom you absolutely trust; this is intended to be a temporary status only.  You can do this from Users > All Users by clicking the Administrator filter, selecting everyone who is an Admin besides yourself, and using the "Change role to" dropdown to change them all at once.  While you are on that screen, also check that the total number of users matches what you expect, since an extra account with a lesser role is still a foothold.

Please note that, depending on your setup, this step may e-mail each affected user (core WordPress does not notify on a role change, but some plugins and multisite configurations do).  If the method of infiltration was a compromised account, the odds are good that the hacker gets that notification and suddenly becomes aware of your attempt to retake the website.

After confirming that you are the only Admin, so that no one can sneak in behind you and reset your password, you can change your own password.  Again, I recommend a passphrase rather than a password: several random words are easier to remember and far harder to crack than a short string.  Better yet, let the LastPass random password generator provide a new 18-character (or longer!) password that it will also remember for you.
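The same audit, done from a shell with WP-CLI instead of the dashboard. This is an added example, not code from the original post; it assumes WP-CLI is installed on the host, that WP_PATH points at the WordPress root, and that KEEP_LOGIN names the one account that stays administrator. It follows the order above (list the administrators, demote everyone else, only then rotate your own password) and goes one step further by ending the demoted accounts' sessions and shuffling the auth salts so every other cookie on the site stops working.

```sh
#!/bin/sh
# Added example, not code from the original post. Requires WP-CLI on the host.
# WP_PATH    = WordPress root, e.g. /var/www/html          (assumption)
# KEEP_LOGIN = the one login that remains administrator     (assumption)
set -eu

# admins_to_demote KEEP_LOGIN   (reads CSV "ID,user_login" with header on stdin)
# Prints the ID of every administrator except KEEP_LOGIN, one per line.
admins_to_demote() {
    keep="$1"
    tail -n +2 | awk -F, -v keep="$keep" '$2 != keep { print $1 }'
}

# audit_and_demote WP_PATH KEEP_LOGIN
audit_and_demote() {
    wp_path="$1"; keep="$2"

    # 1. Who holds the administrator role right now?  Look hard at any login,
    #    e-mail address or registration date you do not recognise.
    wp --path="$wp_path" user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered

    # 2. Demote everyone but KEEP_LOGIN to subscriber and end their sessions
    #    (a role change alone does not log an existing session out).
    wp --path="$wp_path" user list --role=administrator \
        --fields=ID,user_login --format=csv \
      | admins_to_demote "$keep" \
      | while read -r id; do
            wp --path="$wp_path" user set-role "$id" subscriber
            wp --path="$wp_path" user session destroy "$id" --all
        done

    # 3. Only now change your own password (random, shown once, no e-mail sent),
    #    then rotate the auth salts so every other cookie on the site is invalid.
    wp --path="$wp_path" user reset-password "$keep" --skip-email --show-password
    wp --path="$wp_path" config shuffle-salts
}

# Runs only when WP_PATH is set, so the file can also be sourced just for its functions.
if [ -n "${WP_PATH:-}" ]; then
    audit_and_demote "$WP_PATH" "${KEEP_LOGIN:?set KEEP_LOGIN to the admin account you keep}"
fi
```

Run it as `WP_PATH=/var/www/html KEEP_LOGIN=yourlogin sh audit.sh` from the host. The password printed by `reset-password` is the one you then store in your password manager; nothing is e-mailed, so there is no notification for an intruder to read.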


Stage 2: Determine how they got in.

You'll need some help to get this part of the job done, so grab the right tools and be sure you've downloaded and installed them before starting this process.  I had decided on downloading a few plugins that are free, powerful, and small, and I purposely began their download after I had changed my password above.  I also chose more than one because each has an area of specialty, and even if there is some duplication of services, it's always better to have more than one program in place to confirm the health of your website.  Think of it as having multiple doctors to go to for a diagnosis; a second opinion can be a great thing.   Installing these plugins will help you immensely and make your job a lot easier.

Now for the hardest part.  Before you skip ahead to Stage 3 and start cleaning your site, you have to know HOW they got into your site in the first place.   What vulnerability did they use against you?   Once you know what that vulnerability is, fix it so that they cannot use the same method again.   In my case, I was using a theme that utilized the TimThumb script.  So I decided to use a different theme entirely.   Problem fixed.  (TimThumb, timthumb.php, is an image-resizing script that many older themes bundled; its remote-image fetching could be abused to write PHP into its cache directory, and it was exploited very widely in 2011.  If this is your case too, check that no other theme or plugin on the site still ships its own copy of the script; swapping the theme only removes the copy you know about.)

Download and install the Wordfence plugin: This plugin acts like a perimeter fence, as the name implies, and helps keep your website safe by scanning it in several ways.  For the purposes of cleaning your site, run the Wordfence scan to identify which plugin, theme, or core files have been altered: it compares them against the copies in the WordPress.org repository and flags files that differ or that should not be there at all.   For example, while your site was compromised, a hacker may have edited one of your configuration files to add an additional control file that was to be his or her eyes and ears on your system.   Wordfence will find those files and alert you to their presence, allowing you to delete them as needed.   But don't delete them just yet.  Instead, look at Wordfence > Live Traffic to see who is accessing those files.  This will help you identify who is hijacking your website and which files you need to watch.
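A first-pass file triage for this stage, covering both checks above: whether any other theme or plugin still carries its own timthumb.php, and which files a scanner like Wordfence is going to flag (PHP dropped under wp-content/uploads, PHP modified recently, PHP wrapped in eval(base64_decode(...))). This is an added example; it is not code from the original post and not Wordfence's own logic. It assumes a standard WordPress layout under WP_ROOT, and the make_fixture function builds a constructed throwaway tree with those names so you can see the output before pointing it at a real install.

```sh
#!/bin/sh
# Added example, not code from the original post and not Wordfence's own logic.
# triage WP_ROOT [DAYS] prints "tag path" lines for the things to look at before
# deleting anything: copies of timthumb.php, PHP under wp-content/uploads,
# PHP modified in the last DAYS days, and PHP carrying classic obfuscation.
set -eu

# tag LABEL: prefix every path read on stdin with LABEL and a space
tag() { while IFS= read -r f; do printf '%s %s\n' "$1" "$f"; done; }

triage() {
    root="$1"; days="${2:-7}"
    {
        # 1. TimThumb copies: swapping the theme helps only if no other theme or
        #    plugin still ships its own copy of the script.
        find "$root" -type f -name 'timthumb.php' | tag timthumb
        # 2. PHP where only uploaded media belongs (a classic place for a web shell).
        find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) \
            2>/dev/null | tag upload-php || true
        # 3. Anything touched recently; injected code usually lands here.
        find "$root" -type f -name '*.php' -mtime "-$days" | tag recent
        # 4. eval(base64_decode(...)) and gzinflate(base64_decode(...)) are the
        #    two most common wrappers around injected PHP.
        find "$root" -type f -name '*.php' -exec grep -lE \
            'eval\(base64_decode\(|gzinflate\(base64_decode\(' {} + | tag obfuscated || true
    } | sort -u
}

# make_fixture: a throwaway tree that looks like a compromised install
# (constructed data for a dry run; prints the directory it created).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads/2019" \
             "$root/wp-content/themes/old-theme/lib" "$root/wp-content/plugins/gallery"
    printf '<?php // core file\n'              > "$root/wp-includes/functions.php"
    printf '<?php // TimThumb image resizer\n' > "$root/wp-content/themes/old-theme/lib/timthumb.php"
    printf '<?php // TimThumb image resizer\n' > "$root/wp-content/plugins/gallery/timthumb.php"
    printf 'GIF89a\n'                          > "$root/wp-content/uploads/2019/logo.gif"
    # the dropped file: eval of base64 "phpinfo();", a harmless stand-in for a shell
    printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' > "$root/wp-content/uploads/2019/shell.php"
    # age the legitimate files so only the dropped one counts as "recent"
    touch -t 201901010000 "$root/wp-includes/functions.php" \
        "$root/wp-content/themes/old-theme/lib/timthumb.php" \
        "$root/wp-content/plugins/gallery/timthumb.php"
    printf '%s\n' "$root"
}

# Point WP_ROOT at a real install to triage it (DAYS defaults to 7).
if [ -n "${WP_ROOT:-}" ]; then
    triage "$WP_ROOT" "${DAYS:-7}"
fi
```

For a dry run, source the file and call `triage "$(make_fixture)"`: the constructed tree yields two timthumb lines and three lines (upload-php, recent, obfuscated) that all point at the same dropped shell.php, which is exactly the convergence you want to see before deciding what a file is. On a real install, a file that shows up under only one tag is worth a look; one that shows up under three is your control file, and the Live Traffic view above tells you who has been using it.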

Stay tuned for Part-2, where we’ll cover Stages 3, 4, & 5 (“Let the Sanitizing begin”, “Begin Monitoring your Website traffic”, and “Raising the bar on your Existing Security Practices”).

