How to recover your Hacked WordPress Site (Part-2)


Have you read How to recover your Hacked WordPress Site (Part-1) yet?

Stage 3: Let the Sanitizing begin.

Once you’ve identified the “vector”, the angle the hackers used to compromise your website, you can get to work plugging the holes. Wordfence keeps a massive archive of every known WordPress theme and plugin. For legitimate configuration files that were simply tampered with along the way, you can re-download a known-good version of the file from the Wordfence archives. Delete the files that don’t belong on your website at all. Keep fixing the files that are infected and deleting the ones that don’t belong until your site is once again clean. If your hacker wasn’t yet aware of your attempt to take back your account and website, they will probably realize it soon. Keep moving!
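The “fix the infected files, delete the foreign ones” loop above is easier to do reliably when you compare the installed copy of a plugin against a known-good copy file by file. The script below is an added example, not code from the original post or from Wordfence: it hashes both trees with SHA-256 and reports which files were modified, which are extra (present on the site but not in the known-good copy) and which are missing. The plugin name, the paths and the file contents are constructed sample data; in practice the known-good copy would be the matching version downloaded from the Wordfence archive or the plugin’s official release.

```python
"""Added example (not part of the original post or of Wordfence): compare a
WordPress plugin directory against a known-good copy by SHA-256 and report
modified, extra and missing files."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every file under root (path relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(installed, known_good):
    """Classify the installed files: unchanged, modified, extra (not in the
    known-good copy) or missing (in the known-good copy but gone from the site)."""
    have = hash_tree(installed)
    want = hash_tree(known_good)
    return {
        "unchanged": sorted(f for f in have if f in want and have[f] == want[f]),
        "modified": sorted(f for f in have if f in want and have[f] != want[f]),
        "extra": sorted(f for f in have if f not in want),
        "missing": sorted(f for f in want if f not in have),
    }


def build_demo(base):
    """Construct a tiny plugin (constructed sample data, not a real plugin) as a
    known-good copy and as an 'installed' copy that has been tampered with."""
    good = base / "known-good" / "example-plugin"
    live = base / "wp-content" / "plugins" / "example-plugin"
    for root in (good, live):
        (root / "includes").mkdir(parents=True)
        (root / "example-plugin.php").write_text("<?php\n// plugin bootstrap\n")
        (root / "includes" / "helpers.php").write_text("<?php\nfunction helper() {}\n")
        (root / "readme.txt").write_text("Example plugin\n")
    # Tamper with the installed copy: one edited file, one foreign file, one deleted file.
    with (live / "includes" / "helpers.php").open("a") as handle:
        handle.write("// unexpected edit\n")
    (live / "includes" / "extra.php").write_text("<?php\n// file that is not part of the plugin\n")
    (live / "readme.txt").unlink()
    return live, good


def run_demo():
    """Build the sample trees in a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, good = build_demo(Path(tmp))
        return audit(live, good)


if __name__ == "__main__":
    for category, files in run_demo().items():
        print(f"{category:>9}: {files}")
```

Point `audit()` at a real plugin directory and its freshly downloaded twin to get the same four lists; a “modified” entry is a file to restore from the known-good copy, an “extra” entry is a file to inspect and most likely delete, and a “missing” entry is worth noting because an attacker sometimes removes files (readme.txt, for instance) to hide which version is installed.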

Download and install the “BPS Security” Plugin: To continue the perimeter fence analogy I alluded to previously, BPS Security (Bullet Proof Security) acts like a guard dog walking along the inside of your perimeter fence, keeping out all the hackers who would like to subvert your content without your permission. One of the key concepts behind today’s websites is that the web server reads special per-directory configuration files called .htaccess, which can reside in each directory. They designate what the server will serve from a given folder/directory or subfolder/subdirectory and who is allowed to access it. Leaving these files with default settings can be just the vulnerability that a hacker is hoping to find and abuse. BPS Security semi-automatically locks these files down, which in turn locks down the folders and directory structure of your website.

Download and install the “Online Backup” Plugin: I will presume that you are keeping a backup on your computer of all the blog entries that you have ever created. You are backing them up, right? Anyway, this program will create a full or partial backup of your website in its entirety and store it in the cloud. This way, if your website is corrupted in the future and the backup on your computer can’t be found to restore it, this extra little insurance policy will come in handy. Obviously, you should only bother backing up your website AFTER you have completely cleaned it of all known vulnerabilities.

Now your website should be fairly clean (if not entirely clean) by the time you are finished installing Wordfence and performing however many rescans it takes to come up with a clean bill of health.

Download and install the “Sucuri Free” plugin: This is the proverbial second opinion that will help you confirm that your site is malware-free. This company will also clean your malware infection for a subscription fee. Identifying whether or not you are still infected is a free service, though, which is why I selected them as the second opinion.


Stage 4: Begin monitoring your incoming traffic.

With Wordfence installed and your website now clean, it’s time to start blocking the hackers from being able to readily access your site in the future. This isn’t a guaranteed process, because hackers are, by their very nature, a stubborn breed. Respect your opponent. The intent here is not to anger them, just to make your website as unappealing to them as possible. There will always be other websites that are easier for them to go after once you’ve hardened/secured yours. So if they determine that they’ve been kicked out of your website, then find that the previous vulnerabilities have been patched, or better still find that they are blocked from reaching your site in the first place, then hopefully they will move on to more fertile fields.

To start this particular strategy, go to your Admin menu, hover over Wordfence, and select Live Traffic > Logins and Logouts. This lists all of the IP addresses that have accessed your website and which usernames they attempted to log in with. When you see someone from Russia trying to access your login, and you live in Miami, Florida, then it’s safe to presume that this is a hacker. Block them by clicking on the Block link. Sadly, this is only a temporary fix that lasts for only 5 minutes. That gives you enough time to block between five and ten of the IPs before you then click on Wordfence > Blocked IPs and click on the Block Permanently link. Repeat as many times as needed to block those that keep trying to use forged credentials or known bad accounts. Bear in mind, the hacker need only pick up their laptop and walk to the nearest coffee shop to pick up a new IP address, so choose your battles carefully. If you have reset your password to a highly complex passphrase, then it becomes very hard if not impossible for them to crack it. Most hackers will give up after about 24 to 48 hours.


Stage 5: Raising the bar on your existing Security Practices

Now that your website is mostly restored back to normal, we have some time to go back and address some additional security aspects that you’ll need to consider.

A really big step in this direction is to remove any default usernames like “Admin” or “Administrator”. As you can see from Wordfence > Live Traffic > Logins and Logouts, these are the two most common guesses by hackers as to what your admin account name is. Let’s tweak the Wordfence configuration to be a little more proactive on security.

Once the default admin accounts are removed, drill down in Wordfence > Options, go to the section Login Security Options and enable the option Immediately block the IP of users who try to sign in as these usernames. Add the default usernames Admin and Administrator to the text field, as well as any forged account names that you found in your admin audit above. Be sure to select the Save Changes button when you are done.

Next, I noticed from the Wordfence e-mail notifications that the hackers were trying an Admin account that didn’t exist, with many different guessed passwords, before they were locked out (the option Lock out after how many login failures). So we can reduce the number of guesses allowed before the hacker is booted. I dropped the number from 20 down to 3. You can make this a temporary change to an artificially low number (3) and then raise it again after the initial round of attacks trends back down, so as not to punish the average user. After the threat is resolved, you can raise it back up to something like 6 or 8 if you’d like.

I also adjusted the period of time over which the login failures are measured (Count failures over what time period). If that period is short (e.g. 5 minutes), a hacker who spreads her attempts across a wider stretch of time (e.g. 60 minutes) can potentially fit more attempts (10 to 12) into each hour without ever tripping the lockout. A longer period therefore shrinks their attack window. Along the same lines, you can impact the hacker most significantly by choosing the time frame most conducive to forcing them to go elsewhere with the option Amount of time a user is locked out. The default is, I believe, 5 or 10 minutes. I chose 2 days, which might be harsh for a regular user who falls into this particular trap, but this is most likely to impact only the hackers. You know your user base best, so make your decision accordingly.
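The three settings discussed above (failures before lockout, the period they are counted over, and the lockout duration), together with the forbidden-username block from the previous section and the “who is hammering my login” view from Stage 4, interact in ways that are easier to see by replaying some login attempts through them. The script below is an added example, not code from the original post or from Wordfence, and its bookkeeping (a sliding window of failures per IP, counter reset on lockout) is a simplified model rather than Wordfence’s exact algorithm. The log lines are constructed sample data using documentation IP ranges; the log format is invented for the example. `worst_case_guesses_per_day()` puts numbers on the reasoning in the paragraph above for any combination of the three settings, not just the two the post mentions.

```python
"""Added example (not part of the original post or of Wordfence): replay a
sample of login attempts through the three lockout settings the post tunes,
plus the forbidden-username rule, and compare the settings numerically."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges) in the invented shape:
# "date time ip username result"
SAMPLE_LOG = """\
2016-03-01 10:00:01 203.0.113.5 admin FAIL
2016-03-01 10:00:02 203.0.113.5 admin FAIL
2016-03-01 10:05:00 198.51.100.7 editor FAIL
2016-03-01 10:20:00 198.51.100.7 editor FAIL
2016-03-01 10:40:00 198.51.100.7 editor FAIL
2016-03-01 10:55:00 198.51.100.7 editor FAIL
2016-03-01 11:10:00 192.0.2.9 jane FAIL
2016-03-01 11:10:30 192.0.2.9 jane OK
"""


def parse(lines):
    """Yield (timestamp, ip, username, succeeded) tuples from the sample format."""
    for line in lines.splitlines():
        if line.strip():
            date, time, ip, user, result = line.split()
            yield datetime.fromisoformat(f"{date} {time}"), ip, user.lower(), result == "OK"


def evaluate(lines, max_failures=3, window_minutes=60, lockout_minutes=2 * 24 * 60,
             banned_users=("admin", "administrator")):
    """Return one decision per attempt, applying: immediate block for banned
    usernames, lockout after max_failures failures within a sliding window,
    and rejection of anything from an IP while its lockout lasts."""
    window = timedelta(minutes=window_minutes)
    lockout = timedelta(minutes=lockout_minutes)
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures still in the window
    locked_until = {}                      # ip -> when its lockout ends
    decisions = []
    for ts, ip, user, ok in parse(lines):
        if ip in locked_until and ts < locked_until[ip]:
            decisions.append((ts, ip, "rejected: locked out"))
            continue
        if user in banned_users:
            locked_until[ip] = ts + lockout
            decisions.append((ts, ip, f"blocked: tried forbidden username '{user}'"))
            continue
        if ok:
            recent_failures[ip].clear()
            decisions.append((ts, ip, "allowed"))
            continue
        window_failures = recent_failures[ip]
        window_failures.append(ts)
        while ts - window_failures[0] > window:   # drop failures older than the window
            window_failures.popleft()
        if len(window_failures) >= max_failures:
            locked_until[ip] = ts + lockout
            window_failures.clear()
            decisions.append((ts, ip, f"locked out: {max_failures} failures within {window_minutes} min"))
        else:
            decisions.append((ts, ip, f"failure {len(window_failures)} of {max_failures}"))
    return decisions


def worst_case_guesses_per_day(max_failures, window_minutes, lockout_minutes):
    """Upper bound on password guesses one IP gets per day under these rules:
    either burst to the limit and sit out each lockout, or stay one failure
    under the limit per window so the lockout never fires."""
    return {
        "burst_then_wait": max_failures * 1440 / lockout_minutes,
        "stay_under_threshold": (max_failures - 1) * 1440 / window_minutes,
    }


if __name__ == "__main__":
    for ts, ip, action in evaluate(SAMPLE_LOG):
        print(ts, ip, action)
    print("default-like 20 / 5 min / 5 min:", worst_case_guesses_per_day(20, 5, 5))
    print("post's choice 3 / 60 min / 2 days:", worst_case_guesses_per_day(3, 60, 2 * 24 * 60))
```

With the post’s settings (3 failures, 60 minutes, 2 days) the sample’s `editor` guesser is locked out on the third attempt at 10:40, while with a 20-failure, 5-minute configuration the same 15-minute spacing never accumulates more than one failure in the window and the guesser is never locked out. The per-day bound makes the same point: 3 / 60 min / 2 days leaves at most 48 guesses a day for an IP that stays just under the threshold, against over 5,000 for 20 / 5 min / 5 min, which is why the counting period matters as much as the failure count.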

Now that the site is hopefully mostly cleaned up, this is also the time to re-enable those legitimate staff accounts that you originally disabled. Don’t just re-enable them automatically. Have a look at the contents of each profile, checking the accounts carefully to ensure that all of the details (e.g. the e-mail address) are correct based on any supporting records and the best of your recollection. Then change their password too. Use this opportunity to communicate with them through alternate channels that their account password was changed and that they are required to pick a passphrase instead of a password. This way, you can confirm that your alternate methods of communication (mobile telephone number, Twitter DM, Skype, etc.) are diverse enough to survive another emergency. If you can’t get hold of them, then you need to consider adding additional methods of communication…

Limit the number of Admins to as few as you can safely operate with. Having too many Admin accounts means that someone could slip up and leave their system open, or worse, give out their admin password, leaving the door wide open for a future attack. Limiting the number of Admins ensures that you retain the freedom to access and manage your accounts easily, while still keeping some significant security policies in place to keep the hackers out.

After they have logged in and changed their password, you can discuss exactly what level of responsibility they want. Some folks, when confronted with the additional responsibility of being an Admin, suddenly decide that they are perfectly content being an Editor, or just a Contributor.


Stay tuned for Part-3, where we’ll cover Stage 6 “Getting back to (almost) business as usual.”, the final stage in our “How to recover your Hacked WordPress Site” series.
