Cleaning a hacked WordPress site

Recently we were asked to work on a hacked website. A short summary of our work and suggestions follows.

First of all, if you suspect that your website was hacked, make sure to create a backup of you site immediately. Hosting providers are likely to delete the whole site as soon as they are informed about the hack. While this might seem surprising, they have to be extremely cautious with these things. Especially when it comes to shared hosting.

Wordfence and Sucuri are two security giants in the WordPress ecosystem. Both provide security plugins that are capable of running automated scans on your website and the results are promising, but not always sufficient.

Our approach for the security scanning was the following:

1. Checked with the hosting provider if they experienced anything unusual or hacks from other sites on the same shared hosting
2. Examined the server logs
3. Searched the folder structure for suspicious files
4. Searched the database for suspicious content
5. Analyzed which files were modified recently
6. Checked the users and permissions
7. Searched for backdoors

As it turns out, the attackers were able to hack the website due to a security issue with an outdated plugin. While the developers of the plugin fixed the issue and released an update, the site’s maintainer failed to apply them.

And that is why you should always make sure that the WordPress core and your plugins and themes are up to date. But this is not always as easy as it sounds. Compatibility issues are common and an update can easily break your site. Our maintenance packages take care of the updates, backups and security scanning so you can focus on your business. Be sure to check them here.

After a thorough investigation we removed the infected files and migrated the assets and data to a clean WordPress installation. While this requires additional effort, this way we could ensure that the site is secure.