It can be scary and stressful when your website is hacked, but it needn’t be a disaster.
If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, sometimes a website can get hacked more severely, meaning a “one-click” fix is not possible.
Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. While we can possibly fix some already hacked files after a plan is bought, we do rely on the site not being infected at the time of purchase and having a clean version to compare any changed files to.
This article will help guide you through the process of identifying and cleaning up a hacked site, as well as strengthening the site’s security to help prevent future hacks.
How to tell if your site has been hacked
The first step is confirming that your site has really been hacked, and isn’t just experiencing a more easily resolved error. The following issues are a good indication that your site has been hacked:
- Your site is redirecting to another website with malicious or spammy content
- Your site contains links to spam sites, which you did not add, and you can’t remove them
- You find pages on your site that you don’t recognize via a Google search
- Google shows warnings for your site, such as “This site may be hacked,” “Deceptive site ahead,” “The site ahead contains malware,” etc.
- You scan your site with a tool such as Jetpack Scan, and it detects security threats which can’t be resolved automatically
You can check if Google currently lists your site as unsafe with their Safe Browsing Site Status tool.
Cleaning a hacked site
If you’re sure your site has been hacked, you can follow these steps to resolve the issue:
1. Contact your hosting provider
Your host should be the first port of call, as they may be aware of a wider issue, especially if you are on shared hosting. In most cases, your host may be able to deal with the issue for you, saving you a lot of work.
2. Restore from a backup
If you have a backup of your site from before it was hacked, either from your host or with a dedicated backup service like Jetpack Backup, then restoring to that point may do the trick.
However, if the hack lies within files that aren’t included in the backup, then the issue may remain even after restoring the site.
It’s also worth noting that you could lose content added after the point you’re restoring to, so this may not be an ideal option and should be a last resort.
3. Cleaning hacked files
If your host is unable to assist, and restoring the site is not an option, then it’s time to do some detective work to find the source of the problem. Make sure you have a full backup of your site before starting this, as removing/editing your site’s files can make for even more work if something goes wrong.
First, check the results of any malware plugins or services you’re using. They may provide a list of suspicious files, which is a good starting point.
WordPress core files
If the affected file(s) are part of WordPress core, you can compare the code to a clean download from WordPress.org and remove any code that doesn’t belong there.
Another option is to completely reinstall WordPress to ensure all core files are clean. You can do that via Dashboard > Updates, by clicking ‘Re-install now.’ It sounds scary, but this will only replace the files at the very core of WordPress and will not remove or replace any of your content, media, themes, or plugins.
If the infection is a part of a theme, you can install a fresh copy if you’re using it or uninstall the theme completely if you’re not using it. If you’re unable to clear the threat through this method, you should contact your theme’s developer for guidance.
If the problem lies within a plugin, you can also install a fresh copy, or delete it if you’re not using it, as with the theme process above. Advanced users can determine whether a plugin installed or downloaded from the WordPress.org Plugin Repository has a threat in it by following these instructions:
- Check which file is affected
- Click “Edit this file” to see that plugin’s code
- Copy the URL slug of the plugin (e.g. “code-snippets”)
- Search for that plugin’s slug on WordPress.org
- Go to Plugin > Development > Browse the code
- Find “Tags”
- Open the tag matching your installed plugin version
- Locate the correct file and download it
- Open the file in a text editor
- Use “Find”: copy the entire code from step 2, paste it into the search box, and search
- If the code matches the plugin’s code from the WordPress.org Plugin Repository, you have a false positive and the plugin is working as intended! If not, we recommend consulting with an expert who can clean the site safely.
If the plugin is not in the Repository, you can contact the plugin’s developer and have them check the code identified as malicious by Jetpack Scan.
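The comparison against a clean copy described above, for WordPress core files and for a plugin, can be scripted instead of done by eye. The following is an added example, not Jetpack's or WordPress's own code; it assumes you have already downloaded and unpacked a clean copy of the same version, and the function names and demo file names are illustrative.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(installed: Path, clean: Path) -> dict[str, list[str]]:
    """Classify files of the installed copy against the clean reference copy."""
    have, want = tree_hashes(installed), tree_hashes(clean)
    return {
        # Same path, different bytes: diff these against the clean file.
        "modified": sorted(f for f in have if f in want and have[f] != want[f]),
        # Present on the site but not in the clean release.
        "unexpected": sorted(f for f in have if f not in want),
        # Shipped in the release but absent from the site.
        "missing": sorted(f for f in want if f not in have),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        # Constructed demo trees: one altered file and one extra file.
        with tempfile.TemporaryDirectory() as tmp:
            inst, clean = Path(tmp, "installed"), Path(tmp, "clean")
            for root in (inst, clean):
                root.mkdir()
                (root / "index.php").write_text("<?php // original\n")
            (inst / "index.php").write_text("<?php // altered\n")
            (inst / "extra.php").write_text("<?php // not in the release\n")
            report = compare_trees(inst, clean)
    for kind, files in report.items():
        for name in files:
            print(f"{kind}\t{name}")
```

Point it at a single plugin directory, or at wp-admin and wp-includes, rather than the whole site: wp-config.php and most of wp-content are not part of a clean WordPress download and would all be reported as unexpected.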
Not sure what the file is?
If you don’t understand the purpose of the affected files, you may need to consult an expert who can help you clean the site safely.
If you want to explore further and learn how to clean up various types of hacks, Google has an in-depth guide to cleaning hacked sites.
Tightening security after cleaning your hacked site
Once your site is free from malware, it’s important to follow these steps to secure your site, as failing to do so may leave your site open to another hack from the same point of vulnerability.
1. Make sure WordPress and all of your themes and plugins are kept updated
Outdated plugins, themes, and WordPress files are an extremely common source of vulnerability. Keeping them all updated to the latest version is one of the best ways to protect your site and keep it running efficiently. Also, be sure to fully uninstall any themes or plugins you are not using.
2. Reset all passwords
In case any of your passwords have been compromised, you should change your password for everything you can think of, including your:
- Hosting account
- Email accounts
- Website’s admin accounts
- FTP/SFTP/SSH credentials
- Database passwords
- The password to unlock any device you’ve edited your site with
Make sure you use a strong and unique password for each site, device, or program to avoid a domino effect if one is ever compromised.
3. Audit your site’s user accounts
Check your user list via Users > All Users inside your site’s dashboard and make sure there aren’t any administrator accounts that you don’t recognize. Remove any suspicious user accounts.
4. Update your WordPress secret keys
Your site’s wp-config.php file contains secret keys/“salts” which are used for encryption. You should generate new secret keys and replace the old ones in that file. Your web host may have an automatic tool on their side to do this.
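If your host has no tool for this, the replacement can be done with a short script. The following is an added example, not WordPress's or Jetpack's own code; it assumes the keys appear as ordinary `define()` lines, and `rotate_keys`, `new_secret` and the sample text are illustrative.

```python
import re
import secrets

# The eight key/salt constants WordPress defines in wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII that needs no escaping inside a single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")


def new_secret(length: int = 64) -> str:
    # secrets uses the operating system's CSPRNG, unlike the random module.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text: str) -> tuple[str, list[str]]:
    """Return (updated wp-config.php text, key names that were not found)."""
    missing = []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"""^(\s*define\(\s*['"]%s['"]\s*,\s*)(['"]).*?\2(\s*\)\s*;)""" % name,
            re.MULTILINE,
        )
        value = new_secret()
        # A function replacement keeps backslashes and group syntax literal.
        config_text, count = pattern.subn(
            lambda m: f"{m.group(1)}'{value}'{m.group(3)}", config_text, count=1
        )
        if count == 0:
            missing.append(name)  # report it so the line can be added by hand
    return config_text, missing


# Constructed sample; a real wp-config.php carries all eight lines.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define('NONCE_SALT', "old-value");
"""

if __name__ == "__main__":
    updated, not_found = rotate_keys(SAMPLE)
    print(updated)
    print("not found:", ", ".join(not_found))
```

Replacing the keys invalidates existing login cookies, so every user, including anyone using a stolen session, has to log in again.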
5. Scan your site regularly
The measures above will help keep your site safe, but nothing is 100% guaranteed, so you should use an automated scanning service such as Jetpack Scan to make sure you are alerted to any future security threats and can deal with them quickly.
Removing your site from “unsafe” lists
If your site is listed as unsafe by Google or McAfee, then you will likely still see warnings on your site even after the hacked files have been cleaned or even removed.