Restoring Your WordPress Website After It Got Hacked
So Your WordPress Website Got Hacked!
Hopefully you implemented our essential WordPress security tips before your site was hacked. But just in case you are reading this post after the fact, we don’t want you to give up hope. In most cases your WordPress site can be restored after it was compromised. It may take a little time, and it may cost money if you hire a professional to help you. But it can be done.
Restoring Your WordPress Website
The first step in restoring your WordPress website is to realize that your site was actually compromised. While certain hacks are easy to spot immediately, other signs that your WordPress site was compromised are harder to spot. In some cases you will not even notice anything wrong as a logged-in user, but your website visitors certainly will.
7 Signs Your WordPress Site Has Been Hacked
Most WordPress sites face hacking attempts over time. And in most cases, you will notice right away that your site was compromised. But there are instances when you may not realize it for quite some time. If you are not sure if your WordPress site was hacked, you should look for these 7 telltale signs:
1 – You Are Unable to Log In
This is a pretty obvious sign, unless you completely forgot both your username and password. If you are no longer able to log in to your WordPress admin dashboard, it means you’ve been hacked. There can be many reasons for this, but usually the main reason is a weak username and/or password.
2 – You Receive a Ransom Request
In 2019 ransomware is frequently the result of a compromised website. The hacker inserts code that prevents you from accessing your website information and requests a payment before your content will be restored. Most often this type of ransom involves untraceable bitcoin payments.
3 – A Sudden Drop in Website Traffic
A frequent reason for hackers to target your website is to redirect your website traffic to other websites. Most often these are low quality or spam sites. For this reason, Google penalizes and blacklists sites that contain spammy links or direct to spammy web sites.
4 – Your Website Looks Different
Another obvious sign your website got hacked is a change in appearance. It may simply be some inappropriate content or images on your home page, or a simple note that you have been hacked. Some spammers hack sites simply to feed their own ego. The results in this case are usually more short term rather than long-lasting damage.
5 – Your Content Has Changed
In some cases, hackers add new, and most often inappropriate, content to your website pages, or create new pages. A very common example is finding porn on your website. Other forms of malicious content include fake comments or reviews, products or services you don’t actually offer, and changed business info such as your contact info or business location.
This usually leads your visitors to spam websites, which not only damages your website and impacts your website traffic, but also your online reputation.
6 – New Pop Ups and Other Unwanted Ads
This is a particularly nasty form of hacking a WordPress site. Even worse, this type of compromise usually does not involve a hacker, but an automated attack that penetrated your WordPress core system either through a weakly protected theme or an insecure plugin. This can make it almost impossible to notice that your site has been hacked.
Most often website owners simply notice that their site has become very slow, or even completely unresponsive. The ads won’t show up for logged-in users or users who access your site directly. Instead, the malicious content only shows up for those visitors who come to your site via Google or another referral site or direct link.
7 – Unusual Activity in Your Server Logs
Sometimes hackers gain access to your WordPress site not to hurt your business or demand ransom. Instead they want to use your WordPress website for other purposes. Common examples include botnets, where your site is being used to spam other sites, and even certain forms of bitcoin mining.
Most website owners notice this type of compromise simply by looking at their server logs. Server logs are located in your cPanel, which can be accessed by logging in to your hosting account. In cPanel, under statistics, you’ll find two kinds of logs:
- Access Logs: these logs show you who accessed your WordPress through which IP.
- Error Logs: these logs show you what errors occurred during modification of your WordPress system files.
Using this information, you can tell if your WordPress website was hacked. You can also use this information to blacklist or block those IPs which are not from your location or are unknown.
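As an added example (not part of the original post), the Python sketch below shows the kind of review the access log supports: it counts POST requests to the WordPress login endpoints per IP and lists requests for PHP files under the uploads directory. The "combined" log format, the threshold of 5, and the sample lines (constructed, using reserved documentation IP ranges) are assumptions.

```python
import re
from collections import Counter

# Assumed format: Apache "combined" access log, as commonly offered by cPanel.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample lines; nothing here comes from a real server.
_FMT = '{ip} - - [12/Mar/2019:02:14:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
SAMPLE_LOG = "\n".join(
    [_FMT.format(ip="203.0.113.7", s=s, req="POST /wp-login.php", st=200) for s in range(5)]
    + [
        _FMT.format(ip="203.0.113.7", s=5, req="POST /wp-login.php", st=302),
        _FMT.format(ip="198.51.100.20", s=9, req="POST /wp-login.php", st=302),
        _FMT.format(ip="192.0.2.44", s=12, req="GET /wp-content/uploads/2019/03/constructed.php?x=1", st=200),
        _FMT.format(ip="198.51.100.20", s=15, req="GET /wp-admin/", st=200),
    ]
)


def analyze(log_text, threshold=5):
    """Flag repeated login POSTs per IP and PHP requests under uploads."""
    login_posts = Counter()
    login_redirects = Counter()
    upload_php = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        ip, method, status = match["ip"], match["method"], match["status"]
        path = match["path"].split("?", 1)[0]
        if method == "POST" and path in LOGIN_PATHS:
            login_posts[ip] += 1
            # Heuristic: wp-login.php re-displays the form (200) on a failed
            # login and redirects (302) after a successful one.
            if status == "302":
                login_redirects[ip] += 1
        # The uploads directory normally holds media, not executable PHP.
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            upload_php.append((ip, path, status))
    noisy = {ip: n for ip, n in login_posts.items() if n >= threshold}
    return {
        "repeated_logins": noisy,
        "followed_by_redirect": sorted(ip for ip in noisy if login_redirects[ip]),
        "php_in_uploads": upload_php,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

An IP that appears under both `repeated_logins` and `followed_by_redirect` deserves the closest look, since many attempts ending in a redirect is the pattern a guessed password leaves behind.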
3 Ways to Restore Your WordPress Website After It Got Hacked
Once again, hopefully you followed our essential WordPress security tips before your WordPress site or e-commerce store was compromised or hacked. If you are reading this after the fact there are certain steps you can take to recover your site.
If your WordPress website got hacked, don’t panic and follow the steps below to bring it back to normal.
Restoring your WordPress Website From a Backup
In our essential WordPress security tips we mentioned the importance of regular backups. This is by far the most effective and fastest way to restore your WordPress website after it has been hacked.
The first step is to locate your most recent backup. You should never keep the actual backup files on your website. They will either be gone, or corrupted, when you need them most. Instead you should always store your backups at a remote location. Here are the three most common options:
Inside your WordPress Backup Plugin
If you’ve installed a WordPress backup plugin, chances are they’ve stored a backup of your site on their own cloud service or on a cloud service like Google Drive or Dropbox.
In Your Own Cloud Backup Account
Check out your Google Drive, Dropbox or other cloud services if you have a manual backup of your website you might have put there by yourself.
With your WordPress Hosting Provider
If you didn’t invest in a WordPress backup plugin or were too lazy to manually back up your website, your last bet is to contact your hosting provider, since it’s highly likely that they also regularly create a backup of your website on their server.
Once you locate a recent backup from one of these places, you’re good to go. All you have to do is restore your website either manually or using the same plugins where you created the backup, or by requesting your hosting provider to do so.
Restoring Your WordPress Website Without a Backup
OK, so you don’t have an existing WordPress backup. While that is not exactly great, you can still restore your WordPress website; it will simply require a few extra steps.
If You Can Access Your WordPress Admin Dashboard
The first step in restoring your WordPress website without a backup is to determine if you can still log in to your WordPress dashboard. If you are able to gain access to your WordPress website, you are one big step closer to restoring it.
Removing Infected Files
The next step in restoring your WordPress website is to remove any infected files. In some instances, Google or your WordPress web host will let you know when you’ve been hacked and provide you with a list of hacked and infected files.
If you do not know which of your WordPress files actually got infected, you can run a scan of your website using Wordfence or Sucuri, which will provide you with the info you need to clean and disinfect your WordPress site and installation.
Once you know which files have been corrupted or infected, the final step in restoring your WordPress website is removing the affected files.
In some cases, you will actually need to update your entire WordPress installation. This is actually easier than it sounds.
In your WordPress admin dashboard go to “Updates.” You will notice the current version of WordPress installed on your site. Below that is a button to “Re-Install WordPress.” That will reinstall the most recent version of WordPress on your site.
Replacing Infected Themes and Plugins
The final step in restoring your WordPress website is to replace infected themes and plugins with new fresh copies as well. Let’s start with your WordPress theme. You should always have at least two WordPress themes installed, your active theme, and a backup theme.
We recommend using the latest WordPress theme, which currently is the Twenty-Nineteen WP Theme. Delete the version you have on your website as it may be infected as well and download and activate a fresh copy.
Since you cannot update an active theme, make your backup theme active. This will enable you to delete your potentially infected WordPress theme. Then you simply need to install and activate a fresh copy of your primary theme. If you purchased it yourself from a trusted WordPress theme repository, you can locate and download a fresh copy there. Otherwise you need to ask your web developer or agency for a fresh copy.
To replace your plugins, you must first deactivate and delete any existing plugin from your WordPress site. Once you have done that you can download and activate fresh copies of each plugin.
And this will complete your WordPress website restoration if you can still access your admin area. If not, things get a bit more difficult.
Restoring Your WordPress Website if You Are Locked Out
If you are not able to access your site at all, restoring your WordPress website will be a much more complicated process. It is still possible, of course, but you may want to ask your WordPress web designer or agency for help at this point. We certainly don’t want to scare you, but things can get tricky here.
Determine Which Files Were Infected
If you already have a list of infected or corrupted files you can skip this step. Otherwise please read on.
If your web host did not already provide you with a list of infected or corrupted files you need to contact your WordPress hosting provider. In some cases, they may not be willing to provide you with the info you need for restoring your WordPress website. This is most often the case with low-cost hosting providers, which is why we recommend reputable WordPress hosting. But you need to be both persistent and polite, and you will eventually receive the info you need to proceed.
Replacing Infected or Corrupted Files
Once you know which files you need to replace, you can begin the process of doing so. In most cases all you have to do is log in to your cPanel and access your File Manager. Once you are there you can simply delete the infected files.
We do have to warn you that this step in restoring your WordPress website may require you to delete entire plugins, and even your WordPress themes. But don’t be overly concerned. As described above you can always replace themes and plugins, so this should not be a huge problem.
Restoring WordPress Core Files
Most likely restoring your WordPress website after it got hacked will require deleting a few WordPress core files as well. Unfortunately, there is no way around that in most cases. This means you will need to replace these files as well. Be careful that any core files you have to replace are from the same version of WordPress as your WordPress site. Otherwise you will simply break your site!
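As an added example (not from the original post), the Python sketch below compares the core files of an install against a clean copy of the same WordPress version and reports which files were modified, are missing, or do not belong to core. It assumes you have unpacked a clean copy locally; the directory contents built in `demo()` and the version string in them are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Site-specific paths that a clean core download does not contain.
SKIP_PREFIXES = ("wp-content/",)
SKIP_FILES = {"wp-config.php", ".htaccess"}
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def wp_version(root):
    """Read $wp_version from wp-includes/version.php."""
    text = (Path(root) / "wp-includes" / "version.php").read_text(errors="replace")
    match = VERSION_RE.search(text)
    return match.group(1) if match else None

def hash_tree(root):
    """Map each core file's relative path to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not rel.startswith(SKIP_PREFIXES) and rel not in SKIP_FILES:
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_core(site_root, clean_root):
    """Compare a live install with a clean copy of the same WordPress version."""
    if wp_version(site_root) != wp_version(clean_root):
        raise ValueError("clean copy is a different WordPress version")
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "missing": sorted(f for f in clean if f not in site),
        "unexpected": sorted(f for f in site if f not in clean),
    }

def demo():
    """Build two small constructed trees and compare them."""
    core = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-login.php": "<?php // login form",
        "wp-includes/version.php": "<?php $wp_version = '5.1.1';",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        (site / "index.php").write_text(core["index.php"] + " // constructed change")
        (site / "wp-login.php").unlink()
        (site / "wp-includes" / "constructed-extra.php").write_text("<?php // not in core")
        (site / "wp-config.php").write_text("<?php // site-specific, skipped")
        return compare_core(site, clean)

if __name__ == "__main__":
    print(demo())
```

Files listed as `modified` or `missing` are the ones to replace from the clean copy, and anything listed as `unexpected` should be inspected before it is deleted.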
Rebuilding Your WordPress Website
Once you regain access to your WordPress admin dashboard the next step in restoring your WordPress site may involve rebuilding some or all of your WordPress website. The first thing you need to do is to check if your WordPress site is still fully functional. Make sure that your navigation menu is functional, you have a working contact form, and all your pages are visible and accessible.
If you have an e-commerce site, you also need to check that your shop pages are working correctly. This includes your shop page as well as individual product pages, product categories, your shopping cart and payment gateway, and any other e-commerce options such as related products, wishlists, etc.
Be sure to check everything carefully, rather than simply looking for missing items. Plugins especially may contain malicious code, which is why we highly recommend replacing them as part of your WordPress restoration efforts. You may lose some data, at least initially, but that is a relatively small price to pay for getting your site back to normal.
Replacing Your WordPress Content
In some cases, hackers will replace your existing website content with everything from links to spammy websites, false or misleading text content or product descriptions and reviews, to images depicting pornography. Therefore, it is essential that you make sure to check all your web content as part of your WordPress restoration. Replace anything that appears different with your original images and text. And be sure to check all links actually point to the intended sites and pages.
After Restoring Your WordPress Website You Must Do This!
Once you have completed restoring your WordPress website, there are a few more things you need to do. If you have been blacklisted by search engines or your WordPress host, you need to contact them to be removed from these lists.
Be sure to change all of your login info to more secure versions as outlined in our essential WordPress security tips. After going through the effort, not to mention headache, of restoring your WordPress website after it got hacked, we are certain you don’t want to go through all that again.
And here are a few things we recommend to add an extra layer of protection to your WordPress site moving forward.
Update all Usernames and Passwords
Once you restore your WordPress website you must update your WordPress username and password. The restore includes the same info your hacker used to gain access to your site in the first place! If your WordPress site was recently hacked, doing this is a good idea since it’s the best way to protect yourself from future attacks.
Another way you can protect your website from being attacked again is by hiding the ‘wp-admin’ directory and by limiting the number of login attempts which can be made to enter your WordPress.
Remove Unused or Outdated WordPress Themes and Plugins
It pays to repeat this again: WordPress themes and plugins are the easiest way hackers gain access to your website. Therefore, after you successfully restore your WordPress site the next step in our WordPress security tips is to carefully review all themes and plugins on your WordPress site. Here is what you should look for.
Unnecessary and unused WordPress themes and plugins leave your website vulnerable to further attacks. The first thing you want to do is browse the list of plugins and themes you have and delete the ones you haven’t used in a long time, especially the deactivated ones. Even a deactivated plugin can provide easy access for hackers.
You should also check if your plugins have been recently updated, and how many sites are actually using them. A plugin that is used by 100,000+ sites and was updated two weeks ago is usually not a big security risk. But if the plugin was last updated over 6 months ago it may no longer be supported by the developer, which means it is not prepared for more recent vulnerabilities.
A Warning About Free WordPress Themes and Plugins
Part of our WordPress security tips is to warn you once again about using free themes. Yes, we understand that free is very appealing to especially small business owners. But keep in mind that you get what you pay for! And free themes are hardly ever supported or updated and present a very significant WordPress security risk. If you’re using a free WordPress theme, consider upgrading to its paid version or another paid theme as those provide better security for your WordPress site.
Update All WordPress Themes and Plugins
Next on our WordPress security tips list is to make sure that you update all your WordPress themes and plugins. If your WordPress website was compromised because of a recent security flaw, chances are the theme or plugin developer has released an update including a security patch.
Make a Full Backup of Your Restored WordPress Site
This tip is frequently overlooked, which is why we wanted to make sure to remind you as part of our WordPress security tips. Once you have restored your hacked WordPress site and followed all the above recommendations, be sure to make a new complete backup. That way you have all updates and WordPress security fixes, just in case something goes wrong again.
Securing Your WordPress Site from Further Attacks
4 Bonus WordPress Security Tips
We want to round out our essential WordPress security tips to help you protect your WordPress website even more. By following all of our above recommendations you already have created a secure WordPress site. But here are a few bonus WordPress security tips to make your WordPress website extra secure.
Tip # 1: Enable Two-Factor Authentication.
If you’ve shared the password to your WordPress backend with multiple people, you should enable two-factor authentication for each one of them (including yourself).
Two-factor authentication ensures that even if your WordPress login details get leaked by someone, no hacker is able to enter your dashboard without you knowing an attempt was made.
Tip # 2: Use a Reputed WordPress Hosting Provider
Another one of our bonus WordPress security tips is not to skimp on your WordPress hosting. Security vulnerabilities on hosting providers cause a significant number of hacked websites. Therefore, make sure you host your WordPress website with one of the best WordPress hosting providers for 2019.
Unfortunately, many hosting providers fail to provide the high level of security needed to keep your site safe. Most WordPress websites were hacked due to a security vulnerability on the platform where the site was hosted.
Tip # 3: Install an SSL Certificate
Not only is this a Google requirement in 2019; SSL Certificates also add an additional layer of trust and transparency to your WordPress website or e-commerce store. Most WordPress hosting providers provide and install free SSL Certificates.
Tip # 4: Invest in a Firewall Solution
A firewall will block any suspicious network traffic from getting inside your WordPress website. For that reason, most WordPress hosting providers include it. If you are not sure ask your service provider.
Final Thoughts on Restoring your WordPress Website
Hopefully you will never have to restore your WordPress website. If you follow some basic WordPress security tips your online presence should be sufficiently protected from online threats. But do not be lulled into a false sense of security here. WordPress attacks can and do happen.
Therefore we recommend that you keep our tips for restoring your WordPress website handy, just in case! If your WordPress website or e-commerce store does get hacked, you can rest assured that you will be able to quickly restore your online presence to complete functionality and appearance.
But we do need to caution you. WordPress security needs to be an ongoing concern and effort of yours, not a one-time task. For this reason, we recommend that you keep best practices in mind as you work on and update your site over time. You may never completely keep intruders at bay. But at least you will make penetrating your WordPress site much harder for them. We are here to help.
Did Your WordPress Website Get Hacked?
Did you suffer from a recent attack on your WordPress website? Was your WordPress site hacked, infected with malware, or experienced another form of website intrusion? If so, how did you restore your WordPress website? And how did that go for you? Or do you have any other WordPress security questions or concerns? Please feel free to let us know so our audience can benefit as well, and grab our feed so you don’t miss our next post! And feel free to share these essential WordPress security tips with your audience!
Thank you! We appreciate your help to end bad business websites, one pixel at a time!
Espresso Digital Blog