How to recover WordPress after your site has been Hacked

May 5, 2016

unhack-wordpressIt’s one of the worst calls you can get: “I’m sorry but your website has been hacked…”. Just a few years ago websites rarely had these kinds of problems as they were mostly simple HTML pages. Today it’s rare not to find a website without a database driven CMS behind it. What most people forget is that means it’s actually a software application and as such it needs to be patched! But it’s too late for that now, your site is toast, so now what? In this article we’ll look at WordPress specifically as it’s the most commonly hacked site we tend to see these days. In most cases when a WordPress site is hacked, it is because it’s not running the latest secure version of WordPress, theme, or one of the plugins that has been installed is outdated. That’s how the hackers (botnets really) exploit websites. When this happens, they will inject malicious code in your PHP scripts all over the site, it can make it very hard to clean up manually after the fact. It’s not impossible but if you are going to go this route, hire a professional, it’s not as simple as it looks.

Your Best Option:
If you have been proactive, the best solution is to make a new webspace and then load the site you have in your staging area to the new production environment but, if you are reading this, it’s most likely that isn’t an option or you would have done so already.

Second Best Option:
The second best option would be to restore the site from a last known good backup. If you are hosting with us you are in luck because for all our shared hosting customers we offer 90+ days of rolling backups (more than anyone else in the rest of the hosting world!)

Hire a Pro:

We’ve been specialized in hosting of WordPress pretty much ever since it came out. That’s why we are able to offer a true Never-Get-Hacked WordPress Hosting plan that so far no one else can match 🙂 We also offer a flat rate to clean a hacked WordPress site as well.

The DIY Option:

If you are out of options this is how you recreate your WordPress Website after it’s been hacked:

  1. Get Ready: Log into your Server Control Panel (Plesk) as seen here: Web Hosting Knowledge Base
    .
  2. Extract Files: Extract the files & folders from the server (either via the file manager or by FTP) to a local folder that you should call something like: “My Old Hacked Website”
    (don’t worry, those files won’t infect your local machine).
    .vvv
  3. Extract Database: In Plesk, go to the Database manager (the little database icon on the right hand side of the page) →Screen Shot 2015-09-17 at 10.35.48 AM
    Now find the name of your database that was connected to WordPress instance you use for your site (if you don’t know it, you can look in the WP-config.php file you downloaded in step #2) and then click on the “WebAdmin” link for that database. That will take you to phpMyAdmin, click on the “Export” tab →Screen Shot 2015-09-17 at 11.09.39 AM
    and then “Go”. Once downloaded you must now delete the database (back in the previous interface, not PhpMyAdmin) by clicking on the Red “Remove” X. →Screen Shot 2015-09-17 at 11.09.08 AM
    .
  4. Rename site: Now, back in the “Website & Domains” area of Plesk click on the “hosting Settings” link for your website. There, you can rename your existing web space to something like “Old-Hacked-Site.”
    .
  5. Make New Webspace: In “websites & Domains,” recreate the webspace by clicking on the
    “Add New Domain” button →Screen Shot 2015-09-17 at 10.49.07 AM
    when prompted, enter your domain name (everything else should be good as the default values).
    .
  6. Install WordPress: Install a fresh copy of WordPress via the automated Application installer Do not click “Install”, Instead, click on the drop down and click “Install (Custom)” so that you get the options you need →
    Screen Shot 2015-09-17 at 10.59.47 AM
    Installing WordPress this way is very important. This way it’s built right into the Plesk server control panel system and it’s more secure (it includes automatic updates and security fixes & features) We have a separate blog post on this here: Installing WordPress in Plesk, here are the main steps you need to know:

    • In most cases you will want to change the default install directory from “wordpress” to leaving that field blank (then it will install it in the root web directory)
    • For “Administrative Access” choose: “Grant administrative access to existing user
    • Enter the “Prefix of table” (it can also be found in the “WP-config.php: file of your old site)
      .
  7. Reinstall Theme: Ideally you can just download it via WordPress (or directly in Plesk). Otherwise, you can upload it from the files you downloaded in step #2; however in that case you must be very careful to ensure that no infected files were placed there before uploading them.
    .
  8. Reinstall Plugins: Similarly as with your theme, if you can install these from their source, upload from your old files only if you have to and you are confident that they are clean.
    .
  9. Upload Your Images: Your old images are stored in a series of nested folders located at:
    wp-content/uploads/ You must be very careful if you plan to upload them back to your new site as in most cases malicious files can be found in this area.
    .
  10. Import Database: To get all your content back you need to restore your database. You can do this by clicking on the same database Icon you did before and this time importing the same export file you downloaded earlier in the same place (phpMyAdmin) →Screen Shot 2015-09-17 at 10.35.48 AM
    but this time go to the “import” tab →Screen Shot 2015-09-17 at 5.06.43 PM
    and upload the SQL file you downloaded previously. (Double check that the “Prefix of table” you set in step #6 is the actual prefix on the tables in your Database. If not, you will need to do a global search & replace on your SQL file to change it to the prefix that your new database is actually using).

At this point, if you did everything correctly your WordPress site should be fully restored and hack free!

borat-thumbs-up-very-nice-210x197

Now be sure to use all those great features that come included with your DynamicHosting.biz Account to automatically protect your site moving forward!