WordPress is the most popular site-building software worldwide and therefore is a massive target for hackers. As a result, it's not uncommon for a site lacking regular maintenance to be targeted and hacked.
Hacked sites are a significant source of frustration, and restoring a site is much preferred to rebuilding the site from scratch.
Most WordPress hacks come from exploits in outdated WordPress software (including plugins and themes), although some come from guessed or stolen passwords.
Related Articles
- Recover a Hacked WordPress Site
- Install and Use ImunifyAV
- Verify WordPress Checksums
- Update WordPress Version
Signs That a Site is Hacked
- Hacked sites can take a variety of forms, but malware may do the following:
  - Redirect traffic to malicious sites
  - Send spam emails
  - Add fake product listings to a site
  - Redirect payments to the hacker
  - Delete site files
  - Encrypt files and demand a ransom (ransomware)
  - Steal personal information
- Some hacks are apparent, and some can remain unnoticed for months or years at a time
- Our team monitors for hacked sites on shared servers and will notify customers when they discover a hack
- The most commonly hacked core files are the index.php file, the wp-config.php file, and the .htaccess file
- Other files that are commonly hacked are the plugins and, less often, the themes
NOTE: Plugins and themes can be hacked even if they are inactive. It's best to delete inactive plugins/themes that are no longer in use.
- Malware outside of the core files is commonly named with random numbers and letters
EXAMPLE: tbfgszz.php
- Malware is usually obfuscated, meaning the code is written in a way that is not easily readable
- This is done so that it's difficult or impossible to tell what the malware does, and to avoid detection by malware scanners
EXAMPLE: An excerpt of obfuscated malware.
<?php
$stt1 = "Sy1LzNFQt7dT10uvKs1Lzs8tKEotLtZIr8rMS8tJLEnVSEosTjUziU9JT\x635PSdUoLikqSi3TU\x43kuKTHQ\x42\x41Fr\x41\x41\x3d...
IMPORTANT: Some legitimate code is encoded, most commonly with IonCube. Therefore some legitimate files may look like obfuscated malware. They can usually be differentiated by the length of each line of code: malware will typically have unusually long lines of code, while files encoded with IonCube will have a comment at the top indicating that they are encoded with IonCube. If in doubt, it's usually best to start a malware scan and let the scanner determine if there is malware.
- For more information, please review this guide from Wordfence
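To make the long-line and encoding heuristics described above concrete, here is an added Python triage script written for this article; it is not InMotion Hosting's scanner or the Wordfence guide's code. It flags PHP files that have unusually long lines, runs of hex escapes such as \x63, or eval/decode calls, and it sets aside files whose first lines mention ionCube so they are not mistaken for malware. The 500-character threshold, the ionCube string check and the sample files are assumptions constructed for the example; a hit means "review this file" or "run a malware scan", not "this is malware".

```python
import pathlib
import re
import tempfile

# Assumptions for this example: thresholds and patterns are illustrative, not a
# signature database. A hit means "review this file", not "this is malware".
MAX_LINE_LENGTH = 500
DECODE_CALL = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
IONCUBE_MARKER = re.compile(r"ioncube", re.I)


def classify_php(text: str) -> tuple[str, list[str]]:
    """Return ("encoded" | "suspicious" | "clean", reasons) for one PHP source file."""
    lines = text.splitlines()
    # Legitimately encoded files announce themselves in a comment near the top.
    if IONCUBE_MARKER.search("\n".join(lines[:5])):
        return "encoded", ["ionCube marker in file header"]
    reasons = []
    longest = max((len(line) for line in lines), default=0)
    if longest > MAX_LINE_LENGTH:
        reasons.append(f"line of {longest} characters")
    if DECODE_CALL.search(text):
        reasons.append("eval/decode call")
    if len(HEX_ESCAPE.findall(text)) >= 5:
        reasons.append("hex-escaped string literal")
    return ("suspicious" if reasons else "clean"), reasons


def scan_tree(root: pathlib.Path) -> dict[str, str]:
    """Classify every .php file under root; keys are paths relative to root."""
    return {
        path.relative_to(root).as_posix(): classify_php(path.read_text(errors="replace"))[0]
        for path in sorted(root.rglob("*.php"))
    }


# Constructed sample files (not real malware): a clean plugin stub, a stand-in for an
# ionCube-encoded file, and a file built from the obfuscated excerpt quoted above.
OBFUSCATED_FRAGMENT = (
    r"Sy1LzNFQt7dT10uvKs1Lzs8tKEotLtZIr8rMS8tJLEnVSEosTjUziU9JT\x635PSdUoLikqSi3TU"
    r"\x43kuKTHQ\x42\x41Fr\x41\x41\x3d"
)
SAMPLES = {
    "wp-content/plugins/example-plugin/example-plugin.php":
        "<?php\n/* Plugin Name: Example Plugin (constructed stub) */\n"
        "function example_plugin_init() {\n    echo 'hello';\n}\n",
    "wp-content/plugins/licensed/app.php":
        "<?php //004fb\n// constructed stand-in for an ionCube Loader header\n"
        "if(!extension_loaded('ionCube Loader')){ die('no loader'); }\n",
    "tbfgszz.php":
        "<?php\n$stt1 = \"" + OBFUSCATED_FRAGMENT * 6 + "\";\n"
        "eval(gzinflate(base64_decode($stt1)));\n",
}


def build_demo() -> pathlib.Path:
    """Write the constructed samples into a temporary directory and return its path."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="wp-triage-"))
    for rel, body in SAMPLES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    demo = build_demo()
    for rel, verdict in scan_tree(demo).items():
        print(f"{verdict:10} {rel}")
```

Running the script prints one verdict per sample: the dropped file is suspicious on all three counts (line length, eval/decode call, hex escapes), the plugin stub is clean, and the ionCube stand-in is reported as encoded rather than suspicious, which is the distinction the IMPORTANT note above asks you to make by hand.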
Identify Malware
CAUTION: When identifying malware, or core files with malicious code injected into them, it's important NOT to delete them unless you have a backup available to restore. At times, it may be difficult to distinguish malware from legitimate files. Deleting required files could be detrimental to a site.
- Verify WordPress Checksums
NOTE: The plugins will not be checked when verifying checksums.
- If there are files that shouldn't exist, named with random numbers/letters:
  - Review the file using File Manager
  - If the file contains obfuscated code, like the example above, it's almost always malware
- If the commonly infected core files fail to verify checksums:
  - Review the file using File Manager
  - If the file contains any obfuscated code, like the example above, it's almost always malware
- Other files that the checksum verification identifies as "should not exist" can also be investigated for obfuscated code in the same way
TIP: InMotion Hosting offers a malware scanning tool. If using a shared hosting plan, contact support to have a malware scan started. On VPS or dedicated plans, ImunifyAV can be used via WHM to scan the server, or support can also be contacted to use our internal malware scanning tool. If there are many files to check, consider running a malware scan instead.
- Investigate the plugins folder at wp-content/plugins briefly for any obvious malware
TIP: Look for files or directories with random numbers/letters in the name.
  - If there are any directories or files named with random numbers/letters, it's almost always malware
  - Check the file for obfuscated code to confirm
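As an added example of what a checksum verification does under the hood, and of the "files that shouldn't exist" and random-name checks above, here is a Python script written for this article; it is not InMotion Hosting's checker or WP-CLI. It compares each core file's MD5 against a manifest of expected hashes, reports files the manifest does not know about, and applies a simple random-name heuristic to those files and to the plugins folder. The manifest shape (relative path to MD5) mirrors the list WordPress.org publishes, but the manifest contents, the stand-in file contents and the vowel-ratio heuristic are constructed assumptions for this example.

```python
import hashlib
import pathlib
import re
import tempfile

# Directories the core manifest does not cover (user-installed content). Files here
# are skipped by the checksum pass and examined by name in scan_plugin_names().
USER_CONTENT = ("wp-content/plugins/", "wp-content/themes/", "wp-content/uploads/")


def looks_random(name: str) -> bool:
    """Heuristic (an assumption for this example): a lowercase alphanumeric name of six
    or more characters that mixes digits and letters or has almost no vowels.
    Legitimate core names such as xmlrpc.php would match too, which is why this is only
    applied to files the manifest does not already vouch for."""
    stem = name.split(".", 1)[0]
    if not re.fullmatch(r"[a-z0-9]{6,}", stem):
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    return (has_digit and has_alpha) or vowel_ratio < 0.15


def md5_of(path: pathlib.Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()


def verify_checksums(root: pathlib.Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare files under root with manifest {relative path: expected md5}."""
    report = {"modified": [], "missing": [], "unexpected": [], "suspicious_names": []}
    seen = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            if rel.startswith(USER_CONTENT):
                continue  # plugins/themes/uploads are not in the core manifest
            report["unexpected"].append(rel)
            if looks_random(path.name):
                report["suspicious_names"].append(rel)
        elif md5_of(path) != expected:
            report["modified"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {key: sorted(items) for key, items in report.items()}


def scan_plugin_names(root: pathlib.Path) -> list[str]:
    """Flag plugin files or directories whose names look random."""
    plugins = root / "wp-content" / "plugins"
    return sorted(p.relative_to(root).as_posix() for p in plugins.rglob("*") if looks_random(p.name))


# Constructed originals (stand-ins, not the real WordPress sources) and the manifest
# derived from them, in the same path->md5 shape as the WordPress.org checksum list.
ORIGINALS = {
    "index.php": b"<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-load.php": b"<?php\n/* constructed stand-in */\n",
    "wp-settings.php": b"<?php\n/* constructed stand-in */\n",
    "wp-content/plugins/akismet/akismet.php": b"<?php\n/* constructed stand-in */\n",
}
MANIFEST = {rel: hashlib.md5(body).hexdigest() for rel, body in ORIGINALS.items()}


def build_demo() -> pathlib.Path:
    """Lay out a sample install: one core file altered, one missing, a legitimate
    wp-config.php, a random-named dropped file and a random-named plugin directory."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="wp-checksums-"))
    files = dict(ORIGINALS)
    files["index.php"] = b"<?php /* constructed: injected line */ ?>\n" + files["index.php"]
    del files["wp-settings.php"]
    files["wp-config.php"] = b"<?php\ndefine('DB_NAME', 'example');\n"
    files["tbfgszz.php"] = b"<?php\n/* constructed stand-in for a dropped file */\n"
    files["wp-content/plugins/x9k2q7/x9k2q7.php"] = b"<?php\n/* constructed stand-in */\n"
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root


if __name__ == "__main__":
    demo = build_demo()
    for key, items in verify_checksums(demo, MANIFEST).items():
        print(f"{key}: {items}")
    print("plugin names:", scan_plugin_names(demo))
```

Note that wp-config.php lands in the "unexpected" list even though it is legitimate: the core checksum list only covers files WordPress ships, and wp-config.php and .htaccess are created per site, so they always need a manual look rather than a hash comparison. The same reasoning is why the plugins folder gets the separate name-based pass, matching the NOTE above that plugins are not checked.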
IMPORTANT: Sometimes hackers will add rules to the .htaccess file to block access to PHP files, which will prevent much of the site from loading. There will be several 403 errors in your browser's console if that's the case.
EXAMPLE: Rules blocking access to PHP files, added to an .htaccess file by a hack.
<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.$
Order allow,deny
Allow from all
</FilesMatch>
Determine if cPanel is Compromised
- Log into cPanel
- Click the User Menu at the top right of the page
- Open Contact Information
- Check the contact email addresses for the cPanel account
  - Verify that the email addresses listed are valid addresses that you control
  - Update the addresses if necessary
NOTE: Hackers may change these contact email addresses in an attempt to send themselves a password reset email if the password ever gets changed. cPanel password reset emails are disabled in our hosting environment, but a hacker may still update the contact email anyway.
Sending Spam Emails - Requires Immediate Attention
IMPORTANT: If an email account is sending out spam, we may disable the email account to protect our mailing reputation.
- It can be difficult to determine where spam emails are coming from
  - Some emails may be spoofed: they appear to be sent from your email address, but the sender has only set the From header to your address and does not actually have access to your email account
  - Sometimes a spammer may take advantage of contact forms on sites to send out spam emails
- If you are sure that an email account is compromised and being used to send spam, it's best to reset the email account's password
- If the account is still sending out spam, sending can be temporarily suspended through cPanel
- For further assistance, contact support for a more thorough review
Malicious Redirects - Requires Immediate Attention
IMPORTANT: If a site has a malicious redirect, it can be incredibly frustrating to deal with while waiting for the malware to be removed. The redirect can sometimes be located in the usual places you'd find redirects.
- Check the Redirects tool in cPanel to see if the malicious redirect exists there
NOTE: If the malicious redirect is in cPanel, the cPanel account was compromised. Be sure to update the cPanel password. Also, perform the steps of the previous section, "Determine if cPanel is Compromised," to update the contact email address.
- Check the site's .htaccess file for any rewrite rules that may be redirecting to a malicious site
TIP: Sometimes, the site will redirect to one site only to be immediately redirected to another. The first redirect is the one to search for.
- If the redirect is still not found, it may exist in the database
  - Create a backup of the database
  - Try running a search and replace to replace the malicious URL with the correct URL
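The two .htaccess checks this article describes, the FilesMatch rules that block PHP files (from the Identify Malware section) and the rewrite rules that send visitors to another site (from this section), can be automated in one pass. The script below is an added Python example written for this article, not InMotion Hosting's tool. It parses the file with regular expressions, flags any Files/FilesMatch block that denies access to a pattern mentioning php, and flags Redirect or RewriteRule targets whose host is not one of the site's own. The sample .htaccess reuses the blocking rule quoted above and adds a constructed redirect to the reserved placeholder host redirect.invalid; the site hostnames in SITE_HOSTS are an assumption.

```python
import re
from urllib.parse import urlparse

# <Files "..."> / <FilesMatch "..."> blocks and their bodies.
FILES_BLOCK = re.compile(r'<Files(?:Match)?\s+"([^"]*)"\s*>(.*?)</Files(?:Match)?>', re.I | re.S)
# Apache 2.2 and 2.4 spellings of "nobody may fetch these files".
DENY_ALL = re.compile(r"deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied", re.I)
# Line-anchored directives; [ \t] rather than \s so a match never spans lines.
REWRITE_RULE = re.compile(r"^[ \t]*RewriteRule[ \t]+\S+[ \t]+(\S+)", re.I | re.M)
REDIRECT = re.compile(
    r"^[ \t]*Redirect(?:Match)?[ \t]+(?:(?:\d{3}|permanent|temp|seeother)[ \t]+)?\S+[ \t]+(\S+)",
    re.I | re.M)

# Assumption for this example: the hostnames that are legitimately this site's own.
SITE_HOSTS = {"example.com", "www.example.com"}


def audit_htaccess(text: str, site_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (kind, detail) findings: PHP-blocking rules and off-site redirects."""
    findings = []
    for pattern, body in FILES_BLOCK.findall(text):
        if DENY_ALL.search(body) and "php" in pattern.lower():
            findings.append(("php-blocked", pattern))
    for regex in (REWRITE_RULE, REDIRECT):
        for match in regex.finditer(text):
            target = match.group(1)
            # Relative targets ("/index.php", "-") have no host and are left alone.
            host = urlparse(target).hostname
            if host and host.lower() not in site_hosts:
                findings.append(("external-redirect", target))
    return findings


# Constructed sample: the standard WordPress rewrite block, a legitimate redirect to the
# site's own host, the PHP-blocking rule quoted in the article, and a redirect to a
# placeholder host standing in for a malicious destination.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Redirect 301 /old-page https://www.example.com/new-page

<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>

RewriteRule ^(.*)$ http://redirect.invalid/?$1 [R=301,L]
"""


if __name__ == "__main__":
    for kind, detail in audit_htaccess(SAMPLE_HTACCESS, SITE_HOSTS):
        print(f"{kind}: {detail}")
```

On the sample this reports exactly two findings, the php-blocked pattern and the redirect.invalid target, while the standard WordPress rules and the same-host redirect pass. For the database step that follows, prefer a tool that understands PHP-serialized values (WP-CLI's wp search-replace does) over a raw SQL UPDATE, because option and meta values that hold serialized arrays break when the replaced string changes length.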
Recover From a Hack
IMPORTANT: All relevant passwords should be updated, from the cPanel password to email accounts to WordPress admin passwords. It will be of no use to recover a site from a hack only for it to get hacked again hours later.
- This article can be reviewed for first steps that can be taken to secure a site after a hack
- The following articles may also be reviewed:
  - For general information on hacks
  - For general information on improving site security
  - For recommended security plugins
- Typically, the best option is to restore a backup that predates the hack
  - If a backup is available that predates the malware, it's recommended to restore that
  - If there are no backups available or restoring the backup is not a good solution, Sucuri is an excellent cyber security company that offers malware removal
  - If these options are not feasible, a manual restoration can be attempted by following our guide on recovering a hacked WordPress site