Once you have determined a site is hacked, the next step is to evaluate options to restore the site. There are many different types of compromised sites, so it’s important to determine the best option before starting a recovery process.
This article details the steps that can be taken to restore a hacked site, along with relatively simple steps for removing malware.
Because a hacked WordPress site and its dashboard frequently do not work correctly, it is useful to be familiar with alternative ways of managing a WordPress site.
For example, a plugin or theme can be disabled without the dashboard by renaming its folder in wp-content/plugins or wp-content/themes.
WP-CLI is a great tool for managing WordPress from the terminal. Almost everything that can be done in the dashboard can be done with WP-CLI, and some useful features exist only in WP-CLI.
Gather Information
- Determine the date of the hack
  - When was the hack first noticed?
  - Though not always accurate, check the time that any malicious files were last modified
- Determine whether a clean backup is available
  NOTE: A backup that predates the hack is the only kind that can be trusted to be free of malware.
  NOTE: The database must be restored as well. Ensure that the backup contains both the site files and the database.
  - If a clean backup is available, restoring it is the best option
  - If no backup is available in Backup Manager, search the hosting plan for other backups
    - Backup Manager is not the only place to find backups
    - The following directories often contain backups
      /home/userna5/boldgrid_backup
      /home/userna5/wordpress-backups
      /home/userna5/public_html/wp-content
      REPLACE: userna5 with the cPanel username and public_html with the site's document root.
      TIP: Backup plugins may keep a backup folder in wp-content. Other plugins store their backups in their own directory under wp-content/plugins.
    - If VPS or higher:
      /backup
      NOTE: This contains full cPanel backups taken by WHM.
      /home
      NOTE: This may contain past cPanel transfers, which are entire cPanel backups from the date of the transfer.
- If a clean backup is not available, it is best to consult an expert in malware removal, such as Sucuri
- If working with a malware expert is not feasible, follow the steps below to attempt a recovery of the site
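As an added example (my own code, not part of the original article and not an InMotion tool), the following bash function turns the backup search above into one command: it lists archive and database-dump files under the cPanel home directory that were last modified before the date the hack was first noticed, so only candidates that could predate the compromise are shown. It assumes GNU find, as found on cPanel/Linux servers; the file-extension list and the /home/userna5 path in the comments are assumptions to adjust.

```shell
#!/usr/bin/env bash
# find_backups: list backup-looking files under a cPanel home directory that were
# last modified before a given date (the date the hack was first noticed).
# Only a backup that predates the compromise is worth restoring from.
#
# Usage: find_backups /home/userna5 '2024-03-10'     (date, or 'YYYY-MM-DD HH:MM')
# Output, oldest first: "<mtime>\t<bytes>\t<path>"
# Requires GNU find (-newermt, -printf). The extension list is an assumption that
# covers tar/zip archives, SQL dumps and All-in-One WP Migration .wpress files.
find_backups() {
    local home=$1 before=$2
    find "$home" -xdev -type f \
        \( -name '*.tar.gz' -o -name '*.tgz' -o -name '*.zip' \
           -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.wpress' \) \
        ! -newermt "$before" \
        -printf '%TY-%Tm-%Td %TH:%TM\t%s\t%p\n' 2>/dev/null | sort
}
```

The search is deliberately not limited to the known backup directories (boldgrid_backup, wordpress-backups, wp-content) so that backups kept in unexpected places are found too. Treat the timestamp as a hint only: mtimes can be changed, so open a candidate and confirm it contains both the files and the database before restoring it.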
Recovery Option
- It's important to note that the steps outlined in this article are not guaranteed
- While these steps may restore a site, it's highly unlikely that a site recovered with this method will be completely free of malware
- These steps are typically used when a site is no longer loading due to a hack
- While these steps will usually get a site to load again after a hack, these steps do not prevent any malware that is removed from returning and do not resolve the vulnerability that caused the hack in the first place
- For a more thorough review of a hack, it's best to reach out to an expert in cyber security, malware removal, and/or site security, specifically for WordPress sites
IMPORTANT: InMotion Hosting does not specialize in malware removal, and the removal of malware is outside of our scope of support. InMotion Hosting offers a malware scanner that can help to identify and quarantine malware, but we do not remove any malware. If you'd like to have your site scanned, please reach out to our Support Team.
WP-CLI Usage
- Using WP-CLI is typically fundamental for resolving more complex errors in WordPress sites
- If something needs to be done but cannot be done through the dashboard, there is usually a way to do it with WP-CLI
- Many steps outlined in this article are most easily accomplished with WP-CLI
- To get started with WP-CLI, open the Terminal tool in cPanel
- WP-CLI commands must be run from the document root of the site you intend to work with
- Change to the site's document root by running the following command
cd $(docroot.py domain.com)
REPLACE: domain.com with the domain you intend to work with.
- Once in the document root, WP-CLI commands can be run
- All WP-CLI commands begin with wp
- For example:
  - To list all installed plugins
  wp plugin list
  - To create a database backup (a .sql file is written to the current directory)
  wp db export
  - To run a search and replace on the database
  wp search-replace find_this replace_with_this
  REPLACE: find_this with the text you want to search for.
  REPLACE: replace_with_this with the text that will be inserted in its place.
  TIP: Add --dry-run to wp search-replace to see how many rows would change before modifying anything.
  TIP: For a full list of WP-CLI commands, refer to WP-CLI's documentation.
- If an error occurs while running a WP-CLI command, a plugin or theme may be causing a conflict
  - WP-CLI loads WordPress, including every active plugin and the active theme, before it runs a command. Plugins hook into WordPress actions so that they can alter the result of each action
  - A hacked or broken plugin or theme can therefore make WP-CLI itself fail. You can tell WP-CLI not to load plugins or themes with the following global flags
  - To skip plugins
  --skip-plugins
  - To skip themes
  --skip-themes
  EXAMPLE:
  wp plugin list --skip-plugins --skip-themes
Recover Site
- Recovering a hacked WordPress site is mainly about replacing the code (core, plugin and theme files) while keeping the database and its posts intact
- This typically involves re-downloading and installing the WordPress version currently in use, and re-downloading all plugin and theme files
Make a Backup
- Back up the site files
- From cPanel, open File Manager
- Locate the document root of the site
- Right click on the document root folder and compress it using your preferred archive format
- Back up the database
- From cPanel, open phpMyAdmin
- Locate the site's database
- Open the database by clicking on it in the database hierarchy
- Click the Export button at the top of the page
NOTE: This will download the database to your local computer. If this database needs to be restored, it will need to be uploaded back to the server.
Replace Altered Core Files
- Using WP-CLI, we can check whether any core WordPress files differ from the originals published for the installed version
- Well-behaved plugins and themes never modify core files, so any difference is a strong sign of a hack unless a developer deliberately edited the file
- Run the following command from the document root, as outlined in WP-CLI Usage
wp core verify-checksums
- Any core files whose checksums do not match are listed, as are files found in the core directories (wp-admin, wp-includes) that should not exist
- These files can be reviewed manually for suspicious code
TIP: Review the guide on Identifying a Hacked WordPress Site for more information on what code is considered suspicious.
- To quickly replace the altered files with the original WordPress files, re-download the core files for the version currently in use
wp core download --version=$(wp core version) --force
NOTE: This overwrites the core files only. It does not touch wp-config.php, and it does not remove extra files that a hack added to the core directories; those must be removed (or quarantined) by hand. If wp core version fails, the version can be read from $wp_version in wp-includes/version.php.
TIP: If an error is displayed, try skipping the themes and plugins by adding
--skip-themes --skip-plugins
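To show what a checksum verification actually does, here is an added bash example; it is my own code, not part of the original article or of WP-CLI. wp core verify-checksums fetches the per-file MD5 checksums for the installed version from api.wordpress.org and compares them with the files on disk. This version does the same comparison offline against a manifest you generate yourself from a pristine copy of the same WordPress version (download it from wordpress.org into a scratch directory). The scratch path and document root in the comments are assumptions. It reports three classes of finding, because a web shell dropped into wp-admin/ or wp-includes/ is never "modified"; it is "extra".

```shell
#!/usr/bin/env bash
# Offline equivalent of "wp core verify-checksums": compare a site's core files
# with an MD5 manifest built from a pristine copy of the same WordPress version.
#
# Manifest lines have md5sum's format: "<md5>  <path relative to docroot>".
# Usage (paths are assumptions):
#   make_manifest /tmp/wordpress-pristine > manifest.txt
#   verify_core_files /home/userna5/public_html manifest.txt
# Exit status is 1 if anything is MISSING, MODIFIED or EXTRA, else 0.

# make_manifest PRISTINE_DIR: hash the root files plus everything under wp-admin/
# and wp-includes/. wp-content/ is deliberately excluded: it is site-specific and
# is covered by the plugin/theme reinstall steps instead.
make_manifest() {
    (cd "$1" && { find . -maxdepth 1 -type f; find wp-admin wp-includes -type f; } \
        | sed 's#^\./##' | sort | xargs md5sum)
}

# verify_core_files DOCROOT MANIFEST
verify_core_files() {
    local docroot=$1 manifest=$2 sum path actual listed rc=0

    # Pass 1: every file in the manifest must exist with the recorded hash.
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$docroot/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(md5sum "$docroot/$path" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"

    # Pass 2: anything under wp-admin/ or wp-includes/ that the manifest does not
    # list is EXTRA. A web shell dropped into a core directory never shows up as
    # MODIFIED, so a checksum tool has to look in this direction as well.
    # (Core paths contain no whitespace, so word-splitting find's output is safe.)
    listed=$(awk '{print $2}' "$manifest")
    for path in $(cd "$docroot" && find wp-admin wp-includes -type f 2>/dev/null | sort); do
        if ! printf '%s\n' "$listed" | grep -qxF -- "$path"; then
            echo "EXTRA    $path"; rc=1
        fi
    done

    return $rc
}
```

Before overwriting a MODIFIED file with wp core download --force, diff it against the pristine copy: the diff is where you learn what was injected, and that tells you what to search for in wp-content. Anything reported as EXTRA under wp-admin/ or wp-includes/ should be moved out of the document root, not deleted (see Further Troubleshooting).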
Redownload Plugin Files
IMPORTANT: These steps only reinstall plugins hosted in the public WordPress plugin repository. They will not affect premium (paid) plugins, custom plugins, or plugins from third parties. Currently, this will also not reinstall BoldGrid plugins.
- Run the following from the site's document root, as outlined in WP-CLI Usage
wp plugin list --fields=name,version --format=csv --skip-plugins --skip-themes | tail -n +2 |
while IFS=, read -r plugin version; do
    wp plugin update "$plugin" --version="$version" --skip-plugins --skip-themes
done
NOTE: This forces each plugin to "update" to the version that is already installed, which makes WP-CLI re-download its files from the repository and overwrite whatever is on disk.
- If WP-CLI is not working, the plugins can be reinstalled from the wp-admin dashboard
  - Go to Plugins > Installed Plugins > Select All > Bulk Actions > Update > Apply
  NOTE: The dashboard only touches plugins that have an update available; plugins already at the latest version are left as they are.
Redownload Theme Files
- Run the following from the site's document root, as outlined in WP-CLI Usage
CAUTION: When this is run on premium (paid) themes that were not downloaded through the WordPress repository (i.e., were uploaded manually), it deletes that theme's files. Copy the themes directory first so that any deleted themes can be restored afterwards. Any such theme will need to be re-uploaded if its files need to be replaced.
wp theme list --fields=name,version --format=csv --skip-plugins --skip-themes | tail -n +2 |
while IFS=, read -r theme version; do
    wp theme update "$theme" --version="$version" --skip-plugins --skip-themes
done
NOTE: This forces each theme to "update" to the version that is already installed, which makes WP-CLI re-download its files.
Plugins Still Do Not Work
- If neither WP-CLI nor wp-admin is working, a fresh WordPress install is likely required, with the previous database transferred to the new install
- In this case, install all plugins and themes on the new WordPress before the database is transferred
Replace .htaccess File
- Many hacks modify the .htaccess file, for example to redirect visitors elsewhere or to block access to all PHP files
- Replace the .htaccess file found in the document root with a default WordPress .htaccess file, and keep a copy of the modified one outside the document root: its rules show what the attacker changed. Also check subdirectories such as wp-content/uploads for additional .htaccess files.
Further Troubleshooting
NOTE: Even if the site is loading, there may be PHP errors caused by missing plugins. This is expected if the plugins have not yet been reinstalled or were disabled during the restoration. These errors usually appear as blocks of code or error text visible on the site's pages.
- At this point, the site should be recovered to the extent possible without manually reviewing the files or consulting a malware expert
- Malware is known to regenerate itself; at times, after completing all of these steps, the malware reappears immediately
- When this happens, there is usually still malware on the site outside the core WordPress files (for example in wp-content, or a cron job that re-creates the files)
- A malware scan can be used to try to identify it
- Rather than deleting the files a scan flags, it is safest to move them outside of every site's document root
TIP: Move rather than delete. While a file sits inside a document root it can be executed from any computer on the internet simply by requesting its URL, so moving it out neutralizes it immediately. If it is deleted and later turns out to have been a legitimate file the site needs, it cannot be recovered. Delete a file only once you are certain the site does not use it.
- Ensure the index.php file in the document root is a default WordPress index.php file
NOTE: If using the GitHub link above, you may need to switch the branch from master (latest version) to the one matching the version of WordPress the site is running. The index.php file has not changed since version 2.5, but in case it does, make sure you are on the correct branch.
TIP: Use WP-CLI to get the current WordPress version.
wp core version
NOTE: Re-downloading the core files may not have overwritten index.php, so check it explicitly.
- If malware is no longer being regenerated, any remaining errors can typically be resolved as for a normal site
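The two file-handling steps above, replacing .htaccess and moving flagged files out of the document root rather than deleting them, are easy to get wrong by hand, so here is an added bash example of a small quarantine routine. It is my own code, not part of the original article. The quarantine directory (assumed to be something like /home/userna5/quarantine, outside every document root), the log format, and the sample paths in the comments are assumptions. The .htaccess block it writes is the stock rewrite block WordPress generates for a single-site install with pretty permalinks.

```shell
#!/usr/bin/env bash
# Quarantine instead of delete. A file inside a document root can be executed by
# anyone who requests its URL; a file moved out of every docroot cannot, yet it
# can still be put back if it turns out to be legitimate.
#
# QUARANTINE_DIR must sit outside every document root, e.g. /home/userna5/quarantine
# (an assumed path; never use a directory under public_html).
#
# Usage: quarantine_file DOCROOT RELATIVE_PATH QUARANTINE_DIR
#        restore_file    DOCROOT RELATIVE_PATH QUARANTINE_DIR
#        reset_htaccess  DOCROOT QUARANTINE_DIR
quarantine_file() {
    local docroot=$1 rel=$2 qdir=$3 src dest
    src="$docroot/$rel"
    dest="$qdir/$rel"          # the original layout is preserved under the quarantine dir
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    # Log time, SHA-256, origin and destination BEFORE moving. The hash tells you
    # later whether a file that "regenerated" is the same payload, and is what a
    # malware specialist will ask for. An existing copy at $dest is overwritten.
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(sha256sum "$src" | cut -d' ' -f1)" "$src" "$dest" >> "$qdir/quarantine.log"
    mv "$src" "$dest"
    chmod 0000 "$dest"         # nothing in quarantine should be readable or runnable
}

restore_file() {
    local docroot=$1 rel=$2 qdir=$3
    [ -f "$qdir/$rel" ] || { echo "not in quarantine: $rel" >&2; return 1; }
    mkdir -p "$(dirname "$docroot/$rel")"
    mv "$qdir/$rel" "$docroot/$rel"
    chmod 0644 "$docroot/$rel"
}

# reset_htaccess: quarantine the current .htaccess (its rules are evidence of how
# the attacker redirected or blocked traffic) and write the stock rewrite block
# that WordPress generates for a single-site install with pretty permalinks.
# Any legitimate custom rules must be added back by hand afterwards.
reset_htaccess() {
    local docroot=$1 qdir=$2
    if [ -f "$docroot/.htaccess" ]; then
        quarantine_file "$docroot" ".htaccess" "$qdir" || return 1
    fi
    cat > "$docroot/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}
```

After a malware scan, quarantine each flagged path (for example quarantine_file ~/public_html wp-content/uploads/x.php ~/quarantine), then re-run the scan a few minutes later. If a file with the same SHA-256 reappears in the log, something still on the server (another file, a cron job, a compromised plugin) is recreating it, and the quarantined file was only a symptom.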