WordPress is one of the most popular content management systems (CMS) available today, and many people use it to build websites that go well beyond a simple blog.
However, when their website is compromised or hacked, they may find that they can no longer access it, or that it redirects visitors to unknown spam websites.
Worse, most people find this frightening, frustrating and upsetting. Things like this happen when you don’t keep your plugins, themes and WordPress core up to date.
Just as my previous article explained the simplest way to migrate a website, I thought I’d write up the simplest way to clean up malware as well.
The steps in this article are the ones I usually use as the first troubleshooting steps to repair a hacked WordPress website.
I’m adding some useful links here in case you want to take a look:
- How to migrate wordpress website (Better & faster)
- 25 WordPress Security Tweaks
- Powerful WordPress firewall setup.
Backups: if you already have backups, restoring them is the quickest fix. A good web host provides daily backups as a standard feature, so talk to them first.
Before we begin, some things to keep in mind:
- No, this is not a bullet-proof security solution.
- In most cases, the steps outlined here will help in your site recovery.
- There is a small chance that your site could break because of a conflict introduced by plugin, theme or even WordPress core updates.
- You need to be prepared to restore backups if things don’t go the way they should.
- You’ll need a basic understanding of how the WordPress file system works, and you’ll need SSH access with WP-CLI installed.
That’s all for the preliminaries. Now you’re probably asking what the WP-CLI I mentioned above is. Here is the basic explanation, copied from the wp-cli site:
WP-CLI is the command-line interface for WordPress. You can update plugins, configure multisite installations and much more, without using a web browser.
Now log in over SSH and navigate to the WordPress installation directory. Most of the time, when you log in over SSH as the site’s user, you’ll land in the WordPress directory by default, but if you think you’re not, you can run the command below.
This command will display a list of files and folders. If you see WordPress files, you’re in the WordPress directory.
If not, you can find the WordPress path in the dashboard under WP >> Tools >> Site Health >> Info tab.
If you cannot access the WordPress dashboard because of the infection or for some other reason, open your site’s file manager in the hosting control panel to find the WordPress installation directory.
In my case, I’d navigate to my WordPress site using the following command, because it is hosted on the cPanel control panel.
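As an added example (not from the article), here is a small POSIX sh helper that checks whether a directory is a WordPress root and, failing that, searches below a starting directory for one. It assumes only a standard shell with `find`; the function names and the search depth are my choices, and the directory layout used to exercise it is constructed.

```shell
#!/bin/sh
# find_wp_root.sh: locate the WordPress installation directory from a shell.
# Added example, not part of the original article. Assumes POSIX sh + find.

# Return 0 if $1 looks like a WordPress root: wp-settings.php and the
# wp-includes/ directory are always present there, while wp-config.php may
# legitimately live one level above the root, so it is not used as the test.
is_wp_root() {
  [ -f "$1/wp-settings.php" ] && [ -d "$1/wp-includes" ]
}

# Print the WordPress root(s) found at or below $1 (default: current dir),
# searching at most $2 levels deep (default: 4, enough for typical
# cPanel layouts such as ~/public_html/<site>).
find_wp_roots() {
  start="${1:-.}"
  depth="${2:-4}"
  find "$start" -maxdepth "$depth" -type f -name wp-settings.php 2>/dev/null |
    while IFS= read -r f; do
      d=$(dirname "$f")
      is_wp_root "$d" && printf '%s\n' "$d"
    done
}
```

After logging in, `find_wp_roots "$HOME"` prints every WordPress root it finds; `cd` into the right one before running the wp commands that follow.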
Now that I’m in my WordPress installation directory, here is the strategy we’ll use to fix the hacked website:
- Renaming the .htaccess file.
- Updating WordPress core files.
- Updating installed plugins to the latest version.
- Updating installed themes to the latest version.
Most of the steps above are self-explanatory. Start by renaming the .htaccess file:
mv .htaccess .htaccess-bk
This renames .htaccess to .htaccess-bk. The .htaccess file is where redirection rules and file-access deny rules usually live, so renaming it gives us a good chance of stopping the WordPress spam redirection.
A malware backdoor may also recreate the .htaccess file, but we can try to deal with that in the following steps.
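Before discarding the renamed file it is worth knowing what was in it. The following is an added example, not the article’s own code: a POSIX sh script that performs the same rename and lists any lines in an .htaccess that send visitors to another host (Redirect, RedirectMatch, RewriteRule or ErrorDocument with an http(s) target). The sample .htaccess it writes is constructed for the test, with a standard WordPress block followed by two injected lines pointing at a `.invalid` hostname.

```shell
#!/bin/sh
# htaccess_triage.sh: back up .htaccess and list rules that redirect elsewhere.
# Added example, not from the original article. Assumes POSIX sh with grep/wc.

# Rename .htaccess in $1 to .htaccess-bk (the article's mv step). Returns 0
# if the rename happened, 1 if there was no .htaccess to rename.
backup_htaccess() {
  dir="$1"
  [ -f "$dir/.htaccess" ] || return 1
  mv "$dir/.htaccess" "$dir/.htaccess-bk"
}

# Print (with line numbers) the lines of file $1 that redirect to a full URL.
# WordPress's own permalink rules rewrite to /index.php and never carry
# http(s)://, so they are not reported.
find_redirect_rules() {
  grep -inE '^[[:space:]]*(Redirect(Match)?|RewriteRule|ErrorDocument)[[:space:]].*https?://' "$1"
}

# Number of such lines, as a bare integer on stdout.
count_redirect_rules() {
  find_redirect_rules "$1" | wc -l | tr -d ' '
}

# Write a constructed sample .htaccess into $1: the normal WordPress block
# plus two injected lines of the kind the article describes.
write_sample_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
ErrorDocument 404 http://redirect.example.invalid/404
EOF
}
```

Run `find_redirect_rules .htaccess-bk` after the rename to see exactly which lines were doing the redirecting. One caveat worth knowing: renaming .htaccess also removes WordPress’s own pretty-permalink rewrite block, so inner pages may return 404 until you re-save Settings >> Permalinks, which regenerates a clean .htaccess.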
Now update WordPress core files:
wp core download --skip-content --force
This command downloads the WordPress core files from the official source and updates your instance to the latest version. I don’t usually do this with the command, because I find that updating manually is easier and better.
What I’d typically do, and what I’d recommend, is:
- Delete all files except the wp-content folder and the wp-config.php file.
- Download WordPress from the official website, extract it locally and remove its wp-content folder.
- Then upload the extracted files to your server.
This way, you can be sure that any malware backdoors in the core folders are removed.
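The three manual steps above, scripted as an added example (this is not the article’s code). It assumes POSIX sh, `curl` and `tar`; the keep-list (wp-content, wp-config.php, and the renamed .htaccess-bk so it can still be inspected) and the download URL are my assumptions, and the test exercises the prune and copy steps on a constructed directory tree without touching the network.

```shell
#!/bin/sh
# reinstall_core.sh: the article's manual core replacement, as functions.
# Added example, not from the original article. Assumes POSIX sh, curl, tar.

# Step 1: remove everything in WordPress root $1 except wp-content,
# wp-config.php and .htaccess-bk. Refuses to run on a directory that does not
# look like a WordPress root, so a typo cannot wipe the wrong tree.
prune_core_files() {
  root="$1"
  [ -f "$root/wp-settings.php" ] || { echo "not a WordPress root: $root" >&2; return 1; }
  for entry in "$root"/* "$root"/.[!.]*; do
    [ -e "$entry" ] || continue            # unmatched glob, nothing to do
    case "$(basename "$entry")" in
      wp-content|wp-config.php|.htaccess-bk) ;;   # keep
      *) rm -rf "$entry" ;;
    esac
  done
}

# Step 2: download the official release into scratch dir $1, strip its
# wp-content, and print the path of the clean core.
download_clean_core() {
  curl -fsSL https://wordpress.org/latest.tar.gz | tar -xzf - -C "$1"
  rm -rf "$1/wordpress/wp-content"
  printf '%s\n' "$1/wordpress"
}

# Step 3: copy the clean core $2 on top of the pruned root $1.
install_clean_core() {
  cp -R "$2"/. "$1"/
}
```

On the live host the calls run in order: `prune_core_files /path/to/site`, then `core=$(download_clean_core "$(mktemp -d)")`, then `install_clean_core /path/to/site "$core"`. Afterwards `wp core verify-checksums` (a standard WP-CLI command, not mentioned in the article) compares every core file against the checksums published by WordPress.org for that version and reports anything that differs or should not be there.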
Now we need to update the installed plugins by replacing their existing files.
wp plugin install $(wp plugin list --field=name) --force
This command forcibly reinstalls your installed plugins at their latest version, replacing the existing files. Bear in mind that this only works for plugins available in the WordPress.org repository; premium plugins must be updated manually.
Next are the installed themes. Be advised that reinstalling a theme overwrites any custom changes you’ve made to its CSS, its functions.php or any other file. So back up any changes you’ve made, then run the command below.
wp theme install $(wp theme list --field=name) --force
This command forcibly reinstalls any installed themes at the latest version, replacing the existing files. Likewise, a premium theme must be updated manually.
We have now updated the themes, plugins and WordPress core to their latest versions. In most cases your site will be working again and the malware issue resolved, but don’t consider this a complete “FIX” for a hacked site. Here are a few more things to do:
- Manually inspect the site files and remove any suspicious ones.
- Delete any plugins you don’t recognise; same for themes.
- Block PHP file execution in the /uploads folder.
- Remove unknown admins/users (WP >> Users).
- Set up and install a WAF (web application firewall), for example the NinjaFirewall plugin.
- And finally, keep an eye on recent changes to the site files.
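Two of the follow-up items above (blocking PHP in uploads, and watching for recently changed files) as an added example that is not part of the article. It assumes Apache 2.4 with .htaccess overrides enabled and a POSIX sh with `find`; the file names created in the test are constructed.

```shell
#!/bin/sh
# harden_and_watch.sh: block PHP execution in uploads and list recent PHP files.
# Added example, not from the original article. Assumes Apache 2.4 honouring
# .htaccess (AllowOverride) and a POSIX sh with find.

# Write an .htaccess into wp-content/uploads of WordPress root $1 that denies
# every PHP-like extension, so an uploaded script cannot be executed.
block_php_in_uploads() {
  uploads="$1/wp-content/uploads"
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
# Deny direct execution of PHP files in uploads (Apache 2.4 syntax)
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

# List PHP files anywhere under $1 modified in the last $2 days (default 7).
# Run it daily and compare with the previous run; files you did not touch
# deserve a closer look.
recent_php_files() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}" 2>/dev/null | sort
}

# Any PHP file under uploads is suspicious regardless of its age, because
# WordPress never places PHP there itself.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}
```

On nginx there is no .htaccess; the equivalent is a location block for the uploads path that refuses `.php` requests in the server configuration. For the “unknown admins” item, `wp user list --role=administrator` (a standard WP-CLI command) prints every administrator account so you can compare it against the people who should have one.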
That’s all. If you have any questions, ask in the comments section.