What should I do if a WordPress website is hacked or infected with a virus?

Hacking and virus infection of the WordPress website is the nightmare of every website owner. From one moment to the next, your website disappears or worse, your customers report that Google is referring to you as an unsafe site. Traffic plummets and all the energy, effort, time and money you put into your site goes to waste.

Finding and fixing problems requires hard work, but it's not as complicated as regaining customer trust or getting your site off the spam blacklist. While being hacked is never pleasant, it is more common than you might think.

Why is WordPress being attacked?

The rise of WordPress drew attention to the vulnerability of CMSs, i.e. content management systems, and became the most popular target for hackers. According to a 2018 report ( https://sucuri.net/reports/2018-hacked-website-report/ ), there are more than 50 million websites that are risky to visit because they contain some kind of dangerous code. A year earlier, this number was only 17 million. 78% of infected sites use WordPress, making it the "most popular" platform in terms of vulnerability.

In order to protect yourself from the unpleasant experience of being hacked, in this article I have examined the motivations for hacking, how attacks are carried out, the characteristics of infections and what steps you can take to protect your site.

What motivates hackers to hack WordPress sites?

The first thing you need to understand is that the attack is not against you personally or your website.

Most sites are hacked because they can. There are very few reasons why hackers target a particular site. However, this is typically true for large companies such as Sony. However, for smaller businesses, hackers are only accessing our site because we unknowingly left them a loophole. So it's not based on logic or whether it makes sense to hack your site. No matter how much traffic you have, you are always a potential target.

However, it is difficult for an average person to understand why a hacker would even want to break into the website of a small company selling handmade soaps.

The most common motives are the following:

1. Placing a spam link in the text of the website or in the text of comments.
2. They want access to your data, mailing list, credit card information, etc.
3. Hackers redirect visitors from your site to other sites from which they make a profit.
4. Hackers take control of your server and use the hardware to send spam
5. Hackers use your site to infect your visitors' computers with malicious programs, such as back door hack, key tracker, ransomware, viruses or other malicious software

The last motive is perhaps the most terrifying. It is possible to host malicious software that is installed on visitors' machines without their knowledge.

One of the goals of these types of attacks is to enable larger-scale attacks. A typical Denial of Service (DoS) attack requires a lot of machines. Your hacked site could be one of them. But it is also possible that the hacker is using your page to build security for himself when attacking another entity.

Most WordPress attacks are automated

One of the reasons hackers don't differentiate between sites is that attacks are almost always automated.

If you think that someone will type the address of your site into the browser and search until they find some vulnerability, then you are probably wrong. This kind of method is not at all economical from the hacker's point of view.

Instead, just like browsers, hackers use bots to explore the Internet. However, instead of indexing the content, they try to detect known weak points. By automating this process, the hacker has the opportunity to attack several pages at the same time, thereby increasing efficiency to a high level. Economics at a higher level.

If your site is hacked or infected with a virus, the reason is probably that your website fell into the web of their automated script, not that someone deliberately targeted you.

Why are hackers attacking WordPress?

Try to imagine yourself in the position of the hackers for a moment. If you want to hack as many pages as possible to achieve your goal, which path would you choose? Would you try a platform used by 500 websites or one used by hundreds of millions?

Because WordPress is so widespread, it's a great target for hackers.

Although the "core" of WordPress is very secure, we are still talking about a modular platform - there are many ways to expand it with themes and plugins. Since anyone can build tools for WordPress, it's possible that not all of them work with the same code base as the WordPress "core" itself. Any popular WordPress plugin can contain security flaws that can affect tens of thousands of WordPress sites.

Due to its popularity, WordPress is a very popular platform among hackers and security researchers alike.

In truth, the open-source nature of the system makes it stronger and more resilient. White hat hackers can more easily discover errors in an open source system and report them, so these security holes do not remain unpatched or repaired for a long time.

By the way, the “core” of WordPress is a very secure software. In fact, you can make it even safer by applying a few small tricks. I recommend reading the official article below: https://wordpress.org/support/article/hardening-wordpress/

 

How are WordPress websites hacked?

Now that you know why people try to hack websites, let's look at the most common ways they succeed.

According to the WP Template graphics, these are the most common points for hacking pages:

• 41% are attacked through weak points in the hosting
• 29% through the uncertain topics (template).
• 22% through weak plugins
• 8% due to weak passwords

As you can see in the first point, the most common transition is through the hosting provider. This does not necessarily mean that your site's hosting was directly attacked. It's also possible that another site in the shared hosting environment was hacked and everyone else's website went along with it.

What is alarming is that more than half of successful attacks are carried out via WordPress themes and plugins. So this part requires special attention and I will talk about it in detail below.

And 8% of sites suffer from inadequate password protection. While 8% doesn't seem like a lot, given the popularity of WordPress, this number means hundreds of thousands of pages.

I previously published an article on the vulnerability and protection of login interfaces, it is worth reading.

How do I find out that my site has been hacked?

Many people have the question, how can I see that my page has been hacked? What are the signs of hacking? Here are some telltale signs:

• Security Plugins Send Alerts – If you use one of the many security plugins, you will most likely receive an email alert the moment your site is accessed. Despite the damage, this is the most optimal scenario, because you get the bad news almost immediately.
• You can't log in to the admin interface - One of the most common abuses is when someone steals your login data (or takes it with a strong attack). In this case, they can change your account information, so you can't access your page and you have to take other steps to access it.
• WordPress site redirects to another website - One of the common ways to abuse websites is to redirect visitors to other sites that often sell illegal products. If you notice or receive an e-mail about this from a visitor, you can be sure that someone has gained unauthorized access to your server.
• Strange links appear on the site - Another way to divert users from the website is to place spam links on the hacked site. That's why it's always worth checking your page to make sure everything looks the way you remember it.
• Google Marks Your Site as Dangerous - Google sometimes marks hacked pages as dangerous in its results. Along with this, Google Search Console will probably notify you in the Security Issues section.
• In-Browser Alerts – Chrome and other browsers notify users when it detects phishing attacks, malware, cross-linking, or other dangerous content on the website you're trying to access. If you or someone else gets a warning while opening your website, it doesn't mean much good.
• The web host takes your site offline - In some cases, the web host itself receives messages from users about hacked sites that they host, or they have a system that filters out these web pages. In many such cases, your site will be taken offline, which you will notice quickly. A good web host will also notify you of the problem.
• Antivirus indicates a problem - Attacks are often completely hidden and cannot be easily detected. That's why resourceful website owners sometimes run a virus scan. Sucuri Site Check (https://sitecheck.sucuri.net) is a good option. With its help, you will get to know the problems and be able to take action against them.
• Unexpected traffic spikes – Hackers sometimes use hacked websites to preview their own viral and flagged pages. In order to avoid a spam alert, visitors are redirected to another website using your domain. If you're experiencing unexplained traffic problems, run a virus scan.

Although the list is not complete, it describes quite a few methods that you can use to spot if there is a problem with your site. If in doubt, run a virus scan.

How do I restore my site after a hack / infection?

Stay calm

At first, the most you can do in such a case is to remain calm. It is natural that you want to solve the problem as soon as possible, but hasty actions can cause further damage.

Therefore, the first and most important thing is to take a deep breath, calm down and assess the terrain before doing anything. You'll have some time to build a viable plan before things get worse.

Here's a list to walk you through:

• Can you log in to the WordPress admin interface?
• Is your WordPress website redirecting to another website?
• Does your WordPress website contain unknown external links?
• Does Google mark your site as untrustworthy?

Write this list down, as it will help you when you negotiate with your hosting company or when you go through the steps below to solve the problem.

Another important thing is to change your passwords before you start cleaning. You should also change your passwords after you finish removing the malware.

Make a backup of what's left

While it may seem pointless to back up a hacked website, it's important to remember that there's a lot more to it than hacked system files.

As I already mentioned, some hosting providers automatically delete websites from their servers that are under attack. Since images and other media content are difficult to replace if lost, it's a good idea to keep copies of them when you need to rebuild the site later.

Therefore, as a first step, try to save what can be saved. There are quite a few backup methods available for WordPress, but you can also create a backup manually. Do this, but clearly mark it as a backup containing a virus.

Be a professional

Website security is a serious matter. If you don't feel like struggling with coding, servers, and other technical stuff, you need to hire someone to do it all for you.

Hackers love to make things difficult for web developers by hiding malicious code in multiple places, making it difficult to clean up or allowing the site to be re-infected. For this reason, the best option is to ask a professional web developer to perform these tasks, which often saves you time.

If you still want to get to the bottom of the problem yourself, I have collected a few ideas in the list below.

Check your own machine

In many cases, attacks against your website can be launched from your own computer. If a hacker got into your computer, it is quite possible that your website was also accessible to them. The malware on your computer monitors your keystrokes while you enter the WordPress admin with your username and password. From there, the path to infecting the website is straightforward.

That's why I recommend that you install and run a full virus/malware scan on your computer and make sure your operating system is up to date. This is the only way to know for sure that the problem didn't start on your machine and to reduce the chances of getting infected again after you've gotten rid of them.

Check with your hosting provider

The first person you should consult with in this case is your hosting provider. Better service providers are prepared for such emergencies and helpful. In many cases, the team of system administrators can solve problems independently.

Also, your hosting provider may be interested in a malware that can infect multiple sites. Especially in a shared hosting environment, if someone gained access to the server without permission, they might be able to access several websites on the same machine.

As a last resort, if you talk to your service provider, you might be able to get more information on how to resolve the issue.

Restore from backup

If you have a backup of your WordPress site, the best option is to restore the site from a backup made at a point before it was hacked. If you can do that, you've got a win.

However, if you have a website that is updated daily, you risk losing blog posts, comments, etc. In this case, you weigh the pros and cons.

In the worst case, if you don't have a backup or if your site has been hacked for a long time and you don't want to lose your content, you can manually screen for malware.

Identify the pathogen and eliminate it

Take a look at your WordPress site and delete all inactive WordPress themes and plugins. This is where the loophole for hackers is most often hidden.

Backdoor, as a concept, refers to the evasion of normal security authentication and remote access to the server when it remains undetected. Most smart hackers upload the backdoor as the first step every time. This gives them access again, even though you've deleted the malicious code.

Install the following plugins on your website: Sucuri WordPress Auditing, Theme Authencity Checker (TAC).

Once you're done with these, Sucuri will notify you about the integrity of the core WordPress files. In other words, it shows you where the hack is hiding.

The most common places are the theme and plugin directories, the uploads directory, wp-config.php, the wp-includes directory, and the .htaccess file.

Next, run the Theme Authencity Checker. If it finds any suspicious or malicious code in your themes, it will display a "details" button next to the theme with a link to the infected theme file. It also shows the malicious code.

Here you can remove the hack in two ways. You either remove the code manually or overwrite the file with the original. For example, if your WordPress core files have been poked, re-upload the files from a new download or re-upload all files to be safe.

The same goes for theme files. Download a new copy and overwrite the poked files with the new ones. However, do this only if you have not changed the original WordPress theme codes in the first place, otherwise you will lose them.

Repeat the same step with all plugins.

You also need to make sure that the theme and plugin folder are the same as the old one. Sometimes hackers upload new files that look like the plugin file name and are easily overlooked, eg hell0.php, Adm1n.php, etc.

Repeat this step until the hack disappears.

Check user permissions, secure user accounts

Take a look at the WordPress user section and make sure that only you and members you trust have admin access to the site.
If you see a suspicious user, delete it.

Change your security keys (SALTs)

Since WordPress 3.1, WordPress generates a security key that encrypts your passwords. If a user has stolen their password and is currently logged in to the site, they will remain logged in as long as the cookies are valid. To disable cookies, you need to create new security keys and add them to your wp-config.php file.

Change password

If you suspect or know that your site has been hacked, the first thing you should do is change your password. With this, you can prevent someone who illegally gained access to your login data from logging in.

Once you're done with that, force users with admin rights to change their password as well. The Expire Passwords plugin does this work for you. But you can even change their passwords yourself in the Users menu and send them the new passwords.

How to prevent hacking or virus infection?

WordPress security is all about being proactive. You know the saying, better safe than sorry, especially on the web.

Here are the best ways to prevent your WordPress website from being hacked and infected.

Choose a quality, reliable hosting provider

One thing that is clear from the statistics is that the quality of the hosting provider has a big impact on the security of your site.

Therefore, choosing a reputable service provider that pays a lot of attention to security should be at the top of your priority list.

In addition to supporting the latest PHP and MySQL versions, it is extremely important to perform at least regular mailware checks and daily backups.

For us WordPress users, it's a good idea to choose a hosting service that specializes in running websites by platform and provides a WordPress-optimized environment and knowledgeable team.

Also, if possible, stay away from a shared hosting solution to avoid bad neighbor issues like the example mentioned earlier.

Make regular backups

Although the steps mentioned in this list will seriously strengthen the security of your website, there is no 100 percent guarantee that you will avoid the site being hacked.

This is not because WordPress is inherently insecure, but because anything connected to the Internet is at some level at risk regardless of the level of threat we are talking about.

So, while it's good to hope for the best, it's also important to be prepared for the worst, which for website owners means making regular backups.

If you already have a quality hosting provider, they should take care of this, your job is to keep a copy of the site in a safe place.

For everyone else and those who want to be even more secure, you can choose from the following backup plugins:

• Duplicator
• UpdraftPlus
• WordPress Backup to Dropbox
• BackupBuddy (paid)
• VaultPress (paid)
• CodeGuard (paid)
• BlogVault (paid)

Keep WordPress up to date

Updates not only bring new WordPress features and code fixes, but also fix security issues in older versions.

This is especially true for security updates, which are solely intended to fix such things. According to WP WhiteSecurity, 70% of the most popular WordPress sites showed various vulnerabilities due to running old versions of WordPress.

For these reasons, it is very important to keep up with WordPress updates. This is not so complicated lately, since since WordPress 3.7 security updates are done automatically.

Maintain WordPress themes and plugins

As mentioned above, more than half of the attacks are carried out through poor WordPress plugins and themes.

Although this sounds quite dramatic, you should not doubt the reliability of the WordPress ecosystem.

Even the best, most maintained plugins can have security issues. Accidents happen, but in most cases they are fixed before they become a problem for many.
To reduce the risks to your site, here are a few suggestions on how to manage plugins and themes:

• Remove everything you can - To reduce the possibility of vulnerability, get rid of all plugins and themes that are not absolutely necessary. You'd be surprised how many are out there without any functionality. Either way, it can greatly speed up your site speed.
• Update regularly – Like the foundation of WordPress itself, parts of it need to be kept up to date. This also means that if a plugin hasn't been updated by its author for more than 1 year, you may need to look for an alternative plugin that is regularly updated.
• Check before installing – Do not install plugins and themes from unreliable sources, especially free ones. When you add components to your website, run Theme Check, Plugin Check and the database for vulnerable plugins.

There is also an option to update themes and plugins automatically, but like WordPress core, I recommend doing this manually to avoid hacking without your knowledge.

Change your login data/password

The default WordPress login is “admin” and most hackers know this. You need to change this to something else that is hard to figure out. For something like "gipsjakab259" or "jakab28gipsz", these are good examples. It is best to delete the basic admin and create new custom usernames.

I recommend using strong passwords that contain upper and lower case letters, numbers and symbols. E.g. "gipszJakab28!@" or "JakabEStarsaKft6@!" will be a sufficiently strong password.

Most hackers try to attack the password, so if your password is strong enough, it won't be a problem.

Add WordPress keys to wp-config.php file

Adding keys is also an important security measure. These keys work as a salt with WordPress cookies, providing better encryption for user data.

Use the WordPress Key Generator to generate these keys. Open the wp-config.php file, find the following lines and replace them with the generated texts:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

Save it and you're done!

Change table prefix

The default table prefix in wordpress is wp_. I know you know this and I'm sure the hackers do too. SQL Injections attacks are easier when the default table prefix is present because it is easier to guess. A good prefix e.g. "gipszkft59".

It is highly recommended to change your database table prefix and you can do this in two ways. The manual mode requires some work and is not for beginners; in this case, WP Security Scan makes our life easier. It has a tab called “Database”. Once you're there, there's the option to rename the entire board to a name that's hard to guess. Do this and you will be one step closer to strengthening the security of your website.

Prevent WordPress hacking by preventing crawlers from indexing the admin section

Search robots crawl your entire website and index all content, unless they are blocked from doing so. We don't want the admin panel to be indexed as it contains a lot of private information. The easiest way to ban it is to add a robot.txt file to the root directory. Paste the following code into the file:

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

htaccess breaches

.htaccess (hypertext access) is the default name for directory-level configuration files, which gives permission for decentralized management of the configuration if placed inside the web folder structure. .htaccess files are often used to define security restrictions for a given directory. This tip doesn't necessarily fit in the list, but you should be familiar with .htaccess as it can help prevent hacking.

Protect your .htaccess file

After tinkering with your .htaccess file to protect your blog from hackers, I can't just leave the .htaccess file open to attack. The hack below prevents external access to .htaccess. Simply put the code in the .htaccess file at the root of your domain.

No library browsing

Allowing visitors to browse the entire library is not a good idea. This is an easy way to learn about the directory structure and gives hackers a chance to find security holes.

To stop this, just paste these 2 lines into your .htaccess file inside the root directory of your WordPress site.

# disable directory browsing
Options All -Indexes

Make your wp-config.php file secure

wp-config.php is important because it contains all the sensitive data and configuration of your blog, so we need to protect it through the .htaccess file. Simply paste the following code into the .htaccess file in the root directory

The code denies everyone access to the wp-config.php file.

Restrict access to Wp-Content Directory

Wp-content includes everything. It is an important folder, so it must be protected. It is not recommended that users access unsolicited/other types of data while browsing. Users are only allowed to view certain file types, such as image files (jpg, gif, png), Javascript, css and XML.
Place the code below in the .htaccess file inside the wp-content folder (not in the root directory).

Protect your WordPress admin files

Wp-admin can only be accessed by you and your co-authors. You should use .htaccess to restrict access and only allow specific IP addresses to this area.

If you have a static IP address and always edit the page from your computer, then this could be a good choice for you. However, if several users edit the page from different machines, with non-static IP addresses, then this solution may not be applicable.

It is very unpleasant if your website is hacked, but unfortunately it can happen to almost anyone

Having your WordPress site hacked or infected with a virus is not a pleasant experience, nobody wants it. But it happens, even to the best.

If the worst comes to worst, I hope this guide will help you resolve the issues and get back to normal. If the above information is not enough to restore your site, don't delay, call a professional web developer! If your website is part of your life (as many of us are), then it's a sensible investment.

In short: be proactive!

Having your WordPress site hacked or compromised is something that not too many website owners want to experience, and they won't soon forget if they have.

Recovering from a fully successful hacker attack requires a lot of energy, fortitude and, in many cases, money.

Although facing security problems is an inherent part of website development, it is better to be safe than sorry and then suffer the consequences.

Fortunately, WordPress itself is very secure. In most cases, the entry point for hackers is the hosting environment itself, vulnerable plugins and themes, or weak login data.
The above-mentioned list helps you identify the most common problems and makes your site much more immune to attacks.

Many of the steps mentioned above are part of the plugins below, which is why it's worth taking a look:

• BulletProof Security - https://hu.wordpress.org/plugins/bulletproof-security/
• Sucuri Security - https://kb.sucuri.net/plugins 
• iThemes Security - https://ithemes.com/security/ 
• Wordfence - https://www.wordfence.com 

Remember, if something goes wrong, the first step is to stay calm and put together a backup plan to mitigate the damage and restore the website. I hope this article will help you!