You are checking out how your site is ranking in Google today and notice your website description has been hijacked by Viagra salespeople.
You type in the address to your site and your site doesn’t load…
You’ve been hacked!
First, take a deep breath. Getting hacked stinks. It feels like you’ve been invaded, robbed, taken advantage of. And cleaning it up is going to take some time and concentration. But your site can be back up and running and more secure today.
I suggest checking out WordPress.org’s checklist on what to do if your WordPress site gets hacked before going through this list. I take the strict approach when it comes to cleaning out a site, but other options are presented there that may fit your needs better. And it’s always good to get a second opinion.
Now let’s clean your site!
Salvage the Old Site
1. If you can access the dashboard, export all pages, posts, categories, tags, and media from the site using the Tools–>Export function. If you can no longer access your dashboard, you’ll need to do a database dump via your host account. Instructions vary by host on how to do this, so if you’re unsure, contact your hosting provider.
2. Download, via FTP, the wp-content folder from the corrupt site.
3. Make good notes about any custom menus you’ve created, as these won’t be in the export file or in the wp-content folder.
4. Also make good notes about any widgets you have – their contents, settings, placement, order, etc. – as these aren’t in the export file or wp-content folder either.
5. Lastly, go through the whole Settings area of the dashboard and make note of anything customized there. Most folks have only changed the Settings–>General area, but be absolutely sure you also record the settings in the Settings–>Permalink menu: if your new clean site has a different permalink structure, visitors arriving from search engine results won’t end up at the right content (they will likely get a 404 error screen). Do not take note of settings related to plugins that may be in the Settings area, as these will be pulled in when you re-upload the contents of your wp-content folder.
Attempt Recreation of the Site at Another Location (a.k.a. Cover Your A$$)
6. At another location, do a fresh WordPress install with a brand new database (don’t use the same DB name, username, or password as the old install) and a new WordPress username and password. A completely different domain is preferred, but a subdirectory of the existing site is acceptable if that’s the only option.
7. Import the .xml file exported from the old site.
8. Upload the contents of the old site’s wp-content folder to the new install’s wp-content folder. I like to get choosy here and re-upload only the specific theme I know I want to use, and do the same for the plugins. This minimizes the risk of putting a vulnerability right back into the new clean site.
9. Using your perfect notes, recreate your custom menus, widgets and widget areas, and Settings.
10. Check out the site. Does it look just like the old one? Does it operate as it should? Great. Now that you’re sure you have a (hopefully) clean version of your site working, let’s go trash the corrupt site.
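The selective re-upload in step 8 can be backed by a quick triage of the downloaded wp-content copy before any of it goes to the new install. The script below is an added example, not part of the original post; the allowlists, function names and sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage a downloaded wp-content copy before re-uploading it.
# The allowlist arguments are hypothetical; fill them from your own notes.

# PHP-like files under uploads/: this directory should hold media only.
php_in_uploads() {
  find "$1/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \
    -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Theme/plugin directories NOT on the allowlist, i.e. ones to leave behind.
# $1 = wp-content path, $2 = "themes" or "plugins", $3 = space-separated names
not_allowlisted() {
  local d name
  for d in "$1/$2"/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    case " $3 " in
      *" $name "*) ;;                        # on the allowlist: keep
      *) printf '%s\n' "$2/$name" ;;         # not listed: do not re-upload
    esac
  done
}

# PHP files containing constructs often used to hide injected code.
# A hit means "read this file by hand", not proof of compromise.
suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(' {} + \
    2>/dev/null | sort
}

# Constructed sample tree so the script runs offline.
make_sample() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/uploads/2020/01" "$root/themes/mytheme" \
           "$root/themes/oldtheme" "$root/plugins/contact-form"
  : > "$root/uploads/2020/01/photo.jpg"
  echo '<?php /* constructed placeholder */' > "$root/uploads/2020/01/cache.php"
  echo '<?php echo "hello";' > "$root/themes/mytheme/index.php"
  echo '<?php eval(base64_decode($x));' > "$root/themes/mytheme/footer.php"
  echo '<?php // plugin' > "$root/plugins/contact-form/plugin.php"
  printf '%s\n' "$root"
}

WP=$(make_sample)
echo "== PHP in uploads ==";         php_in_uploads "$WP"
echo "== themes to leave behind =="; not_allowlisted "$WP" themes "mytheme"
echo "== review before upload ==";   suspicious_php "$WP/themes/mytheme"
rm -rf "$WP"
```

Against a real download, point the three functions at your local wp-content copy instead of the sample tree. Anything a function prints is a reason to fetch that theme or plugin fresh from its source rather than re-upload the old copy.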
Trash the Corrupt Site & Change Passwords
11. At your host account, delete the database associated with the old site.
12. Via FTP, delete all files contained in your old website’s directory that you had WordPress installed to.
13. Change the FTP password for the host account associated with the site.
Restore the Clean Site at the Permanent Home
14. Go back and repeat steps 6-10, but at the site’s new permanent home. Again, ensure all usernames and passwords are different than they were on the corrupt site, and that they meet “Strong” standards.
When finished, you should have your site up and running and clean again. To keep it that way, stay tuned for my next post where I’ll review the steps to take to keep your WordPress install safe and secure to prevent any further attacks.
A Couple Notes
- If you were keeping good backups of your site to begin with, you may be able to just restore back to a time before the corruption. I personally wouldn’t be comfortable treating this as truly cleaning the site (different backup plugins cover different database parts and files), but in a pinch, or until you have the time to do a full clean-out, this could work.
- Take your time going through all of this. It’s easy to get pretty riled up when you find out your site has been hacked by the Viagra dealer next door, but your site can be cleaned and restored with minimal to no loss of information. Stay on track and you’ll be up and running in no time.