Disclaimer: I can’t promise that the information below will help you recover your hacked WordPress website, or that the methods used by your attacker(s) were anything like mine. This is the story of how one of my websites got hacked, and how I was able to get it back. I hope the information helps you.
Just recently one of my money sites that uses WordPress got hacked again for the third time. The first time it happened, visitors were shown images and messages from what looked like an ISIS-related extremist group. I am not going to lie, I almost wanted to cry. Especially knowing the fact that I hadn’t backed up my site for more than 7 months, and in that period I managed to post over 200 new articles. The feeling I felt was a mixture of sadness, self-disappointment, and extreme rage.
Like an idiot, I decided to fix the problem myself without really doing any proper research. To make a long story short, in my attempt to “fix” the problem I ended up making it worse and caused some irreversible damage to the site, which resulted in me having to pay GoDaddy a $150 fee to restore my website and all the files I had lost. Ouch! (I now use Hostgator for hosting my money sites, which provides free backups.)
Fast forward a month later and my website gets hacked again. This was especially frustrating because after the first attack, I was able to identify (or so I thought) the problem as a RevSlider plugin exploit and downloaded a patch for it. The patch/plugin worked great; it would cache and blacklist any IP that even attempted to try and use the exploit. To my surprise, it only took a week and it had already blacklisted about 25 IP addresses that the plugin deemed as “suspicious”.
So why was I hacked again? To be honest, I still don’t know. But I was able to fix the problem myself, and I learned a couple of things along the way.
Fast forward another month, and my WordPress is again hacked for the THIRD time. At this point, it’s become a minor annoyance more than anything. The website makes around $150/month using CPA and content locking, so I AM losing money, which is frustrating, but each time I was able to identify the problem quickly and have it fixed within 24 hours.
I have since decided to bite the bullet and ramp up my WordPress security (on all my sites), which I will get further into later. For now, I want to explain how I was able to recover my website myself, and hopefully help others and possibly even save you a $150 restoration fee.
How To Fix A Hacked WordPress Website
One thing I noticed was that all 3 attacks were surprisingly similar in the fact that for the most part, all they really did was delete your index.php file and replace it with its own. This new index.php file would be the file that basically says “Haha, you got hacked by ISIS. F*** your government, we are 1337 hackers” to all your visitors. Although, we all know this is the work of “script kiddies” who probably downloaded the exploit from Astalavista and don’t even know what a basic line of code looks like. If I recall correctly, one of the attacks seemed to infect the main index.php in the main WP folder, and another seemed to infect the index.php in your theme folder.
Now if you read my little introduction, you would know that the only “recent” backups I had at the time weren’t recent at all. Lucky for us, the index.php never really changes unless you change your theme or hard code some changes yourself.
So log into your FTP and remove the infected index.php file(s). I would check/replace both the main index.php and the one in your theme folder just to be safe. (Hopefully you still have the install .zip of your theme, especially if you paid for a premium theme. If you’re using one of the integrated themes WordPress provides, you can still find the .zip installation file online. Simply download it and re-upload the index.php file to its proper folder.)
For the main index.php, use the one from an old backup (if you have one). If not, you will need to download your site’s version of the WordPress .zip installation file and retrieve it from there.
Once you delete the infected index.php file(s) and replace them with the new ones, you should be happy to see that all your posts and content were never lost. (That’s if your attack was anything like mine.) If you’re lucky enough to have a backup, I would use it to replace all the files you can. (There may be a possibility that other files were unknowingly infected.)
Okay so awesome.. my site looks normal, my visitors stopped complaining, and it’s making money again. But wait, I can’t log into my WP-Admin panel! Oh no, what do I do?!
Relax, I had the same problem (the hackers changed my password to lock me out). You will need to create a PHP script that will allow you to override the password manually. Click here and copy the emergency.php source code, save it in your text editor as “emergency.php” and upload the file using FTP to your WordPress folder. Go to yoursite.com/emergency.php and change your password. That’s it. You will want to delete the emergency.php file immediately after changing your password, for obvious reasons. Now you should be able to log into your WP Admin panel using your newly assigned password.
So in a nutshell..
- Delete the infected index.php file(s)
- Replace the deleted file by uploading a new fresh copy of index.php
- Create and upload the emergency.php via FTP
- Navigate to yoursite.com/emergency.php and change your password
- Delete emergency.php and gain back access to your website
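To follow up on the point that other files may have been infected too, the sketch below compares a local copy of the site (downloaded over FTP) against a clean WordPress tree of the same version extracted from the official .zip. It is an added example, not code from this post; the names `audit` and `demo` and the sample files are made up for illustration.

```python
import tempfile
from pathlib import Path

SITE_SPECIFIC = {"wp-config.php"}  # created at install time, never in the clean zip

def audit(site_root, clean_root):
    """Compare a local copy of the site with a clean WordPress tree of the same version."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    clean = {p.relative_to(clean_root).as_posix()
             for p in clean_root.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel in sorted(clean):
        target = site_root / rel
        if target.is_file():
            if target.read_bytes() != (clean_root / rel).read_bytes():
                report["modified"].append(rel)
        elif not rel.startswith("wp-content/"):  # bundled themes may be removed on purpose
            report["missing"].append(rel)
    for path in sorted(site_root.rglob("*.php")):
        rel = path.relative_to(site_root).as_posix()
        if rel in clean or rel in SITE_SPECIFIC:
            continue
        # PHP in uploads, or outside wp-content and not part of core, needs a look
        if rel.startswith("wp-content/uploads/") or not rel.startswith("wp-content/"):
            report["unexpected"].append(rel)
    return report

def demo():
    """Audit two small constructed trees (sample data, not real WordPress files)."""
    core = {"index.php": "<?php // core front controller",
            "wp-login.php": "<?php // core login",
            "wp-includes/version.php": "<?php // core version"}
    live = {**core,
            "index.php": "<?php echo 'defaced';",
            "wp-config.php": "<?php // site settings",
            "emergency.php": "<?php // reset script left behind",
            "wp-content/uploads/2015/img.php": "<?php // dropped file",
            "wp-content/themes/mytheme/index.php": "<?php // third-party theme"}
    del live["wp-login.php"]
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", core), ("site", live)):
            for rel, body in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return audit(Path(tmp, "site"), Path(tmp, "clean"))

if __name__ == "__main__":
    print(demo())
```

Third-party themes and plugins are not in the WordPress .zip, so run `audit` again with the theme folder as `site_root` and the theme's extracted install .zip as `clean_root`.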
Best WordPress Plugins For Security
Here are my top recommendations for WordPress security plugins:
This is a popular WordPress security plugin that finds vulnerabilities in your website and alerts you when something is wrong. It also has brute force protection and will go into “lockdown” mode after so many failed login attempts. It will also detect weak passwords and recommend setting a stronger one if needed. It also has a backup system which you can automate and schedule any time to your liking, then have it e-mailed to you with ease. (This would have come in really handy back then.) It will blacklist any IP that attempts to use common exploit methods such as XSS, CSRF, or SQL injection. Most importantly, it will identify malicious code and alert you when any files have been changed or modified, and will even block unwanted comment spam.
This is also a really great plugin to ramp up your WordPress security, and probably the most popular. Used by thousands of webmasters, this plugin will keep hackers and silly script kiddies at bay and away from your precious content and files. It pretty much does everything All In One WP Security & Firewall can do, and more. You can block certain country IP addresses, set up SMS authentication in the event of a brute force attack, and use a firewall to protect you from fake traffic and botnets. You can also watch your traffic in real time and see if there are any security threats attempting to attack your website.
Extra Security Precautions
- Keep your WordPress up to date. Most new versions are released to patch a current vulnerability in a previous version. These exploits are incredibly easy to find online, and literally anyone (even a kid) can compromise your website.
- Just as important is keeping your WordPress plugins up to date, obviously for the same reason.
- When downloading a new plugin, make sure it’s from a trusted source. You can also go one step further and check online to see if there are any current exploits or vulnerabilities for it. A lot of times a developer will abandon a project, or it takes weeks/months before a patch is released.
- Avoid using admin/Admin as your default administrator name.
- Always use a strong password. Exercise using passwords that include capital letters, numbers, and special characters. The stronger the password, the better.