In the course of developing websites we have supported quite a few clients whose sites were compromised, so we have plenty of practice restoring and recovering websites. With our clients we stress the importance of planning, which includes setting up preventative measures to avoid getting hacked in the first place. If a site we look after has been hacked, here is what we typically do.
When your site is hacked there are three important things to do:
It can be tempting to start by fixing your content, but if someone gained access to your system and is still there, you first want to quickly prevent more harm from being done, and only then repair the existing damage.
The first simple thing to do is to have admins change their passwords and then change your authentication keys and salts (the secret constants in wp-config.php). Changing the salts invalidates every existing login cookie, so everyone currently logged in to WP-Admin is kicked out. With new passwords in place, an attacker holding the old credentials will not be able to log in again.
If you cannot quickly reach an admin to have them change their password, demote that account to a lower-permission role.
Once this is done, review every user with admin access and remove or downgrade accounts that no longer need their current access to your site. The WordPress documentation has a comprehensive summary of Roles and Capabilities. Apply the principle of least privilege: if someone doesn’t need the access level they have, give them a lower permission level. Don’t give people a higher access level “just because they might need it.”
Additionally, have at least the admins enable two-factor authentication (2FA). This prevents a stolen password from being used on its own to log in.
Next, take a quick backup of your database. This backup helps you work out what went wrong: you can inspect it in a controlled environment to find the hacked content without touching the live site.
In addition to these technical gates, think about who might have access to your site that shouldn’t. For example, are the accounts of former employees still active? Are any shared accounts being used?
The first step is to determine the nature of the attack. For example, if the contents of a post have been changed, then the database is affected. If one post has been changed, assume that others have been too; attackers often change many posts in the same way. A common example is an injected script tag that redirects visitors to a particular URL. In this case you can search the database for that URL.
A very useful tool for searching the database is WP-CLI. Its database search prints every table, column and row that contains the string you are searching for.
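As an added example (not from the original post), the same hunt carried out offline against the rows of wp_posts exported from the backup taken above: it collects every `<script src>` whose host is not allow-listed, so that posts carrying the same injected URL show up together, and it offers a targeted removal for the cleanup. The sample rows, the `evil.example` URL and the allow-list are constructed for this example; on the live site `wp db search <url>` performs the lookup directly.

```python
import re
from urllib.parse import urlparse

# Constructed rows standing in for wp_posts from the database backup.
# Posts 12 and 15 carry the same injected redirect script; post 20 is clean.
SAMPLE_POSTS = [
    {"ID": 12, "post_title": "Welcome", "post_content":
     '<p>Hello.</p><script type="text/javascript" src="https://evil.example/r.js"></script>'},
    {"ID": 15, "post_title": "About", "post_content":
     "<p>About us.</p><script src='https://evil.example/r.js'></script>"},
    {"ID": 20, "post_title": "Contact", "post_content":
     '<p>Call us.</p><script src="https://www.example.com/wp-includes/js/x.js"></script>'},
]

# Hosts that are allowed to serve scripts into post content (constructed allow-list).
ALLOWED_HOSTS = {"www.example.com"}

# Matches the src attribute of a <script> tag; the lookbehind keeps data-src from matching.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*(?<![\w-])src\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def find_injected_scripts(posts, allowed_hosts):
    """Return {script_url: [post IDs]} for every script source whose host is not allow-listed.

    Grouping by URL shows at a glance how many posts share one injection,
    which is the pattern described above (many posts changed the same way).
    """
    hits = {}
    for post in posts:
        for src in SCRIPT_SRC.findall(post["post_content"]):
            host = (urlparse(src).hostname or "").lower()
            if host not in allowed_hosts:
                hits.setdefault(src, []).append(post["ID"])
    return hits


def strip_script(content, url):
    """Remove every <script src="url"></script> tag from one post body, leaving the rest intact."""
    pattern = re.compile(
        r"<script\b[^>]*(?<![\w-])src\s*=\s*['\"]" + re.escape(url)
        + r"['\"][^>]*>\s*</script>", re.IGNORECASE)
    return pattern.sub("", content)


if __name__ == "__main__":
    for url, ids in find_injected_scripts(SAMPLE_POSTS, ALLOWED_HOSTS).items():
        print(f"{url} injected into posts {ids}")
```

Review the hits before running the removal against the live database: a legitimate third-party script that is not yet on your allow-list shows up in the same report.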
If images on the server have been modified, you can recover them by reverting to an older backup of the image assets. We tend to use UpdraftPlus for backups. We back up the sites we monitor to AWS S3 using permissions that allow writes but not deletions on the bucket, so even if an attacker gets into wp-admin, they cannot delete our database and asset backups. Our code is in version control.
This can be the most difficult step. It is mostly careful detective work. A good starting point is to update WP Core and all plugins to the latest versions.
Sometimes – especially if permissions are not set correctly on the server – the contents of WP Core, themes, or plugins can be changed. If you have these under version control, this can be remedied by discarding the differences. Many security plugins, such as iThemes Pro, can monitor for file changes.
At the end of the day, the single most important thing to have is scheduled backups. If you have code, database, and uploads backups, then you can recover from just about any website hack.
Also, you won’t have to recover from a hacked site very often if you set up your site in a secure manner. Here’s a checklist to keep WordPress Core up to date:
Having your site hacked can be a very stressful event. Making sure that you are doing the things required for a secure WordPress site ahead of time, and spending some time reviewing what to do in case your site is hacked will help ease your mind and make you more prepared.