If your site has been hacked, Don’t Panic.
This article will describe how to clean your site if it has been hacked and infected with malicious code, backdoors, spam, malware or other nastiness. This article was updated on Friday March 8th, 2018 with additional resources to help clean specific infection types. This article is written by Mark Maunder, the founder of Wordfence. I’m also an accredited security researcher, WordPress developer and I own and operate many of my own WordPress powered websites including this one. Even if you aren’t running WordPress, this article includes several tools that you can use to help clean your site from an infection.
If you are running WordPress and you have been hacked, you can use Wordfence to clean much of the malicious code from your site. Wordfence lets you compare your hacked files against the original WordPress core files, and the original copies of WordPress themes and plugins in the repository. Wordfence lets you see what has changed (do a diff) and gives you the option to repair files with one click and take other actions.
Have you really been hacked?
If you suspect you have been hacked, first make sure that you HAVE actually been hacked. We sometimes get panicked site administrators contacting us thinking they’ve been hacked when their site is just misbehaving or they are seeing spammy comments and can’t tell the difference between that and a hack.
Your site has been hacked if:
- You are seeing spam appearing in your site header or footer that contains adverts for things like pornography, drugs, illegal services etc. Often it will be injected into your page content without any thought for presentation, so it might appear as dark text on a dark background and not be very visible to human eyes (but the search engines can see it)
- You do a site:example.com (replace example.com with your site) search on Google and you see pages or content that you don’t recognize and that looks malicious.
- You receive reports from your users that they are being redirected to a malicious or spammy website. Pay special attention to these because many hacks will detect that you are the site administrator and not show you anything spammy but will only show spam to your visitors or to the search engine crawlers.
- You receive a report from your hosting provider that your website is doing something malicious or spammy. For example, if your host tells you that they are getting reports of spam email that contains a link to your website, this may mean you have been hacked. What the hackers are doing in this case is sending spam from somewhere and using your website as a link to redirect people to a website they own. They do this because including a link to your website will avoid spam filters while including a link to their own website will get caught in spam filters.
- Wordfence detects many of these problems and a lot that I haven’t mentioned here, so pay attention to our alerts and respond accordingly.
Back up your site right now. Here’s why:
Once you’ve ascertained that you’ve been hacked, back up your site immediately. Use FTP, your hosting provider’s backup system or a backup plugin to download a copy of your entire website. The reason you need to do this is because many hosting providers will immediately delete your entire site if you report that it has been hacked or if they detect this. Sounds crazy, but this is standard procedure in some cases to prevent other systems on their network from getting infected.
Make sure you also back up your website database. Backing up your files and database should be your first priority. Get this done, then you can safely move on to the next step of cleaning your site comfortable with the knowledge that at least you have a copy of your hacked site and you won’t lose everything.
Things you should know before cleaning a WordPress site that has been hacked:
Here are the rules of the road when cleaning your site:
- You can usually delete anything in the wp-content/plugins/ directory and you won’t lose data or break your site. The reason is because these are plugin files that you can reinstall and WordPress will automatically detect if you’ve deleted a plugin and will disable it. Just make sure to delete entire directories in wp-content/plugins and not just individual files. e.g. if you want to delete the Wordfence plugin, you must delete wp-content/plugins/wordfence and everything under that directory including the directory itself. If you only delete a few files from a plugin you can leave your site inoperable.
- You usually only have one theme directory that is used for your site in the wp-content/themes directory. If you know which one this is you can delete all other theme directories. Beware if you have a “child theme” you may be using two directories in wp-content/themes – although this is rare.
- The wp-admin and wp-includes directories very rarely have new files added to them. So if you find anything new in those directories it has a high probability of being malicious.
- Watch out for old WordPress installations and backups. We often see sites infected where someone says “But I kept my site up-to-date and had a security plugin installed so why did I get hacked”. What sometimes happens is you or a developer will back-up a copy of all your site files into a subdirectory like ‘old/’ that is accessible from the web. This backup is not maintained and even though your main site is secure, a hacker can get in there, infect it and access your main site from the backdoor they planted. So never leave old WordPress installations lying around and if you do get hacked, check those first because it’s likely they are full of malware.
A few useful tools:
If you have SSH access to your server, sign in and run the following command to see all files that were modified during the last 2 days. Note that the dot indicates the current directory. This will cause the command below to search the current directory and all subdirectories for recently modified files. (To find out what your current directory is in SSH, type ‘pwd’ without quotes).
find . -mtime -2 -ls
Or you can specify a specific directory:
find /home/yourdirectory/yoursite/ -mtime -2 -ls
Or you can change the search to show files modified in the last 10 days:
find /home/yourdirectory/yoursite/ -mtime -10 -ls
We suggest that you do the search above and gradually increase the number of days until you start seeing changed files. If you haven’t changed anything yourself since you were hacked, it’s very likely that you will see the files that the hacker changed. You can then edit them yourself to clean the hack. This is by far the most effective and simple way to find out which files were infected and it is used by every professional site cleaning service.
Another useful tool in SSH is ‘grep’. For example to search for files that contain base64 (commonly used by hackers) you can run the following command:
grep -ril base64 *
This will just list the file names. You can omit the ‘l’ option to see the actual contents of the file where the base64 string occurs:
grep -ri base64 *
Keep in mind that “base64” can occur in legitimate code as well. Before you delete anything, you’ll want to make sure that you are not deleting a file that is being used by a theme or plugin on your site. A more refined search could look like this:
grep --include=*.php -rn . -e "base64_decode"
This command searches all files recursively that end with .php for the string “base64_decode” and prints the line number so that you can more easily find the context that the string occurs in.
Now that you know how to use ‘grep’, we recommend that you use grep in combination with ‘find’. What you should do is find files that were recently modified, see what was modified in the file and if you find a common string of text like “bad hacker was here” then you can just grep all your files for that text like so:
grep -irl "bad hacker was here" *
and that will show you all infected files containing the text “bad hacker was here”.
If you clean a lot of infected sites you will start noticing patterns in where malicious code is commonly found. One such place is the uploads directory in WordPress installations. The command below shows how to find all files in the uploads directory that are NOT image files. The output is saved in a log file called “uploads-non-binary.log” in your current directory.
find public_html/wp-content/uploads/ -type f -not -name "*.jpg" -not -name "*.png" -not -name "*.gif" -not -name "*.jpeg" >uploads-non-binary.log
Using the two simple command line tools “grep” and “find” you can clean an entire infected website. How easy is that! I bet you’re ready to start your own site cleaning business at this point.
How to clean your hacked WordPress site with Wordfence:
Now that you have some powerful tools in your arsenal and you’ve already done some basic cleaning, lets launch Wordfence and run a full scan to clean your site. This step is important because Wordfence does some very advanced searching for infections. For example:
- We know what all WordPress core files, and open source themes and plugins should look like so we can tell if one of your source files are infected even if it’s a new infection that no one has ever seen before.
- We search using complex regular expressions for infection signatures and our database of known infections is continually updated. You can’t do this with simple unix command line tools or CPanel.
- We search for malware URLs using the Google Safe Browsing list.
- We use many other data sources like SpamHaus to find malware and infections on your system.
How to clean your hacked site using Wordfence:
- Upgrade your site to the newest version of WordPress. If you are running a version of WordPress prior to WordPress 5.x.x then we recommend you read this article here before upgrading to the latest version of WordPress.
- Upgrade all your themes and plugins to their newest versions.
- Change all passwords on the site, especially admin passwords.
- Make another backup and store it separately to the backup we recommended you make above. Now you have an infected site but that site is running the newest version of everything. If you break anything while cleaning your site using Wordfence you can go back to this backup and you don’t have to retrace all the steps above.
- When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
- Examine any suspicious files and either edit those files by hand to clean them or delete the file. Remember that you can’t undo deletions. But as long as you took the backup we recommended above, you can always restore the file if you delete the wrong thing.
- Look at any changed core, theme and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
- Slowly work your way through the list until it is empty.
- Run another scan and confirm your site is clean.
- If you still need help, we offer a commercial site cleaning service. You can find out more by emailing email@example.com with the subject “Paid site cleaning service”.
I have a file that looks suspicious, but I’m not sure if it is. How can I tell?
Email it to us at firstname.lastname@example.org and we’ll let you know. If you don’t receive a reply, either your mail system or ours may have discarded the message thinking it was malicious because of your attachment. So please email us a message without the attachment letting us now that you’re trying to send us something and we’ll try to help get it through.
Where can I find help cleaning a specific kind of infection?
The Wordfence Learning Center has a range of articles that will help you. Here is a list of articles that will help you with specific infection types:
I’ve cleaned my hacked WordPress site but Google Chrome is still giving me the malware warning. What should I do?
You need to get your site removed from the Google Safe Browsing list. Read this Google document on how to clean your site. Here are the steps:
- First sign-in to Google Webmaster Tools.
- Add your site if you haven’t already.
- Verify your site, following Google’s instructions.
- On the Webmaster Tools home page, select your site.
- Click Site status, and then click Malware.
- Click Request a review.
My site visitors are getting warnings from other security products and anti-virus systems. What should I do?
Getting off the Google Safe Browsing list is a big step, but you may have some work ahead of you. You need to keep a list of every anti-virus product that is saying your site is infected. This may include products like ESET anti-virus, McAfee’s Site Advisor and others. Visit each anti-virus makers website and find their instructions for removing your site from their list of dangerous sites. This is often called “whitelisting” by anti-virus makers, so Googling for terms like ‘whitelisting’, ‘site removal’, ‘false positive’ and the product name will usually lead you to the place where you can get your site removed.
How can I manually check if my site is listed on Google’s Safe Browsing List?
Visit the following URL and replace example.com with your own site address.
You can include a sub-directory if your site has one. The page that appears is very plain, but contains detailed information about the current status of your site, why it is listed on Google’s malware or phishing list (The google safe browsing list is actually two lists) and what to do next.
What to do once your site is clean:
Congratulations if you have managed to clean your site. Now you need to make darn sure it doesn’t get hacked again. Here’s how:
- Install Wordfence and run regular scans on your WordPress site.
- Make sure WordPress and all plugins and themes are kept up to date. This is the most important thing you can do to secure your site.
- Make sure you use strong passwords that are hard to guess.
- Get rid of all old WordPress installations lying around on your server.
- Sign up for our security alert mailing list at the bottom of our home page to get alerted to important security updates related to WordPress: http://www.wordfence.com/