If your site has been hacked, Don’t Panic.
This article will describe how to clean your site if it has been hacked and infected with malicious code, backdoors, spam, malware or other nastiness. This article was updated on Friday March 20th, 2015 with additional tools you can use to clean your site. This article is written by Mark Maunder, the founder of Wordfence. I’m also an accredited security researcher, WordPress developer and I own and operate many of my own WordPress powered websites including this one. Even if you aren’t running WordPress, this article includes several tools that you can use to help clean your site from an infection.
If you are running WordPress and you have been hacked, you can use Wordfence to clean much of the malicious code from your site. Wordfence lets you compare your hacked files against the original WordPress core files, and the original copies of WordPress themes and plugins in the repository. Wordfence lets you see what has changed (do a diff) and gives you the option to repair files with one click and take other actions.
If you suspect you have been hacked, first make sure that you HAVE actually been hacked. We sometimes get panicked site administrators contacting us thinking they’ve been hacked when their site is just misbehaving or they are seeing spammy comments and can’t tell the difference between that and a hack.
Your site has been hacked if:
Once you’ve ascertained that you’ve been hacked, back up your site immediately. Use FTP, your hosting provider’s backup system or a backup plugin to download a copy of your entire website. The reason you need to do this is because many hosting providers will immediately delete your entire site if you report that it has been hacked or if they detect this. Sounds crazy, but this is standard procedure in some cases to prevent other systems on their network from getting infected.
Make sure you also back up your website database. Backing up your files and database should be your first priority. Get this done, then you can safely move on to the next step of cleaning your site comfortable with the knowledge that at least you have a copy of your hacked site and you won’t lose everything.
Here are the rules of the road when cleaning your site:
If you have SSH access to your server, sign in and run the following command to see all files that were modified during the last 2 days. Note that the dot indicates the current directory. This will cause the command below to search the current directory and all subdirectories for recently modified files. (To find out what your current directory is in SSH, type ‘pwd’ without quotes).
find . -mtime -2 -ls
Or you can specify a specific directory:
find /home/yourdirectory/yoursite/ -mtime -2 -ls
Or you can change the search to show files modified in the last 10 days:
find /home/yourdirectory/yoursite/ -mtime -10 -ls
We suggest that you do the search above and gradually increase the number of days until you start seeing changed files. If you haven’t changed anything yourself since you were hacked, it’s very likely that you will see the files that the hacker changed. You can then edit them yourself to clean the hack. This is by far the most effective and simple way to find out which files were infected and it is used by every professional site cleaning service.
Another useful tool in SSH is ‘grep’. For example to search for files that contain base64 (commonly used by hackers) you can run the following command:
grep -ril base64 *
This will just list the file names. You can omit the ‘l’ option to see the actual contents of the file where the base64 string occurs:
grep -ri base64 *
Keep in mind that “base64” can occur in legitimate code as well. Before you delete anything, you’ll want to make sure that you are not deleting a file that is being used by a theme or plugin on your site. A more refined search could look like this:
grep --include=*.php -rn . -e "base64_decode"
This command searches all files recursively that end with .php for the string “base64_decode” and prints the line number so that you can more easily find the context that the string occurs in.
Now that you know how to use ‘grep’, we recommend that you use grep in combination with ‘find’. What you should do is find files that were recently modified, see what was modified in the file and if you find a common string of text like “bad hacker was here” then you can just grep all your files for that text like so:
grep -irl "bad hacker was here" *
and that will show you all infected files containing the text “bad hacker was here”.
If you clean a lot of infected sites you will start noticing patterns in where malicious code is commonly found. One such place is the uploads directory in WordPress installations. The command below shows how to find all files in the uploads directory that are NOT image files. The output is saved in a log file called “uploads-non-binary.log” in your current directory.
find public_html/wp-content/uploads/ -type f -not -name "*.jpg" -not -name "*.png" -not -name "*.gif" -not -name "*.jpeg" >uploads-non-binary.log
Using the two simple command line tools “grep” and “find” you can clean an entire infected website. How easy is that! I bet you’re ready to start your own site cleaning business at this point.
Now that you have some powerful tools in your arsenal and you’ve already done some basic cleaning, lets launch Wordfence and run a full scan to clean your site. This step is important because Wordfence does some very advanced searching for infections. For example:
How to clean your hacked site using Wordfence:
Email it to us at firstname.lastname@example.org and we’ll let you know. If you don’t receive a reply, either your mail system or ours may have discarded the message thinking it was malicious because of your attachment. So please email us a message without the attachment letting us now that you’re trying to send us something and we’ll try to help get it through.
You need to get your site removed from the Google Safe Browsing list. Read this Google document on how to clean your site. Here are the steps:
Getting off the Google Safe Browsing list is a big step, but you may have some work ahead of you. You need to keep a list of every anti-virus product that is saying your site is infected. This may include products like ESET anti-virus, McAfee’s Site Advisor and others. Visit each anti-virus makers website and find their instructions for removing your site from their list of dangerous sites. This is often called “whitelisting” by anti-virus makers, so Googling for terms like ‘whitelisting’, ‘site removal’, ‘false positive’ and the product name will usually lead you to the place where you can get your site removed.
Visit the following URL and replace example.com with your own site address.
You can include a sub-directory if your site has one. The page that appears is very plain, but contains detailed information about the current status of your site, why it is listed on Google’s malware or phishing list (The google safe browsing list is actually two lists) and what to do next.
Congratulations if you have managed to clean your site. Now you need to make darn sure it doesn’t get hacked again. Here’s how: