"Hacked" is a vague label that says little about what actually happened. Make sure you can describe the exact symptoms that make you think you've been hacked, so that whoever helps you knows what to look for.
A few indicators that are definite signs of a hack include:
- Search engines, such as Google, blacklisted the website.
- The website is suspended by the host.
- The website received a warning for distributing malware.
- The website is flagged by your visitors' anti-virus software.
- The creation of new users on the website, an action which was not authorized.
You can use the steps listed below to start following the post-hack procedure. They are not exhaustive, as it would be impossible to consider all eventualities, but they are intended to guide your thinking.
Don't panic
As a website owner, you are probably under a lot of stress when a security issue hits. Whatever everyone has told you ("WordPress is easy!!"), it is also one of the most exposed platforms.
Take a step back and collect your thoughts. By doing so, you will be in a better position to take care of the problem and restore your presence on the Internet.
Incident report
Documentation is the practical first step you should take after being hacked. Take a moment to write down what you are going through, including timings if possible. You should bear in mind the following:
- What leads you to believe that you have been hacked?
- When did you become aware of this problem?
- What actions have you taken recently? Has a new plugin been configured? Did you modify the theme in any way? Modify a widget?
You establish the starting point of a document called an incident report. This document will serve you well over time, whether you intend to manage the incident response yourself or hire a qualified company.
Analyze the website
You have several options for scanning your website, including application-level (plugin-based) scanners and external remote scanners. Each is designed to review and report on different things. Neither option alone is the ideal strategy, but using both together greatly increases your chances of finding the problem.
Plugin-based scanners:
The WP repository also contains a variety of additional related security plugins. The ones listed above with annotations have all been around for quite some time and each has a sizable following.
Examine the local environment
You should scan your local environment in addition to your website. The attack or infection often originates from your local machine (laptop, desktop, etc.). Attackers use locally installed Trojans to sniff login credentials for services such as FTP and /wp-admin, allowing them to log in as the site owner.
Run a full anti-virus and anti-malware scan on your local system. Some malware is able to detect anti-virus programs and hide from them, so consider scanning with a second product as well. This recommendation applies to computers running Windows, OS X, and Linux.
Improve your access controls
Access controls need to be strengthened at every point. For starters, this means using complex, long, and unique passwords. Use a password generator, or see the article How to choose a good password?.
Keep in mind that this involves updating all access points: FTP/SFTP, /wp-admin, cPanel (or whatever other admin panel you use with your hosting account) and MySQL are all examples of access points.
This includes not only your user, but also everyone who has access to the environment.
It is also advisable to consider a two-factor authentication solution. In its most basic form, this requires a second form of authentication each time someone logs in to your WordPress instance.
Here are some of the plugins that can help you:
Reset each access
One of the first things you should do after discovering a hack is to lock down the system to prevent further modifications. Your users are a good place to start. Forcing a global password reset for all users, especially administrators, is one way to achieve this.
Also, you need to disconnect all users that might still be logged in to WordPress. To do this, change the secret keys in wp-config.php (the WordPress key generator will give you new keys). Take these keys and replace the existing values in your wp-config.php file with the new ones. Anyone who is still logged in will be forced to log out.
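The key rotation just described, as an added shell example rather than anything from the original article: it assumes a standard wp-config.php whose eight define( 'AUTH_KEY', ... ) lines follow the stock layout, and it generates the new values locally instead of copying them from the WordPress key generator. It keeps a dated copy of the old file for your incident report.

```shell
#!/bin/sh
# Rotate the WordPress authentication keys and salts in wp-config.php so that
# every existing login cookie becomes invalid. Added example (not from the
# article): assumes the stock define( 'AUTH_KEY', '...' ); layout.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 hex characters (256 bits) from the OS random source; hex is safe inside
# a single-quoted PHP string and inside the sed expression below.
new_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# wp_salt_value CONFIG KEY -> prints the current value of that define
wp_salt_value() {
    sed -n "s|.*define( *'$2', *'\([^']*\)' *);.*|\1|p" "$1"
}

# rotate_wp_salts CONFIG -> replaces all eight values in place
rotate_wp_salts() {
    config="$1"
    # Keep the pre-rotation file; it is evidence for the incident report.
    cp "$config" "$config.bak.$(date +%Y%m%d%H%M%S)"
    for key in $WP_KEYS; do
        secret=$(new_secret)
        # Replace whatever value the define currently holds (works with GNU and BSD sed).
        sed -i.tmp "s|define( *'$key', *'[^']*' *);|define( '$key', '$secret' );|" "$config"
        rm -f "$config.tmp"
    done
}

# Usage: sh rotate-salts.sh /home/user/public_html/wp-config.php
if [ $# -eq 1 ]; then
    rotate_wp_salts "$1"
    echo "Rotated $(echo $WP_KEYS | wc -w | tr -d ' ') keys in $1"
fi
```

Run it once, then confirm with wp_salt_value that none of the eight values still reads "put your unique phrase here"; every session, including the attacker's, is invalidated the moment the file is saved.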
Configure a backup
Now would be a great opportunity to make a backup of your website if you don't have one. Your continued business depends on backups, so you should actively plan for them in the future. Additionally, you need to be aware of your web host's backup policies. If you have a backup, you should be able to restore it and immediately start working on the investigation.
As an aside, you should regularly back up your database and files in case this happens again. Your cPanel account includes the Softaculous tool, which can back up your WordPress installation automatically: How to configure an automatic backup for your installations on Softaculous?
Before proceeding to the cleaning step, it is also advisable to take one more image of the environment as it is now. It is infected, and depending on the type of hack it may be badly damaged, but at least you will have that faulty copy to refer back to in the event of a catastrophic failure during the clean-up.
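One way to take that "faulty copy" of the files so that it can be relied on later, as an added shell example and not a tool from the article or from cPanel: it archives the site directory, records a SHA-256 manifest of every file (so individual files can later be checked against it) and a hash of the archive itself, then makes the artefacts read-only. The directory paths are assumptions; the database dump (from phpMyAdmin, as the article describes) should be stored alongside it.

```shell
#!/bin/sh
# Evidence snapshot of a (possibly infected) site directory before cleaning:
# timestamped tarball + SHA-256 manifest + hash of the archive. Added example;
# paths such as /home/user/public_html are assumptions.

# Portable SHA-256: GNU coreutils has sha256sum, BSD/macOS has shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot_site SITE_DIR OUT_DIR -> prints the path of the created archive
snapshot_site() {
    site="$1"; out="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$out"
    manifest="$out/manifest-$stamp.sha256"
    archive="$out/site-$stamp.tar.gz"
    # Hash every regular file (sorted, so two manifests are diff-able),
    # with paths relative to the site root.
    ( cd "$site" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
      done ) > "$manifest"
    # Archive the whole tree, then hash the archive so tampering is detectable.
    tar -czf "$archive" -C "$site" .
    sha256_of "$archive" > "$archive.sha256"
    # Read-only: the evidence copy must not be edited during clean-up.
    chmod 0440 "$archive" "$archive.sha256" "$manifest"
    echo "$archive"
}

# verify_snapshot ARCHIVE -> succeeds only if the archive still matches its recorded hash
verify_snapshot() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# Usage: sh snapshot.sh /home/user/public_html /home/user/evidence
if [ $# -eq 2 ]; then
    a=$(snapshot_site "$1" "$2")
    verify_snapshot "$a" && echo "snapshot written and verified: $a"
fi
```

Keep the evidence directory outside the web root so it is never served, and note the archive path and its hash in your incident report.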
Locate and eliminate the hack
The most difficult aspect of the whole procedure will be locating and eliminating the hack. The specific actions you should take will depend on various variables, including but not limited to the symptoms mentioned above. Your technical expertise in using websites and web servers will determine how you solve the problem.
There may be a temptation to throw everything away and start over. That is doable in some circumstances, but simply not feasible in many others. You can, however, reinstall specific components of the website without worrying too much about the effect on the site as a whole. If you install a newer version of the software than the one your website is currently running, your website will likely break. Do not use the reinstall options in /wp-admin for this. Instead, upload fresh copies of the folders with your FTP or SFTP program. In the long run this is much more effective, because the built-in installers only overwrite files that already exist, while hackers frequently add new files. The following folders are safe to replace:
- /wp-admin
- /wp-includes
From there, go through /wp-content with greater care when modifying and replacing files, as it contains your theme and plugin files.
Your .htaccess file is one file you must always review. Regardless of the type of infection, it is one of the most frequently modified and maliciously exploited files. It is usually found at the top of your install folder, although copies can also sit in a number of other directories of the same install.
During the repair process, you need to watch out for a few files regardless of the type of infection. They consist of:
- index.php
- header.php
- footer.php
- functions.php
These files are often vulnerable to modification, making them prime targets for malicious users. The article "How to identify and clean malicious files with ImunifyAV on cPanel?" will help you determine the files affected by the hacking of your account.
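A first pass over the files singled out above (.htaccess, index.php, header.php, footer.php, functions.php), as an added shell example and not part of the article or of ImunifyAV: it compares each copy found under the install against a known-clean reference tree (for instance a fresh download of the same WordPress and theme versions), reports copies that differ or that exist only in the live site, and flags copies containing constructs that injected PHP commonly uses. The reference directory layout and the pattern list are assumptions, and a hit is a lead to inspect by hand, not proof of infection.

```shell
#!/bin/sh
# Triage of the high-risk WordPress files against a clean reference copy.
# Added example; SITE_DIR/REFERENCE_DIR layout and SUSPECT_RE are assumptions.

WATCH_NAMES='.htaccess index.php header.php footer.php functions.php'
# Constructs typical of injected PHP (constructed list; tune it for your site).
SUSPECT_RE='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\('

# watch_files SITE_DIR -> every copy of a watched file, one relative path per line
watch_files() {
    expr=""
    for n in $WATCH_NAMES; do
        expr="$expr -o -name $n"
    done
    expr="${expr# -o }"
    ( cd "$1" && find . -type f \( $expr \) | LC_ALL=C sort )
}

# triage_site SITE_DIR REFERENCE_DIR -> lines "STATUS<TAB>path", where STATUS is
#   NEW       the file has no counterpart in the reference tree
#   MODIFIED  the file differs from its reference counterpart
#   SUSPECT   the file contains a pattern from SUSPECT_RE
# A single file can produce more than one line.
triage_site() {
    site="$1"; ref="$2"
    watch_files "$site" | while IFS= read -r f; do
        if [ ! -e "$ref/$f" ]; then
            printf 'NEW\t%s\n' "$f"
        elif ! cmp -s "$site/$f" "$ref/$f"; then
            printf 'MODIFIED\t%s\n' "$f"
        fi
        if grep -Eq "$SUSPECT_RE" "$site/$f"; then
            printf 'SUSPECT\t%s\n' "$f"
        fi
    done
}

# Usage: sh triage.sh /home/user/public_html /home/user/clean-reference
if [ $# -eq 2 ]; then
    triage_site "$1" "$2"
fi
```

Files reported as NEW in places such as wp-content/uploads deserve particular attention, since that directory normally holds no PHP at all; for MODIFIED files, diff the live copy against the reference to see exactly what was added.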
Unable to access WordPress admin panel
Sometimes an attacker will take control of the administrator account. There are several things you can do to regain control of your account, so there's no need to panic. To change your password, simply follow the instructions below.
phpMyAdmin is the tool available in your hosting account. It lets you bypass the admin screen and connect directly to your database, where you can reset your user in the wp_users table.
If you don't want to deal with password hashes, or don't understand them, just update your user's email address in that table, return to the login screen, click the forgot password link, and wait for the email.
Update!
After cleaning, update WordPress to the latest version. Intrusions occur far more often on older versions than on newer ones.
Reinstall WordPress
Completely reinstall WordPress, its plugins (updated) and the latest version of the theme, then inject articles, pages, menus and images through WordPress's native import/export tool. It is certainly more laborious and takes longer, but starting over with a fresh WordPress, fresh plugins and an up-to-date theme should limit the risks.
Here is how to proceed in a few points:
- Download your entire site via FTP, and its database via phpMyAdmin, onto your PC.
- From your hacked WordPress, export all content (posts, pages, comments, custom fields, terms, navigation menus, and custom content types) via the "Export" tool (Tools > Export > All Content), and save the XML file thus generated on your PC.
- Delete via FTP all your old content (WordPress folders, files at the root, etc.) except for the directories of your host.
- Delete your database and create a brand new one with a complex name and password.
- Download the latest version of WordPress or install it from the Softaculous tool in the cPanel account.
- Install the latest version of your theme.
- Import all the contents of the XML file through your new WordPress from the Tools > Import > WordPress menu.
- Install the latest versions (up to date and without known flaws) of your plugins.