If a security vulnerability in your website has been exploited, it’s important that you not only fix the vulnerability but also reverse any changes that were made.

It’s common for exploits to leave further backdoors into your website so that they can easily regain access.


If any of the below is confusing, we highly recommend engaging with a professional to complete the work.

We offer Managed WordPress hosting for Australian customers and will perform a once-off site clean for free as part of the migration to this service.

Alternatively, Conetix highly recommends the use of Wordfence or Sucuri to do this if you want a once-off clean or have your site hosted elsewhere.


Take a backup of your site

Before you begin, you should ensure that you have a copy of your website files and database. To do this, you can use the Plesk Backup manager to create a backup for you.

Alternatively, if you already have a backup plugin in use, you should manually verify that you have a copy downloaded before proceeding.

Review the logs carefully

If Conetix or your hosting provider haven’t sent through a root cause as to why your WordPress site was exploited, you’ll want to ensure you review the logs in detail.

As covered previously in our Root Cause Analysis of a Hacked WordPress Website, in many instances you can work out the exact cause of the exploit and ensure you patch it.

Remove malicious files

If the files have been uploaded rather than modified, these files should be deleted.

If the files have been modified (e.g. they’re part of a plugin or the WordPress core), then you need to restore a clean copy of the files (from your backups) to remove the exploit.

Patch your WordPress site

While prevention is better than the cure, you’ll need to bring the site up-to-date quickly so that after you remove any malicious files, the site isn’t re-infected. To do this, you need to update the WordPress core, all plugins and all themes.

Install a security plugin

We highly recommend using Wordfence to run an audit across your site, and using the plugin’s Scan capability to check all files on your site for malicious code or unauthorised changes.

Reset all passwords

If your site has been compromised, then it’s possible that hackers now have a copy of your database. While the passwords are encrypted within this database, they can use brute force methods to slowly get a copy of these over time.

Passwords which are 8 characters or fewer can be quickly brute forced with modern compute power and therefore should be avoided. Password security has been covered in a previous article, Secure Passwords: Why They’re Important.

Update WordPress Salt Keys

Contained within your WordPress configuration file (wp-config.php) is a set of cryptographic keys which are used to hash the password storage in order to keep it secure.

When your site has been compromised, these keys should be considered to also be compromised and therefore be replaced with a new set of keys.

WordPress can automatically generate a new set of randomised keys for you by simply accessing the following URL: https://api.wordpress.org/secret-key/1.1/salt/

You then need to copy and paste these over the existing key definitions within your wp-config.php to apply.


You’ll know that the keys have been successfully updated as it should log you out of the site if you try to access the WordPress Admin.
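The copy-and-paste step above can be scripted to avoid missing one of the eight definitions. The following is an added example, not part of the original article or of WordPress; it assumes the new block from the URL above has already been saved as text and that values contain no single quote, and the function names are hypothetical.

```python
import re

# The eight key/salt constants defined in wp-config.php.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# One whole line of the form: define( 'NAME', 'value' );  (LF or CRLF endings)
DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'[^'\r\n]*'\s*\);[ \t]*(?=\r?$)",
    re.MULTILINE)


def parse_salt_block(block):
    """Return {name: define line} for the pasted block; all eight must be present."""
    found = {m["name"]: m.group(0).strip()
             for m in DEFINE_RE.finditer(block) if m["name"] in SALT_NAMES}
    missing = [n for n in SALT_NAMES if n not in found]
    if missing:
        raise ValueError("new salt block is missing: " + ", ".join(missing))
    return found


def rotate_salts(config_text, new_block):
    """Return config_text with each key/salt define replaced from new_block."""
    fresh = parse_salt_block(new_block)
    replaced = set()

    def swap(match):
        name = match["name"]
        if name not in fresh:
            return match.group(0)   # e.g. DB_PASSWORD: leave other defines alone
        replaced.add(name)
        return fresh[name]          # callable replacement, so "\" and "$" stay literal

    updated = DEFINE_RE.sub(swap, config_text)
    stale = [n for n in SALT_NAMES if n not in replaced]
    if stale:
        raise ValueError("wp-config.php has no define for: " + ", ".join(stale))
    return updated


def sample_block(tag):
    """Constructed placeholder lines in the salt block's format (not real keys)."""
    return "\n".join(f"define('{n}', '{tag}-{n.lower()}');" for n in SALT_NAMES)


if __name__ == "__main__":
    config = ("<?php\ndefine( 'DB_PASSWORD', 'constructed-db-pass' );\n"
              + sample_block("old") + "\n$table_prefix = 'wp_';\n")
    print(rotate_salts(config, sample_block("new")))
```

Write the result to a copy of wp-config.php first and compare it with the original before replacing the live file.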

Check cron / scheduled tasks

One sneaky trick some malware uses is to set a scheduled task that re-downloads the malware and reinfects your site (even after the files have been removed). To check for any malicious scheduled tasks, log in to the control panel for your website and review all tasks within the Scheduled Tasks area.

Create a scheduled patching regime

After your site is completely up-to-date and clean, you’ll want to ensure it remains this way. There are a number of Managed WordPress services where this is taken care of or you can complete the work yourself.

We recommend updating all themes, plugins and checking for core updates for your site at least once a week.
