Overview

If an attacker has exploited a security vulnerability in your website, it’s important that you not only fix the vulnerability but also reverse any changes that were made.

It’s common for attackers to leave further backdoors in your website so that they can easily regain access.

Warning

If any of the below is confusing, we highly recommend engaging with a professional to complete the work.

We offer Managed WordPress hosting for Australian customers and will perform a once-off site clean for free as part of the migration to this service.

Alternatively, Conetix highly recommends the use of WordFence or Sucuri to do this if you want a once-off clean or have your site hosted elsewhere.

Instructions

Take a backup of your site

Before you begin, you should ensure that you have a copy of your website files and database. To do this, you can use the Plesk Backup manager to create a backup for you.

Alternatively, if you already have a backup plugin in use, you should manually verify that you have a copy downloaded before proceeding.

Review the logs carefully

If Conetix or your hosting provider hasn’t sent you a root cause for why your WordPress site was exploited, you’ll want to review the logs in detail.

As covered previously in our Root Cause Analysis of a Hacked WordPress Website, you can in many instances work out the exact cause of the exploit and ensure you patch it.

Remove malicious files

If the files have been uploaded rather than modified, these files should be deleted.

If the files have been modified (e.g. they’re part of a plugin or the core), then you need to restore a clean copy of the files (from your backups) to remove the exploit.

Patch your WordPress site

While prevention is better than the cure, you’ll need to bring the site up-to-date quickly so that, after you remove any malicious files, the site isn’t re-infected. To do this, you need to update the WordPress core, all plugins and all themes.

Install a security plugin

We highly recommend using WordFence to run an audit across your site, and using the plugin’s Scan capability to scan all files on your site for malicious code or unauthorised changes.

Reset all passwords

If your site has been compromised, then it’s possible that hackers now have a copy of your database. While the passwords are encrypted within this database, they can use brute force methods to slowly recover them over time.

Passwords which are 8 characters or fewer can be quickly brute forced with modern compute power and therefore should be avoided. Password security has been covered in a previous article, Secure Passwords: Why They’re Important.

Check cron / scheduled tasks

One sneaky trick some malware uses is to set a scheduled task that re-downloads the malicious files and reinfects your site (even after the files have been removed). To check for any malicious scheduled tasks, log in to the control panel for your website and review all tasks within the Scheduled Tasks area.

Create a scheduled patching regime

After your site is completely up-to-date and clean, you’ll want to ensure it remains this way. There are a number of Managed WordPress services where this is taken care of or you can complete the work yourself.

We recommend updating all themes, plugins and checking for core updates for your site at least once a week.
