Overview

If you’ve had a security incident where a vulnerability in your website has been exploited, it’s important that you not only fix the vulnerability but also undo any changes the attacker made.

It’s common for attackers to leave additional backdoors in your website so that they can easily regain access.

Warning

If any of the below is confusing, we highly recommend engaging with a professional to complete the work.

We offer Managed WordPress hosting for Australian customers and will perform a once-off site clean for free as part of the migration to this service.

Alternatively, Conetix highly recommends the use of Wordfence to do this if you want a once-off clean or have your site hosted elsewhere.

Instructions

Take a backup of your site

Before you begin, you should ensure that you have a copy of your website files and database. To do this, you can use the Plesk Backup manager to create a backup for you.

Alternatively, if you already have a backup plugin in use, you should manually verify that you have a copy downloaded before proceeding.

Review the logs carefully

If Conetix or your hosting provider hasn’t sent through a root cause as to why your WordPress site was exploited, you’ll want to review the logs in detail.

As covered previously in our Root Cause Analysis of a Hacked WordPress Website, you can in many instances work out the exact cause of the exploit to ensure you patch it.

Remove malicious files

If the files have been uploaded rather than modified, these files should be deleted.

If the files have been modified (e.g. they’re part of a plugin or WordPress core), then you need to restore a clean copy of the files (from your backups) to remove the exploit.
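As an added illustration of this step (not code from the original article, and not Wordfence’s scanner), the following Python script walks a WordPress install and flags PHP files worth reviewing: anything under wp-content/uploads (which should only ever hold media), files containing common obfuscation signatures, and files with recent modification times. The sample install it builds is constructed for the demo.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Obfuscation constructs that WordPress core, plugins and themes almost never
# contain; a hit is a lead for manual review, not proof of compromise.
PATTERNS = {
    "eval-of-decoded-string": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace-e-modifier": re.compile(rb"preg_replace\s*\(\s*(['\"])[^'\"]*/e\1"),
    "assert-on-request-input": re.compile(rb"assert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
}

def scan_wordpress(root, recent_days=7):
    """Return [(path relative to root, reason)] for PHP files worth reviewing."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        # uploads/ only ever holds media, so any PHP there was dropped by someone
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "php-in-uploads"))
        data = path.read_bytes()
        for reason, rx in PATTERNS.items():
            if rx.search(data):
                findings.append((rel, reason))
        # a fresh mtime narrows down what to diff against the clean backup
        if path.stat().st_mtime > cutoff:
            findings.append((rel, "modified-recently"))
    return findings

def build_sample_site():
    """Constructed sample install for the demo: one clean file, one dropped file."""
    root = Path(tempfile.mkdtemp())
    clean = root / "wp-content/plugins/akismet/akismet.php"
    clean.parent.mkdir(parents=True)
    clean.write_text("<?php\nfunction akismet_init() { return true; }\n")
    old = time.time() - 90 * 86400
    os.utime(clean, (old, old))  # backdate: untouched since long before the incident
    dropped = root / "wp-content/uploads/2024/05/image.php"
    dropped.parent.mkdir(parents=True)
    # matches the eval(base64_decode( signature; the payload only decodes to "PLACEHOLDER"
    dropped.write_text('<?php eval(base64_decode("UExBQ0VIT0xERVI=")); ?>\n')
    return root
```

Run `scan_wordpress("/path/to/your/site")` against the real document root; the clean plugin file in the sample produces no findings, while the dropped file is reported three times (location, signature, fresh modification time).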

Patch your WordPress site

While prevention is better than the cure, you’ll need to bring the site up to date quickly so that after you remove any malicious files, the site isn’t re-infected. To do this, update the WordPress core, all plugins and all themes.

Install a security plugin

We highly recommend using Wordfence to run an audit across your site, as well as using the plugin’s Scan capability to scan all files on your site for malicious code or unauthorised changes.

Review who has access

It’s common to find WordPress websites where more than one developer has worked on the site. However, these previous developers, and indeed any other user who no longer needs access (e.g. an ex-staff member), should be removed from your site. Leaving these accounts enabled means that if their credentials or email are compromised, the attacker will be able to gain access to your site.

Reset all passwords

If your site has been compromised, then it’s possible that the attackers now have a copy of your database. While the passwords within this database are stored as hashes rather than in plain text, an attacker can use brute-force methods against those hashes to slowly recover the original passwords over time.

Passwords of 8 characters or fewer can be quickly brute forced with modern compute power and should therefore be avoided. Password security was covered in a previous article, Secure Passwords: Why They’re Important.

Update WordPress salt keys

Contained within your WordPress configuration file (wp-config.php) is a set of cryptographic keys and salts which are used to hash and secure stored credentials and login sessions.

When your site has been compromised, these keys should also be considered compromised and therefore be replaced with a new set.

WordPress can automatically generate a new set of randomised keys for you by simply accessing the following URL: https://api.wordpress.org/secret-key/1.1/salt/

You then need to copy and paste these over the existing key definitions within your wp-config.php for the change to apply.

Note

You’ll know that the keys have been updated successfully because it should log you out of the site when you next try to access the WordPress Admin.
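As an added example (not part of the original article or of WordPress itself), the Python below does the copy-and-paste step safely: it parses a salt block in the format returned by the URL above, replaces all eight define() lines in wp-config.php, and refuses to report success if any key is missing from either side. It also reports keys still set to the stock “put your unique phrase here” placeholder. The sample config and salt values are constructed placeholders, not real secrets.

```python
import re
import urllib.request

# The eight definitions WordPress expects; the salt endpoint returns exactly these.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RX = re.compile(r"^[ \t]*define\(\s*'(%s)'\s*,\s*'([^']*)'\s*\);[ \t]*$"
                       % "|".join(SALT_KEYS), re.M)
DEFAULT_PHRASE = "put your unique phrase here"

def parse_salts(block):
    """Map key name -> value for every salt define() found in a block of PHP."""
    return dict(DEFINE_RX.findall(block))

def fetch_new_salts():
    """Pull a fresh set from the generator URL given in the article (needs network)."""
    with urllib.request.urlopen("https://api.wordpress.org/secret-key/1.1/salt/") as r:
        return r.read().decode()

def weak_salts(config_text):
    """Keys that are missing or still carry the stock placeholder phrase."""
    found = parse_salts(config_text)
    return [k for k in SALT_KEYS if found.get(k, DEFAULT_PHRASE) == DEFAULT_PHRASE]

def rotate_salts(config_text, new_block):
    """Return wp-config.php text with all eight salt define()s replaced from new_block."""
    new = parse_salts(new_block)
    missing = [k for k in SALT_KEYS if k not in new]
    if missing:
        raise ValueError("new salt block lacks: " + ", ".join(missing))
    seen = set()

    def swap(m):
        seen.add(m.group(1))
        return "define('%s', '%s');" % (m.group(1), new[m.group(1)])

    rotated = DEFINE_RX.sub(swap, config_text)
    # Refuse a partial rotation: a key absent from the file would keep its old behaviour.
    absent = [k for k in SALT_KEYS if k not in seen]
    if absent:
        raise ValueError("wp-config.php does not define: " + ", ".join(absent))
    return rotated

# Constructed sample config and salt block (placeholder values, not real secrets).
SAMPLE_CONFIG = "<?php\n" + "".join(
    "define('%s', '%s');\n" % (k, DEFAULT_PHRASE) for k in SALT_KEYS) + "$table_prefix = 'wp_';\n"
SAMPLE_NEW_BLOCK = "".join(
    "define('%s', 'CONSTRUCTED-%s-VALUE');\n" % (k, k) for k in SALT_KEYS)
```

On a real site, read wp-config.php, pass its text and the output of `fetch_new_salts()` to `rotate_salts`, and write the result back only after `weak_salts` on the result returns an empty list.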

Check cron / scheduled tasks

One sneaky trick some malware uses is to set a scheduled task to re-download and reinfect your site (even after the files have been removed). To check for any malicious scheduled tasks, log in to the control panel for your website and review all tasks within the Scheduled Tasks area.

Review Google Search Console

Even after you’ve removed the exploit, the affected pages may still remain indexed in Google. This will not only show malicious links in Google (which can affect brand trust), but it can also cause issues with excess resource usage. You can use our guide on Abnormal Google Bot traffic to review and remove them.

Create a scheduled patching regime

After your site is completely up to date and clean, you’ll want to ensure it remains this way. There are a number of Managed WordPress services where this is taken care of for you, or you can complete the work yourself.

We recommend updating all themes and plugins, and checking for core updates for your site, at least once a week.

Review third party management tools

In the last 12 months we’ve seen increasing compromises of websites through third-party WordPress management tools. While we don’t believe these systems themselves have been compromised, they are another attack vector: hackers can try compromised credentials against them to see if any grant a login.

If you’re using a service such as ManageWP, review all users with access. We highly recommend rotating passwords for all users within any third-party management platform, as well as removing any user who no longer requires access.
