You visit your website, and the first thing that you see, is that it is not functioning as how you want it to function, then you discover something which makes you yell My WordPress website has been hacked. After some sigaretes and drinks, you have the reality check, yes, my wordpress website has been hacked and I need to take action. Well, you are lucky, in this article, we will discuss the steps that you will need to take, once you have noticed that you have been hacked.
Start with the WordPress FAQ
WordPress is a widely used package, so the chance that cybercriminals will target WordPress environments is very high. This means, that on a daily basis, WordPress websites are attacked and owners need to take action to fix their websites. WordPress knows this, and in order to help hacked website owners forward, they have setup a FAQ on their website.
In the FAQ you will get instructions on:
- Website scanning
- Scanning your local environment
- Checking with the hosting provider
- Improve access controls
- Reset all access
- Creating back-ups
- Finding and removing the hack
- Using the WordPress community
- How to update WordPress
- How to change your passwords
- Securing your website
First, snapshot the hacked environment
This might sound harsh, but it is the best thing you can do, in this way, you will have a backup of the hacked website, which you can use to investigate in-depth of what exactly has happened. There are a lot of security services available that will help you to investigate what has happened, and how it was possible that the threat actors got inside your WordPress website. The results of that can be used for cyber insurance claims and lessons learned sessions.
The chance is there that your hosting provider can be in assistance of this, so make sure that you contact them.
Take down your website
If you care about your visitors, it is adviced to take down the WordPress website. Go into maintaince mode, and make sure that you inform your visitors and community about the fact that your website has been breached, and that you are investigating the matter. In this way, your visitors are informed and you can minimize the damage that your hacked WordPress website can bring.
Inform your hosting company
Your hosting company is your friend, as mentioned before, WordPress websites are attacked on a daily basis, and your hosting company has a lot of experience with these type of attacks. They can help you to identify the hack, clean-up and update your WordPress to a secure status again. Most of the hosting companies have security services running that can identify malicious files and hacked environments such as WordPress, so do contact them.
Remove all your plugins & themes
Make a list of all the plugins you have and all the themes you have. Now you have the chance to remove all of your WordPress plugins, reset them to disabled, and then remove them.
Once removed, you continue to your WordPress themes and remove all of the themes you have with the exception of the official WordPress theme.
Now that we have removed all plugins and themes, we are left with the core. Now we are going to reinstall the WordPress environment via WordPress itself.
You can find the re-install Now page here: www.[yourwebsite].com/wp-admin/update-core.php
Change your passwords
As mentioned in the official WordPress FAQ, it is important that you change your passwords, you will have to do this for your own accounts, user accounts, and local accounts, lets say, your MySQL database password.
WordPress stores a password in wp-config.php, you should expect that the attacker also gained access to that. Change it.
Reinstall your plugins step by step
You can start reinstalling the plugins, step by step, make sure that they are updated and patched. Once you have installed everything, perform an vulnerability audit on your website. Use the report, to verify if all the low-hanging-fruit vulnerabilities have been fixed.
Get all the logs that you can find, and start digging into them. Try to find information that you can use.
Check for newly created files on your WordPress site and hosting environment.
You can also tunnel your traffic via cloudflare. This service can mitigate most of the attacks that target your WordPress website.