Tsohost Blog, News & Announcements

Fix and Protect Your Hacked WordPress Site

Posted Wednesday 05th Aug, 2015 by

11 Comments

Websites get “hacked” all the time, and the symptoms a site experiences as a result differ from case to case. Your website might redirect to a website you’ve never seen before, it might get flagged as malicious by Google, or it might even have developed a keen interest in improving your visitors’ sex lives through medicaments and dating websites.

No matter what your site’s symptoms, there’s almost always a cure. As a fully managed service, we’re on hand to rid your site of all malicious content, but that shouldn’t stop you from knowing how to do it yourself. In this post I explore how to identify and remove malicious content, and the steps you can take to make sure your site doesn’t surrender to hackers again.

A '403 Forbidden' Error

If a '403 Forbidden' error displays when you visit your website, it's safe to assume that we’ve identified malicious activity and have gone ahead and disabled your site. This isn’t a decision we take lightly and we only do it if we're certain that your site has been hacked. We disable your site to help protect other sites on the server and your brand, and to reduce the likelihood of the malicious content affecting your Google ranking.

To rid your site of malicious content, you will first need to grant your computer access to your website. In order to do this, you’ll need your computer’s IP address (the unique number that identifies your computer on the internet). You can find out your device's IP address simply by visiting www.whatismyip.com.

The underlined number is your IP. Jot this down as you’ll need to reference it later on.

[Screenshot: What is my IP address]

Allowing Your IP Access:

To allow your IP to access your site you’ll need to make a small change to your .htaccess file. Locate the ‘File Manager’ in your cloud control panel, open your ‘public_html’ folder and then open your ‘.htaccess’ file. Once open, you should see a text file just like the one below:

[Screenshot: Allowing your IP address]

The ‘deny from all’ line is what blocks users from visiting your site. To grant yourself access, add ‘allow from *enter your IP*’ below ‘deny from all’:

[Screenshot: Deny from all]

Once saved, you, and only you, will be able to access your WordPress admin panel from this single device.
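The lockdown state described above, written out as an added example (not the host's actual file, which the original post showed only as a screenshot). 203.0.113.10 is a documentation placeholder for your own public IP address, and the `Order` line is an assumption about how the rest of the file is set up.

```apache
# Added example; 203.0.113.10 is a placeholder, substitute your own public IP.

# Apache 2.2 syntax, the form the post uses.
# With "Order deny,allow" the Deny rules are evaluated first and a matching
# Allow then overrides them, so only the listed address gets through.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# Apache 2.4 equivalent: access is refused unless a Require matches.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
```

The rule matches on the public address, so every device behind the same router or office connection is let in, and if your provider assigns you a new address you will see the 403 again until the line is updated.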

Identifying Malicious Content:

Now you have access to your admin panel, you can take steps to identify and remove the malicious content from your site. To do this, we first recommend you install the Wordfence plugin, an excellent anti-malware solution that scans your site for ‘issues’.

[Screenshot: Identifying malicious content on a WordPress site]

Once installation is complete, Wordfence will appear in the left-hand sidebar of your WordPress admin panel. Click ‘Wordfence’ then ‘Scan’. All your website’s files will now be scanned for any content that might be malicious. All identified issues will be highlighted with ‘next step’ suggestions.

Additional Measures:

If Wordfence doesn’t locate the malicious content, you can run your site through a second scan using Sucuri, an excellent third-party company that specialises in malware detection.

Also, you can always contact us and we can check for you too, or we can restore the website from a backup taken when it was clean.

How to Prevent Future Exploits:

Keep WordPress and all your plugins updated

More often than not, one outdated plugin is all it takes for someone to exploit your website. Every single plugin and WordPress update introduces security fixes which, if not applied, leave your site open to known vulnerabilities. We strongly advise that you only use plugins from established developers, and that when an update becomes available, you run it as soon as possible.

Make sure that your devices are clean

Sometimes a sneaky file might slip through alongside a regular application that you are installing, leaving access to your computer open. Common viruses include keyloggers, which send all your usernames and passwords to someone as you type, and Trojans, which leave your password file visible to hackers. Run antivirus scans on all the devices you have used to access your website and, as an extra precaution, reset all related passwords.

Avoid plugins with known exploits

If you are about to install a new plugin, hold back for just 5 minutes. Before you go ahead and install it, carry out a simple Google search to uncover any known exploits – it could save you a lot of hassle. Take extra care to ensure that you do not download anything 'nullified' or from an unofficial source.

Reactivating Your Website

If you are sure your site is free from malicious content, you can now reactivate global access to your website.

This involves returning to the .htaccess file in your public_html folder and removing the ‘deny from all’ line. A default WordPress .htaccess looks like the following (please note that some of your plugins might have added some content to the .htaccess file which is legitimate. This applies mostly to caching plugins):

[Screenshot: Reactivate your site]

Once the 'deny from all' rule is removed, your website will be fully accessible to everyone.
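For comparison while editing, this is the standard block WordPress core writes for a single site installed in the document root, reproduced as an added example rather than the screenshot from the original post. It assumes no plugin has added its own rules.

```apache
# Added example: the stock WordPress rewrite block for a single-site install
# in the document root. No Deny/Allow/Require lines remain once the site is
# reopened.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# Newer WordPress releases also write this line here to pass the
# Authorization header through to PHP:
#   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
# Requests for index.php itself are left alone.
RewriteRule ^index\.php$ - [L]
# Anything that is not an existing file or directory is routed to index.php
# so that permalinks resolve.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

When comparing, treat anything outside the `# BEGIN WordPress` / `# END WordPress` markers that neither you nor one of your plugins added as something to investigate before reopening the site.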

If you have taken the preventive measures that we discussed above, the likelihood of these or any issues you’ve experienced reoccurring is fairly slim, so reward yourself with a cup of tea or a pint. It’s not every day you fix a hacked website!



@Chris - Thanks for sharing your tips, these are great suggestions. These are more complex solutions so I recommend they are only explored by the more advanced WordPress user. Thanks again!

If you look at the access log there are large numbers of attempts to access standard WordPress files, like wp-login.php. A good first line of defence is to not install WordPress into the document root. Instead, install into a subfolder, e.g. wp1234.

This then needs a couple of other changes:
1) Copy the index.php file from the WordPress folder to the root and edit it; add the folder to the path in the last line to give ‘/wp1234/wp-blog-header.php’.
2) Go to the dashboard, settings, general and remove the path from the end of the site address (not the WordPress address).
3) Go to settings, permalinks and click on ‘save changes’ to update the permalinks (this will write a new .htaccess file in the root folder if it is needed).

All those attempts to access WordPress files will now give ‘file not found’ errors. Further, slightly more complicated methods of obfuscation are to rename the wp-content folder and to move it to a non-standard location. This also improves URLs. I rename it ‘files’ and put it in the root. Then a link to an uploaded file becomes domain.com/files/uploads/filename. The new location and URL have to be defined in wp-config.php.

Be careful to test though because some plugins assume the standard location.

Ditto what Gary says. I recently took over responsibility for the www.carmdale.co.uk website, which hadn’t been updated for two years. Spent a month building it only for it to be hacked and Google sticking a hacked warning on its listings. I now have Wordfence and Sucuri installed as well as a number of other security add-ons, and no problems since. Your support at the time was first class. I also recommend checking out the Spamhaus site to make sure your site hasn’t been listed in their database. If cleaned up, you can request it is removed from their list, which is an international list of hacked sites.

@Gary- Really glad to hear that this post has helped get your site up and running again. We have a handful of WordPress articles coming so check back soon.

Perfect timing - one of my sites has just been attacked and my manual attempts to remove the malicious content had all been thwarted. Installation of Wordfence as recommended in this article found and removed the suspect files by recognizing common malicious code - something I would never have found on my own!

Also my site had been flagged by Google in the search results as “this site may be hacked” - This has now been removed after submitting a “Re-appraisal” request to Google, so I guess the plugin has done a thorough job of removing all traces. Thanks Tsohost for a great article - keep them coming.

Ditto above :) Your service and support have been amazing in the four or so short weeks that I have been a customer! Great advice.

Wordfence, coupled with UpDraft, are the first two plugins that I ever install on WP. Good article. Thanks.

The best hosting company around, always pushing to look after their customers. I always recommend Tsohost to anyone looking to find a good host. Paul

I have had quite a problem with Hacked WordPress sites over the last few months. I have now installed this plugin: https://ithemes.com/security/ and have found it to be very good so far.

Good call on Wordfence. I’ve found it to be excellent - be sure to set in the options to also scan theme and plugin files for changes, as well as images for executable code. Wordfence also does things like prevent username disclosure so is essential for any site from day one in my opinion. Cellphone sign-in is a great premium feature as well.

Great article, and thank you for suggesting some plugins. Your support and advice has always been sound and it’s nice to know that you offer support for these malicious attacks, should they happen.
J