In our previous post about WordPress security, we covered our standard approach to investigating malware. If you haven't read it yet, we advise you to go ahead and do so now. We will now be building on it with our tested steps to secure a compromised account. Unless a safe backup exists, this task can appear daunting, but it is actually pretty straightforward with a modern CMS.
Finding all executable files on your account and manually reviewing them for malware (since automated scanners do not work well enough for obfuscated PHP code) can range from difficult to outright impossible. Luckily, with a modern web application such as WordPress, you can simply re-install it while preserving your uploaded files. This is the fastest and the most effective method to bringing your site back up in a clean and secure state. We use it every day on all but the most specific and niche cases.
Save the wp-config.php file, your images, and your personal files
The wp-config.php file contains the basic configuration for your site, including the information necessary to connect to the database server. When saving it, open it and inspect its contents for anything suspicious, like a very long first line containing unusual characters. As a rule of thumb, if your text editor has an unusually long horizontal scroll bar, the file that you are editing is likely to be compromised. If that's the case with the wp-config.php file, copy the database connection strings to a clean wp-config.php file from a fresh WordPress archive.
Your images and personal files should be stored in the wp-content/uploads directory. Ideally, there should be no PHP files at this location. Unfortunately, some plugins and themes may store some of their files in subdirectories there, making the task of correctly identifying and removing malware even harder. An easy way to list all PHP files in a given directory is to run the following command via SSH:
find wp-content/uploads/ -iname "*.php"
If you receive no output, you can safely copy the uploads directory. Otherwise, you should review the identified PHP files manually in order to see if they were placed there by a harmless plugin, or by an attacker.
Before you delete anything, you should first get a list of your active plugins. You can either do this from the WordPress Dashboard, or by typing the following in the SSH terminal:
wp plugin list --status=active
This is how the command's output may look like:
+----------------------------------+----------+-----------+---------+ | name | status | update | version | +----------------------------------+----------+-----------+---------+ | classic-editor | active | none | 1.5 | | really-simple-ssl | active | none | 3.2.3 | +----------------------------------+----------+-----------+---------+
You can do the same for your active theme:
wp theme list --status=active
Delete the entire folder where WordPress is installed
The wp-config.php file and the uploads directory are all the files that you need to preserve from your current WordPress installation, since most of your site resides in the database. In some cases, the database needs cleaning, too - but these are relatively rare, and not as trivial to secure. By now, you should also have a list of your active plugins and themes, so that you can download their latest versions from the official vendors.
Upload a new clean full package of the latest WordPress version
You can obtain WordPress from their official website and install it manually, or you could use our automated installer. In either case, you can now copy the previously saved wp-config.php file and the uploads directory. You can also install all plugins and themes that you had been using previously. If they are publicly available in the WordPress repository, you can do so from the terminal:
wp plugin install really-simple-ssl classic-editor --activate
At this point, you can test your site - ideally, it should work just like it did before the incident. In the odd chance that it does not, you should contact our Support Team.
When a WordPress site has been compromised, we assume that the attackers know its administrative credentials. This is why you should review and update the passwords for all administrative users. You should also double-check for any unusual users created around or after the attack.
We also encourage you to update your Control Panel password, as well as the passwords for all MySQL users. You should note that following a password change for your MySQL user, you should also update your wp-config.php file accordingly.
You should update your passwords on a regular basis - it is a great way to increase your security, even if you haven't been hacked recently. If you find our overview confusing, you can consider a professional security solution. We are proud to announce that we now offer the Advanced Security service to our customers. It is an annual subscription service which includes an initial site audit and report, site cleanups, and additional security and hardening - all performed by dedicated experts from our Incident Response Team. They can even help you and move over a compromised website from another provider with our free Site Migration service.