Recovering from your WordPress website being compromised (hacked)

Below are our recommended steps to get your WordPress website back up and running ASAP.

Throughout this process, we'll take your website down (temporarily), restore the website files and database from a clean backup (we keep the last 7 days' worth of backups for our Business, Reseller and Managed VPS plans) and then go through some additional steps to help prevent your website from becoming compromised again. We will also keep a copy of the infected files and database to be safe.

Before you proceed, you will need the following:

1.  Your cPanel login details.  If you don't have these, please follow this guide to acquire them:  How to change your cPanel password 

2.  Your WordPress login details.  If you don't have these, please follow this guide:  Resetting your WordPress password

3.  About 30-60 minutes of time

1.  Clearing the infected files

First, temporarily take your website down so you can do a clean restore of your website files.  You will then be able to restore it (typically within 5-15 mins for most websites).

1.1 - Log in to cPanel: http://yourdomain.net.au/cpanel  (not sure how to log in to cPanel?  Follow this guide: How to login to cPanel)

1.2 - Once logged in with your username and your password, click on the File Manager icon. 

1.3 - Select Home Directory and ensure the Show Hidden Files (dotfiles) checkbox is selected, then click Go.

1.4 - Left click on public_html in the list of your items in the middle of the screen.  Right click on it and choose Rename from the menu that appears. 

1.5 - Rename it appropriately, we recommend "public_html - DD-MM-YYYY - HH:MM (infected)".  Once you've entered in your desired name, click Rename File to continue. 

1.6 - Close the File Manager tab and you'll end up back in cPanel. 

2.  Restore the public_html directory from R1Soft Backups

2.1 - In cPanel, where you've got a long list of icons, etc. (the page you saw when you logged into http://yourdomain.net.au/cpanel), find R1Soft Restore Backups and click on it.

2.2 - Locate the earliest available backup which is not infected. The earlier the better – The backups are sorted by date and time. Once you’ve located the appropriate backup, click the Browse button.  In this example, the "November 4, 2015 7:00:14 PM EST" backup is going to be used.

2.3 - Double click on the name of the folder home.

2.4 - Locate the folder public_html from the folder list near the bottom and click to select the checkbox for it.

2.5 - Click on Restore Selected near the top of your screen.

2.6 - When a message comes up saying "Restoring these files will also overwrite any files if they already exist." click on Restore and this will start the restore process.

Keep this tab on your browser open, feel free to open a new tab and continue on about your daily business whilst your files are restored, checking back every 5-10 mins.

NOTE: This may take up to an hour or so for accounts that have more than 1 GB of files in the public_html directory.

Watch the progress bar.

2.7 - Once you see Restore Complete, you've restored all the files in public_html from the date you chose earlier.  Now onto your database.

3.  Backup your database

3.1 - Log into cPanel again: http://yourdomainhere.com/cpanel

3.2 - Open up File Manager again and use the same options as before.

3.3 - Double left click to open the public_html directory. 

3.4 - Locate and left click to select the wp-config.php file, then right click it and select Code Edit

3.5 - Click Edit in the window that appears. 

3.6 - Typically around rows 19-25 or a few rows below, you will see   "define('DB_NAME','8letters_wp###');" or something along those lines.  This is your Database Name.  You will need this shortly, so note down what comes after 'DB_NAME' on your computer or on a piece of paper, etc. 

3.7 - Exit the Code Editor tab you're currently in, also close the File Manager tab you're in and you should end up back at the cPanel homepage.  If not, log back into cPanel.  

3.8 - Locate and then click to select phpMyAdmin.

3.9 - Click on the + symbol next to the item below information_schema.

3.10 - Click on the name of the appropriate database which you noted down earlier.

3.11 - Click on Export in the top menu and then click Go

3.12 - When prompted to save the file (if it doesn't automatically start downloading it), click OK or Save File

3.13 - Exit or close that tab to be taken back to your cPanel homepage

4.  Restore your Database

4.1 - Back on the cPanel homepage, locate and click on R1Soft Restore Backups again.

4.2 - Find the same restore point you used earlier to restore your website's files, and this time click on the Browse Databases icon (one icon to the right of the Browse icon you clicked on earlier).

4.3 - When you see Databases with a + symbol next to it, click on the + symbol to expand. 

4.4 - Then click to select the checkbox for the same database you noted down earlier and click Restore Selected. This will start the database restore process.

4.5 - Wait for this page to show that your Database has finished being restored.  It may show like the below for a while, this is fine and expected:

When the restore is done, you will see a message stating this, shown below:

Note: Your website may appear to be up and running before this database restore is complete, but the restore still needs to finish. If whoever compromised your website also managed to get into your database and you don't restore it, they may still have an account in your database, and therefore in your website, which they could use to compromise your account again.

5.  Securing your accounts and changing passwords

When the restoration of both your public_html and database is complete, your passwords will be back to what they were as of that date. Assume those passwords were compromised and change them, along with your other account passwords associated with your website hosting.  Ensure your passwords are secure. 

Secure passwords are:

  • At LEAST 8 characters (ideally 10+).
  • Have UPPERCASE and lowercase characters.
  • Contain numbers and symbols.
  • Not easily guessed by your coworkers, friends or family - that is, your password does not contain your name, your pet's name, a kid's name, your birth year, etc.

Strong password examples:  x(55gJ#r@VxDF   |   3Hd#02$ju!Hdbn   |   98D3h2d9Ggh23iu952!!84d

Weak password examples:  bronty1981  |  alien123  |  p@ssw0rD  |  itsasecret  |  yellow4433  |  BLUE399

5.1 - Change your OnePanel password. Do this by going to https://onepanel.digitalpacific.com.au and logging in and changing your password by clicking on Profile from the LHS menu and then choosing Edit Profile. Set a new password and move onto the below.

5.2 - Change your cPanel password from within OnePanel – Since you’re already in OnePanel, follow this guide from our knowledgebase to change your cPanel password: How to change your cPanel password

5.3 - Change your email account passwords (if appropriate) - If you have provided your email accounts to, or created email accounts on behalf of, any of your old developers/designers/SEO team, etc., change those passwords. Also check for any unauthorised email accounts (if so, delete them). Manage them by following the steps in this knowledgebase guide: How to change an email account password

5.4 - Change your WordPress logins
5.4.1 - Log into your WordPress Dashboard via http://yourdomainhere.com/wp-login.php

5.4.2 - From the LHS menu, navigate to Users.
5.4.3 - Go through any administrator and editor accounts and change the password for each by clicking on their name one by one, scrolling down the page until you see the Password fields and changing the password.  Also check for any unauthorised accounts, or old accounts that no longer need to exist, with administrator or editor level access, and delete them.

Assuming that your passwords were potentially compromised, the hijacker may still be on your website logged in, so to forcefully kick them out, you need to follow the below too: 
5.4.4 - Visit this page:  Official WordPress Salt Key Generator
5.4.5 - Highlight all of the content on that page.  Right click within the area you highlighted and click Copy.


5.4.6 - Log into cPanel again.  http://yourdomainhere.net.au/cpanel
5.4.7 - Access File Manager with the settings shown below.


5.4.8 - Double click to navigate into the public_html directory.


5.4.9 - Left click to select and then right click on wp-config.php and select Code Edit.


5.4.10 - Click on Edit in the window that appears.


5.4.11 - Locate the lines shown below.  These are typically around lines 49-56 or a few rows below this.  Highlight these lines with your mouse.  Right click on the highlighted content and click Paste. 


5.4.12 - Click Save at the top right hand corner of the page.



This will force everyone logged into the admin area out and make them log in again.  Since you've changed the passwords, the hijacker will no longer be able to access the dashboard with the username and the old password.
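The following Python script is an added example (not part of this guide, and not Crucial's own tooling) that does by code what steps 3.6 and 5.4.4 to 5.4.12 do by hand: it reads DB_NAME out of wp-config.php and rewrites the eight key/salt defines with fresh random values, which is exactly what invalidates every existing login cookie. The wp-config.php contents below are a constructed sample, not a real site's file.

```python
import re
import secrets
import string

# Constructed sample of the relevant wp-config.php lines, not a real site's file.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'abcdefgh_wp123');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""

# The eight constants WordPress mixes into its login cookies; replacing all of
# them invalidates every existing session, which is the point of step 5.4.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Matches define('NAME', 'value'); with either quote style and loose spacing.
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""")

def read_define(config_text, name):
    """Return the value of define('NAME', ...) in wp-config.php, or None (step 3.6)."""
    return next((m.group(4) for m in DEFINE_RE.finditer(config_text)
                 if m.group(2) == name), None)

def new_salt(length=64):
    """One 64-character salt from the OS CSPRNG; quotes and backslash are excluded."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate_salts(config_text):
    """Return wp-config.php text with all eight key/salt defines given fresh values."""
    replaced = set()

    def swap(m):
        name = m.group(2)
        if name not in SALT_KEYS:
            return m.group(0)          # leave DB_NAME and friends untouched
        replaced.add(name)
        return "define('%s', '%s');" % (name, new_salt())

    new_text = DEFINE_RE.sub(swap, config_text)
    missing = set(SALT_KEYS) - replaced
    if missing:   # refuse a partial rotation rather than silently leave keys unchanged
        raise ValueError("salt defines not found: " + ", ".join(sorted(missing)))
    return new_text
```

To apply it to a real site, read wp-config.php into a string, pass it to rotate_salts and write the result back; keep a copy of the original file first, as the guide does for the infected public_html.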

6.  Update your WordPress website software, plugins and themes

It's important to ensure your WordPress website software, plugins and themes are all up to date.  If even one of these items is not, and the available update patches (fixes) a security issue, it needs to be updated.

6.1 - Log into your WordPress website at http://yourdomain.net.au/wp-admin/

6.2 - In the LHS menu, select Updates (it will be one of the top most items in that menu). 

6.3 - On the resulting page, work your way down the page.  Start by updating WordPress itself.  Then any Plugins.  Then any Themes.  Your page should look like the below once everything has been successfully updated. 

NOTE: Failing to update WordPress, its plugins and themes is the main way WordPress websites get compromised.  Whenever there are updates to WordPress itself, themes or plugins, ensure they are applied (check every few days / weekly).

IMPORTANT NOTE:  After performing website updates, ensure you check your website for any issues with its functionality or how the website displays after doing so.  If your website has any display or functionality issues, consult your web developer or view our article on Troubleshooting WordPress here (not yet created). 
