Below are our recommended steps to get your WordPress website back up and running ASAP.
Throughout this process, we'll take your website down (temporarily), restore the website files and database from a clean backup (we keep the last 7 days' worth of backups for our Business, Reseller and Managed VPS plans), and then go through some additional steps to help prevent your website from being compromised again. We will also keep a copy of the files and database to be safe.
Before you proceed, you will need the following:
1. Your cPanel login details. If you don't have these, please follow this guide to acquire them: How to change your cPanel password
2. Your WordPress login details. If you don't have these, please follow this guide: Resetting your WordPress password
3. About 30-60 minutes of time.
1. Clearing the infected files
First, temporarily take your website down so you can do a clean restore of your website files. You will be able to restore it shortly afterwards (typically within 5-15 minutes for most websites).
1.2 - Once logged in with your username and your password, click on the File Manager icon.
1.3 - Select Home Directory and ensure the Show Hidden Files (dotfiles) checkbox is selected, then click Go.
1.4 - Left click on public_html in the list of your items in the middle of the screen. Right click on it and choose Rename from the menu that appears.
1.5 - Rename it appropriately; we recommend "public_html - DD-MM-YYYY - HH:MM (infected)". Once you've entered your desired name, click Rename File to continue.
1.6 - Close the File Manager tab and you'll end up back in cPanel.
2. Restore the public_html directory from R1Soft Backups
2.1 - In cPanel, where you've got a long list of icons, etc. (the page you saw when you logged into http://yourdomain.net.au/cpanel), find R1Soft Restore Backups and click on it.
2.2 - Locate the earliest available backup which is not infected. The earlier the better. The backups are sorted by date and time. Once you’ve located the appropriate backup, click the Browse button. In this example, the "November 4, 2015 7:00:14 PM EST" backup is going to be used.
2.3 - Double click on the name of the folder home.
2.4 - Locate the folder public_html from the folder list near the bottom and click to select the checkbox for it.
2.5 - Click on Restore Selected near the top of your screen.
2.6 - When a message comes up saying "Restoring these files will also overwrite any files if they already exist." click on Restore and this will start the restore process.
Keep this tab open in your browser. Feel free to open a new tab and continue with your daily business while your files are restored, checking back every 5-10 minutes.
NOTE: This may take up to an hour or so for accounts that have more than 1 GB of files in the public_html directory.
Watch the progress bar.
2.7 - Once you see Restore Complete, you've restored all the files in public_html from the date you chose earlier. Now onto your database.
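With the renamed infected directory from step 1.5 still in place next to the restored public_html, comparing the two shows which files the compromise added or changed and helps confirm the backup you chose predates the infection. The following is an added example, not part of the original guide; it assumes you can read both directories (for example over SSH or from downloaded copies), and the directory names and file contents in build_demo are constructed.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the tree
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = digest
    return hashes

def compare_trees(restored, infected):
    """Report files the infected copy added, changed or lost versus the restore."""
    clean, dirty = tree_hashes(restored), tree_hashes(infected)
    common = clean.keys() & dirty.keys()
    return {
        "added": sorted(set(dirty) - set(clean)),
        "modified": sorted(p for p in common if clean[p] != dirty[p]),
        "removed": sorted(set(clean) - set(dirty)),
    }

def build_demo(base):
    """Constructed sample trees standing in for the directories from steps 1.5 and 2.7."""
    restored = os.path.join(base, "public_html")
    infected = os.path.join(base, "public_html - 05-11-2015 (infected)")
    files = {
        restored: {"index.php": "<?php // loader", "wp-config.php": "<?php // config"},
        infected: {"index.php": "<?php // loader plus an injected line",
                   "wp-config.php": "<?php // config",
                   "wp-content/uploads/x.php": "<?php // file absent from the backup"},
    }
    for root, entries in files.items():
        for rel, body in entries.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return restored, infected

def demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_demo(base))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real account, call compare_trees with the paths of the restored public_html and the renamed infected directory. Files listed under "added" or "modified" that you did not upload or edit yourself are the ones to review.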
3. Backup your database
3.1 - Log into cPanel again: http://yourdomainhere.com/cpanel
3.2 - Open up File Manager again and use the same options as before.
3.3 - Double left click to open the public_html directory.
3.4 - Locate and left click to select the wp-config.php file, then right click it and select Code Edit.
3.5 - Click Edit in the window that appears.
3.6 - Typically around rows 19-25 or a few rows below, you will see "define('DB_NAME','8letters_wp###');" or something along those lines. This is your Database Name. You will need this shortly, so note down what comes after 'DB_NAME' on your computer or on a piece of paper, etc.
3.7 - Exit the Code Editor tab you're currently in, also close the File Manager tab you're in and you should end up back at the cPanel homepage. If not, log back into cPanel.
3.8 - Locate and then click to select phpMyAdmin.
3.9 - Click on the + symbol next to the item below information_schema.
3.10 - Click on the name of the appropriate database which you noted down earlier.
3.11 - Click on Export in the top menu and then click Go.
3.12 - When prompted to save the file (if it doesn't automatically start downloading it), click OK or Save File.
3.13 - Exit or close that tab to be taken back to your cPanel homepage.
4. Restore your Database
4.1 - Back on the cPanel homepage, locate and click on R1Soft Restore Backups again.
4.2 - Find the same restore point that you used earlier to restore your website's files, and this time click on the Browse Databases icon (1 icon to the right of the Browse icon you clicked on earlier).
4.3 - When you see Databases with a + symbol next to it, click on the + symbol to expand.
4.4 - Then click to select the checkbox for the database you noted down earlier and click Restore Selected. This will start the database restore process.
4.5 - Wait for this page to show that your database has finished being restored. It may look like the below for a while; this is fine and expected:
When the restore is done, you will see a message stating this, shown below:
When the restoration of both your public_html and database is complete, your passwords will be back to what they were as of that date. Assume those passwords were compromised and change them, along with your other account passwords associated with your website hosting. Ensure your passwords are secure.
Secure passwords are:
Strong password examples: x(55gJ#r@VxDF | 3Hd#02$ju!Hdbn | 98D3h2d9Ggh23iu952!!84d
Weak password examples: bronty1981 | alien123 | p@ssw0rD | itsasecret | yellow4433 | BLUE399
5.1 - Change your OnePanel password. Do this by going to https://onepanel.digitalpacific.com.au, logging in, clicking on Profile from the LHS menu and then choosing Edit Profile. Set a new password and move on to the below.
5.2 - Change your cPanel password from within OnePanel – Since you’re already in OnePanel, follow this guide from our knowledgebase to change your cPanel password: How to change your cPanel password
5.3 - Change your email account passwords (if appropriate) - Do this if you have shared your email accounts with, or created email accounts on behalf of, any of your old developers/designers/SEO team, etc. Also check whether there are any unauthorised email accounts (if so, delete them). Manage them by following the steps in this knowledgebase guide: How to change an email account password
5.4 - Change your WordPress logins
Assuming that your passwords were potentially compromised, the hijacker may still be logged in to your website, so to forcefully kick them out you need to follow the below too:
6. Update your WordPress website software, plugins and themes
It's important to ensure your WordPress website software, plugins and themes are all up to date. If even one of these items is out of date and the pending update patches (fixes) a security issue, it needs to be updated.
6.1 - Log into your WordPress website at http://yourdomain.net.au/wp-admin/
6.2 - In the LHS menu, select Updates (it will be one of the top most items in that menu).
6.3 - On the resulting page, work your way down the page. Start by updating WordPress itself. Then any Plugins. Then any Themes. Your page should look like the below once everything has been successfully updated.
IMPORTANT NOTE: After performing website updates, ensure you check your website for any issues with its functionality or how the website displays after doing so. If your website has any display or functionality issues, consult your web developer or view our article on Troubleshooting WordPress here (not yet created).
Recovering from your WordPress website being compromised (hacked)