I had the worst experience of running a WordPress blog when I got an email from my webhost to say that my site had been hacked. In fact, it wasn’t just my WordPress site that got hacked but my whole server. Yikes!!

Well, it took me well over a month to completely fix the problem and secure my server and WordPress sites from possible future hacks. I decided to document what I did and how I fixed the issues so that anyone else may learn and, if in the same predicament, know what to do. I have also added a section on what I now use to secure my sites so that I hopefully do not get re-hacked. Nothing is 100% secure these days, but it pays to do what you can to try and prevent being hacked. You must also realize that if you are hacked you will also have to secure your WordPress sites to prevent re-infection.

 

Disclaimer: Please note that some of the links below are affiliate links and I will earn a commission if you purchase through those links. I have used all of the products listed below and recommend them because they are helpful and are companies that I trust.

The Two Essential Steps to Fixing and Securing Your WordPress Site from Hackers and Malware

  1. Fixing a Hacked WordPress Site
  2. Securing a WordPress Site from Malware and Hackers

First of all what is a hack and why do they do it?

Did you know there are bots, or programs, out there whose only job is to search for vulnerable sites and try to break in? A common method is a brute force attack, where the bot locates your wp-login page and then starts an all-out assault to guess your username and password. Even if they don’t guess it, it is still a nuisance as it’s using your bandwidth and resources.
If they do guess your password and username, then they can break in and inject code called malware onto your site. When this happens you will need to find malware removal tools and a malware fix to fix your site. More on how to do this soon. The code that was injected into my site was a redirect script injected into my theme’s header.php file. Apparently what the hacker is trying to do is redirect your visitors to their website, which in turn might infect the visitor’s computer with a virus. Nasty people, huh!
I also had an infection, which I think was different to this header.php infection, which uploaded a pile of files to my directories and created new directories and an index file to proclaim I had been hacked by King Sam.

How Did I Fix It?

First, the best free tool I found to check if your site has been hacked is Sucuri. Their scanner is free and I suggest you go there and scan your site now to see if you are clean. If your site has been infected then read on. If your site has not been infected then also read on, because you will still need to know how to secure your site and protect it from being hacked.

If You Are Hacked With Malware Or A Virus.

First, don’t panic. For my lesser important sites I bought a hosting package from Indianets to copy all of my cleaned files over to a new server. Indianets was only $2.26 per month or $3.99 for their 5GB package using this coupon HNY2015.
I was using Hostgator, but since Hostgator is $11.95 per month for their basic package, Indianets is way more economical and their cPanel comes with a virus scanner for your websites!!!
To clean my infection I logged into my account using WinSCP, which is free.

You may have another FTP client, so use what you are comfortable with, but I know that WinSCP is rated very highly. Once logged into my server I organized my files from newest to oldest. In this way I can see what has been recently changed. More than likely files recently changed are hacked, but it’s not always the case. I understand they can change the date. However, this is a good place to start.
I then examined every file and deleted anything that was obviously a hack or an addition to my site. For example, I had a zip file that was uploaded and unzipped, creating a directory with about 20,000 files. I deleted all of these. I also took out the added script from my header.php file by searching for the script that the Sucuri scanner had identified.

I then copied everything across to my computer and ran an independent AVG scan on the files. It’s interesting to note that AVG was the only scanner that actually picked up the injection. I ran antispyware and Malwarebytes on the files, but they never picked up the injection, only AVG. Not sure about any other scanners, as these were the only three I used.

Once I was happy that everything was clean I then copied all these clean files to my new server.
For WordPress sites you will need to export your MySQL database. You will then need to create a new MySQL database on your new host, and also a new user and then import your database. Might seem like a lot but it’s not as hard as you might think. If you want to know how to do this you will have to search online. There are plenty of articles and videos showing you how to go about doing this. Alternatively you may contact us and we can do this all for you for a small fee.

Take a note of your database name, your database user and password, and update your wp-config.php file accordingly with these new values.

Download the latest version of WordPress onto your computer and unzip it.

For WordPress sites: delete all files and folders from your server except the wp-content folder and the wp-config.php file. From your fresh latest copy of WordPress on your computer, copy the wp-admin folder, the wp-includes folder and all the other files except wp-config.php. You want to keep your wp-config.php file as this has your password etc. to access your database. You don’t want to replace your wp-content folders as they have your current content.
You will also need to edit your wp-config.php file once more to replace the Authentication Unique Keys and Salts. This is because if someone has previously logged in to your WordPress site and saved it to cookies, even though you change your password they will still be able to log in to your site with the old password. Get the new keys from https://api.wordpress.org/secret-key/1.1/salt/ and copy them into your wp-config.php file at the appropriate location (around line 45).
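The key and salt replacement can also be scripted. The following is an added example, not part of the original post: it generates the values locally with Python's `secrets` module instead of fetching them from the URL above, the function names are hypothetical, and the sample config is constructed.

```python
import re
import secrets
import string

# The eight key/salt constants WordPress reads from wp-config.php.
KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# No single quote or backslash, so values need no escaping in PHP '...' strings.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~ "

# Constructed sample; a real wp-config.php has all eight definitions.
SAMPLE_CONFIG = """\
<?php
define( 'DB_PASSWORD', 'constructed-example' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""


def new_secret(length=64):
    """Return a random value from a cryptographically secure source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Regenerate every key/salt define(); return (new_text, missing_keys)."""
    missing = []
    for key in KEYS:
        # Match define('KEY', 'value'); with either quote style and any spacing.
        pattern = re.compile(
            r"define\(\s*(['\"])" + key + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        line = "define( '%s', '%s' );" % (key, new_secret())
        # A function replacement avoids backslash processing of the new value.
        config_text, count = pattern.subn(lambda _m: line, config_text, count=1)
        if count == 0:
            missing.append(key)  # not defined in this file; add it by hand
    return config_text, missing


if __name__ == "__main__":
    text, missing = rotate_salts(SAMPLE_CONFIG)
    print(text)
    print("not found:", ", ".join(missing) or "none")
```

Any key reported as missing has no definition in the file and needs to be added manually; all other lines, including the database settings, are left untouched.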

If you are using a new host don’t forget that you will need to change your DNS servers to point to your new host!

Once your site is up and running, go to your wp-login.php page, something like http://yoursite/wp-login.php (where yoursite is your actual domain name).

Now log in, then go to your users and change your password. If the user you normally log in with is admin, then create a new user that is not called admin and not called the name of your site. Make sure this new user has admin privileges and a strong new password, and then delete the user called admin. Remember to assign all your posts to your new user.

Make sure all your WordPress themes are updated and WordPress plugins are updated and you are using the latest WordPress update. I would recommend deleting all themes except the one your site is using.

Even after doing all of this I was still getting reinfected, which led me to believe that the hacker had hidden a file somewhere that I didn’t know about and was using it to reinject the header.php file.
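One way to hunt for a hidden file of that kind, combining the newest-first listing and the fresh WordPress copy used earlier in this article (an added example, not part of the original post). The function and report names are hypothetical, and it assumes the fresh copy is the same WordPress version as the site, otherwise every updated core file shows as modified.

```python
import hashlib
import os
import sys
import time


def sha256(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def rel_files(root):
    """Yield every file under root as a forward-slash relative path."""
    for base, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(base, name)
            yield os.path.relpath(full, root).replace(os.sep, "/")


def triage(site, clean, days=30, now=None):
    """Compare a downloaded site tree with a fresh WordPress copy."""
    now = time.time() if now is None else now
    clean_set = set(rel_files(clean))
    report = {"modified": [], "unexpected": [], "recent": []}
    for rel in sorted(rel_files(site)):
        path = os.path.join(site, rel)
        if rel.startswith("wp-content/"):
            # Your own content cannot be diffed against core, so fall back to
            # the newest-first listing (remember the date can be forged).
            mtime = os.path.getmtime(path)
            if now - mtime <= days * 86400:
                report["recent"].append((mtime, rel))
        elif rel == "wp-config.php":
            continue  # site-specific by design; review it by hand
        elif rel not in clean_set:
            report["unexpected"].append(rel)  # not shipped with WordPress
        elif sha256(path) != sha256(os.path.join(clean, rel)):
            report["modified"].append(rel)  # a core file was altered
    report["recent"] = [r for _m, r in sorted(report["recent"], reverse=True)]
    return report


if __name__ == "__main__" and len(sys.argv) == 3:
    for kind, paths in triage(sys.argv[1], sys.argv[2]).items():
        for item in paths:
            print(f"{kind}\t{item}")
```

Run it against a local download of the site and the unzipped fresh copy; anything listed as unexpected outside wp-content is a file WordPress never shipped.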
To fix this and also secure your site, I now needed to do the following:

How To Secure Your WordPress Site from Hackers and Malware

First I installed a plugin called Sucuri Security. This plugin will harden your site by locking it down securely. Go to the harden tab and harden everything except Website Firewall protection. You can harden this too if you want, but there is a charge (it’s up to you).

This hardening will secure your files from changes. Click on Malware and run a free scan on your website. If they find a virus it will cost to fix, so use another plugin to scan and remove any new infections.

This plugin is called Anti Malware and it’s free. You can donate, and I recommend you do to keep it free, as it’s worth its weight. You will save a lot of money using it.

Install the plugin and register your copy. Then download the latest data files. Once done, run a scan; it will locate any infections and potential threats. Once found, a simple click of a button will clean and fix found threats. Simple. After doing this my site stayed clean and is now infection free.

A tip: if you want to scan your whole server and you have multiple domains, install a copy of WordPress in your root folder and install the Anti Malware plugin. When selecting options to scan, select public_html.

It will scan your whole server. Also, if you have Indianets hosting you will have access to a virus scanner in your control panel.

After doing all of this I noticed that I was getting a lot of emails regarding login attempts on my wp-login page. To make this more secure you need a firewall or a plugin called Rename wp-login.php.

What this plugin does is rename your wp-login.php page to whatever you like while still allowing your site to work perfectly. Most bots search for wp-login.php, so if you rename your login page to, say, login or hidden, they simply cannot find it and so cannot even begin to try and guess your password.

I now get no brute force attempts on my site.
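A server-side check for the login guessing described in this article, as an added example that is not part of the original post: it counts failed POSTs to wp-login.php per client in an access log and flags any client whose failures were followed by a success. It assumes the common "combined" log format and that WordPress answers a failed login with status 200 and a successful one with a 302 redirect; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in "combined" access-log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "bot"
203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "bot"
203.0.113.7 - - [10/Jan/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "bot"
203.0.113.7 - - [10/Jan/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "bot"
198.51.100.9 - - [10/Jan/2015:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla"
198.51.100.9 - - [10/Jan/2015:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla"
198.51.100.9 - - [10/Jan/2015:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla"
192.0.2.5 - - [10/Jan/2015:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "bot"
192.0.2.5 - - [10/Jan/2015:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "bot"
192.0.2.5 - - [10/Jan/2015:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "bot"
192.0.2.5 - - [10/Jan/2015:11:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "bot"
"""

# client, method, path and status from one combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def login_attempts(log_text, threshold=3):
    """Return (noisy, breached): failed-login counts per client at or above
    threshold, and clients whose run of failures ended in a successful login."""
    failed = Counter()
    breached = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # skip lines in another format
        client, method, path, status = match.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        if status == "200":
            failed[client] += 1  # login form shown again: wrong credentials
        elif status == "302" and failed[client] >= threshold:
            if client not in breached:
                breached.append(client)  # guessing stopped with a success
    noisy = {c: n for c, n in failed.items() if n >= threshold}
    return noisy, breached


if __name__ == "__main__":
    noisy, breached = login_attempts(SAMPLE_LOG)
    print("repeated failures:", noisy)
    print("success after failures:", breached)
```

A client in the second list is the case that calls for the password change and key rotation described earlier, not just a block.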

If you need any help we can help clean your site or move your site to new servers for a small fee. Please contact us to find out more.
