We just finished a project fixing a client's WordPress site that had been hacked. They couldn't log in, and the site was showing errors. We thought it would be a good opportunity to go over what the hack did and why cleaning one up can be such a project. This was a technically savvy owner who, unfortunately, didn't get much help from their host. Of course, most hosts aren't going to fix a hacked site for you (without a fee), but they should at least respond to tell you that's the case and confirm that their end is secure.
How It Looked
You never know for sure how a hacked WordPress site is going to look. Sometimes, often in fact, you won't know until something else tells you. We've had clients come to us because someone else told them, or because Google told them, that their site was hacked. As Google crawls the internet and finds a site that is serving malware or spam, it flags that site with a warning so that no one catches anything from it. Of course, it also means that anyone who might have visited your site now won't.
In this case it was pretty obvious something was wrong, because there were errors on the login page and he was unable to log in. That meant we had to work on the back end, which means going in through the hosting account's file manager, which cPanel makes pretty easy.
The first thing we did was back up the site. Why back up a hacked site? Because sometimes you end up needing files that a reinstall doesn't put back, or you need to compare the compromised copy against a clean one to track down what was changed. Sometimes you assume the site was hacked and later find out it was a bad plug-in or something similar. We also always want to avoid making things worse; with a backup of where it was, we can at least get back to that point. You never know for sure how one of these projects is going to go. The hackers are pretty creative.
As we dug in, we discovered that many of the subdirectories had been turned into files, which is part of the reason we couldn't log in. We reinstalled WordPress to restore them. We then noticed that the index.php file in the main directory kept rewriting itself. It was full of gibberish with some PHP code buried in it. This file is what actually loads WordPress, and it's usually very short; in fact, the stock one has more comments than code. Not in this case.
We also saw a number of files we hadn't seen before in places they didn't belong. Certain directories (wp-admin and wp-includes, for example) should contain nothing but WordPress itself, and these had extra “stuff”. The extra files looked much like the rewritten index.php. We would delete them and they would reappear, so something was still actively wreaking havoc, whether a script left running on the server or an attacker coming back in through a backdoor. With this in mind, we set out to get it fixed.
Our Work to Fix the WordPress Hack
The client had a backup, but it was a giant file. It was over 10GB, and it took him overnight to upload it to a place where we could get it. When we started, we didn't know whether we would even get it. We figured out later that it included some backup files that were sitting on the server, so it was so big because it was backing up backups. The good news is that his backups went to an off-site location, so they were uncorrupted. The even better news is that he kept copies from before the hack, so they were clean. Of course, we didn't have it initially and didn't know if it would be a good backup. We did later get a database backup, but we ended up not needing it. Thankfully, they didn't impact the database very much (more in a bit on what they did do). The downside was that if we had to restore the database backup, he would have lost data. Since this was an e-commerce site, that meant about two months' worth of orders. He said he could work with that, but we wanted to avoid it.
So we started by trying to replace the core WordPress files. We downloaded the latest version and replaced the files on the server. We didn't initially realize that the reinstall was writing over the index.php file, so we thought we were in good shape when we could see the site again. We still couldn't log in, though, and still had some odd errors. That's when we realized the problems were continuing.
After digging some more, we saw a problem in the main configuration file. Every WordPress installation has a file called wp-config.php. It tells WordPress some key things, like how to connect to the database and a few configuration settings, and it contains what WordPress calls keys and salts. These are long, randomly generated strings that WordPress uses to sign login cookies and nonces. If the constants are missing, WordPress falls back to salts it stores in the database, which anyone with database access (a backdoor included) can read. It was odd that they were missing. At first we thought it was a sloppy installation. We later looked and found them in the older wp-config.php file, so we think they were removed in the hacking. We generated new ones using WordPress' online utility (https://api.wordpress.org/secret-key/1.1/salt/). The good news is that once we did that, the files stopped being rewritten. That moved us forward quite a bit.
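If you would rather not paste secrets generated by a web page into your configuration, the eight values can be produced on the server itself. This is an added example, not the post's own procedure or anything shipped with WordPress; it assumes /dev/urandom and POSIX tr, head and grep, and it checks for the single-quoted define() form that WordPress' own sample file uses.

```shell
#!/bin/sh
# Added example (not from the original post): generate the eight wp-config.php
# keys and salts locally rather than fetching them from WordPress' online
# utility at https://api.wordpress.org/secret-key/1.1/salt/. Assumes /dev/urandom
# and POSIX tr/head/grep.

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 characters from a 62-symbol alphabet is roughly 381 bits of entropy, and the
# alphabet contains no quote or backslash, so the value is safe inside PHP's '...'.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Emit the define() block in the form wp-config.php expects; paste it over the
# old block, or into the gap where the old block used to be.
wp_salts() {
    for name in $SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(random_salt)"
    done
}

# List the constants a wp-config.php is missing or still has at the sample
# file's placeholder value. Empty output means all eight are set.
missing_salts() {
    for name in $SALT_NAMES; do
        if ! grep -Eq "define\([[:space:]]*'$name'[[:space:]]*," "$1" \
           || grep -Eq "define\([[:space:]]*'$name'[[:space:]]*,[[:space:]]*'put your unique phrase here'" "$1"; then
            echo "$name"
        fi
    done
}

# Usage: sh this-script.sh /path/to/wp-config.php  (prints the check, then a fresh block)
if [ -n "$1" ]; then
    echo "== constants missing or at placeholder in $1:"
    missing_salts "$1"
fi
echo "== fresh block:"
wp_salts
```

Regenerating the salts invalidates every existing login cookie, including any the attacker holds, so everyone has to log in again. It does not remove a backdoor on disk: if files keep changing after the salts are rotated, something else is still running and has to be found.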
Now we had the site up and running but still couldn't log in. To be more specific: we could log in but couldn't reach the dashboard. It turned out the hackers had removed administrative privileges from every user. Once we restored those, we had full access.
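When no account has the administrator role left, the fix has to happen in the database (phpMyAdmin in cPanel, or the mysql client). WordPress stores each user's roles in the usermeta table as a PHP-serialized array, and the length prefix in that string has to be exact. The script below is an added example, not the post's own steps: it assumes a POSIX shell, the default `wp_` table prefix unless you pass another, and it only prints the SQL for you to review and run.

```shell
#!/bin/sh
# Added example (not from the original post): check and restore the administrator
# role from the database side. WordPress keeps each user's roles in usermeta under
# meta_key {prefix}capabilities as a PHP-serialized array; the s:13 length prefix
# must match "administrator" exactly or WordPress ignores the entry. Assumes a
# POSIX shell; the SQL is meant for phpMyAdmin or the mysql client.

# The serialized value that grants the administrator role and nothing else.
admin_caps_value() {
    printf 'a:1:{s:13:"administrator";b:1;}'
}

# Does a stored capabilities value include administrator? Works for multi-role
# values too, e.g. a:2:{s:13:"administrator";b:1;s:6:"editor";b:1;}
has_admin_role() {
    printf '%s' "$1" | grep -q 's:13:"administrator";b:1;'
}

# SQL that lists every user who still holds the administrator role. Run this
# first: the hack described above left this list empty.
list_admins_sql() {
    prefix="${1:-wp_}"
    cat <<EOF
SELECT u.ID, u.user_login, u.user_email, m.meta_value
  FROM ${prefix}users u
  JOIN ${prefix}usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = '${prefix}capabilities'
   AND m.meta_value LIKE '%s:13:"administrator";b:1;%';
EOF
}

# SQL that hands the administrator role back to one user. $1 = table prefix,
# $2 = numeric user ID (validated, so a stray value cannot land inside the SQL).
restore_admin_sql() {
    prefix="${1:-wp_}"; uid="$2"
    case "$uid" in
        ''|*[!0-9]*) echo "restore_admin_sql: user ID must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
UPDATE ${prefix}usermeta
   SET meta_value = '$(admin_caps_value)'
 WHERE user_id = ${uid} AND meta_key = '${prefix}capabilities';
-- legacy level field; WordPress still sets it to 10 for administrators
UPDATE ${prefix}usermeta
   SET meta_value = '10'
 WHERE user_id = ${uid} AND meta_key = '${prefix}user_level';
EOF
}

# With WP-CLI available on the host, the same two steps are:
#   wp user list --role=administrator --fields=ID,user_login,user_email
#   wp user add-role <ID> administrator
list_admins_sql wp_
restore_admin_sql wp_ 1
```

Restore the role for your own account only, then review the full user list from the dashboard: an attacker who strips admin rights from the real users has often added one of their own, and that account needs to go.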
Once fully inside, we noticed a few things that were security issues. We can't say for sure, but they may well have helped open the door for the bad guys. Maybe the biggest was that there were over 30 updates waiting. This isn't unusual, and it's sometimes understandable: once plug-ins started getting updated, we found that other, older plug-ins were using functions that no longer worked. Leaving plug-ins alone often feels like the more stable choice, especially on a site with a lot of them. Unfortunately, plug-ins and themes are often updated for security reasons, so a skipped update can leave a publicly known hole open. (See our Known Vulnerabilities page for recent plug-in security issues that we know of.)
This was a knowledgeable, engaged website owner. He backed up diligently and kept older backups, and all of that helped. It still happened to him. Let's look at some things you can do to hopefully avoid it.
Some Learnings for You
You want to back up your site regularly, and keep a set of backups somewhere other than your server. Make sure you back up your database too; it's easy to forget. Also, know what's backing up and where. His backup software was saving copies on the server, and those copies were then being backed up again. This led to a colossally large backup file, which made it hard to move around and also weighed down his server. Hosting space is often limited, and hosts stop running certain tasks when an account reaches a certain size or number of files.
Make sure you know what your system is backing up. We typically use UpdraftPlus, but there are other solutions. It does a good job of running regular backups. You do have to pay to have it save copies somewhere else, but then it will send them to Dropbox, OneDrive, Amazon S3 or a number of other places, and it backs up your database automatically. One catch we've found: we make a point of including the core WordPress files. UpdraftPlus doesn't do this by default, to save time and space. That strategy makes sense, but it also means files like wp-config.php aren't saved. That's not the end of the world, but it's convenient to have everything in one package.
In terms of how often to back up, we prefer weekly and keep four backups. This gives you a month's worth of files. If you do it too often or keep too many, it uses up a lot of space and server bandwidth. Keep in mind, too, that a backup is only as good as the site it captured: back up a site that is already hacked or broken and the copies aren't much use, which is one more reason to keep an older set around.
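The rules above (keep copies off the server, never back up the backup folder, include wp-config.php, keep four copies) are simple enough to write down as a script, which also makes plain what a plug-in like UpdraftPlus is doing for you. This is an added example and not the post's setup or UpdraftPlus' code; it assumes a POSIX shell and a tar that understands --exclude (GNU or BSD), that the destination directory is remote storage mounted on or synced from the host, and a database named `wordpress` in the commented mysqldump line. The sample site it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not the original post's setup, which used UpdraftPlus): the
# backup rules above as a plain shell script. Assumes POSIX sh plus tar with
# --exclude (GNU or BSD), and that $dest is remote storage mounted on or synced
# from this host, so copies do not accumulate on the web server.
#   - the archive skips the site's own backup folders, so backups never contain backups
#   - wp-config.php and the rest of the core files are included
#   - only the newest $keep archives are retained (4 weekly copies = a month)

# Delete everything but the newest $2 archives in $1.
rotate_backups() {
    dest="$1"; keep="$2"
    ls -1t "$dest"/site-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$old"
    done
}

# Archive $1 (document root) into $2, keeping $3 copies (default 4); prints the archive path.
backup_site() {
    site="$1"; dest="$2"; keep="${3:-4}"
    parent=$(dirname "$site"); name=$(basename "$site")
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/site-$stamp.tar.gz"
    mkdir -p "$dest"
    # The database dump goes alongside; shown but not run here (assumed DB name
    # "wordpress"). Keep credentials in ~/.my.cnf rather than on the command line,
    # where other users on a shared host can read them from the process list:
    #   mysqldump --defaults-extra-file="$HOME/.my.cnf" wordpress > "$dest/db-$stamp.sql"
    tar --exclude="$name/backups" --exclude="$name/wp-content/updraft" \
        -czf "$archive" -C "$parent" "$name"
    rotate_backups "$dest" "$keep"
    echo "$archive"
}

# The check worth running after every backup: wp-config.php is inside and no
# nested backup folder crept in. Returns non-zero if either is wrong.
verify_backup() {
    listing=$(tar -tzf "$1")
    echo "$listing" | grep -q '/wp-config.php$' || return 1
    if echo "$listing" | grep -Eq '/backups(/|$)'; then return 1; fi
    return 0
}

# Constructed sample site: a few WordPress files plus an on-server backups folder
# that must not end up inside the archive.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes" "$1/backups"
    printf '<?php // constructed sample\n' > "$1/wp-config.php"
    printf '<?php\n' > "$1/index.php"
    printf 'old copy\n' > "$1/backups/site-old.tar.gz"
}

# Demo; for real use: backup_site /home/user/public_html /mnt/offsite/backups 4
work=$(mktemp -d)
make_sample_site "$work/public_html"
archive=$(backup_site "$work/public_html" "$work/offsite" 4)
if verify_backup "$archive"; then echo "ok: $archive"; else echo "FAILED verification: $archive"; fi
rm -rf "$work"
```

Schedule backup_site from cron once a week and keep verify_backup in the same job; a backup nobody has ever listed is the one that turns out to be 10GB of nested copies when you need it.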
Check Your User Accounts
Don't have too many administrator accounts; every one is another opportunity to get hacked. Use complex, random passwords. Yes, they are a hassle to remember, which is why we recommend LastPass. It's a good system that integrates with almost any device and lets you share passwords across devices and even people; you can even share a password with someone without letting them see it. It works really well. Avoid user names like admin, God (yep, some do it), or other common terms.
Change Your Passwords Periodically, Especially After Being Hacked
It's a good practice to change your passwords periodically. This helps keep password leaks on other sites (if you reuse passwords, but who does that?) from affecting you, and it limits the damage if someone has obtained your password some other way. Changing them after a breach matters far more than changing them on a schedule, though. If you ever get hacked, make sure you change all your passwords: not just your WordPress password but any FTP, database and hosting account passwords. Regenerate the keys and salts in wp-config.php at the same time, since those are what keep everyone's existing login cookies valid.
Hopefully, this insight into someone else's challenges can help keep you safe. Thankfully, we were able to fully recover his site and his business is intact, but he was down for a few days. We have no way of knowing how much business he lost, but it was definitely stressful, and downtime like that can permanently lose you customers. Sometimes we aren't so lucky and have to rebuild the site or go back to a very old backup. These hackers can really cause havoc; don't let it happen to you. If you think you've been hacked, or if you want a security check-up, check out our security packages and we'd be happy to help.
Some links on this page may be affiliate links. This means that we get paid if you purchase through them. First, thank you for considering our partners. More importantly, we only partner with companies that we can legitimately recommend.