In this article we'll discuss the steps you'd want to take after a WordPress site has been hacked, to get your site back up and running quickly. In most cases when a WordPress site is hacked, it is because you are not running the latest secure version of WordPress, or one of the plugins that you have installed is outdated and has been used by a hacker to exploit the site.

A lot of the time a hacker will inject malicious code in your PHP scripts that can make it very hard to clean up manually after the injections took place. In some cases this might require our system administration department to quarantine your entire WordPress site outside of your [/public_html] directory, so that we can ensure further hacks aren't taking place and further damage isn't done to your WordPress database.

If you happen to have read our previous article on how to clean up a code injection attack, the steps mentioned in that article might allow you to clean up any injections that have taken place to get your site back online.

In the steps below we'll walk through an example site PrimaryDomain.com that has been maliciously injected to the point where it's not going to be easy to remove all the malicious code and ensure we've caught all of it. So in this case we're simply going to reinstall WordPress and then link up the new install with our old database.

  1. First you'll want to download the latest version of WordPress to your local computer.
  2. Extract the files in the .zip archive you downloaded to a local folder.
  3. filezilla upload files to public htmlUsing FTP, upload all of the folders and files contained within the wordpress directory to your public_html directory. Or if your domain was an addon domain and its document root was in a sub-directory make sure you're uploading it there. You can do this by hitting Ctrl-A in your FTP client when you're in the left-hand pane to select all the files, then simply drag them onto the server.
  4. filezilla view quarantined wp-configOnce the files are done uploading, navigate to the quarantine directory on the server side, right-click on wp-config.php and choose View/Edit. Your FTP application should prompt you for what application you'd like to open the file with, you can just use a text editor such as Notepad. Then finally copy down the database information from the define('DB_...) sections.
  5. wordpress no wp-config fileAt this point if you try to simply access the site you'll get a WordPress error about no wp-config.php file.
  6. filezilla save wp-config sampleBack in your FTP client, navigate to your public_html directory and you should see a file called wp-config-sample.php, right-click on this file and choose View/Edit, open the file in Notepad then fill in your database name, database user, and database user password.

     

    Then hit Ctrl-S to save the file, in a few seconds your FTP client should prompt you if you'd like to save this back to the server, click Yes. You can also place a check beside Finish editing and delete local file if your FTP client gives you that option.

  7. Now in your FTP client right-click on wp-config-sample.php choose Rename, and then name the file just wp-config.php.
  8. filezilla download custom themeNow in this case if we try to go to our site again it's an all blank page, the reason for this is because our site used a custom theme, and those theme files are still quarantined. So next in your FTP client navigate to the /quarantine/wp-content/themes directory, and drag over the pinboard directory (or whichever theme you used) to your local computer.
    Prior to copying your quarantined theme's files back to the server, you should scan them for a virus/malware, or preferably re-download a fresh copy of your theme from the developer to ensure no malicious files have been placed inside your theme's folders.
  9. filezilla upload custom themeNow navigate on the server side to the /public_html/wp-content/themes directory, and then drag the pinboard directory from the local computer to the server.
  10. wordpress site restored successfullyYou should now be able to hopefully pull up your website again free of any malicious hacks.
  11.  

Depending on the complexity of your WordPress site, you might want to also go in and reinstall any plugins that you had setup to get your site fully functional again. These steps above should at least get you to the point where you can start logging back into your WordPress administration panel again, and get your site back online for your visitors.

Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve this article:
Email Address
Name

new! - Enter your name and email address above and we will post your feedback in the comments on this page!

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
2013-05-07 11:23 am
You should always check the theme for fake pages as well....

Don't ever just copy it from the quarantined installation to your new fresh installation.

Just drag it on to your local computer, do a full and extended virus sweep first (with avg and maybe spybot too).
Then download the original theme and compare the two theme-folders with each other (with winmerge).

If all oke, you can put your theme back :) If not oke, put the new downloaded theme back.

P.s. I am talking from personal experience here. They put a file in my theme in this directory (guess what it looked like a online bank's login page):
?/wp-content?/themes?/delight?/scripts?/cache?/xxx?/logon.htm
Staff
9,968 Points
2013-05-07 1:25 pm
Hello rduinmayer, and thanks for your comment and sharing your experience.

I've gone ahead and updated step #8 above to suggest to others that might also read this article that they should scan their theme's folders for signs of a virus or malware, or preferably download a fresh copy of their theme.

Thanks again for your comment!

- Jacob
2013-09-14 11:08 pm
sir, i want to install security in my site www.learningall.com, if i edit .htaccess file, my site is not working please check whats problem and where i add .htaccess coding in my .htaccess.
thanks
Staff
8,502 Points
2013-09-16 11:32 am
When adding your the lines to your .htaccess file according the below article, be sure that you are adding these in addition to what you already have there. Removing the existing lines that Wordpress requires for permalinks will cause 404 errors.

Lock down WordPress admin login with .htaccess
n/a Points
2014-09-03 9:40 am
It just resolved the issue, someone has hacked our site and we could able to restore it using the methods mentioned above
n/a Points
2014-09-21 9:32 pm

Before step 3 (upload all of the folders and files contained within the wordpress directory to your public_html directory), should everything be deleted from that folder first?

Staff
18,689 Points
2014-09-22 7:42 am
Hello Mansdorf,

If the files were quarantined, there should not be any WordPress files in the public_html folder. If there are, rename the wp-config.php file so it does not get overwritten with the new one. Then you can open it to get the database connection information from it. After you get that and place it in the new wp-config.php file, you can delete it. Any files that are already in the public_html folder will get overwritten if you copy over the top of them, so there is no direct need to delete them if they are there.

Kindest Regards,
Scott M

Post a Comment

Name:
Email Address:
Phone Number:
Comment:
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

7 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!