How to Re-Install WordPress after a Hack

In this article we’ll discuss the steps you’d want to take regarding how to re-Install WordPress after a hack, to get your site back up and running quickly. In most cases when a WordPress site is hacked, it is because you are not running the latest secure version of WordPress, or one of the plugins that you have installed is outdated and has been used by a hacker to exploit the site.

A lot of the time a hacker will inject malicious code in your PHP scripts that can make it very hard to clean up manually after the injections took place. In some cases this might require our system administration department to quarantine your entire WordPress site outside of your [/public_html] directory, so that we can ensure further hacks aren’t taking place and further damage isn’t done to your WordPress database.

If you happen to have read our previous article on how to clean up a code injection attack, the steps mentioned in that article might allow you to clean up any injections that have taken place to get your site back online.

In the steps below we’ll walk through an example site PrimaryDomain.com that has been maliciously injected to the point where it’s not going to be easy to remove all the malicious code and ensure we’ve caught all of it. So in this case we’re simply going to reinstall WordPress and then link up the new install with our old database.

Reinstalling WordPress after a Hack

  1. First you’ll want to download the latest version of WordPress to your local computer.
  2. Extract the files in the .zip archive you downloaded to a local folder.
  3. filezilla upload files to public html

    Using FTP, upload all of the folders and files contained within the wordpress directory to your public_html directory. Or if your domain was an addon domain and its document root was in a sub-directory make sure you’re uploading it there. You can do this by hitting Ctrl-A in your FTP client when you’re in the left-hand pane to select all the files, then simply drag them onto the server.

  4. filezilla view quarantined wp-config

    Once the files are done uploading, navigate to the quarantine directory on the server side, right-click on wp-config.php and choose View/Edit. Your FTP application should prompt you for what application you’d like to open the file with, you can just use a text editor such as Notepad. Then finally copy down the database information from the define(‘DB_…) sections.

  5. wordpress no wp-config file

    At this point if you try to simply access the site you’ll get a WordPress error about no wp-config.php file.

  6. filezilla save wp-config sample

    Back in your FTP client, navigate to your public_html directory and you should see a file called wp-config-sample.php, right-click on this file and choose View/Edit, open the file in Notepad then fill in your database name, database user, and database user password.

     

    Then hit Ctrl-S to save the file, in a few seconds your FTP client should prompt you if you’d like to save this back to the server, click Yes. You can also place a check beside Finish editing and delete local file if your FTP client gives you that option.

  7. Now in your FTP client right-click on wp-config-sample.php choose Rename, and then name the file just wp-config.php.
  8. filezilla download custom theme

    Now in this case if we try to go to our site again it’s an all blank page, the reason for this is because our site used a custom theme, and those theme files are still quarantined. So next in your FTP client navigate to the /quarantine/wp-content/themes directory, and drag over the pinboard directory (or whichever theme you used) to your local computer.

    Prior to copying your quarantined theme’s files back to the server, you should scan them for a virus/malware, or preferably re-download a fresh copy of your theme from the developer to ensure no malicious files have been placed inside your theme’s folders.
  9. filezilla upload custom theme

    Now navigate on the server side to the /public_html/wp-content/themes directory, and then drag the pinboard directory from the local computer to the server.

  10. wordpress site restored successfully

    You should now be able to hopefully pull up your website again free of any malicious hacks.

  11.  

Depending on the complexity of your WordPress site, you might want to also go in and reinstall any plugins that you had setup to get your site fully functional again. These steps above should at least get you to the point where you can start logging back into your WordPress administration panel again, and get your site back online for your visitors.

Thoughts on “How to Re-Install WordPress after a Hack

  • I am trying to connect through Filezilla and everything passes through (username & password) but once it validates the password it reads:

    “Response: 421 Home directory not available – aborting/ Error: Could not connect to server”

    Where do I go from here?

    • As a test try using the “quickconnect” option, since it uses the default settings. You can also check your FTP logs for additional errors or record of your connection.

      Thank you,
      John-Paul

  • Please offer a suggestion. This is all probably obvious to you, but to me, this is Greek, and I need some help. Thanks!

    • Yes, a database can be compromised in WordPress. I recommend using a 3rd party WordPress plugin to scan your database. There are many available.

      Thank you,
      John-Paul

    • It sounds like a PHP error. I advise re-tracing the most recent steps followed and trying to undo. That should help isolate where the error came from.

  • Hi Scott,

    I see, thanks for clarifying. I guess I would delete the old db from MySQL in CPanel – is this correct?

    Also, what are the implications if I didn’t delete it?

    Thanks,

    Russ

    • Hello Russ,

      I think there may be a misunderstanding here. In order for you to recover your website you need to direct the new WordPress files to the old database. Such as by using the old WordPress wp-config.php file.

      Best Regards,
      TJ Edens

  • Hi,

    My sites were recently hacked and I was redirected by support to this page. In steps 1 – 3, why can’t we reinstall using Softaculous in CPanel? Could you please explain why, if it’s linked to the latest version of WordPress, it isn’t safe to use/install?

    Also, I don’t know what I’m doing wrong, but I follow the steps above and don’t get a config error in step 5. I get a WordPress setup dialog.

    After that, it doesn’t get any better.

    Thanks,

    Russ

    • Hello Russ,

      As long as you are uploading to a blank directory, you would be OK to use the Softaculous to install WordPress. However, it would install a new database and connect to it. You would need to change the wp-config.php file (or replace it with the old one) to direct it to the old database. Then you would want to delete the unused database.

      Kindest Regards,
      Scott M

  • Hi,

    How do you “quarantine” files that’s currently in the folder containing the WordPress installation?  When I got to step 3 the FTP ask me if I want to overwrite all of the files that were in the WordPress folder on my local machine… So what should I do?  Thank you!

    • To relocate your current files, you may simply create a new folder within your FTP client, then move those files into that new folder.

  • I dont know if the service tech will get this. But Chris from Virgina beach did an amazing job helping me on this issue. Jesus name!!

  • Before step 3 (upload all of the folders and files contained within the wordpress directory to your public_html directory), should everything be deleted from that folder first?

    • Hello Mansdorf,

      If the files were quarantined, there should not be any WordPress files in the public_html folder. If there are, rename the wp-config.php file so it does not get overwritten with the new one. Then you can open it to get the database connection information from it. After you get that and place it in the new wp-config.php file, you can delete it. Any files that are already in the public_html folder will get overwritten if you copy over the top of them, so there is no direct need to delete them if they are there.

      Kindest Regards,
      Scott M

Leave a Reply to Hieru Cancel reply