Having your website hacked can be scary and stressful, but it needn’t be a disaster.
If you use Jetpack Scan to monitor your site, it will notify you of any potential threats, and in many cases, these can be resolved with the click of a button.
However, sometimes a website can get hacked more severely, meaning a one-click fix is not possible. This article will help guide you through the process of identifying and cleaning up a hacked site, as well as strengthening the site’s security to help prevent future hacks.
How to tell if your site has been hacked
The first step is confirming that your site has really been hacked, and isn’t just experiencing an easily resolved error.
The following issues are a good indication that your site has been hacked:
- Your site is redirecting to another website with malicious or spammy content.
- Your site contains links to spam sites, which you did not add, and you can’t remove them.
- You find pages on your site that you don’t recognize via a Google search.
- Google shows warnings for your site, such as This site may be hacked, Deceptive site ahead, The site ahead contains malware etc.
- You scan your site with a tool such as Jetpack Scan, and it detects security threats which can’t be resolved automatically.
You can check if Google currently lists your site as unsafe with their Safe Browsing status checker.
Cleaning a hacked site
If you’re sure your site has been hacked, you can follow these steps to resolve the issue:
1. Contact your hosting provider
Your host should be the first port of call, as they may be aware of a wider issue, especially if you are on shared hosting. In some cases, your host may be able to deal with the issue for you, saving you a lot of work.
2. Restore from a backup
If you have a backup of your site from before it was hacked, either with your host, or with a dedicated backup service like Jetpack Backup, then restoring to that point may do the trick.
However, if the hack lies within files that aren’t included in the backup, then the issue may remain even after restoring the site.
It’s also worth noting that you would lose any content added after the point you’re restoring to, so this may not be an ideal option.
3. Cleaning hacked files
If your host is unable to assist, and restoring the site is not an option, then it’s time to do some detective work to find the source of the problem. Make sure you have a full backup of your site before starting this, as removing/editing your site’s files can be harmful to your site if something goes wrong.
First, check the results of any malware scanners you’re using. They may provide a list of suspicious files, which is a good starting point.
If the affected file(s) are part of WordPress core, you can compare the code to a clean download from WordPress.org and remove any code that doesn’t belong there.
Another option is to completely reinstall WordPress to ensure all core files are clean. You can do that via Dashboard > Updates, by clicking ‘Re-install now’.
If the malicious code is not in a core WordPress file, you’ll need to determine what the file is for, and whether it’s needed. If it’s part of a theme or plugin, you can install a fresh copy, or delete it if you’re not using it.
If you’re not sure what the infected file is, you may need to consult an expert who can help you clean the site safely.
If you want to explore further and learn how to clean up various types of hack, Google has an in-depth guide to cleaning hacked sites.
Tightening security after cleaning your hacked site
Once your site is free from malware, it’s important to follow these steps to secure your site, as failing to do so may leave your site open to another hack from the same point of vulnerability.
1. Make sure WordPress and all themes and plugins are kept updated.
Outdated plugins, themes, and WordPress files are a very common cause of hacked sites. Keeping them all updated to the latest version is one of the best ways to protect your site. Also be sure to fully delete any themes or plugins that you are not using.
2. Reset all passwords
In case any of your passwords have been compromised, you should change your password for everything you can think of, including:
- Hosting account
- Email account(s)
- Website’s admin account(s)
- FTP/SFTP/SSH accounts
- Database passwords
Make sure you use a strong and unique password for each one.
3. Audit your site’s user accounts
Check your accounts list via Users > All Users and make sure there aren’t any administrator accounts that you don’t recognize. Delete any suspicious user accounts.
4. Update your WordPress secret keys
Your site’s wp-config.php file contains secret keys which are used for encryption. You should generate new secret keys and replace the old ones in your wp-config.php file.
5. Scan your site regularly
The measures above will help keep your site safe, but nothing is 100% guaranteed, so you should use an automated scanning service such as Jetpack Scan to make sure you are alerted of any future security threats so you can deal with them quickly.
Removing your site from “unsafe” lists
If your site is listed as unsafe by Google, then Google will likely still show warnings about your site even after the hack has been cleaned.
To get that removed, you’ll need to request a review of your site.
McAfee SiteAdvisor has a similar service that rates a website’s reputation. If your site is listed as unsafe there, you can submit a dispute request here.