My WordPress site got hacked. Now what?

So you suddenly figured out your WordPress site is down… or worse. Or only customers who say they clicked through from Google can’t get there. Or it just isn’t right…

It’s happened to a lot of us.

Solving a hack

There is no way to track the source of every hack, but it helps to know what happened. The first few places to check are consistent: .htaccess, wp-config.php, your DNS, and the installation.

What you’ll need to get these done: admin access to your server to find hosting information, FTP access to your server, and admin access to your DNS provider.

DNS first

Check your DNS first. If your site is pointed somewhere other than where it should be, nothing else you do will work. Get with your website host and figure out the IP of your hosting, then check to be sure your site makes it there. There are hundreds of ways to trace this; if you don’t know where to start, one of my favorite hosted solutions is at mxtoolbox.com/.

If your site is not resolving to your own servers, reset your DNS settings to point back at your server, and check back in another couple of hours. It can take up to 48 hours for DNS to resolve.

.htaccess

An .htaccess issue is usually an easy fix if you have access to the file. Normally there is nothing in there that does not match the file from WordPress. Save a copy of the file locally as a backup, then edit it to match the original WordPress file.

Once you fix the site’s display, you’ll want to follow up with a permissions check on all of your files. Easy rule of thumb: 755 for folders, 604 for .htaccess, 600 for wp-config.php, 644 for almost everything else. There are a few possible differences, but I would start by setting .htaccess and wp-config.php.

wp-config.php

Check for a few things: does the file have a reference to a random-letters.php file (e.g. sldkurasdoiea.php)? If so, delete or comment out those lines.

Next steps:

  1. Change all of the salts and hashes in the file.
  2. Check that your MySQL prefix, password, database name, and table name are the same as in your database.

Fixing either of those should cover a large portion of hacks.
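
The permissions rule of thumb and the wp-config.php check above, as an added example that is not part of the original post: a Python script that reports files whose mode differs from 755/604/600/644 and lists quoted .php references in wp-config.php. The function names, the sample files in demo(), and treating wp-settings.php as the only expected reference are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Rule of thumb from the page: 755 folders, 604 .htaccess, 600 wp-config.php, 644 the rest.
SPECIAL = {".htaccess": 0o604, "wp-config.php": 0o600}
# Assumption of this example: a stock wp-config.php only loads wp-settings.php.
ALLOWED = {"wp-settings.php"}
PHP_REF = re.compile(r"""['"]([^'"]*\.php)['"]""")

def audit_permissions(root):
    """Yield (relative path, actual, expected) where the mode differs from the rule of thumb."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            expected = 0o755 if stat.S_ISDIR(st.st_mode) else SPECIAL.get(name, 0o644)
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                yield (os.path.relpath(path, root), actual, expected)

def suspicious_php_refs(config_path):
    """Return (line_no, file) for quoted .php references other than the stock one."""
    hits = []
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if line.lstrip().startswith(("//", "#", "*", "/*")):
                continue  # comment line, or a reference already commented out
            hits += [(no, r) for r in PHP_REF.findall(line) if os.path.basename(r) not in ALLOWED]
    return hits

def demo():
    sample = {  # constructed sample data: name -> (mode, content)
        ".htaccess": (0o644, "# BEGIN WordPress\n"),
        "index.php": (0o644, "<?php\n"),
        "wp-config.php": (0o666, "<?php\n@include 'sldkurasdoiea.php';\n// include 'old.php';\n"
                                 "require_once ABSPATH . 'wp-settings.php';\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (mode, text) in sample.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
                os.chmod(fh.name, mode)
        return sorted(audit_permissions(root)), suspicious_php_refs(os.path.join(root, "wp-config.php"))
```

Point audit_permissions and suspicious_php_refs at the WordPress folder on the server; demo() runs both on the constructed sample.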

Follow-up and hardening

Permissions Check

Permissions fixes can usually stop most of the hacks that you’ll actually receive that aren’t specifically based on a password hack. Of course, you’ll also want to have all of your admins check their passwords and possibly reset them.

You may need to go through and re-install WordPress, as well as your plugins. Removing and replacing all of the files is the easiest way to confirm any deep-seated altered files are back to normal.

Firewall and monitoring

I’m currently recommending Wordfence to all of my clients for security. Some of my clients also run Sucuri as a service included in their hosting. For general purposes, Wordfence seems to include a much more robust system before their service paywall kicks in, and that really is the separation point for me. Both are great products.

Uptime Monitor

It’s a great idea to get one of these running. Jetpack offers one, and I have also used one from MxToolbox as well as Uptime Robot. You’ll get early detection when your site is experiencing problems, as well as notice when the site is publicly visible again.

One thing to keep in mind is that there may be times when a monitor is rejected by your firewall for how often it has visited, if your previously set-up firewall has a bad-robot detector, or when it happens to hit exactly as your cache is refreshing. So don’t panic immediately when you get that site-down email.

Still having problems

Time for a pro. Your problems could still be fairly simple: there might just have been a corrupted update to a plugin, or you might need major fixes. I’m happy to jump in and help; just fill out the project request form and I can start helping from there.

