Resolve a hack without losing your website.
If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, a one-click fix may not be possible when:
- A website gets hacked too severely
- Jetpack Scan is installed after the hack occurs
Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. We rely on the site being uninfected at the time of purchase and having a clean version to compare any changed files to.
This article will help guide you through the process of identifying and cleaning up a hacked site, as well as strengthening the site’s security to help prevent future hacks. Assistance with manual restores and site cleaning is outside the scope of support we can offer.
Detect if your site has been hacked
The following signs are a good indication that your site has been hacked:
- Your site is redirecting to another website with malicious or spammy content
- Your site contains links to spam sites, which you did not add, and you can’t remove them
- You find pages on your site that you don’t recognize via a Google search
- Google shows warnings for your site, such as “This site may be hacked,” “Deceptive site ahead,” “The site ahead contains malware,” etc.
- You scan your site with a tool such as Jetpack Scan, and it detects security threats which can’t be resolved automatically
- You can check if Google currently lists your site as unsafe with their Safe Browsing Site Status tool
Clean a hacked site
If you’re sure your site has been hacked, follow these steps to resolve the issue:
1. Contact your hosting provider
Your host should be the first port of call, as they may be aware of a wider issue, especially if you are on shared hosting. In most cases, your host may be able to deal with the issue for you, saving you a lot of work.
2. Restore from a backup
If you have a backup of your site from before it was hacked, either from your host or with a dedicated backup service like Jetpack Backup, then restoring to that point may do the trick.
However, if the hack lies within files that aren’t included in the backup, then the issue may remain even after restoring.
You could lose content added after the point you’re restoring to, so this may not be an ideal option.
3. Clean hacked files
If your host is unable to assist, and restoring the site is not an option, then it’s time to do some detective work to find the source of the problem. Make sure you have a full backup of your site before starting this, as removing/editing your site’s files can result in even more work if something goes wrong.
First, check the results of any malware plugins or services you’re using. They may provide a list of suspicious files, which is a good starting point.
Cleaning hacked WordPress core files
If the affected file(s) are part of WordPress core, you can compare the code to a clean download from WordPress.org and remove any code that doesn’t belong there.
Another option is to completely reinstall WordPress to ensure all core files are clean. You can do that via Dashboard > Updates, by clicking ‘Re-install now.’ It sounds scary, but this will only replace the files at the very core of WordPress and will not remove or replace any of your content, media, themes, or plugins.
Cleaning hacked Themes
If the infection is a part of a theme, you can install a fresh copy if you’re using it or uninstall the theme completely if you’re not using it. If you’re unable to clear the threat through this method, you should contact your theme’s developer for guidance.
Cleaning hacked Plugins
If the problem lies within a plugin, you can also install a fresh copy or delete it if you’re not using it as with the theme process above. Or advanced users can follow these steps:
- If you’re an advanced user and have the appropriate technical knowledge, check which plugin file is affected by the threat.
- Click “Edit this file” to see that plugin’s code
- Copy the URL slug of plugin (e.g. “code-snippets”)
- Search for that plugin’s slug on WordPress.org
- Go to Plugin > Development > Browse the code
- Find “Tags”
- Open tag matching your installed plugin version
- Locate the correct file and download it
- Open the file in a text editor
- Use “Find” and copy/paste the entire code from step 2 and search
- If the code matches the plugin’s code from the WordPress.org Plugin Repository, you have a false positive and the plugin is working as intended! If not, we recommend consulting with an expert who can clean the site safely.
If the plugin is not in the Repository, you can contact the plugin’s developer and have them check the code identified as malicious by Jetpack Scan.
Feeling Unsure About Cleaning Hacked Files?
Understanding and modifying your site’s files can be daunting, especially if you’re unsure about the affected files’ purpose. In such cases, you may consider consulting an expert who can help you clean the site safely.
This is particularly relevant if your site suffered a security breach before installing Jetpack Scan and now requires an intervention.
If you need a recommendation, we trust our partners at Codeable to provide you with the reliable and quality services of their highly vetted security experts. They offer free initial consultations to help you identify the full extent of security cleanup work required. After you post the project, Codeable’s experts will respond with clarifying questions so they can provide an accurate no-obligation estimate for your specific requirements.
Tighten security after cleaning your hacked site
Once your site is free from malware, it’s important to follow these steps to secure your site, as failing to do so may leave your site open to another hack from the same point of vulnerability.
1. Make sure WordPress and all of your themes and plugins are kept updated
Outdated plugins, themes, and WordPress files are an extremely common source of vulnerability. Keeping them all updated to the latest version is one of the best ways to protect your site and keep it running efficiently. Also, be sure to fully uninstall any themes or plugins you are not using.
2. Reset all passwords
In case any of your passwords have been compromised, you should change your password for everything you can think of, including your:
- Hosting account
- Email accounts
- Website’s admin accounts
- FTP/SFTP/SSH credentials
- Database passwords
- The password to unlock any device you’ve edited your site with
Make sure you use a strong and unique password for each site, device, or program to avoid a domino effect if one is ever compromised.
3. Enable Two-Step Authentication (2FA)
For enhanced security, we strongly advise enabling two-step authentication (2FA) for all sign-ins to your WP Admin area. Jetpack offers an easy-to-implement 2FA solution through WordPress.com Secure Sign On. For detailed instructions on activating this feature, visit Requiring Two-Step Authentication.
4. Audit your site’s user accounts
Check your user list via Users > All Users inside your site’s dashboard and make sure there aren’t any administrator accounts that you don’t recognize. Remove any suspicious user accounts.
5. Update your WordPress secret keys
Your site’s wp-config.php file contains secret keys/”salts” which are used for encryption. You should generate new secret keys and replace the old ones in that file. Your webhost may have an automatic tool on their side to do this.
6. Scan your site regularly
The measures above will help keep your site safe, but nothing is 100% guaranteed, so you should use an automated scanning service such as Jetpack Scan to make sure you are alerted of any future security threats so you can deal with them quickly.
Remove your site from “unsafe” lists
If your site is listed as unsafe by Google or McAfee, then you will likely still see warnings on your site even after the hacked files have been cleaned or even removed.
To get that warning lifted, request a review of your site from Google, or submit a dispute request from McAfee.
Jetpack