WordPress is popular for good reason: it’s user-friendly, reliable, well-built, and generally secure. But nothing’s perfect. WordPress’s popularity means its users are also tempting targets for hackers who are looking to infect a large number of websites.
One of the most treacherous things about being hacked is that you probably won’t know. In order to use your site for their purposes under the radar, hackers may intentionally leave your site up and running normally after they’ve installed their backdoor.
There are, of course, clues. A friend of mine recently discovered her site was hacked after her Google search results started showing ads for Viagra in the description. She sells jewelry, not pills, and was understandably concerned. After running her site through Sucuri’s security scanner, I was able to confirm that she had indeed been hacked.
If you’re concerned about your website’s security, or even worse, you’ve been blacklisted by browsers, that scan will at least let you know if you’re in danger, but it won’t fix it.
So what can you do? If you have a backup from before you noticed the issues, you might be all set. Restore the older version, repost any new content (we recommend doing it by hand instead of a WordPress export to be sure you’re not carrying the malicious code with you), and rescan your site to be sure the security issues are resolved.
If you don’t have a backup service already installed, we cannot recommend enough getting one ASAP! There are lots of great premium services, but UpdraftPlus Backup will back up both your database and files and store them in your Dropbox, FTP, or Amazon S3 account for free. Check out this post for more information on backing up your content.
If you’re already hacked, but have no backup, don’t despair. All is not lost.
Make sure you’re updated to the latest version of WordPress. The developers over at WordPress stay on top of the latest malware and build security right into the framework. Staying up to date will also help the scanner detect suspicious code and prevent future attacks.
Then create a backup of your infected site, because an infected site is still easier to fix than a deleted one.
Install Wordfence. Not only will this plugin help block hacking attempts, but it will also scan your site for anything out of place, and let you fix it with the click of a button. Perform the scan and fix any problems that it catches, then run your site through Sucuri again to see if you’re clean.
If not, your next line of defense is trial and error. Re-download and install all your plugins, rescanning with Sucuri along the way to try to narrow down where the problem is. Switch your theme to a core WordPress theme, delete yours, and rescan.
As a last resort (before contacting a professional), try exporting your WordPress posts via the WordPress exporter, backing up your wp-content/uploads folder, deleting the entire site, and reimporting your posts to a clean version of WordPress.
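The scan-and-narrow-down steps above boil down to two checks: which files differ from the pristine plugin or theme you just re-downloaded, and which PHP files contain the kind of obfuscated code a scanner flags. Here is a small added example that does both offline; it is not code from this post, Wordfence or Sucuri. It builds a constructed wp-content tree in a temporary directory (one clean plugin file, one tampered file, one dropped file in uploads), compares it against a constructed manifest of expected SHA-256 hashes, and greps the PHP files for two well-known obfuscation indicators. The manifest, file names and the short indicator list are all assumptions for the demo; a real comparison would take its hashes from the freshly downloaded plugin.

```python
"""Offline triage of a WordPress tree: hash comparison plus indicator grep.

Added example, not from the original post. The directory layout, manifest
and indicator patterns below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Short constructed list of obfuscation indicators a scanner looks for.
SUSPICIOUS_PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "gzinflate_base64": re.compile(r"gzinflate\s*\(\s*base64_decode\s*\("),
}

CLEAN_PLUGIN = "<?php\n// constructed sample plugin file\nfunction demo_hello() { return 'hello'; }\n"
CLEAN_HELPERS = "<?php\nfunction demo_helper() { return 1; }\n"


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def compare_to_manifest(actual, expected):
    """Classify files as modified, unexpected (not in the pristine release) or missing."""
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(p for p in actual if p not in expected),
        "missing": sorted(p for p in expected if p not in actual),
    }


def find_suspicious_php(root):
    """Return sorted (relative path, indicator label) pairs for PHP files that match."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as handle:
                text = handle.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(text):
                    hits.append((rel, label))
    return sorted(hits)


def write(root, rel, content):
    """Write content to root/rel, creating parent directories; newline='' keeps bytes exact."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8", newline="") as handle:
        handle.write(content)


def build_sample_site():
    """Create the constructed tree and return (root, manifest of pristine hashes)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    pristine = {
        "wp-content/plugins/demo-plugin/demo-plugin.php": CLEAN_PLUGIN,
        "wp-content/plugins/demo-plugin/helpers.php": CLEAN_HELPERS,
    }
    manifest = {p: hashlib.sha256(c.encode("utf-8")).hexdigest() for p, c in pristine.items()}
    # Untouched file, tampered file, and a file nobody installed (all constructed).
    # The base64 blob decodes to the word "constructed"; it is only a pattern for the demo.
    write(root, "wp-content/plugins/demo-plugin/demo-plugin.php", CLEAN_PLUGIN)
    write(root, "wp-content/plugins/demo-plugin/helpers.php",
          CLEAN_HELPERS + "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
    write(root, "wp-content/uploads/.cache.php",
          "<?php echo gzinflate(base64_decode('Y29uc3RydWN0ZWQ=')); // constructed indicator\n")
    return root, manifest


def triage(root, manifest):
    """Combine both checks into one report a site owner can act on."""
    report = compare_to_manifest(hash_tree(root), manifest)
    report["indicators"] = find_suspicious_php(root)
    return report


if __name__ == "__main__":
    site_root, site_manifest = build_sample_site()
    for key, value in triage(site_root, site_manifest).items():
        print(f"{key}: {value}")
```

Files that are modified or unexpected are the ones to re-download or remove; anything in uploads that is executable PHP is worth a close look, because that folder should only hold media. Run the real check against hashes from a fresh plugin download rather than the constructed manifest here.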