How to clean your hacked website

Ever received an email from Google, such as the below, indicating that hacked content has been detected on your WordPress website? I sincerely hope not! If you have, I hope this post will help you clean a hacked WordPress site and secure your site from future attacks.

Well, you’re somewhat lucky if you received an email at all.

According to Google, 61% of webmasters never receive the email notification informing them that their website has been infected. That’s because they haven’t set up and verified their site in Google Search Console.

There are three common website hacks at the moment:

Gibberish Hack: This hack creates many pages that don’t make sense but are filled with the keywords required to rank for the destination site. This hack is designed so it will rank well and redirect traffic to another site, such as porn or other vice categories.

Japanese Keywords Hack: This hack creates pages with Japanese (and sometimes Chinese) text. The added pages are affiliates selling fake goods and use this hack to rank well in Google search results.

Cloaked Keywords Hack: This hack creates many pages that don’t make sense. The pages often look like normal pages from the website, but with weird content that directs you to a third-party site.

Recently, I needed to clean up a site that was hacked. These are the steps I followed and recommend:

After validating the email from Google is genuine (by checking the header and hovering over email links) and verifying that indeed the site is listed as hacked via the Google Transparency report, it’s time to take action!

This website was hit with SQL Injection. More specifically, the Japanese Keywords Hack, which involved a hacker trying to use this website to sell fake Japanese products. This is a purely English site, yet as you can see via the below results from Google Search Analytics, the hack was relatively effective!

Inspect the damage

Log into Google Search Console to see the full extent of the warning messages from Google and the sample of hacked pages identified by Google.

In this example, we can see that additional pages have been added: previously, this website only had about 50 pages, and a hacker has created over 8,000 additional pages on it. A sure sign that it’s been hacked!

Only use “Fetch as Google” to see the pages created. Don’t click any of the pages identified by Google via your web browser, as they often contain malware and can infect your PC.

It’s now time to clean a hacked WordPress site!

Scan for a virus on your web hosting environment

Next, log in to the web hosting console (cPanel or equivalent) and run a virus scan on the full site directory to see if there’s any virus present.

In this instance, we can see that there’s a PHP malware virus. This mailer virus is usually used to send spam email from your domain.

Click “Process Cleanup” to ensure the malware is cleaned.

After that, you can either trawl through your WordPress database and directories looking for any suspicious files, or just reinstall WordPress, which will set your installation files back to their defaults.

Run a virus scan on all WordPress Administrator PCs

Malware, a virus or a keylogger on your computer may have been used to access your WordPress site without your knowledge. You should now perform a full scan on any PCs that have been used to access the WordPress administrator console.

Restore a clean version of your website

The easiest approach is to restore a recent backup. This will restore both the database and files of your website.

If you don’t have a backup, you’ll really need to trawl through your WordPress database and directories, as mentioned above. You need to identify any files outside your WordPress installation that have been modified by the hacker.
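One way to do that trawl systematically, shown here as an added example that is not part of the original post: hash every file in a known-clean copy (a fresh WordPress download or an old backup) and compare it with the live tree. The directory layout and file names in the sample are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(clean_root, live_root):
    """Return (modified, added, missing) relative paths, live vs. clean."""
    clean, live = manifest(clean_root), manifest(live_root)
    modified = sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f])
    added = sorted(live.keys() - clean.keys())
    missing = sorted(clean.keys() - live.keys())
    return modified, added, missing

def php_in_uploads(added):
    """Uploads should hold media, so a PHP file added there is a red flag."""
    return [f for f in added
            if f.startswith("wp-content/uploads/") and f.endswith(".php")]

def build_sample():
    """Constructed sample: a tiny 'clean' tree and a tampered 'live' copy."""
    base = Path(tempfile.mkdtemp())
    files = {"index.php": "<?php // front controller\n",
             "wp-includes/version.php": "<?php // version info\n"}
    for tree in ("clean", "live"):
        for rel, body in files.items():
            path = base / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Tamper with the live copy: one edited core file, one dropped script.
    (base / "live/index.php").write_text("<?php // front controller, edited\n")
    dropped = base / "live/wp-content/uploads/2020/mailer.php"
    dropped.parent.mkdir(parents=True)
    dropped.write_text("<?php // constructed stand-in for a dropped script\n")
    return base / "clean", base / "live"

if __name__ == "__main__":
    modified, added, missing = compare_trees(*build_sample())
    print("modified:", modified)
    print("added:", added)
    print("PHP in uploads:", php_in_uploads(added))
```

Legitimate themes, plugins and media will also appear under "added" when the clean copy is a bare WordPress download, so treat the output as a review list and compare plugins against their own clean copies.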

Check your .htaccess file

This file controls access security to your WordPress site. In the case below, a rewrite rule was added to allow the hacker to perform a SQL Injection.

Clean up your .htaccess file, or take a clean one from a backup or another website.
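A quick way to spot what was added, as an example written for this rewrite rather than taken from the original post: compare every directive in the file against the stock block that WordPress writes for a single-site install at the web root. That layout is an assumption, and the sample file, including its one unexpected rule, is constructed.

```python
import re

# The stock block WordPress writes between its markers (assumption: single-site
# install at the web root; newer releases also add the E=HTTP_AUTHORIZATION line).
STOCK_DIRECTIVES = {
    "<IfModule mod_rewrite.c>",
    "RewriteEngine On",
    "RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
    "</IfModule>",
}

def audit_htaccess(text):
    """Return (line_number, directive) for every directive not in the stock set."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no behaviour
        if line not in STOCK_DIRECTIVES:
            findings.append((number, line))
    return findings

# Constructed sample: the stock block plus one rule that does not belong there.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^([0-9a-z-]+)\.html$ /wp-content/uploads/example.php?p=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    for number, directive in audit_htaccess(SAMPLE):
        print(f"line {number}: review -> {directive}")
```

Directives written by caching or security plugins will be flagged too, so each finding is something to review rather than proof of tampering.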

Change passwords

Change your WordPress console password and FTP/cPanel Console password ASAP. The passwords may have been “cracked” allowing access to modify your WordPress site.

Clean up your sitemap

With many of these hacks, thousands of pages are added to your site and sitemap. Clean up your sitemap to remove references to the hacked pages.
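For the Japanese Keywords Hack on an English-only site, the injected sitemap entries can be filtered automatically. The sketch below is an added example, not part of the original post; it assumes a standard sitemaps.org XML sitemap, and the example.com URLs are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
# Hiragana, Katakana and CJK ideographs: not expected on an English-only site.
CJK = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")

def clean_sitemap(xml_text, known_good=None):
    """Drop <url> entries whose decoded URL contains CJK text or, when a set of
    known_good URLs is given, is not in it. Returns (cleaned_xml, removed)."""
    ET.register_namespace("", NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    removed = []
    for url in list(root.findall(f"{{{NS}}}url")):
        loc = (url.findtext(f"{{{NS}}}loc") or "").strip()
        suspicious = bool(CJK.search(unquote(loc)))  # URLs are percent-encoded
        if known_good is not None and loc not in known_good:
            suspicious = True
        if suspicious:
            removed.append(loc)
            root.remove(url)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: two real pages and one injected, percent-encoded entry.
SPAM_URL = "https://example.com/" + quote("日本語") + "-123.html"
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="{NS}">
  <url><loc>https://example.com/about/</loc></url>
  <url><loc>{SPAM_URL}</loc></url>
  <url><loc>https://example.com/contact/</loc></url>
</urlset>"""

if __name__ == "__main__":
    cleaned, removed = clean_sitemap(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

Passing `known_good` (for example, the page list from a pre-hack backup) also catches injected URLs that use only Latin characters.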

Once you’re convinced the site is now clean, it’s time to fix the vulnerabilities:

Secure your site

Remove any unneeded applications, plugins or files. In this particular site hack, I’ve narrowed down the point of entry to an insecure plugin, or one plugin that hosts files for download from a site directory.

Ensure your WordPress version and Plugins are always kept up to date (even if plugins are disabled). Plugin and WordPress updates are often security fixes to known vulnerabilities. Protect yourself by updating these frequently.

Install security and firewall tools on your website such as WordFence. It never fails to amaze me how many attempted hacks are detected and blocked on my websites by WordFence. Often hundreds of attacks per month are trying to connect to my WordPress console with user names that are invalid.

Submit a reconsideration request with Google

Finally, when your site is clean, submit a reconsideration request in Google Search Console to have your site re-crawled and indexed.

After you’ve performed the above activities, you should be good to go.

Hopefully this blog has been of use to those who have been hacked or, more importantly, will help stop your websites being hacked.

Feel free to contact Evolocity for advice on SEO and WordPress sites.