How to recover a hacked WordPress site

How to recover a hacked WordPress site

In this post we are going to deal with techniques and tips to recover a hacked WordPress site, it is difficult to find a site administrator (excluding those who are just starting) who has not dealt with an attack on their site, or at least an attempted attack. While this is certainly the most stressful thing to go through, it’s nowhere near the problem it was a few years ago.

Because of the frequency (and creativity) of attacks, the industry dedicated to security and backup has flourished. It will be difficult to discover a well-known website that doesn’t use several daily backups and numerous levels of protection procedures.

While startup websites must make some compromises because of their constrained budget, security should not be one of the things to look out for, especially if you are running a website that handles highly sensitive information (both on your side and the customer’s side.

There are several ways to restore a WordPress site that has been compromised that can help you completely avoid assaults, even if your budget is limited. Minimize damage if something goes through, and finally, offer backup services that bring your data back in the unlikely event that everything else fails.

How to recognize if your WordPress site has been hacked

But you need to be sure that the site has been hacked.

Some signs may appear if something goes wrong on your site. Some of them are clear as day, while others require you to invest some time in figuring out minor bugs or glitches.

As these incremental changes are too many and too specific to mention, we’ll focus on covering the most common and easily recognizable cases.

Please note that everything we say will be based on using WordPress as your platform of choice, some of the issues and solutions may apply to other platforms, but the focus is on WordPress.

unable to enter

If you’re the admin of a site and you can’t log in to the backend, you’ll instantly know something is wrong. This is also probably the most annoying type of issue, as there’s virtually no way to access the dashboard to see what went wrong – you’re simply locked out.

There are ways around this, but you’ll need the proper tools that aren’t part of your default WordPress feature selection – we’ll get to that in a moment.

a notification

Even if you’re not an admin, you’ve probably seen this type of notification before. With the global changes in Internet security procedures over the last couple of years, these notifications have become commonplace.

What you’re likely to encounter is the Gmail notification that tells you whenever your account is accessed via a new (or unknown) IP address.

A similar notification can also be received directly on the dashboard or by mail when there is an attempt to hack your website. Upon receiving notice, you can take action before further damage can be done.

Read More :

How to remove malware from WordPress

WordPress Website Maintenance: 13+ Must-Do Tasks in 2022/2023

How to increase WordPress speed and performance

Google Chrome Warning

Chances are, getting hacked will raise some red flags on your website, and since browsers like Chrome automatically check websites before a user lands on them, most of the time if anything is detected, the website will be blocked.

You can check the live status of a site yourself, or you can get feedback from your users and/or the browser itself.

Overlays / Redirects

When your website is compromised, an overlay that redirects users every time they click on something on the page may be installed.

This can often be seen when browsing streaming sites where you have to close a bunch of windows before starting to play the stream and each time you try to close a new window pops up, most commonly advertising some sort of product.

A hacker can set up an invisible overlay or add ads to the top of your pages that link to other sites once clicked. As you would expect, this makes it impossible to navigate its pages and must be dealt with expressly.

How to recover a hacked WordPress site?

You can implement specific measures preventively that can be triggered after the hack. Alternatively, some actions can be taken after the hack to bring your site back to normal. We’ll cover both, and you can decide which ones work best for you.

The free ERS script

Emergency Recovery Script, or ERS, is essentially your “get out of jail” card designed to combat even the worst situation that could arise after a hack.

With such a grandiose introduction, you’re probably wondering what’s so special about it. Well, ERS is designed to combat the first sign of a hacked website we mentioned – being blocked from your website.

Generally, most issues can be resolved with plugins or add-ons once you can access the dashboard, but there’s very little you can do if you can’t.

ERS doesn’t need you to be logged in to show its magic. It is a standalone, WordPress-independent PHP file that allows you to access the backend without the need to log in.

From that access point, you can do a myriad of things to get the site back up and running without much loss, making it the ultimate failsafe.

The screenshots below show the part of the plugin where you can find all the information about your WordPress and server.

You’d expect something like this to need to be installed up front, collecting data in the background so there’s something to fall back on when you need it. You would be wrong.

While it’s recommended to install ERS, especially for development sites while you’re building it, there’s no need to do so, and you’ll get full functionality even if you download it after the hack has already happened.

access all

With ERS installed, you will have access to basic WordPress and server information – these include, among other things, wp-config.php location, WP, PHP, and MySQL versions, site URL, core files, etc.

Usually, some of them will be affected by the hack, so you can easily identify the problem.

If the issues persist, you can also check installed themes and plugins (enabling and disabling them if that’s the issue), user roles including the admin account (if you’re locked out, this Turn off maintenance mode, change the URL (a compromised SSL certificate can potentially lead to issues), and the. htaccess file (this feature is vital).

These changes can be made separately, so disabling one thing shouldn’t affect another.

The Core Files section lets you check all core files to find out if any of them are changed or missing.

When the scan completes, you will receive the scan report and suggested actions. In addition to the verification and suggested actions, you have the option to reinstall all core files and you will end up with clean core files as you get them with the new WordPress install.

The Reset WordPress section allows you to reset the database and start from scratch, including creating a new admin account. An important note for the reset is that all plugins, themes, and files will remain intact.

Reset and backup to recover hacked WordPress site

If more decisive actions are in order, there is always the option of completely resetting your WordPress.

The difference with resetting with ERS is the fact that no files are deleted (plugins, themes, uploads, etc. all stay). Instead, only the database is brought back to default values, including the user accounts, which means you’ll need to create a new admin account, which will almost certainly get around the lockout status you’re experiencing.

If you’ve already taken snapshots, you can also restore them. Even though ERS has a lot to offer in this area, there are more sophisticated ways to back up and reset your site after using ERS to access it.

The WP Reset Plugin

The perfect “most elegant” solution that complements the ERS script in all the right ways is the WP Reset plugin.

Your options for backup and reset are expanded to the smallest details with the WP Reset plugin. First, let’s talk about the reset alternatives. There are three options available:

A site reset that doesn’t include the files, just the database (the same feature that ERS directly provides);

Targeted reset of just a specific part (e.g. reset only plugins or only themes, everything else remains unchanged);

“Nuclear option” that wipes the slate clean and you can start over. Of course, data loss is absolute.

Failing to reset the site via the plugin, you will also be able to create the snapshots mentioned above (which can be restored with ERS). These functions are simpler versions of backup files where the database is saved and files omitted.

They’re great for testing your website, but they may also be quite helpful for recovering your database following an attack and avoiding data loss. You can take as many snapshots as you like, combining those taken by automatic scheduling and those taken manually.

Because each snapshot is autonomous, if one is lost or destroyed, the others will continue to exist if necessary. Snapshots are helpful for more than just data backup.

They can also be used as an activity log – a snapshot whenever major changes are made, making it easy to track and identify when something went wrong and restore the site to that point.

As you would expect, the storage of snapshots is not just limited to the plugin repository. They can be uploaded to the cloud or a hard drive. This ensures that you are safe if something happens to the site or plugin.

Backups to recover hacked WordPress site

Speaking of backups, it goes without saying that you should always back up your website, on multiple devices and in multiple ways – cloud storage, backup to your computer, external drive, etc.

Remember that if you are running an online store or any website that requires/offers users the option to leave their information, it is not just your data that is at risk, but theirs as well.

Having extensive backups will put them at ease as much as you do, if not more. Fortunately, most hosting services these days offer regular backups within their plans.

Be sure to look for at least daily backups from your hosting service, which shouldn’t be that difficult, quickly becoming the industry standard for even low-budget hosting services.

Contact your hosting service

If you don’t have the necessary knowledge or simply want to escalate the problem to professionals right away, this may be the first thing you do after your website is hacked. It seems sense that you would want to contact and ask for assistance from your hosting company given that they handle the majority of your backup and security.

While they have dedicated teams of people whose job it is to just deal with these situations, you’ll likely be able to get things done faster by following some of them merely because of the amount they have to deal with, compared to the other processes outlined above.

Regardless of the priority you place on contacting your hosting service. They should be notified sooner or later, if nothing else, to incorporate changes that don’t let the same thing happen again.

Find maintenance companies that can fix your website

A step beyond just contacting your hosting service and handing the recovery work over to them would be to contact a third party who will fix your site for you.

With so many businesses requiring an online presence, many of which don’t have dedicated people working exclusively on maintenance, an entire industry has grown up from companies that get it up and running after problems occur.

These maintenance services aren’t free, but when you factor in the amount of time you’ll waste fixing the hack and the damage (financial and reputational) your site will be down for an extended period, these options look more and more attractive. There are several solutions to choose from.

You can opt for full maintenance or simply use them when needed. The choice is entirely up to you.

How to Make Sure a Hack Doesn’t Happen Again

It’s hard to single out the one main thing you can do that will ensure that nothing like this ever happens again. Rather, it’s a combination of things that can improve your odds, but you’ll always be chasing 100%, never catching up.

The most straightforward answer would be to invest in security software/plugins – anti-malware, anti-virus, basically, anything with “anti” in the name can’t hurt.

Also, try to get stability-enhancing plugins and fail-safe options like WP Reset, a tool with features that work just as well in good times and bad.

Find a good hosting service that offers high speed, frequent backups, and state-of-the-art server infrastructure that won’t leave you hanging if your traffic spikes unexpectedly. Don’t be afraid to spend some money on any or all of these.

There is a notable difference between the features you get with premium services and what you get with free solutions.

Conclusion on recovering hacked WordPress site

Getting hacked is very stressful, regardless of the circumstances. In these times, two things are crucial – staying calm and having the right tools to recover your hacked WordPress site.

As we cannot influence their level of calm, the least we can do is offer solutions regarding the tools.

Something like WP Reset and/or ERS Script could be the difference between recovery in a matter of hours or recovery in a matter of days. The best you can do is do everything you can to put your contingencies in place and hope for the best.

Consider performing preventative maintenance to keep your site safe at all times!