How to Fix Your WordPress Site If It Gets Hacked (Part One)

Posted on Jun 21 2010 by Alistair Barnett in Tutorials, WordPress

PART I: Introduction and Housecleaning

It’s no fun when your WordPress site gets hacked. I had a first-hand experience the other day when I was told by my brother that it happened to his site. After being able to successfully get it up and running again, I’d like to now share some helpful information and a step-by-step guide with all of you.

First things first: Try not to panic. I realize how silly or unrealistic this may sound, but millions of sites are hacked every day so you’re not alone in feeling scared, violated, or cheated. It will probably happen to each one of us at some point or another in our lives. Maybe not with a Web site, but with our computer, smartphone, iPhone (yes, it can happen), etc. Now, on to the actual steps:

1. Make sure your anti-virus software is up-to-date
It is essential that you’re using the latest virus definition files for your anti-virus software. If you are using Windows and don’t have one yet, get avast! antivirus or AVG Free; both of these are highly rated free anti-virus programs. Install it fully, download all updates, and then continue with the steps below.

2. Save the hacked page to your computer [optional]
If you choose to report the hacker it’s very important to have a copy of the hacked page. Plus, if you decide to write a post about it to warn others, you can get screenshots and examples of the text as well. In Firefox, you go to File -> Save Page As… then navigate to where you’d like to save the files (a drive other than C: is strongly recommended). Be sure that “Web Page, complete” is selected as the “Save as type” option, change the file name if you’d like, then click ‘Save’.

3. Download the latest version of WordPress
At the time of this writing, it is 3.0. You can always get the most up-to-date version of WordPress at http://wordpress.org/download/. Even if you are unsure whether the server your site is on meets the requirements, it’s imperative that you upgrade, and find a host that does meet them if necessary. HostGator is a good one and is not as likely to be a target for hackers like, say, Go Daddy. Once the latest version of WordPress is downloaded, go ahead and extract all of the files (they will be extracted into a ‘wordpress’ folder within the folder you’re in).

4. Clean up all affected folders and files on the server
Now that you have the latest version of WordPress, you are able to delete everything but the essential files from your server. Don’t worry, your database has all of your data including your posts, pages, categories, tags, and so on. If you were so unfortunate as to have a hacked database too, hopefully you have been making regular backups (more about this in PART III) and/or your host may have one from within the last 24 hours (hey, better some than none). Below are the folders and files that should NOT be removed:

  • DO NOT DELETE folders that were there in the first place (e.g., stats)
  • DO NOT DELETE ‘wp-content’ folder (themes and sometimes plugin content)
  • DO NOT DELETE .htaccess (permalink structure, permissions, passwords, etc.)
  • DO NOT DELETE favicon.ico (customized icon to left of URL)
  • DO NOT DELETE google…html (Google Webmaster Tools verification)
  • DO NOT DELETE wp-config.php

5. After uploading the latest version of WordPress, you may safely delete these files:

  • DELETE /wp-admin/install.php (not needed anymore)
  • DELETE /readme.html (to prevent users from seeing WordPress version)
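A dry-run planner for steps 4 and 5, added here as an example and not part of the original post. It assumes you have shell access to the server (the post works over FTP), that DOCROOT is the folder holding wp-config.php, and that FRESH is the ‘wordpress’ folder extracted in step 3. It deletes nothing itself; it prints a plan you review first, so a pre-existing folder such as ‘stats’ is flagged rather than silently removed.

```sh
#!/bin/sh
# Dry-run planner for the step-4 cleanup. DOCROOT = hacked site root
# (contains wp-config.php), FRESH = the freshly extracted 'wordpress' folder.
set -eu

# Names the post says to keep, whatever version of WordPress is installed.
is_keeper() {
    case "$1" in
        wp-content|.htaccess|favicon.ico|wp-config.php) return 0 ;;
        google*.html) return 0 ;;   # Google Webmaster Tools verification file
    esac
    return 1
}

# Print "<verdict> <name>" for every top-level entry in DOCROOT:
#   keep    - on the do-not-delete list
#   replace - a stock WordPress file/folder (exists in FRESH); safe to
#             delete because the fresh upload brings a clean copy
#   review  - neither stock nor on the keep list: a folder that was there
#             in the first place (e.g. stats) or something an intruder
#             dropped; decide by hand before deleting
plan_cleanup() {
    docroot=$1 fresh=$2
    for path in "$docroot"/* "$docroot"/.[!.]*; do
        [ -e "$path" ] || continue          # glob matched nothing
        name=${path##*/}
        if is_keeper "$name"; then
            echo "keep $name"
        elif [ -e "$fresh/$name" ]; then
            echo "replace $name"
        else
            echo "review $name"
        fi
    done
}

# Step 5: files to remove once the fresh copy has been uploaded.
post_upload_targets() {
    docroot=$1
    for rel in wp-admin/install.php readme.html; do
        [ -e "$docroot/$rel" ] && echo "$docroot/$rel"
    done
    return 0
}
```

Run `plan_cleanup /path/to/site /path/to/wordpress`, act on the ‘replace’ lines, look at each ‘review’ line yourself, and after the upload feed `post_upload_targets` to `rm`.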

6. Refresh your site’s home page
Things should look better now. If your host has a default page that appears when it finds no content, that will be shown. Otherwise, you’ll get the standard “Page Not Found” error, which is much better to see than a hacked page, am I right?

7. Install the latest version of WordPress
If your site’s content has been removed in Step 5, use FTP to upload everything (except the ‘wp-content’ folder) from the ‘wordpress’ folder in Step 4 above. (If you like to keep things clean like me, you don’t need to upload the wp-config-sample.php file since you already have wp-config.php on the server.) After the transfer is complete, you can then go into the ‘wp-content’ folder and upload new files and folders if you’d like, but it isn’t necessary.

8. Refresh your site’s home page again
Hopefully you now see your site as it was. If not, I hate to say this but your database has been hacked. This is a lot more complicated to fix, but bear with me while I direct you to PART II: Database Modification and WP Admin.

PART I: Introduction and Housecleaning
PART II: Database Modification and WP Admin
PART III: Plugins to Make Your Life Easier