Your wordpress site got hacked, Now what?

So you’ve suddenly discovered that your WordPress site is down, or worse. Or only the visitors who say they clicked through from Google can’t get there (a classic sign of a redirect that fires only for search traffic). Or something just isn’t right.

It’s happened, to a lot of us.

Solving a hack

There is no way to trace the source of every hack, but it helps to know what happened. The first few places to check are always the same: .htaccess, wp-config.php, your DNS, and the installation itself.

What you’ll need to get this done: admin access to your hosting control panel (to find server details), FTP access to your server (SFTP if your host offers it, since plain FTP sends your password in the clear), and admin access to your DNS provider.

DNS first

Check your DNS first. If your site is pointed somewhere other than where it should be, nothing else you do will matter. Get the IP address of your hosting from your web host, then check that your domain actually resolves to it. There are many ways to look this up (dig or nslookup from a terminal will do); if you don’t know where to start, mxtoolbox.com is a convenient hosted option.

If your site is not resolving to your own server, reset the DNS records to point back at it, then check again later: propagation can take a couple of hours and up to 48 hours. If the records were changed without you, treat the DNS or registrar account as compromised too and change its password.
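The check above, as an added shell example (not part of the original post): it feeds the output of dig +short into a small function that accepts CNAME hops and multiple A records but fails on any address that is not the one your host gave you. The hostname, the expected IP and the resolver are placeholders you set.

```shell
#!/bin/sh
# Added example, not from the original post. Compares what public DNS returns
# for a host against the IP your web host gave you. Assumes dig is installed.
set -u

# a_record_ok EXPECTED_IP "DIG_OUTPUT"
# DIG_OUTPUT is what `dig +short A host` prints: zero or more lines, each an
# IPv4 address or, for CNAME chains, a hostname ending in a dot.
# Returns 0 when at least one A record resolves and every A record is the
# expected IP; returns 1 otherwise and explains why on stderr.
a_record_ok() {
  expected=$1
  output=$2
  found=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case "$line" in
      *.) continue ;;                       # CNAME hop, not an address
      "$expected") found=1 ;;
      *) echo "unexpected A record: $line" >&2; return 1 ;;
    esac
  done <<EOF
$output
EOF
  if [ "$found" -eq 1 ]; then return 0; fi
  echo "no A record for $expected found" >&2
  return 1
}

# check_dns HOST EXPECTED_IP [RESOLVER]
# Queries a public resolver (1.1.1.1 by default) so you see what visitors see,
# not what your local cache remembers.
check_dns() {
  host=$1
  expected=$2
  resolver=${3:-1.1.1.1}
  records=$(dig +short A "$host" "@$resolver")
  a_record_ok "$expected" "$records"
}

# Usage (placeholders): check_dns www.example.com 203.0.113.10
```

Run the same check against each of your authoritative name servers (dig +short NS example.com lists them) as well; if the authoritative answer is wrong, the records themselves were changed, and if only the public resolvers disagree you are simply waiting on propagation.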

.htaccess Repair

An .htaccess problem is usually an easy fix if you have access to the file. WordPress itself writes very little there, so anything that does not match the standard WordPress block is suspect, in particular rewrite rules that test the referrer or user agent and redirect elsewhere. Save a copy of the file locally as a backup (and as evidence), then edit it to match the original WordPress rules.
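Here is that repair as an added shell example (not from the original post). It contains the stock block WordPress writes when pretty permalinks are on, lists every line of your file that is not in that block, flags the directives attackers typically add (referrer or user-agent conditions, auto_prepend_file, handler tricks that make other extensions run as PHP, ErrorDocument pointing off-site), then backs the file up and rewrites it. The file path is a placeholder you set, and the pattern list is my own choice rather than anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Inspect and restore a WordPress
# .htaccess. Assumes Apache with mod_rewrite; FILE is a placeholder path.
set -u

# The block WordPress itself writes for pretty permalinks.
STOCK_HTACCESS='# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress'

# Print the non-blank lines of FILE that are not part of the stock block.
# Legitimate customisations show up here too, so read before you replace.
htaccess_nonstock() {
  file=$1
  tmp=$(mktemp)
  printf '%s\n' "$STOCK_HTACCESS" > "$tmp"
  grep -vxF -f "$tmp" "$file" | grep -v '^[[:space:]]*$' || true
  rm -f "$tmp"
}

# Print (with line numbers) lines matching directives attackers commonly
# inject; returns 1 if any were found, 0 if the file looks clean.
htaccess_suspicious() {
  file=$1
  pat='HTTP_REFERER|HTTP_USER_AGENT|auto_prepend_file|auto_append_file|AddHandler|AddType|ErrorDocument.*https?://|base64'
  hits=$(grep -nEi "$pat" "$file" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Keep a timestamped copy of the hacked file, then write the stock block.
restore_htaccess() {
  file=$1
  stamp=$(date +%Y%m%d%H%M%S)
  cp -p "$file" "$file.hacked.$stamp"
  printf '%s\n' "$STOCK_HTACCESS" > "$file"
  chmod 604 "$file"          # matches the permissions scheme in this post
}

# Usage (placeholder path):
#   htaccess_nonstock /var/www/html/.htaccess
#   htaccess_suspicious /var/www/html/.htaccess || restore_htaccess /var/www/html/.htaccess
```

If you run nginx instead of Apache there is no .htaccess to repair, but the same idea applies to the server block: diff it against what you deployed.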

Standard Permissions

Once you have the site displaying again, follow up with a permissions check on all of your files. Easy rule of thumb: 755 for directories, 644 for almost everything else. Specifically:

  • directories: 755
  • files: 644
  • .htaccess: 604
  • wp-config: 600 (sometimes can go to 400)

The following only exist on some CGI-based hosts, and the right values depend on how your host runs PHP, so consult a pro (or your host’s documentation) before touching them. Common values:

  • php.ini: 600
  • php.cgi: 711
  • php5.cgi: 100
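The scheme above applied to a whole install, as an added shell example (not from the original post). fix_wp_perms sets 755 on directories, 644 on files, then the two exceptions; perm_report lists anything that still deviates, which is also a quick way to spot files an attacker left executable. The root path is a placeholder, and the CGI wrappers are deliberately left alone since their values are host-specific.

```shell
#!/bin/sh
# Added example, not from the original post. Apply the permission scheme from
# this post to a WordPress tree. Run as the user that owns the files; WP_ROOT
# is a placeholder. Host-specific php.ini/php.cgi wrappers are not touched.
set -u

fix_wp_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/.htaccess" ]; then
    chmod 604 "$root/.htaccess"
  fi
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
  return 0
}

# Print every path that does not match the scheme: directories that are not
# 755 and regular files that are not 644 (the two special files excepted).
# Empty output means the tree is clean.
perm_report() {
  root=$1
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -perm 644 ! -name wp-config.php ! -name .htaccess
}

# Usage (placeholder path):
#   perm_report /var/www/html        # what is off
#   fix_wp_perms /var/www/html       # fix it
#   perm_report /var/www/html        # should print nothing
```

If your host runs PHP as a different user from the one that owns the files (common on shared hosting with mod_php), 600 on wp-config.php can break the site; that is the case where the post's "sometimes 400 / consult a pro" caveat applies, and 640 with the right group is the usual compromise.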

wp-config.php checks:

Check for a few things: does the file include or require a file with a random-letters name (e.g. sldkurasdoiea.php)? If so, delete or comment out those lines and remove the file they point to. More generally, compare the file against wp-config-sample.php from a fresh download: apart from your database settings, keys and salts, and table prefix, nothing in it should differ, and a stock wp-config.php contains neither eval() nor base64_decode().

Re-install the whole thing.

On a serious hack, start by re-installing WordPress core and each and every plugin and theme from fresh downloads from the wordpress.org repository and any paid plugin vendors. Then re-run the permissions corrections described above. (Don’t remove the wp-config.php file or your uploads folder; reinstalling replaces code, not your content.)

WP-CLI scripts

If you have SSH access and a terminal, a great step is simply to run wp core verify-checksums and wp plugin verify-checksums --all. They compare every core and plugin file against the checksums wordpress.org publishes and list the files that have been modified or added, which is most of your post-hack cleanup list. (Plugin checksums only exist for plugins hosted on wordpress.org; paid plugins are skipped with a warning.)

Save a lot of time by running wp core download --force --skip-content. It replaces every core file with a fresh copy while leaving wp-content alone, so you get a clean core without losing plugins, themes or uploads. By default it fetches the most recent release, so an older install is upgraded in the process (pass --version if you need a specific one). Note that it only overwrites known core files: extra files an attacker dropped into wp-admin or wp-includes stay behind, which is what verify-checksums is for.
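The reinstall described in the last two sections, scripted with WP-CLI as an added example (not from the original post). It runs the two verify-checksums commands first so you have a record, replaces core with --skip-content, then reinstalls every installed plugin and theme from wordpress.org with --force. Anything that cannot be fetched from the repository (paid plugins, must-use plugins, drop-ins) is counted so you know what to re-upload by hand. It assumes WP-CLI is installed as wp and that you run it from the WordPress root as the file owner.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuild a hacked WordPress from
# fresh downloads with WP-CLI. Assumes `wp` is on PATH, you are in the
# WordPress root, and you run as the file owner.
set -u

# Record what was modified or added before anything is overwritten.
# Both commands exit non-zero when something differs; that is the point.
wp_audit() {
  wp core verify-checksums || true
  wp plugin verify-checksums --all || true
}

# Replace every core file with the current release, leaving wp-content alone.
reinstall_core() {
  wp core download --force --skip-content
}

# Reinstall every installed plugin and theme from wordpress.org.
# Prints the number that could not be reinstalled (paid plugins, must-use
# plugins and drop-ins are not in the repository) so you can handle them by hand.
reinstall_plugins_themes() {
  failed=0
  for p in $(wp plugin list --field=name); do
    wp plugin install "$p" --force || failed=$((failed + 1))
  done
  for t in $(wp theme list --field=name); do
    wp theme install "$t" --force || failed=$((failed + 1))
  done
  echo "$failed"
}

# Run the whole sequence only when explicitly asked: sh rebuild.sh run
if [ "${1:-}" = "run" ]; then
  command -v wp >/dev/null || { echo "wp-cli not found" >&2; exit 1; }
  wp_audit
  reinstall_core
  n=$(reinstall_plugins_themes)
  echo "plugins/themes not reinstalled from wordpress.org: $n (reinstall these manually)"
fi
```

After the rebuild, run wp core verify-checksums again: it should report nothing for core, and any "should not exist" files it still lists are leftovers to delete by hand.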

Follow-up, hardening, and prevention

Get Salty in wp-config

  1. Replace all eight keys and salts in the file (AUTH_KEY through NONCE_SALT) with fresh values, for example from https://api.wordpress.org/secret-key/1.1/salt/. This invalidates every existing login cookie, including any the attacker is still holding.
  2. Check that the database name, user, password, host and table prefix in the file match your actual database, and change the database password while you are at it.

Fixing those two things covers a large portion of hacks.
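Both wp-config.php checks in this post (the random-letters include from the "wp-config.php checks" section and the salt rotation above) as one added shell example, not from the original post. wpconfig_suspicious lists lines that pull in or decode code, ignoring the one require_once of wp-settings.php that belongs there; rotate_salts backs the file up and rewrites the eight define() lines with 64 random characters each, generated locally so it works without the wordpress.org service. The path is a placeholder, and the pattern list is my choice.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks on wp-config.php:
# 1. flag lines that include, require, eval or decode code (a stock file does
#    this exactly once, for wp-settings.php);
# 2. replace the eight keys and salts, which logs out every session.
# FILE is a placeholder path.
set -u

SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# Print suspicious lines with line numbers; returns 1 if any, 0 if clean.
# The include/require alternative requires a following quote, paren, $ or
# constant so that the word "included" in a stock comment is not matched.
wpconfig_suspicious() {
  file=$1
  pat="(^|[^A-Za-z_])(include|require)(_once)?[[:space:]]*[(\"'\$A-Z]|eval *\\(|base64_decode|gzinflate|str_rot13"
  hits=$(grep -nE "$pat" "$file" | grep -v 'wp-settings\.php' || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# 64 random printable characters from the kernel RNG. The set deliberately
# excludes quote, backslash, & and / so the value drops into a single-quoted
# PHP string and into an awk replacement without escaping.
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_+=<>?,.;:~' < /dev/urandom | head -c 64
}

# Back up the file, then rewrite each define( 'KEY', '...' ); with a fresh value.
rotate_salts() {
  file=$1
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  tmp=$(mktemp)
  cp "$file" "$tmp"
  for key in $SALT_KEYS; do
    salt=$(new_salt)
    awk -v key="$key" -v salt="$salt" -v q="'" '
      $0 ~ ("^[[:space:]]*define\\( *" q key q) {
        sub(q "[^" q "]*" q " *\\);[[:space:]]*$", q salt q " );")
      }
      { print }' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
  done
  cat "$tmp" > "$file"      # write in place so owner and mode are preserved
  rm -f "$tmp"
}

# Usage (placeholder path):
#   wpconfig_suspicious /var/www/html/wp-config.php
#   rotate_salts /var/www/html/wp-config.php
```

Rotating the salts logs out everyone, including you, so do it last and then change the admin passwords from a fresh login.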

Permissions Check (yes again)

Permissions fixes can stop most of the hacks you will actually see that aren’t based on a stolen password. For the ones that are, have all of your admins check their passwords and reset them if there is any doubt, and remove any admin accounts you don’t recognize.

You may need to go through and re-install WordPress, as well as your plugins: removing and replacing all of the files is the easiest way to confirm that any deep-seated altered files are back to normal.

Firewall and monitoring

I’m currently recommending the free Wordfence plugin as a minimum security step to all of my clients. I also recommend moving your DNS over to Cloudflare for the free CDN and firewall that act before traffic touches your server. For general purposes, Wordfence includes a much more robust system before its paywall kicks in, and that really is the separation point for me. I’d take a lot more steps than the above two, but this basic setup will save you a lot of headaches without much effort.

Uptime Monitor

It’s a great idea to get one of these running. Jetpack offers one, and I have also used the ones from MXtoolbox and Uptime Robot. You’ll get early warning when your site is experiencing problems, and a notice when it is publicly visible again.

One thing to keep in mind: a monitor can occasionally be blocked by your own firewall as a misbehaving bot (it visits very regularly, which a strict bot detector may dislike), or it can hit the site at the exact moment your cache is refreshing. So don’t panic immediately when you get a site-down email; check the site yourself first.

Still having problems

Time for a pro. Your problem could still be fairly simple, such as a corrupted plugin update, or you might need major fixes. I’m happy to jump in and help, just contact me.