Which wordpress plugins were hacked

WordPress hacked? Tips & immediate help for laypeople & professionals

WordPress hacked? - What now?

First: Don't panic!

In this guide, I'll explain exactly how you can get your website back on track after your WordPress instance has been hacked.

It includes pictures of all important plugins and a checklist so that you don't forget anything.
So that you do everything right, you should first keep calm and take a deep breath.

In this guide I use various plugins and software that help you clean the website, all of which are free of charge. It can make sense to invest in some of these tools in the future, but this is not necessary for following this guide.

Cleaning a WordPress blog or a WordPress website takes about 1-4 hours, depending on the size of the site and the degree of infection. After step 2.1, however, you can take longer without increasing the risk. Keep in mind that your website will not be available until the end of the tutorial.

Immediate action - first aid with WordPress hacks

If you would like professional help right now, please feel free to contact us.

Easy, quick and with a guarantee that the website will not be infected again (so you will not have to repeat the process)!

Just contact us here if you are interested

Has your WordPress been hacked? Signs that your WordPress site has been taken over

Before we panic, let's take a quick look at what the problem is. Depending on the situation, this analysis can help us to clean up your WordPress instance faster.

You cannot log in

One of the first signs that something is wrong is usually that your password is no longer working.

If you haven't recently changed it and can rule out a technical problem, you definitely have a security problem.

Your website redirects to other pages

If your WordPress website redirects to an unknown page (usually one that asks for user data, or a sales page), then it is relatively clear that your WordPress installation has been taken over.

Your website shows third-party content that does not come from you

Another clear indication that your website has been hacked is third-party content suddenly appearing on it.

Your browser warns you before you can enter your website

The situation is also quite clear if your browser warns you before visiting the site.

Warning: If it is just an SSL error, it is possible that only the certificate has expired. This alone is not an indication of a hack, but you should inform your host about this.

Search results on Google contain hits on unfamiliar content

Mostly this is SEO spam for dubious products or services.

The advantage of this type of hack is that you can usually continue to use the site normally. You should still remove the hack and secure your instance, because it means that someone else has access and that your data and your users' data are not safe.

Your host warned you or took your website offline

Strato, Domainfactory and 1&1, in particular, take websites offline when they discover security problems.

Usually the hosts do this for good reasons, for example to prevent spam or access to bank data.

Reactivation can take a long time, and the staff sometimes find it difficult to reactivate the instance for laypeople.

Step-by-step instructions

Secure the infected instance via .htaccess

So that we can work in peace and the WordPress hack can no longer cause harm, you first have to take the site offline for a short time without restricting your own access.

Unfortunately, at this point in time, we don't know how your site was compromised, so simply activating maintenance mode is not enough!

Please do not skip this step - it can ruin parts of your work if you do not completely secure the site against unauthorized access.

The best thing to do is to change your .htaccess file. You can find it in the main WordPress directory on your web space.

To do that, visit wieistmeineip.de and find out your own IP.
Now add the following lines to your .htaccess file right at the beginning.
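
The lock-down described in this step, written as a small shell helper (an added example, not the author's original snippet, which is missing from this page). The `order deny,allow` and `deny from all` directives are the ones the guide names later; the `allow from` line, the marker comments and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): restrict the site to one IP.
# Markers and function names are assumptions made for this illustration.

MARK_BEGIN='# BEGIN incident-lockdown'
MARK_END='# END incident-lockdown'

# lock_site FILE IP: put the deny-all block at the very top of FILE.
lock_site() {
    file=$1 ip=$2
    # Accept only an IPv4/IPv6 literal so nothing else is written to the file.
    case $ip in
        ''|*[!0-9A-Fa-f.:]*) echo "invalid IP: $ip" >&2; return 1 ;;
    esac
    [ -f "$file" ] || : > "$file"
    # Refuse to stack a second block on top of an existing one.
    if grep -qxF "$MARK_BEGIN" "$file"; then
        echo "already locked: $file" >&2; return 1
    fi
    # Keep an untouched copy of the (possibly tampered) file as evidence.
    cp -p "$file" "$file.pre-lockdown" || return 1
    {
        printf '%s\n' "$MARK_BEGIN" 'order deny,allow' 'deny from all'
        printf 'allow from %s\n' "$ip"
        printf '%s\n' "$MARK_END"
        cat "$file.pre-lockdown"
    } > "$file.tmp" &&
        cat "$file.tmp" > "$file" &&   # overwrite in place: keeps owner/mode
        rm -f "$file.tmp"
}

# unlock_site FILE: remove only the marked block when the site goes back online.
unlock_site() {
    file=$1
    sed "/^$MARK_BEGIN\$/,/^$MARK_END\$/d" "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" &&
        rm -f "$file.tmp"
}
```

On Apache 2.4 these directives only work while mod_access_compat is loaded; the native equivalent there is `Require ip` followed by your address. If your provider assigns you a dynamic IP address, you will lock yourself out when it changes and must update the `allow from` line via FTP.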

You have now secured your WordPress site against further access and can now get yourself something to drink.

Check your own computer

Before we continue with your WordPress page, we first have to make sure that your own computer is not infected.

So if you have an anti-virus program, make sure it is up to date and if you don't have an anti-virus program, you should get one urgently.

There is a free program that covers the basic needs

Change the passwords for the web space

So that we can be sure that the hacker does not destroy all your work again, it is important to change the access data for your web hosting. In most cases, the hackers do not have access to the FTP, but WordPress stores, among other things, the user names and passwords for the databases, and these must now be changed in any case.

Exactly how this step works depends on your provider's administration panel. So please have a look around your hosting panel or contact your host to find out how you can change these things.

You have to change the following login details:

  • FTP access
  • MySQL credentials

If you suspect that the hacker gained access via the server instead of your web space, you should urgently inform your provider!

Create backup & save logs

Maybe it sounds weird to you to even save a hacked WordPress website.

But the reason is pretty simple:

We use it to document the status on the server before our clean up - this can be important if there are any questions afterwards or if you should delete files that later turn out to be very important.

I personally recommend the free plugin “Akeeba Backup” for backing up your WordPress site, which you can download here:
https://www.akeeba.com/products/akeeba-backup-wordpress.html

Optional: Backup Restore

If you already have a backup of your WordPress instance that was created before the hack, this will make your work much easier - all you have to do is import an uncompromised backup and enter the new user name and password data.

Some service providers offer you such a service and it is actually worthwhile, since the working time lost when something goes wrong on the blog quickly costs more than the backup service for your WordPress blog.

Cleanup & Update WP & Plugins

I am assuming that you may not have a backup available.
So let's start cleaning up your WordPress instance now!

The first thing you have to do is to go to the administration area and then reinstall WordPress under the Update option.

After the core files have been rewritten, we can assume that they are working properly.

We now have to update all plugins & themes - by the way, hacked plugins and themes are responsible for over 55% of all WordPress hacks. It is therefore worthwhile to install the latest versions regularly or to commission a service to do so.

After all extensions and also the templates & themes have been brought up to date, we now have to check the rest of the instance and your web space.

We use the free plug-in “WordFence” for this purpose.

Scan all files for malicious code

With WordFence we can now search the rest of the entire web space, which is a very important step.

Most WordPress hacks leave extra files or modifications that allow direct access to your WP instance and your web space. That is also the reason why we modify the .htaccess file at the very beginning in step 2.1 so that only we have access to the WordPress instance.

You can get the scan of WordFence as follows

After the scan has finished, you will find a list of all files that have either been changed or contain problematic code.

You now have to either remove these files or remove the damaged areas from them. If you have no clue about code, it is advisable to back up the files one after the other via FTP and then remove them on the server. If the site doesn't work after that, you have to restore the deleted files and try to find and eliminate the malicious code.

When searching, pay particular attention to the theme files, because a lot of malicious code can easily be hidden in the theme.

Unfortunately, there are no fixed indications of what you will find in these files, and therefore we cannot provide any general information here. Hacks are not easy to track down, and changes to files are often difficult to notice. But with WordFence you have a good chance of finding and removing all changes.

Caution:
WordFence often shows differences in text files such as the readme.txt because the file differs from the English version. If you are unsure, you should simply let WordFence remove the file.
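
A read-only triage pass that complements the plugin scan when you have shell access (an added example, not part of the original guide and not how WordFence works). The uploads rule, the search pattern and the function names are assumed heuristics; review every hit by hand before deleting anything.

```shell
#!/bin/sh
# Added example, not part of the original guide. Read-only: nothing is deleted.
# The uploads rule and the grep pattern are assumed heuristics, not a full scan.

# php_in_uploads WP_ROOT
# The uploads directory normally holds media only, so a PHP file there is a
# typical leftover "extra file" and deserves a manual look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) \
        2>/dev/null | sort
}

# decode_and_run_hits WP_ROOT
# PHP files in themes/plugins that decode a string and execute it at once, a
# common shape for injected code. Legitimate code can match, so review each hit.
decode_and_run_hits() {
    find "$1/wp-content" -type f -iname '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
        {} + 2>/dev/null | sort
}

# triage WP_ROOT: print both lists; exit status 1 when anything was flagged.
# Usage: triage /path/to/wordpress
triage() {
    a=$(php_in_uploads "$1")
    b=$(decode_and_run_hits "$1")
    [ -n "$a" ] && printf 'PHP in uploads:\n%s\n' "$a"
    [ -n "$b" ] && printf 'Decode-and-execute pattern:\n%s\n' "$b"
    [ -z "$a$b" ]
}
```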

Change passwords of all users in WordPress

To make sure that there is no further damage and that your WordPress instance is not hacked again, the passwords of all users in the database should be reset. This prevents the attacker from being able to publish incorrect orders or comments, for example.

You should also check whether there are other user accounts with extended (administration) rights.

You can do this with the standard WordPress tools or, if you have a few users, with the following plugin.

Put WordPress site back online

You're almost done now!

If you have followed all the steps exactly as described here, you should go back to your .htaccess file and remove the content we added in step 2.1, including the "order deny,allow" and "deny from all" lines.

After that, your WordPress blog or your WordPress website can be accessed again and should work properly again.

Further measures

Now you've removed the hack and repaired the WordPress site again.

Well done!

To prevent you from being hacked again in the future, there are a few additional steps you should take:

Passwords

Your password is always a first point of attack for any website, long before exploits of any kind are used.

So make sure that you always use sufficiently complex passwords and never use them in multiple places.

WordPress updates against security holes

Regular updates are one of the best measures you can take against hackers, exploits & malware.

So either set up a weekly appointment in your calendar or consider whether it makes sense to hire someone outside to take care of it.

In addition, it is also advisable to use a software firewall (such as WordFence, which you have already installed during this guide), or to use a specially secured server. The latter is a bit more expensive to host, but it reduces the chance of something happening many times over.

For retailers and companies, it is definitely advisable to think about an all-round service - the failure of the site and the embarrassing notice to customers that personal data has been disclosed are so damaging to business that the costs of a premium service are very low by comparison!

You can find out which services we offer and what they contain here

I hope this guide was able to help you - if you like, tell me about your experiences in the comments.

Which plugins can make my website more secure?

The following plugins partly fulfill the same purpose, but they are all slightly different and offer different functions for security.

Wordfence

We already got to know Wordfence in this article, and it is definitely a good all-round plugin.

It offers good protection against hacking attacks, a scan engine and the really useful two-factor authentication via e.g. Google Authenticator.

Unfortunately, it can also cause the website to slow down, which is why permanent use is not suitable for all pages.

iThemes Security

iThemes Security offers universal protection that is not limited to the theme or template used, but also secures the entire WordPress installation. We maintain websites with iThemes Security and have only had positive experiences so far.

Sucuri Security

Sucuri offers many functions of its premium service for free in this plugin - unfortunately, the firewall is reserved for premium users.
Nevertheless, it is one of the plugins we don't want to miss when it comes to malware and theme exploits.

What was the cause of the hack?

That is always difficult to answer without a precise analysis, because there is no general answer.
What I can give you as a guide are the common reasons.

Insecure password for an admin account or FTP

Sad but true. There are still many who don't keep their passwords secure or use the same passwords everywhere.

If you are one of them, you should inform yourself about the topic and change your approach, because what happened to you here with WordPress can then also happen to your e-mail or your bank account.

Incidentally, I can warmly recommend the free password manager LastPass.

https://www.lastpass.com/de/pricing

Outdated versions of WordPress, Theme & Plugins

Like any software, WordPress also needs updates; these are not only for new features, but above all for the security of the software.

In the case of WordPress, WordPress itself as well as all plugins and themes have to be updated regularly.

If you are responsible for a company website then we recommend our professional maintenance service.

During this process, we regularly scan the instance for files with malicious code and take care of all updates and technical problems.

Unsafe code in the implementation of the project

Some projects are simply implemented sloppily - unfortunately that is a reality and often a security problem. A plugin with 50,000 users is usually more secure than a plugin with 50 users.

Also some operators of WordPress websites want to save license costs and install so-called “nulled” software packages in which the licensing is deactivated.

What they forget is that a deactivated license also means that you will not receive any notifications about security problems or updates.

Questions & Answers [FAQ]

Why are WordPress sites hacked?

Many wonder why they are hacked in the first place.
Unfortunately, the reason is not always obvious. It could simply be a teenager who wanted to see if he could take over the blog, or a spammer who used or wanted to use your blog to distribute spam emails.

It is also possible that the hacker wanted to access your users' data in order to reuse them later, e.g. to compromise their e-mail accounts.

More rarely, a competitor wants to make sure that the page is devalued from an SEO point of view or is interested in certain customer data.

What do I have to consider for the GDPR after a hack?

According to the GDPR, you have to inform users if someone else had access to their personal data. If your WordPress site has been hacked, this could be, for example, access data for a members' area or the email and IP addresses of commenters.

Unfortunately, I cannot tell you here whether and how this should be done in your particular case. However, you can get a brief overview from our partners at eRecht 24.

Error: white screen

Sometimes it happens that after a hack you have a blank page and you don't know what to do.
WordPress has been able to cope with such errors better since version 5.2. In the event that this “recovery” fails, there is a simple trick that you can use to get error messages in a meaningful way.

Go to your wp-config.php via FTP and change the following line:

to

Now you can see the error message and act accordingly.
Unfortunately, I can't tell you exactly how to fix every error message. This can be very complex at times, but it is often trivial and you can solve it with a little skill.

Remember to change the wp-config of your WordPress site again after troubleshooting!

Error: redirection / redirect

Sometimes hackers redirect your page to another page.

This is often used to redirect your users to a download, which then usually also contains malicious code.
The best thing to do is to fix this redirection as normal, as described in the guide, but start with step 2.1 so as not to endanger your users while troubleshooting.

Why do so many recommend updating the PHP version?

The PHP version that your WordPress runs with should always be the most up-to-date one that is possible for you. On the one hand, PHP can also contribute to exploits or malware in your theme or on your WordPress site. On the other hand, current PHP versions offer a speed advantage for your WP installation, which Google definitely rewards.

If you want to know more about it, you can get more information here: