How to Recover a Hacked WordPress Site

how to recover a wordpress site after a hack

It’s hard to find a site admin (excluding the ones just starting out) that hasn’t dealt with some attack on their site, or at the very least, an attack attempt. While this certainly is a most stressful thing to go through, it’s nowhere near the issue it was a couple of years ago.

Because of the attacks’ frequency (and creativity), the branch of the industry dedicated to security and backup has blossomed. You’ll be hard-pressed to find an established site that doesn’t employ multiple daily backups in addition to layers upon layers of security scripts.

While startup sites must make some compromises because of their constricting budget, security should not be one of the things to just glance over, especially if you’re running a website that deals with highly sensitive information (both on your end and the customers).

Even with the budget constrictions, there are plenty of solutions out there to recover a hacked WordPress site that will help you prevent attacks entirely. Minimize the damage if something does get through and ultimately offer backup services that bring back your data in the unlikely event all else has failed.

How to recognize if your site’s been hacked

So, you want to recover a hacked WordPress site. But you need to be sure that the site is hacked.

A couple of signs can show up if something wrong happens on your site. Some of them are clear as day, while others require you to invest some time to figure out minor bugs or glitches. Because these incremental changes are too many and too specific to mention, we’ll focus on covering the most common and easily recognizable cases.

Note that everything we say will be based on using WordPress as your preferred platform, some of the issues and solutions may apply to other platforms, but the focus is on WordPress.

Unable to log in

If you’re the admin of a site and aren’t able to log into the backend, you’ll instantly know something is wrong. This is also probably the most infuriating kind of issue since there’s virtually no way to access the dashboard actually to see what’s gone wrong – you’re simply locked out. There are ways around this, but you’ll need the proper tools which aren’t part of your default selection of WordPress features – we’ll go over these in a bit.

A notification

Even if you aren’t an admin, you’ve probably seen this type of notification before. With global changes to internet security procedures in the last couple of years, these notifications have become commonplace. The one you’re most likely to encounter is the Gmail notification that informs you whenever your account has been accessed through a new (or previously unfamiliar) IP address.

A similar notification can also be received directly in the dashboard or by mail when there is a hack attempt on your site. Upon receiving the notification, you’re then able to act before any further harm can be made.

Google Chrome warning

Much like the “regular” notification you receive from the backend, there’s also the possibility of receiving a warning from the frontend. Chances are, being hacked raises some red flags on your site, and since browsers like Chrome check sites automatically before a user accesses them, more often than not, if something is detected, the site is blocked. You can check the status of a live site by yourself, or you can receive feedback from your users and/or the browser itself.

Overlays/redirections

When hacked, your site might get infected by an overlay that redirects your users every time they click on something on the page. This can often be seen when browsing stream sites where you have first to close a bunch of windows before you get to play the stream and each time you try to close, a new window pops up, most commonly advertising some kind of product.

A hacker could potentially set up an invisible overlay or add advertisements on top of your pages that lead to other sites once clicked. As you would expect, this makes browsing your pages impossible and should be dealt with expressly.

best elementor addons

How to recover a hacked WordPress site?

As we’ve mentioned earlier, there are many ways to recover from an attack on your site. You can preemptively put specific measures in place that can then be called upon after the hack. Alternatively, some actions can be done after the hack to bring your site back to normal. We’ll cover both, and you can decide which ones will work best for you.

The free ERS Script

The Emergency Recovery Script, or ERS is essentially your “get out of jail free” card designed to combat even the worst situation that might arise after a hack.

With such a lofty introduction, you’re probably wondering what’s so special about this. Well, the ERS was made to combat the very first sign of a hacked site we’ve mentioned – being locked out of your site. Generally, most problems can be solved with plugins or addons when you’re able to access the dashboard, but there’s very little you can do if you can’t.

recover a hacked WordPress site

The ERS doesn’t need you to be logged into show its magic. It’s a WordPress-independent, standalone PHP file that lets you access the backend without the need to log in.

From that access point, you can do a plethora of things to put the site back into working order without too much loss, making it the ultimate failsafe.

The screenshots below show the part of the plugin where you can find all the info about your WordPress and server.

recover a hacked WordPress site with ERS

You would expect that something like this needs to be installed beforehand, gathering data in the background, so there’s something to fall back on once you need it. You’d be wrong. While it is recommended to install the ERS, especially for developmental sites while you’re building it up, there’s no need to do so, and you’ll have full functionality even if you download it after the hack has already happened.

Access everything

With the ERS installed, you’ll get access to basic WordPress and server information – these include, among other things, the wp-config.php location, WP, PHP, and MySQL versions, site URL, core files, etc. Usually, some of these will be affected by the hack, so you’ll be able to identify the problem easily.

If the problems still persist, you’ll also be able to check on the installed themes and plugins (enabling and disabling them if that’s the issue), user roles, including the admin account (if you’re locked out, this feature is crucial), and the URL (having a compromised SSL certificate can also cause issues), disable maintenance mode and delete or reset the .htaccess file.

These changes can be done separately, so disabling one thing shouldn’t affect another.

The Core Files section lets you scan all the core files to find if any of them is changed or missing. Once the scan is finished, you are provided with the scan report and suggested actions. Besides the scan and suggested actions, you have an option for reinstalling all core files and you will end up with clean core files as you get them with the fresh WordPress installation.

The Reset WordPress section allows you to reset the database and start from the beginning, including the creation of a new admin account. Important note for the reset is that all the plugins, themes and files will remain intact.

core files of a WordPress site

Resetting and backup

If more decisive actions are in order, there’s always the option to reset your WordPress entirely. Now, this you could probably do even without ERS on your side, so it really should be considered as a last resort.

The difference with resetting with ERS is the fact that no files are deleted (plugins, themes, uploads, etc., all stay). Instead, only the database is brought back to the default values, including the user accounts, meaning you’ll need to create a new admin account, which will almost certainly circumvent the locked-out status you’ve been experiencing. If you’ve previously made snapshots, you’ll also be able to restore them. While ERS does offer much in this regard, there are more elegant solutions you can use for backup and resetting your site after you’ve used ERS to access it.

find the malicious files to recover a WordPress site

The WP Reset plugin

The perfect “more elegant” solution that complements the ERS script in all the right ways is the WP Reset plugin. The WP Reset plugin expands your options to minute details when it comes to reset and backup. Let’s get the reset options out of the way first – there are three options to choose from –

  • 1. A site reset that doesn’t include the files, just the database (the same feature ERS provides directly);
  • 2. Segmental reset of just a specific part (for example, reset just the plugins or just the themes, everything else remains unchanged);
  • 3. “Nuclear option” that wipes the slate clean, and you can start fresh. Naturally, the data loss is absolute.
how to recover a hacked WordPress site with ERS

Moving away from resetting the site through the plugin, you’ll also be able to create the snapshots mentioned above (which can be restored with ERS). These functions are simpler versions of backup files where the database is saved and the files omitted.

They are fantastic to use while testing the site, but they can prove invaluable for restoring the database after an attack, preventing data loss. You can make as many snapshots as you wish, combining those made through automatic scheduling and manually made.

All the snapshots are independent, so if one is lost or deleted, the others remain untouched if there’s ever a case. The usefulness of snapshots goes beyond just backing up data. They can also be used as an activity log – a snapshot every time core changes are made, making it easier to track and pinpoint when something went wrong and restore the site to that point. As you would expect, the storage of the snapshots isn’t limited to just the plugin repository. They can be uploaded to the cloud or on a hard drive. This ensures you are secure if anything happens to the site or the plugin.

how to delete junk files to recover a WordPress site

Backups

Speaking of backups, it goes without saying you should always back up your site, on multiple devices and in multiple ways – cloud storage, backup on your computer, external drive, etc. You won’t know the true value of having up-to-date backups until your data is compromised and lost. Remember that if you’re running an online store or any site that requires/offers users the option to leave their information, it’s not just your data that’s at risk, but also theirs.

Having extensive backups will put them at ease as much as you, if not even more so. Luckily, most hosting services nowadays offer regular backups within their plans. Be sure to look for at least daily backups from your hosting service, which shouldn’t be that hard, quickly becoming the industry standard even for low-budget hosting services.

Reach out to your hosting service

If you lack the required knowledge or simply want to forward the issue to the pros right away, this could potentially be the first thing you do after your site’s been hacked. It’s only natural you want to contact and seek help from your hosting service since they’re responsible for the bulk of your backup and security.

While they do have dedicated teams of people whose job is solely to deal with these situations, you’ll probably be able to get things done faster by going through some of the other steps mentioned here, simply because of the volume they have to deal with. Regardless of the priority you put on reaching out to your hosting service. They should be notified sooner or later, if for nothing else, to incorporate changes that won’t let the same thing repeat.

Find maintenance companies that can fix your site

A step further than just contacting your hosting service and forwarding the recovery work to them would be to contact a third party that will fix your site for you. With so many businesses requiring an online presence, many of which don’t have dedicated people working solely on maintenance, a whole industry has grown of companies getting you up and running after problems occur.

These maintenance services aren’t free, but when you calculate the amount of time you’ll lose fixing the hack and the damage (financial and reputation) your site being down for an extended period will cause, these options look more and more enticing. There are various solutions to choose from. You can opt for full maintenance or simply use them when needed. The choice is entirely up to you.

How to make sure a hack doesn’t happen again

It’s hard to highlight the one main thing you can do that guarantees nothing of the sort will happen again. Instead, it’s a combination of things that can improve your chances, but you’ll always be chasing that 100%, never reaching it. The most straightforward answer would be to invest in security plugins/software – antimalware, antivirus, basically anything with “anti” in its name can’t hurt.

Aside from that, try to acquire plugins that will enhance your stability and failsafe options like WP Reset, a tool with features that work just as well in the good times and the bad times. Find a good hosting service, one that offers high speeds, frequent backups, and state-of-the-art server infrastructure that won’t leave you hanging if your traffic spikes unexpectedly. Don’t be afraid to spend some money on any or all of these.

There’s a noticeable difference between the features you get with premium services as opposed to the ones you get with free solutions.

Wrapping up

Getting hacked is a very stressful time, regardless of the circumstances. In these times, two things are crucial – remaining calm and having the right tools to recover. Since we can’t influence your calmness level, the least we can do is offer you solutions regarding the tools.

Something like WP Reset and/or the ERS Script could be the difference between recovering in a matter of hours or a matter of days. The very best you can do is do everything you can to put your contingencies in place and hope for the best.

Comments

  1. Hardono Domitian Avatar

    Hi. Thanks a lot for all WP crew. My website is blocked (deceptive site ahead) Please help to fix that. Thank you

    1. Hasib Avatar
      Hasib

      You can follow the things I have discussed in this blog. You might solve the issue following the guide I have shared here. Also, don’t forget to update the installed plugins.

  2. mukesh Avatar

    Great information. My site is hacked today and i was wondering to make it safe for future. thanks for this valuable peace of information.

    1. Hasib Avatar
      Hasib

      Thank you mukesh for your feedback.

  3. Andy Globe Avatar
    Andy Globe

    Amazing! thank you so much. you make us aware of risks.

Leave a Reply

Your email address will not be published. Required fields are marked *