Quick Answer Section
What is a hacker attack?
A hacker attack is an action resulting in a breach of your website’s security. Attackers can then access your site’s content, the sensitive data stored on it, and any mailing lists. A hacker attack can have different goals – from simply destroying your site to stealing sensitive data, infiltrating your site with viruses, or sending out mails on your behalf.
Why can't I access my website after a hacker attack?
Often, hackers use brute force to gain access to your website. Simply put, this means that they try to guess the password of one or all of the users registered on the site. Once they are in, they can either change the email address and password of your user or delete the user completely, making it impossible for you to log in with your credentials or to reset your password.
Once successfully attacked by hackers, can I really regain full control over my site?
Yes. It does, however, involve some database edits, which require that you have access to the server. A prerequisite is that you have a full backup of your site and database, and that either your hosting account hasn’t been compromised (you can still log in and are certain that your password is secure) or your hosting company can help you identify and remove any malicious files from the server and reset your password.
Do I need to be able to code, in order to regain control over my site?
No. But you must dare to tweak your database settings (a step-by-step guide is provided in this post).
Hackers made changes to my site. Are they reversible?
If hackers deleted images or pages, you cannot restore them with one click. You do, however, have the option to clean the site of any viruses and restore a backup copy from the period right before the attack. Hacker attacks are one of the most serious reasons why you must back up your site regularly.
If you don’t have a backup, turn to your hosting provider. Hosting companies tend to back up their servers up to several times a day, so, unless your site was excluded from the backups for some reason, there should be a ready backup to restore. Some hosting providers charge for this service, but this is hardly a situation where it’s worth being cheap.
Is it necessary to purchase security subscriptions or services in order to clean my site from viruses?
The short answer is no.
After checking your site thoroughly (find out how in the post) and/or restoring it to a previous version, all malicious programs will be deleted. Most of the time, viruses are contained on the website itself. If you are worried that viruses have spread to your hosting account, in most cases it is the hosting provider that is responsible for keeping your account clean and safe (check your plan’s features).
Would a security plugin have helped against the attack?
Most security plugins help against general threats and may prevent amateur attacks. However, installing a security plugin can also give you a false sense of security, as most advanced hacker attacks nowadays use methods that are beyond what any security plugin can stop.
Instead, you can try to harden WordPress, making the hackers’ job truly difficult (though not impossible!), at no additional cost.
Regaining full control over your website after a hacker attack isn’t that difficult, but it can be scary or feel chaotic if you have never tried it before. This post will guide you step by step through the process of cutting off all access to your website to mitigate the attack, restoring the site to a clean version, and securing it. More specifically, you’ll learn to carry out these crucially important tasks:
- Cut off unauthorized access to your site and hosting account
- Access your website
- Check for malicious programs and scripts
- Restore your site and database to a previous version to recover from the attack
- Make your website difficult to hack
Important to Know Before You Begin
Once you’ve been hit by a hacker attack, all you can think about is how fast you can regain control of your site and contain the damage. However, it’s recommended that you stop for a second and go through this list of preparation tasks, which will help you avoid further data loss or unnecessary damage to your system and your business:
- Immediately contact your hosting provider, inform them about the attack (if they aren’t aware of it already), and ask for advice. Most hosting companies have security systems in place, and it would be smart to take advantage of their established procedures and professional tools. Ask them specifically to check your hosting account and mail accounts for malicious scripts or unusual activity, and to check the activity logs. Ask them to close all “gates”, such as FTP, cron jobs, automated mailing systems, etc. If deemed necessary, suspend the account to contain the damage. If you suspend the account, though, you won’t be able to access your website. In that case, the only thing you can do is clean your account and upload a backup copy of your site and database with the assistance of the hosting provider. Thereafter, you can ask the hosting provider to open your account again.
- Together with your hosting provider, identify the moment of the attack and agree on an action plan, including removal of the threats found, restoring your site and database to an earlier version, and securing your account again with new passwords.
- Close all your email accounts temporarily, if you detect suspicious activities.
- Find either a fresh local or server-side backup that you can use to restore your website.
- Before you start the actual recovery, scan the devices you have been using to access the server for viruses and remove any threats. Trojans on individual computers are often used to steal passwords and attack other systems, such as your server and/or website.
Even though you can, in theory, skip these steps, coordinating the process with your hosting provider gives you the best chances of regaining full control over your website after a hacker attack.
Regain the Control Over Your Website
The first thing you should do, when your site has been hacked, is to cut off the hacker’s access to your website and hosting account. Here are the steps you must take – in the order you must take them – to immediately secure your site and account:
Scan Your Computer and Website for Viruses
You should use a reliable antivirus program or online scanner to check all of the devices, including PCs, laptops, iPads, and phones, that you have used to access your hosting account, FTP accounts, and website, as well as any devices you store passwords on. If you stumble upon any threats, remove them before continuing.
You can also scan your website for viruses with a remote scanner such as Sucuri SiteCheck or VirusTotal. Alternatively, you can try some of the available security plugins, such as WordFence. Be aware, though, that site scanners can only help you identify threats, not remove them.
Reset Your WordPress Password
One of the passwords that it is very important to reset right away is your WordPress password. To regain control over your website after the attack, you must log into WordPress and cut off the hacker’s access to the site.
If it wasn’t your user that was hacked, you can likely use your username and password to log in. This assumes that the user hasn’t been deleted or modified, though. If you can’t log in normally and it seems that you can’t reset your password from the login screen, it’s likely that the user was modified and the contact email changed, or that the user was deleted altogether.
In such cases, you’ll have to hijack your own site (this requires access to the server and, more specifically, to your site’s database). To do this, follow these steps (a cPanel-based guide, which can be used on other control panels with modifications as well):
- Log into cPanel on the server
- Locate phpMyAdmin (phpMyAdmin can in rare occasions be called something like Database Management on other control panels than cPanel)
- In phpMyAdmin, locate your WordPress database. If you are in doubt about which one is your site’s database, you can check by taking a look at wp-config.php. You can find this file in the File Manager on the server, under the directory public_html. Locate the database settings in the file and note specifically the value of DB_NAME. This is the name of your database.
- Click on the WordPress database in phpMyAdmin and locate the table called wp_users. Be aware that the prefix wp_ can vary, as it is user defined. Click on wp_users.
- If you have more than one user registered, review them carefully. Can you identify any unusual registration? It is recommended that you change the passwords of all users, so you don’t take any chances. You do that by clicking on Edit at the beginning of the row and replacing the current passwords with new ones. Note down all users’ credentials. You might need to try them all out when trying to access your site, if you don’t know which user has an admin role. The username is found under user_login and the password under user_pass. In addition to changing all passwords, consider also changing all user email addresses to your own for now – in order to make it impossible for hackers to reset their passwords and regain access to the site.
- That’s it. You have successfully changed the user passwords. Now you should log in as an admin (admin users usually have 0 or 1 as an ID).
Once you are logged in, check the Users tab again. If your website has multiple users, make sure to temporarily suspend access to all accounts. Thereafter, contact your users and ask them to check their devices for viruses. Only after this is done, send them new login credentials. Require that they use strong passwords. Use a plugin such as Force Strong Passwords if nothing else helps.
If possible, check manually whether there have been any suspicious user registrations around the moment of the attack or afterwards. Remove such users permanently.
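The same user review and password reset, written as SQL statements for phpMyAdmin’s SQL tab instead of its Edit form. This is an added example, not code from the original post; it assumes the default wp_ table prefix and uses placeholder values you must replace. It also goes one step beyond the text by clearing stored login sessions, so that a hacker who is already logged in is signed out rather than keeping an old session cookie:

```sql
-- Added example (not from the original post). Assumes the default wp_ table prefix:
-- if wp-config.php sets a different $table_prefix, use it for the table names
-- and for the 'wp_capabilities' meta key as well.

-- 1. Review all accounts, newest registration first. The capabilities column shows
--    the role; an unexpected administrator registered around the attack is suspect.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC;

-- 2. Reset the password and contact e-mail of your own admin account (ID 1 here).
--    WordPress accepts a plain MD5 value in user_pass and replaces it with its own
--    salted hash the first time you log in, so type the new password as plain text
--    inside MD5(); never store it unhashed.
UPDATE wp_users
SET user_pass  = MD5('REPLACE-WITH-A-LONG-RANDOM-PASSWORD'),  -- placeholder
    user_email = 'you@example.com'                          -- placeholder
WHERE ID = 1;

-- 3. Drop every stored login session. A password change alone does not sign out
--    someone who is already logged in; removing the session tokens does.
DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';

-- 4. Remove an account you cannot account for. Delete its metadata first, then the
--    user row. Posts owned by that user keep a dangling author ID, so if it has
--    published content, deleting it from the WordPress dashboard (which can
--    reassign the posts) is the cleaner option.
DELETE FROM wp_usermeta WHERE user_id = 123;  -- placeholder: ID from query 1
DELETE FROM wp_users    WHERE ID      = 123;  -- placeholder: ID from query 1
```

Run the SELECT first and write down the IDs before issuing any UPDATE or DELETE; phpMyAdmin executes each statement immediately and there is no undo.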
Change All Other Passwords
If you have even the slightest suspicion that your hosting account has been compromised, you must change all of your passwords, including your account password, your FTP passwords, cPanel (or another control panel’s) password, MySQL passwords (database), and your mail passwords.
By doing this, you’ll cut off immediate access to your hosting account and make it possible to start the recovery in a somewhat secure environment. As not all systems do this automatically, turn to your hosting provider for help to log out everybody else currently connected to your account and terminate any ongoing data transfers.
Your main FTP account shares a password with your hosting account. This means that you only need to change the passwords of additional accounts, if such have been opened.
You are advised to change all email passwords, as sending spam from hacked websites’ email accounts is very common practice. Also check the recent activity (sent mails) of each mail account and react promptly if you detect unauthorized use.
The database credentials are managed from within Databases->MySQL Databases. There, you have the options to rename your database (1), create new database user (2), add the new user to an existing database (3), rename or delete users, as well as change user password (4).
It is recommended that you rename your database. Choose a random name that doesn’t mean anything, just letters and numbers. Then, jump to (4), rename the database user, and change the user password.
Alternatively, you can delete the existing user and create a new one. Remember to add the new user to the database and give it all privileges, when prompted.
Once you’ve done that, you should once again find the database settings in wp-config.php, as described earlier in this post, and enter the new database name, user, and password by replacing the old values (shown in red in the screenshot only; in the file they’ll be in black like the rest of the text), leaving all other characters and text as they are.
Important! Keep in mind that the connection between WordPress and the database is vital for your website. Even the smallest spelling error will cause your site to crash. If this happens, you don’t need to panic, though. Your website is intact and your data is safe. You only need to enter the correct database credentials to get the site up and running, so simply try to do it again and double-check for errors.
You can track recent changes in your account by checking its logs. Logs can help you map the hacker’s activities and the changes they applied to your system. Note each individual file that has been accessed or uploaded during or after the attack and make sure to clean it or remove it manually from the server. If some of the affected files are the account’s service files, that is, files outside of public_html, you should send the list to your hosting provider and ask them to handle it on their end, because simply deleting such files can cause malfunctions.
If all of the affected files are part of your WordPress site or database, you do not need to take any action for now. Later on in the process, you can choose to manually clean them or remove the whole installation, provided you have a full backup of the website files and the database.
Logs will also be very helpful to pinpoint the moment of the attack, which you can use to choose a backup copy, once you reach the recovery phase.
Keep in mind that not all hosting accounts have logging activated by default. Some hosting providers disable logging for security reasons, while others require an additional fee to enable it.
Check the Cron Jobs
Cron is a job scheduler that makes it possible to schedule jobs, such as the execution of commands and scripts, to run at specific times or intervals. Cron jobs are often utilized by hackers, as they allow them to execute certain commands only at specific points in time, making it very difficult to detect unusual behavior of a website or its elements.
You can find all active cron jobs under Advanced->Cron Jobs in cPanel. Unless you or someone working with you on the website has scheduled jobs, there shouldn’t be anything on the list of cron jobs (see screenshot below).
If there is something on the list that you haven’t scheduled and you aren’t sure what it is, contact your hosting provider to make sure that the cron job isn’t something set up by them for administrative purposes. Most of the time, though, you must delete any cron jobs you can’t account for. Cron jobs are indeed not an acceptable way to manage customers’ accounts.
Clean Your WordPress Site
Once you’ve gained access to the site and revoked other users’ access, you can start inspecting it. The most obvious way to infect a site would be by installing an extra program that works as a plugin and makes your site behave in a certain way. Therefore, check for recent installs and remove them. You can do that from within WordPress by clicking on Plugins in the Admin panel and reviewing the installed plugins.
Unfortunately, this is only one of the ways to infect a site. More often, you’ll find that a piece of code has been injected into one or more files, such as uploads or theme/plugin files. If you have access to logs, you can identify the specific files that the hacker has accessed. You can then inspect them and remove any code alterations. This operation is, however, quite technical and requires a high level of coding skills.
You should remove all malicious programs and code that you can identify on your site. Chances are, though, that unless you are really proficient at what you do, you’ll overlook something or damage your site’s files beyond recovery. Sometimes, your site has already taken such a serious hit from the hacker attack that it cannot be repaired.
All this makes it advisable to remove the infected website, that is, all core files, uploads, and the database, and replace them with a fresh, virus-free backup copy.
Restore to Previous Version
I have discussed backup creation before and why it is so important. A hacker attack is one of those things that really make having a backup a must. Without a clean backup copy, your chances of regaining full control over your website after a hacker attack fall drastically.
To restore a site after a hacker attack, I recommend following these steps, which will minimize the risk of spreading the virus further:
A prerequisite is that you have a full copy of your site’s files and your database, downloaded manually as described in the post on backing up WordPress mentioned above, not created via the backup manager! You can, in theory, also use the backup manager’s files: just upload them and follow the restore instructions, instead of uploading the files and the database as described below. This method often gives errors, though, and requires help from your hosting provider, so work closely with them on the recovery of your website if the backup manager’s backups are the only ones you have!
- Remove all files from within public_html completely. Ask the hosting provider whether there is a file you must keep. Usually, there is a file with the PHP settings for the account that must not be removed.
- Delete your database
- Ask your hosting provider to scan the rest of the account for viruses. It is indeed the hosting company’s responsibility to keep your account clean, if you are on shared or managed hosting and your contract doesn’t explicitly state that you are responsible for security.
- Once the account is secure, change your password for it again. It might seem unnecessary, but it can be critical if hackers were keeping an eye on you via a script or cron job.
- Create a .zip archive of all directories and loose files, comprising your website’s file system.
- Upload the .zip archive to public_html, or to the root of your site if it is hosted in a subdirectory. Once uploaded, unzip it. If the archive is too big and the upload limits of the hosting account prevent you from uploading it, use FTP to upload the files unzipped. Just select all folders and files at once and drag and drop them into public_html.
- Create a new database. You create a database from within cPanel. Find the MySQL icon and click on it. Follow the steps for database creation. Choose a name for the database and confirm that you want to create it.
- Next, you have to create a new user and add it to the database, as described earlier in this post. Choose a secure, random name and password.
- Remember to note down the database name, user, and password.
- Find wp-config.php and enter the new database credentials, as explained earlier in this post.
- In cPanel on the server, navigate to phpMyAdmin and click on it.
- Click on the newly created database and, once you can see its contents (you should get a message that it’s empty), find the function Import at the top of the screen. Browse your computer for the database backup file. Make sure the chosen format in the settings on the page fits your database format. Leave all other settings as they are. Click on Go.
- Now, try to access your website in the browser. It should be completely restored at this point. You can log in with your old username and password. If you get an error, double-check that you entered the database credentials correctly in wp-config.php. If this doesn’t help, try uploading all files and the database again to make sure that the error isn’t caused by a failed transfer somewhere along the way. If your website is still broken, check the wp_options table in your database (you can find it in the same place as wp_users, which we discussed earlier). Make sure that the values for siteurl and home point respectively to the homepage of your site and the WordPress installation directory (they should be the same, unless you have installed WordPress in a subdirectory). If none of this helps, it’s likely that there is something wrong with your backup files.
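The wp_options check from the last step, as SQL for phpMyAdmin’s SQL tab. This is an added example, not code from the original post; it assumes the default wp_ prefix and the placeholder domain www.example.com, and it also shows the options that decide which plugins and theme the restored site loads on its first page view:

```sql
-- Added example (not from the original post). Assumes the default wp_ prefix and
-- the placeholder domain www.example.com; substitute your own values.

-- 1. Show the two URLs WordPress uses to build links and redirects.
--    siteurl is the WordPress address (the directory holding the core files);
--    home is the site address visitors type in. They differ only when WordPress
--    is installed in a subdirectory of the site.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home');

-- 2. Correct them if the backup came from a different domain or a staging copy.
--    Use the exact scheme (http or https) and host, with no trailing slash.
UPDATE wp_options
SET option_value = 'https://www.example.com'     -- placeholder
WHERE option_name IN ('siteurl', 'home');

-- 3. The backup predates the attack, but still review what it activates on the
--    first page load: the (serialized) list of active plugins and the theme.
--    Anything you do not recognize should be removed before the site goes live.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('active_plugins', 'template', 'stylesheet');
```

If siteurl and home were wrong, clear your browser cache before retrying, as WordPress may have issued a redirect to the old address that the browser remembers.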
Change Your Passwords Again
Once the backup is restored, you must go through the process of changing your WordPress password(s) and all other account-related passwords, as described earlier. The reason is that the backup is set up with all the old passwords. None of the password changes you carried out earlier have been transferred to the restored copy of the site.
While some might argue that it’s pointless to change the passwords twice, it’s highly recommended to take the time to do it in order to keep away any hackers that might still be sniffing around your site. The second complete change of passwords is necessary as a way to make sure they are secure, no matter when in the cleanup process you managed to close the hacker’s access to your site and hosting account.
Check for Blacklisting
The last step in the process of regaining control over your website after a hacker attack is to make sure that it hasn’t been blacklisted – or to request a review of your case if it has been.
Depending on the type of malicious activity on your site, there are different agents that can detect and blacklist your site as dangerous. If we are talking about sending out spam mails, it is likely that some mail servers and filters that have caught mails from your accounts have blacklisted you. Unfortunately, it is impossible to identify such servers and spam filters, and just as impossible to request that your IP is whitelisted again once the threat is under control.
When it comes to search engines, the situation is less hopeless. You can usually track all security warnings directly from within your Webmaster Tools. In addition, you can request a case review to help restore your site’s reputation. This guide by Google Developers will help you comply with the requirements for a review. Just remember to request a review only after your website is clean and secure, and from as many search engines as possible (this requires that you have confirmed the ownership of your site via their webmaster tools).
You can indeed do a lot to make your website much more difficult to hack than it is out of the box. It doesn’t cost anything and doesn’t require any plugin installations, but it is surprisingly effective. Here you can find a detailed guide on basic security considerations and advanced hardening of WordPress.