Compromised Wordpress Cleanup and Recovery

Our shared servers employ an extensive set of security modules to protect accounts from server-level (and, to a certain extent, known application-level) threats, including, but not limited to, CageFS via CloudLinux, ModSecurity, OSSEC, CSF (ConfigServer Security & Firewall), and several virus scanning modules.

The possibility of any account-level compromise having come from an attack that was preventable at the server-level is extremely low. While many customers who have experienced an account-level compromise question how this could have happened on our servers, the reality of the situation is that an overwhelming majority of compromises stem from outdated or otherwise insecure software in the customer's account.

We put a lot of effort into balancing the security of the servers with enough flexibility to allow customers to install a wide variety of software. Accordingly, it is the responsibility of the customer to maintain the security of the web applications within their account.

Disclaimer: This is a simplified guide for recovering from a compromised WordPress installation. Due to its popularity, WordPress is the single most targeted PHP application on the web. Failure to keep your installations secured and up to date often results in compromised installations. If you do not feel comfortable completing these steps on your own, we recommend seeking the assistance of an experienced web developer.

1. Take a full backup of your account, files and databases.


2. Remove all plugins and themes which are not in use and replace the affected files

Any out-of-date themes or plugins can allow attackers access to your Wordpress installation, even if they're not in use, so we advise removing all files for themes and plugins that are no longer used, including older default WordPress themes, like TwentyFourteen, TwentyTwelve, etc.

You'll want to check your current Wordpress version and download the files for that same version here:

https://wordpress.org/download/release-archive/

and overwrite the files in your installation with the original, uncompromised copies, aside from your wp-config.php file, which should be preserved since this includes your database connection information. This is best done with an (S)FTP program.

You'll also want to do the same for all remaining themes and plugins. These files are usually found via their respective plugin pages through WordPress.org, (ex. https://wordpress.org/plugins/wordfence/ for the Wordfence Security plugin) or from the plugin developer's website. Theme and plugin files are stored in the /wp-content/ directory under /themes/ and /plugins/, respectively.


3. Update All Modules

Please note, WordPress versions 3.7+ have offered automatic update options. If you don't have a custom theme or a large variety of plugins that may be affected by updates, it's best to enable all updates, major and minor. If you choose not to enable automatic updates, you should be checking for available updates and applying them regularly.

Update the core Wordpress files, and all themes and plugins to their latest versions.

Once the installation and all themes/plugins have been replaced, we recommend installing Wordfence and running a full scan, which will look for further compromised or unexpected files that were added outside of the standard WordPress files.
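Steps 2 and 3 above amount to two checks that can be automated: restore the core files from a clean copy of the same release without touching wp-config.php, then look for files that the release does not account for. The script below is an added example written for this article, not the host's tooling and not part of WordPress or Wordfence. It assumes you have unpacked the matching release from the archive linked in step 2 into one directory and have a copy of the live site in another; the sample trees it builds in a temporary directory are constructed stand-ins for both. It deliberately leaves wp-config.php and the whole wp-content directory out of the comparison, since themes and plugins are replaced from their own sources, and separately flags PHP files under wp-content/uploads, which should only hold media.

```python
"""Added example: check a live WordPress tree against a clean copy of the same
release, restore altered core files from it, and flag files the release does
not account for. Constructed for this article; not the host's or WordPress's tooling."""
import hashlib
import tempfile
from pathlib import Path

# Site-specific paths that are neither compared with nor overwritten from the
# clean release: wp-config.php holds the database credentials, and wp-content
# (themes, plugins, uploads) is replaced separately from each plugin's own source.
PRESERVE = ("wp-config.php", "wp-content/")


def is_preserved(rel):
    return any(rel == p or rel.startswith(p) for p in PRESERVE)


def file_hashes(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_install(live_root, clean_root):
    """Classify core files as modified, added (absent from the release) or missing."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, digest in clean.items():
        if is_preserved(rel):
            continue
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != digest:
            report["modified"].append(rel)
    report["added"] = [r for r in live if r not in clean and not is_preserved(r)]
    return {key: sorted(paths) for key, paths in report.items()}


def php_in_uploads(live_root):
    """wp-content/uploads normally holds media only, so any PHP file there needs review."""
    uploads = Path(live_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(live_root).as_posix()
                  for p in uploads.rglob("*.php") if p.is_file())


def restore_core(live_root, clean_root, report):
    """Overwrite modified core files and re-create missing ones from the clean copy.
    Added files are left for manual review; the release cannot say what they are."""
    restored = []
    for rel in report["modified"] + report["missing"]:
        src, dst = Path(clean_root) / rel, Path(live_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(src.read_bytes())
        restored.append(rel)
    return sorted(restored)


# Constructed sample trees standing in for an unpacked release and the live site.
CLEAN_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-login.php": "<?php // clean login page\n",
    "xmlrpc.php": "<?php // clean XML-RPC endpoint\n",
    "wp-includes/version.php": "<?php $wp_version = 'X.Y.Z'; // placeholder version\n",
    "wp-content/themes/twentyfourteen/style.css": "/* default theme stylesheet */\n",
}
LIVE_FILES = {rel: text for rel, text in CLEAN_FILES.items() if rel != "xmlrpc.php"}
LIVE_FILES.update({
    "wp-login.php": "<?php // clean login page\n// constructed: line the release does not have\n",
    "wp-includes/extra.php": "<?php // constructed: file the release does not contain\n",
    "wp-config.php": "<?php define('DB_NAME', 'example_db'); // site-specific, keep\n",
    "wp-content/uploads/2024/photo.jpg": "constructed stand-in for image bytes\n",
    "wp-content/uploads/2024/image.php": "<?php // constructed: PHP where only media belongs\n",
})


def write_tree(root, files):
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Compare, restore and re-compare the constructed trees; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp) / "live", Path(tmp) / "clean"
        write_tree(live, LIVE_FILES)
        write_tree(clean, CLEAN_FILES)
        before = compare_install(live, clean)
        uploads = php_in_uploads(live)
        restored = restore_core(live, clean, before)
        after = compare_install(live, clean)
        config_kept = "DB_NAME" in (live / "wp-config.php").read_text()
        return {"before": before, "uploads": uploads, "restored": restored,
                "after": after, "config_kept": config_kept}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real site, point compare_install at the site root and the unpacked release, and read the "added" list before restoring anything: files the release does not know about are exactly what a follow-up Wordfence or malware scan should examine, and the restore step only replaces files that the release can vouch for.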

4. Scan your files for malware

While WordPress has its own popular security plugins such as Wordfence, we also strongly recommend regularly scanning your websites and files for malware with programs such as the following:

ClamAV
Linux Malware Detect / Maldet
CXS
ISPProtect

There are also many options for server-side security, including the following:

ModSecurity
OSSEC
CHRootKit
RKHunter

5. Read the following Wordpress documentation
https://codex.wordpress.org/Hardening_WordPress
https://codex.wordpress.org/Brute_Force_Attacks

Please note that WordPress is the most targeted web application on the internet. Failing to keep the software and plugins up to date leaves you susceptible to having your installation compromised and defaced. Keeping the installation up to date and following the security steps above will help keep your WordPress website secure. You may also want to subscribe to the developers' mailing list for future software update notifications.

Please be sure to take regular backups of your content, and store them in a secure, off-server location.

More Information

As nearly all of the types of vulnerabilities in WordPress are well-documented online, we recommend conducting further research on the particular themes and plugins that are specific to your installation. If you do not feel comfortable completing these steps on your own, we recommend seeking the assistance of an experienced web developer.

For further information, we recommend reviewing the following links regarding Wordpress security. Here is a repository of known vulnerabilities and the versions of Wordpress which are affected:

https://www.cvedetails.com/vulnerability-list/vendor_id-2337/Wordpress.html

You can also find information about the security vulnerabilities that were patched in each core WordPress release here:

https://wordpress.org/news/category/security/

We also highly recommend regularly checking for Wordpress information on the Sucuri blog, which has excellent, succinct, and up to date information on a wide variety of security issues:

https://sucuri.net/wordpress-security/
https://blog.sucuri.net/

For additional information about keeping your website and account secure, please refer to the following:
General Web Security Resources
WordPress Resources
