One of WordPress’ major problems is its vulnerability to attack. This does not necessary have to do with poor security but with the fact that WordPress is the most popular website building software in the world with millions of users, making it a major target from hackers. If you are thinking, “Oh, I should stay away from WordPress then,” you should know this, No software on the internet is hack-proof – and when you come to think of it, the benefit of using WordPress to build your website far outweighs this dark-side.
My WordPress websites have been hacked on two occasions. The first time was easily fixed by my host’s technical support – Hostgator – they have an ever supportive team you can always count on. The second hack, which was more severe, got most files on my WordPress site infested, leaving me with a much dreaded choice. This time the technical support from Hostgator declared they did not find any malicious codes on the site. I had to figure out a way to fix it myself.
Here is what this hacker achieved – he, she, they gained access to add and rotate links pointing to some ‘Payday Loan’ sites to the header section of my site’s front and admin section. The additional trick was that these links are not readily visible (hidden) unless you visit the page source code or through WordPress Jetpack mobile view – in which case, you may not even know you site has been hacked.
How to fix WordPress hack – Fresh Installation
This time, I was left with the dirty job of deleting the entire sites and running fresh installations. Don’t let that give you the cold-feet; it’s not as scary as it may seem at first.
I host my sites on Hostgator, so I’ll be explaining the process from my host’s perspective. Your host may look a bit different in terms of arrangement and whatever else.
Step 1: Backup database
First thing: backup database(s) of affected site(s). You should take this step before doing anything else, so you don’t end up head on desk when something breaks – you can just restore the whole thing.
How to backup Database
You can use plugin to backup your site’s database but I prefer (recommend) backing up your site from your host cPanel. On Hostgator cPanel, go to Backups.
On the backup page, click the database you want to backup, download and save to your computer. The backup file is usually in the format – database_name.sql.gz
Step 2: Zip and Download /wp-content/uploads/ folder
For some reasons, the database backup process does not include images and uploaded files. I had to separately backup images and files. To do this, from ‘File Manager’ in cPanel, locate the /wp-content/ folder for the domain you want to clean, zip (compress) and download the /uploads/ folder to my computer. With this you are sure to not lose your uploaded images and files.
Step 3: Zip and Download Theme
If you have made changes in the theme, you don’t want to start tweaking all over again after your new install. For this reason what I did is to download and save the current theme.
This part is optional. I could take this step because I am using a Child theme for Genesis framework. So it was easy for me to go through the code of the Child theme to make sure it is clean of malicious codes. If you are not sure of your current theme’s cleanness as a result of the attack, you’ll rather upload a fresh version of your theme and re-tweak than risk using the existing version which may have been infected.
The Zip and download process is similar to step 2 – go to /wp-content/themes/ folder, zip and download the theme(s) you want to retain.
Step 4: Keep record of all your plugins
After you fresh site goes live, you don’t want to waste time thinking about the plugins you previously had installed. Write a list of them somewhere. For me, I simply opened ‘Installed Plugins’ page from WordPress admin section on a separate window in my browser before uninstalling WordPress.
Step 5: Uninstall WordPress
With all in place, it’s time to delete everything. Uninstall WordPress from the affected domain(s). I uninstalled through Fantastic. Fantastico offers quick and seamless installation process of popular website building software on most hosting companies, so you don’t have to do anything but click a few links to install or uninstall.
Step 6: Install WordPress Afresh
On a fresh foundation, install WordPress like you are installing for the first time. I also used Fantastico easy installation.
Step 7: Upload your theme
With a brand new WordPress site, I installed Genesis and my previous child theme (downloaded from step 3). The same process of installing any WordPress theme from admin dashboard
Step 8: Restore backup
Backup restoration can be performed on the same page from where you perform your backup on cPanel in step 1. Click browse button to select you backup (database_name.sql.gz) file from your computer, click Upload button to upload. Do not interrupt the process. Once done, check you site to see that everything is working fine. All you previous posts, pages, comments and links should working fine by now.
Step 9: Delete the new /wp-content/uploads/ folder
To restore uploaded images and files on your site, delete the new (empty) /wp-content/uploads/ file to add the previously downloaded one in step 2.
Step 10: Install previous upload file and unzip
Select upload button in your cPanel – File Manager – and upload the zip file (uploads.zip) you downloaded in Step 2. Unzip (extract) it to replace the deleted uploads folder in step 9. (Make sure the unzipped folder is named /wp-content/uploads/).
Step 11: Install Fresh Plugins you need
Now start installing the plugins you need. Because you have your database restored, some plugin settings will be retained while some will need that you revisit and re-configure them.
You now have a clean WordPress site like nothing happened. Depending on the size of your site, internet speed, and whatever factor, the entire process can take less than 30minutes. Enjoy your fresh site.
In my next post, I’ll be sharing wordpress security measures I am taking to protect my site from future attack. Nothing is guaranteed but a man gotta do what a man gotta do.
Have any questions? You can ask me on the comment section below.
Remember to keep increasing lives. It’s what advancing people do!
PS: If you are having difficulties with any part of the process or don’t just want to get your hands dirty with the technical side of things, you can contact me for help.
Nathan Rogers says
Unpack the WebsiteBaker 2.8.1 installation package on your local computer. Please make sure you have followed all the steps listed in the section Prerequisites above (including backups).
[email protected] says
Now, for the other side. You should be backing up your site all the time- in case folks actually attack you blog. And, that’s great advice about the themes and images.
Ikenna Odinaka says
Hello Mr. Ron. It’s nice to hear from you again.
I’ve been backing up the site but make the mistake of not saving copies to my PC. I’ve adopted the tradition now.
Thanks for the extra tips sire 🙂
Ryan R. Walker says
You need to backup both your database and the var folder if you want to prevent data loss.
Silver Price says
This is why backing up data is so important, and the good news is that it is so easy to do. So incredibly easy in fact I really don’t understand why people fail to back up their data. There are two main methods of data backup. Online backup, and backup using an external hard drive. Both have their advantages and disadvantages. If possible and you have the money I recommend a combination of both.
Ikenna Odinaka says
Thanks for your input