- Step 1 - Change passwords
- Step 2 - Contact One.com support
- Step 3 - Create a backup (Recommended)
- Step 4 - Restore a backup (Optional)
- Step 5 - Remove malware
- Step 6 - Add a tempory password login to your site
- Step 7 - Have your site checked by our support
- Step 8 - Secure site to prevent future hacks
In this guide, we show you how to repair a WordPress site that has been hacked and infected with malware. WordPress is the most used CMS in the world. Unfortunately, this also means that it is very popular with hackers.
When we notice that a site has been compromised, we take it offline to make sure that the hackers no longer have access. It also helps to protect your Google ranking and your visitors, since they might get infected just by visiting your site.
As soon as all malware has been removed and WordPress has been updated, you can contact our support to have your site reopened.
Step 1 - Change passwords
The first thing to do if (you suspect) your website has been hacked is to change your passwords. That way you deny hackers access to your web space.
You should change the following passwords:
- FTP: Setting or changing password (FTP)
- Database: Update your MariaDB password
Note: Remember to update your database password in the wp-config file, since that will still have your old password.
Step 2 - Contact One.com support
The next step is to contact our support. We can give you more information about the type of hack, and provide a list of files that have been infected with malware. Also, ask for FTP access to be restored, this makes it easier to fix things.
Tip: Even if FTP access is suspended, you can still access your web space with File Manager or SFTP.
Step 3 - Create a backup (Recommended)
If you don't have a recent backup of your website, we recommend you to make one, before doing any changes. That way you still have access to all your files and content if something goes wrong.
You can use Backup & Restore in the control panel and restore your site with just one click. You can also do a manual backup of your web space and database. Read the guides below for more information.
- Getting started with Backup and Restore
- Backup your web space via FTP
- Backup your web space with File Manager
- How do I make a backup of my database?
Step 4 - Restore a backup (Optional)
If you have a backup of your site, now is the time to restore it. Keep in mind that your site may have been hacked before the backup was created. In that case, you still need to remove malware manually.
You can check this by comparing the date that your backup was created, with the date the infected files on your site were last edited. If your backup is from a later date, this means your site was already hacked.
Unfortunately, hackers will sometimes also manipulate the date a file was changed. If you are in doubt whether your backup is clean, you can always ask our support to have a look.
Note: Even if the backup is from before your site was compromised, it's still very important to change passwords, update to the latest version and check for other vulnerabilities.
Step 5 - Remove malware
It is now time to remove remaining malware from your site, by going through the list of infected files in File Manager. You can always contact our support and ask for an updated list of files that are (still) infected.
In 90% of the cases the infected files belong to one of following three categories:
Core files - The core files form the admin interface of your website. They are located in the root and the wp-admin and wp-includes folders. If these files are infected, you can simply overwrite them with a fresh WordPress download.
Check out our step-by-step guide to lead you through the process: Update WordPress manually.
Plugins - If the hacker gained access through a plugin, the malware will usually be located in the plugins folder.
You can safely delete the whole folder that contains your plugin. Afterwards, you can then reinstall it from your dashboard. You find the plugins folder in wp-content > plugins.
Themes - If the hacker gained access through a theme, the malware will be in the themes folder. If the infected files are part a theme that you are not actively using, you can safely remove the complete folder.
If the infected files are part of the theme that you are using, you first need to change the theme in the database. Otherwise, your site will stop working. Afterwards, you can safely remove the folder.
Check our guide on how to do this: Change your WordPress theme from the database.
Step 6 - Add a tempory password login to your site (Recommended)
We recommend you to (temporarily) protect your site with a password. That way you can safely update all your plugins and themes. When your site is fully updated and secure, you can remove the login again.
You add a login to your site with the .htaccess file. Check out our guide for more information.
Step 7 - Have your site checked by our support
Access can be restored if all malware has been removed and you updated WordPress, and all plugins and themes, or added password protection to your site.
Our support will check your site and either reopen or tell you what still needs doing. You can contact our support via email or chat.
Step 8 - Secure site to prevent future hacks
Now that you have access again to your WordPress dashboard, it's a good idea to make sure your site is secure.
Check plugins and themes - Go through all your plugins and themes and remove the ones that you don't use. Also, check if the plugins and themes that you do use are still maintained. If you can see that a plugin hasn't been updated during the last year, it's a good idea to look for an alternative.
Check WordPress users and reset passwords - Sometimes hackers create their own users for your WordPress dashboard. Go through the users that are created and remove any users you don't recognize. It's also a good idea to change the passwords for all users.
Related articles: