How I Cleaned Up My Site After It Was Hacked and Blocklisted

You don’t expect it to happen to you and then wham! Your site gets hacked. It happens to the best of us. And I would know because it happened to me just last week.

What’s worse is that my site’s IP address was also blocklisted, which means my site and any site on my hosting account using that IP was marked as spam. I couldn’t send emails without them bouncing, my search engine ranking started plummeting and visitors couldn’t access my site without getting a virus.

What. A. Nightmare.

Luckily, I was able to test my site to identify the problem, find the hack and remove it, and then get my sites off the blocklist.

Today, I’m going to show you the process I used to clean up my site so you can fix yours, too. If you’re not too keen on DIY fixes, that’s okay because I’ll also show you some great plugins that can also do the job.

How I Was Hacked

There are many possible reasons why a site is hacked. It can be as simple as having a weak password that hackers can easily guess or something more complex, such as not having a firewall or security plugin installed.

But you may be wondering why someone would want to hack your site. This may especially be confusing if your site doesn’t generate as much traffic as, say, Twitter, or Instagram.

According to WordPress.org and W3Techs, 60 million sites across the web are powered by WordPress and that works out to about 25% of the entire web. Being such a popular CMS makes it an enticing target for hackers, especially when all its code is available to the public, and free of charge.

I know, it’s easy to get a bit squeamish with that in mind, but while WordPress seems to be a favorite for hackers, you can rest assured other CMSes like Drupal and Joomla are also affected.

WordPress Security: Facts and Figures

The difference with WordPress is its security updates. They are rolled out automatically whenever a major security vulnerability is spotted, making it a relatively safe choice for your site. Even so, you are still responsible for the security of your site and need to put in place measures to keep it safe.

According to the US National Vulnerability Database, since WordPress became public the largest share of security vulnerabilities has been in plugins, both those available in the directory and those from outside sources. The second largest share came from other factors, such as custom scripts.

While there were security vulnerabilities found in the WordPress core, it only accounts for 5.5% of the total known concerns at the time this was written.

This is still a problem since W3Techs also found that over 17.8% of WordPress sites are not up-to-date, meaning recent security patches won’t mean a thing for these folks and their sites are open to attack.

For the rest of us, while most of these vulnerabilities have since been resolved, looking at WordPress’s history from this perspective shows where the real security concerns lie: in the plugins and custom scripts that run alongside WordPress rather than in the platform itself.

Back to Why I Was Hacked…

In my case, I got hacked because a site I hosted on my VPS was not regularly updated. I let it slide because it was a site I set up for a temporary solution. I know, I know, that’s terribly irresponsible and I’m not giving an excuse, just an explanation.

Not only that, I didn’t take any special security precautions. I didn’t install a security plugin, limit the login page to only my IP address, or back up my site. In fact, the only things I did right were choosing a username that wasn’t “admin” and setting a strong password.

This was all especially dangerous since this one site that I was supposed to delete ages ago ended up affecting several other sites on my server. The hacker used this one site to gain entry into a couple of my other sites. Talk about a headache.

Luckily, I had a security plugin activated on my other sites and the exploit was quickly detected. Within an hour, I was able to clean everything up. So yes, I was hacked, but I got lucky this time.

If my other sites didn’t have their security up to snuff I wouldn’t have even known anything was wrong and the hacker could have affected each and every site on the server. Not just my server, but every other site using the same VPS.

Shared hosting carries the same danger since many people share the same server. The only exception is a dedicated server, although even there, if any one site is infected, it could infect the other sites you host, even though you’re the only one using the server.

What I Should Have Done to Avoid Being Hacked

Here are some of the best (and basic) things you can do to help keep your site secure:

  • Keep WordPress, scripts, themes and plugins updated
  • Choose themes and plugins from a trusted source
  • House your site with a trusted hosting provider
  • When possible, choose a dedicated server
  • Use a strong password with a username that isn’t “admin”
  • Regularly back up your entire site, including your files and your database

These are great tips to get you started, but there are many more steps you could take to help the overall security of your site.

To learn more about them, you can check out some of our other posts: WordPress Security: Tried and True Tips to Secure WordPress, 12 Ways to Secure Your WordPress Site You’ve Probably Overlooked, and A History of WordPress Security Exploits and What They Mean for Your Site.

So with this information at hand, let’s take a look at some of the most common ways hackers breach and compromise WordPress sites.

Backdoor Exploits

This is the nightmare I had to deal with recently. Backdoor exploits are one of the more difficult and brutal attacks to resolve since they can affect multiple sites on your server.

A hacker saves a file on your server with a script that allows them entry into your site and server whenever they want.

Instead of gaining entry into your site like everyone else – through the front-end login page – the hacker gains entry through a, well, backdoor they create.

These added files are often named to look as though they are a part of the normal WordPress core. For example, the file could be called users-wp.php, php5.php, or something similar.

It can be difficult to know when it happens if you don’t have a security plugin installed to alert you to any changes. But there are a few other things that can hint toward this kind of hack. One is that you may notice a browser error message that comes up when you try to access the front or backend of your site. You may be prompted to confirm the site is safe before continuing to load it.

A Chrome browser error message when trying to visit a site: "Your connection is not private."
If you suddenly receive error messages stating your site isn’t safe to visit when trying to reach your site, you may have been hacked.

When visiting your site, your operating system’s anti-virus may also alert you to a possible threat, since backdoor exploits often involve placing code in your existing files or creating new files that launch malware, and even viruses such as trojans, when your site is visited.

You may also notice that emails you try to send that originate from your server get bounced back to you with a basic SMTP 550 error message.

Sometimes you may get a more detailed explanation of what the issue is depending on the email’s server you’re trying to reach. The returned message may list the link to the website that blacklisted your site or IP address.

Later on, I’ll show you what you can do with this information and how to clean up this mess. But for now, let’s explore some other ways your site may be compromised.

Pharmaceutical Hacks

Have you ever visited or linked to your site and noticed there was some weird text full of links you never placed there? This is caused by a pharmaceutical or pharma hack.

The text and links usually point to spam sites, often shady ones selling anything from knock-off watches and purses to prescription drugs such as Viagra or Cialis.

This happens when a hacker injects scripts into your files, often in your page headers, but this isn’t always the case as they can appear anywhere in a file. The links and text that are injected with the scripts can also be hidden from view.

A Google search of a site that produces spam that's visible with your site link.
Searching for your site in Google can turn up questionable results if you have been hacked.

A tip-off to a pharmaceutical hack could be that you suddenly see ads while you’re surfing the web closely related to the injected scripts, even though you haven’t been searching for those items yourself.

Go to Google and type in site:yourdomain.com, except replace yourdomain.com with your own site’s URL and browse the results.

The results should only display titles and descriptions that are related to your site. If you see links with a description or title that are spam but your site is attached to it, this confirms you have been hacked.

If you update your Facebook status with a link to your site, you should see content appear from that page. If spam appears in the description or title of the link preview it means you have been hacked and you probably shouldn’t click that button to publish your status.

Before we move onto more advanced techniques to test your site for injected scripts and how to fix them, there’s one more common problem you may face…

Malicious Redirects

When a hacker injects scripts into your .htaccess or other core files that result in your site being automatically directed to another page or site, it’s often a malicious redirect.

Your main site or individual pages can be affected and if you’re using Multisite your whole network could also be in danger.

You’ll notice a malicious redirect right away because your site will automatically load up a different URL.

Sometimes the redirect may not even look too obvious if the compromised file still uses your theme’s styling. In such cases, there may be a lot of ads displayed on the page, but otherwise, it looks like your site.

On the other hand, your site could be redirected to another site entirely with spam links or even content suitable only for adults.

This is often the easiest hack to spot right away since you can usually see that you’re redirected when you are trying to visit your site or even a specific page.

Luckily, this issue isn’t at all impossible to fix.

Testing and Cleaning Your Site After Getting Hacked

Before you do anything, it’s important that you back up your site. Even though you have been hacked, there could be valuable information on your site that you may need to recover later.

Snapshot is our premium backup solution.

More seriously, some hosting providers may shut down or even delete your site immediately after finding out your site has been compromised, especially on shared hosting plans.

There are many quality backup plugins available including Snapshot, VaultPress, and BackupBuddy.

Once you have backed up your entire site, you’re ready to get started.

Even if you’re pretty sure you have been hacked, it can still be helpful to test your site since you may find additional files that have been affected. Once you know where there’s a problem, you can fix it by cleaning up the code.

Here are some sites that provide free scans for hacked files:

  • Unmask Parasites – This lets you know if your site has been hacked. This is a great first step in determining whether there’s a problem.
  • Sucuri Site Check – A slightly more comprehensive scan than the previous link. Also lets you know if your site has been blocklisted.
  • Norton Safe Web – You can quickly find out if there are any threats associated with your site.
  • Quttera – Scans your site for malware.
  • VirusTotal – You can scan your site or IP address for common viruses, trojans, malware, and the like. It uses over 50 different scanners to get more accurate results.
  • Malware Removal – Malware, viruses, script injections, malicious redirects and more can be checked with this site scanner.
  • Scan My Server – Scans for malware, SQL injections, XSS, and more while also offering a detailed report, but an email address is required along with adding the provided backlink to your site to verify ownership. The report is emailed to you and takes about 24 hours.

It’s best to use many or all of the sites listed above since these options vary in strength and in the types of infections they can search for. It’s also important to scan your computer for viruses that may be affecting your browser.

In How to Clean Up a Hacked WordPress Site, Wordfence lists some great commands to use with SSH access to help you find malicious scripts and code.

Start by listing your directory to search for recently modified files:

Don’t forget to replace /home/yourdirectory/yoursite/ with the actual file path to your site. If the search doesn’t turn up any results, run another search, but modified to look within the last 10 days:

Again, be sure to type in your actual file path to your site. If results don’t turn up again, continue with the search, slowly increasing the number of days to search within.

You can do this by changing the number 10 in the previous example to a slightly larger value.

You can also use grep, a command-line search tool available over SSH, to search your files for strings that hackers commonly inject.

Start by entering the following command to list the affected files. Just be sure to replace value with the actual value you would like to search.

You can search for common values such as base64 and bad hacker was here.

Once you have found files that have been hacked, you can search through the actual files with the command below, replacing value with the actual search term you want to use:
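The two searches described above (recently modified files, then files containing an injected string), wrapped as shell functions as an added example; this is not the post’s or Wordfence’s own command listing. The site root, the day count and the search pattern are assumptions you pass in, and the demo site it builds is constructed:

```shell
#!/bin/sh
# Added example (not the post's or Wordfence's commands): find recently
# modified files under a site root, then grep for strings commonly injected.
# Site root ($1), day count ($2) and pattern are assumptions; defaults shown.

# Files under $1 modified within the last $2 days (default 3).
recent_files() {
  find "$1" -type f -mtime "-${2:-3}"
}

# PHP files under $1 containing pattern $2 (default base64_decode, which also
# covers the plain "base64" search suggested above). Prints file names only.
suspicious_files() {
  find "$1" -type f -name '*.php' -exec grep -l -e "${2:-base64_decode}" {} +
}

# Matching lines, with line numbers, in one file ($1) for pattern $2, so you
# can read the injected code before deciding to delete or clean the file.
show_matches() {
  grep -n -e "$2" "$1"
}

# Constructed demo site: one core-looking file dated years ago and one freshly
# written file carrying a harmless eval/base64 payload. Prints the root dir.
make_demo_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes"
  printf '<?php\necho "hello";\n' > "$root/wp-includes/clean.php"
  touch -t 202001010000 "$root/wp-includes/clean.php"   # old timestamp
  printf '<?php\neval(base64_decode("ZWNobyAxOw=="));\n' \
    > "$root/wp-includes/users-wp.php"
  echo "$root"
}

# Run with "demo" as the first argument to see the functions on the demo site.
if [ "${1:-}" = "demo" ]; then
  site=$(make_demo_site)
  echo "Recently modified:";        recent_files "$site" 3
  echo "Containing base64_decode:"; suspicious_files "$site"
  for f in $(suspicious_files "$site"); do show_matches "$f" base64_decode; done
  rm -r "$site"
fi
```

Widen the day count gradually, as the text suggests, and read each match before deleting anything: legitimate plugins occasionally use base64 too.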

Once you have identified the problem, you can start cleaning up your site.

Depending on where the offending code lies, you can manually flush it out:

  • A backdoor file created with only malicious scripts in it – Delete that file.
  • Malicious code found in a WordPress core or plugin file – Delete it and upload a fresh and clean copy of the file.
  • Malicious code found in a legitimate custom file – Remove the malicious code and save the file.
  • If you would rather bypass the daunting cleanup, you can restore your site from an unaffected backup, then update your site, plugins, themes and scripts, and increase your site’s security.

When you think you have located and removed all the malicious code, run through the scanning sites listed above again to make sure you didn’t miss anything. Once you’re confident you have fixed everything, it’s a good idea to contact your hosting provider.

You can let them know you were recently attacked, but you cleaned everything up and would like them to double-check your site for additional vulnerabilities. They can help you verify the security of your site, but it’s also important to make them aware of the situation.

Informing your host becomes especially helpful in the event that your site is reported as a threat by third-party automatic scanners or by visitors. Since your host is already aware of the situation, they can take the appropriate steps to make sure your site is whitelisted, without you needing to do anything else.

As a general rule of thumb, it may be a good idea to contact your hosting provider after you believe you have resolved your site’s security risks. Some hosts may shut down your site immediately after they hear about a threat from your site so it’s important to at least have a backup of your site before getting in touch with them.

Getting Your Site and IP Address Allowlisted

Once your site has been cleaned up, your site or IP address may still be marked as spam. The first step in resolving this is to find out where you are blocklisted.

My top choices for finding out who blocklisted you are Unmask Parasites and Spamhaus. I prefer Spamhaus because it’s not only one of the sites where you could be blocklisted but, more importantly, it provides links to the sites where you are blocklisted so you can apply to be allowlisted.

You can’t run this check from the Spamhaus homepage; the lookup has to be requested manually. Luckily, it’s super easy and just requires you to type in a link similar to the example below:

Just type this URL into your address bar, replacing 123.456.789.10 with the actual IP address where your site is hosted. Visit the page and your results are listed for you.

An example IP address has been detected as blacklisted by Spamhaus and a link to the site where the IP has been blacklisted is provided.
Spamhaus directs you to the exact site that blacklisted your IP address.

If your site has been blocklisted, your IP address is displayed in red next to links of the sites that blocklisted your site’s IP address.

Open the links in a new tab, then follow the directions to apply for your IP address to become whitelisted. Each site has different instructions so be sure to follow the directions carefully.

You can usually apply in just a few clicks and once your applications are submitted, it can take up to 48 hours for your site to be processed.

Most of the time, you won’t get notified once the process has completed. This means you need to create a manual Spamhaus search after waiting a while to see if your site has been placed on the safe list.

Keep in mind that you can often only apply to be removed from the blacklist once so you need to be sure your site is clean and that you have completely resolved any threats. Otherwise, your site and IP address could risk being permanently blocklisted.

If you have been blocklisted by Google, the application process is a bit more involved and can take 12 to 24 hours to process. Luckily, they do have the instructions for requesting a review readily available.

Once your site and IP address have been reviewed and allowlisted, you’re done, right? Not exactly. There are still some critical steps left you need to take.

But Wait, You’re Not Done Yet!

After you have successfully cleaned up your site, you need to update WordPress along with any themes or plugins you have installed if any of them aren’t up-to-date already. You also need to be sure to keep a regular tab on your site to make sure you consistently keep it updated.

Another security measure you should take right away is to change your password. It’s also a great idea to have everyone in your network update their passwords as well if you are running Multisite.

Next, it’s time for you to change your WordPress security keys. Doing so invalidates any active login cookies, including the ones that keep you logged in for an extended period of time. Once you change them, anyone who was logged in, the hacker included, is logged out and no longer has continued access to your site.

You can generate new keys using WordPress’ Random Security Key Generator. Then, replace your old keys with the new ones in your wp-config.php file.

The code you need to replace will look similar to this example:
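As an added example (not the post’s own code), the following script rotates the eight key and salt constants in a wp-config.php, generating the values locally instead of pasting them in from the WordPress.org generator. The config path is an assumption, and the demo config it writes is constructed:

```shell
#!/bin/sh
# Added example (not the post's own code): rotate the eight WordPress security
# keys and salts in a wp-config.php. The config path is an assumption.
# Every existing login cookie stops validating once the new file is saved.

# One random 64-character key. The alphabet omits quotes, slashes, backslashes
# and ampersands so the value can be spliced into a single-quoted PHP string.
new_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=.,:;?-' < /dev/urandom | head -c 64
}

# Current value of constant $2 in config $1 (text inside the second quote pair).
key_value() {
  awk -v n="$2" 'BEGIN { q = "\047" }
    $0 ~ ("^[ \t]*define[(][ \t]*[" q "\"]" n "[" q "\"]") {
      split($0, a, "[" q "\"]"); print a[4]; exit }' "$1"
}

# Rewrite the define() line of each of the eight constants in $1 with a fresh key.
rotate_wp_keys() {
  cfg=$1
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    key=$(new_key)
    tmp=$(mktemp)
    awk -v n="$name" -v k="$key" 'BEGIN { q = "\047" }
      $0 ~ ("^[ \t]*define[(][ \t]*[" q "\"]" n "[" q "\"]") {
        print "define(" q n q ", " q k q ");"; next }
      { print }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
  done
}

# Constructed wp-config.php fragment still carrying the install-time placeholder
# phrase for every key; prints the temp file path.
make_demo_config() {
  cfg=$(mktemp)
  {
    echo "<?php"
    echo "define('DB_NAME', 'wordpress');"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
      echo "define('$name', 'put your unique phrase here');"
    done
  } > "$cfg"
  echo "$cfg"
}

# Run with "demo" as the first argument to rotate the constructed config.
if [ "${1:-}" = "demo" ]; then
  cfg=$(make_demo_config)
  rotate_wp_keys "$cfg"
  cat "$cfg"
  rm -f "$cfg"
fi
```

Back up wp-config.php before running it against a live site, and remember that the rotation logs out every user, not just the intruder.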

You can also install the free ConfigServer Security and Firewall in the root of your server using SSH access. Setting it up is easy.

First, make sure you log in as root on your server, since this won’t work otherwise. Then, enter the following lines, one by one:

Next, enter the following line:

If no errors are returned, your firewall is good to go, but you need to enter one more command to make sure there aren’t any conflicting scripts installed.

Once you’re done entering these commands, your new firewall is set up, but there’s one more step you should take for the security of your site and that’s to investigate how your site was hacked. As the adage goes, “Well aware is half there.”

Knowing how your site’s security was compromised can help you prevent future threats.

You can do this by checking your site’s logs. There are also helpful tools out there to help you make sense of your logs as they relate to your hacked site such as OSSEC which is free.

If you find bugs, you can also help the WordPress community by sharing your findings through opening a trac ticket as Rachel McCollin describes in her post: How to Contribute to WordPress (and Just Generally Be an Awesome Person).

Plugins to Help Test and Clean Your Site

If you would rather stick to using plugins to test and clean up your site, you have no shortage of options.

Here are the top plugins you can use for single and Multisite installs of WordPress to detect infected files, then clean them up. They’re all well-maintained so you can be sure they can help you save your site and time.

  • Wordfence

    Wordfence is my first choice when it comes to security plugins. Both the free and premium versions do a fantastic job of detecting and protecting your site from virtually every threat out there. The service’s database is regularly updated, so when new threats appear you are quickly protected.

    Some of the best features in Wordfence include its ability to detect when files have been changed or created, giving you the option to restore them to their original version or delete them in a single click.

    When my site was hacked, I noticed things weren’t right when Wordfence sent me an alert. Luckily, Wordfence has the ability to scan files outside of your WordPress installation and that’s the feature that ended up saving me. Wordfence was able to detect that my other unprotected site was hacked.

    I was able to delete most of the problem files and restore the rest. For good measure, I deleted the excess files that weren’t related to WordPress just to be sure there were no more backdoors hidden away.

    Wordfence also comes with a firewall along with many more outstanding features.

    You can see our review called Securing Your WordPress Site: Wordfence Security Review or get instructions firsthand on how to clean your site from Wordfence’s own post called How to Clean a Hacked WordPress Site with Wordfence.

  • VaultPress

    VaultPress is a security and backup plugin rolled into one. You can grab a free copy from the WordPress directory or upgrade to the premium version.

    It was created by Automattic, the same folks behind WordPress.com, so you can be sure your site is in great hands when you install and activate this plugin.

    Regular backups help protect you by giving you a restore point that can easily get your site back up and running after an attack, but you are also doubly protected with many security features if you upgrade.

    The premium version includes features such as daily scans for suspicious code, viruses, malware, trojans and you name it. It’s also easy to clean your site if you do get hacked.

  • iThemes Security

    iThemes Security (formerly known as Better Security) is a great plugin that does a great job of protecting your site. It keeps up with the hackers and their latest offences so this plugin can patch up any known exploits, backdoors and other similar vulnerabilities as they come up.

    The free version is great for protecting your already clean site, but if you want to know when files change and have the ability to perform more powerful scans, you need to upgrade to the premium version.

    The good news is iThemes Security is also a backup plugin so if you find out that your site has been hacked, you can quickly restore your site to an earlier, clean version without needing to upgrade.

    For a full review of the free version, check out our post: Securing Your WordPress Site: iThemes Free Security Plugin Review.

  • Sucuri Security

    Sucuri Security is a great free plugin that not only has the ability to strengthen your site’s security, but it also scans for malware and similar threats, checks if your site has been blacklisted and even includes clean up actions if your site does get hacked.

    You can also rest easy knowing that this plugin notifies you if something looks fishy. There is also a firewall feature available if you upgrade, but the plugin works well on its own.

  • Theme Check

    The Theme Check plugin can help by verifying the validity of the code used in a theme you would like tested.

    It compares a theme’s code against the latest WordPress standards. If something is off or looks suspicious, this plugin can let you know.

    It’s a great tool to have around and is especially useful to test out themes before you decide to go all out and use them on your site.

Got Hacked? It’s Not the End of the World

Now you’re armed with the information, tools, and plugins you need to kick those hackers to the curb and clean up your site.

Cleaning up your site after it’s been hacked is one thing, but you also need to work on keeping your site secure to prevent future attacks.

To learn more about security measures you can take to help protect your WordPress site, check out some of our other posts: WordPress Security: Tried and True Tips to Secure WordPress, 12 Ways to Secure Your WordPress Site You’ve Probably Overlooked and A History of WordPress Security Exploits and What They Mean for Your Site.

Do you know of any other great security testing and cleaning tools or plugins that I haven't mentioned? Do you have any other security tips for cleaning up a hacked site? Share your hacking horror stories in the comments below.

Jenni McKinnon Jenni has spent over 15 years developing websites and almost as long for WordPress as a copywriter, copy editor, web developer, and course instructor. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.