Repairing and securing hacked WordPress websites

Without regular monitoring and proper security, WordPress sites are vulnerable to hacking. The situation is urgent, but you need to stay calm and react quickly.

Discover the causes, consequences and solutions for regaining control.

"My WordPress site has been hacked"

Urgent action is needed. Let's fix it and make it safe!

If a security flaw is present on your site, then a hacker can technically take complete control of it. This is known as a "hack".

When your WordPress site is hacked, visitor and administrator data can leak, and your users can be redirected to malicious sites.

Your site can also be delisted, especially if it is blacklisted for malicious content or redirection. This also harms your online image and drives visitors away.

It is therefore urgent to take action to limit the damage. But you have to follow a rigorous procedure for clean up your site and avoid any recurrence.

Emergency hacked WordPress website

Professional repair

by Robin Labadie (LRob), WordPress security expert

Ensure efficient repair.

  • 24/7 repair
  • Analysis and security
  • Additional recommendations
  • 90-day guarantee
  • Guaranteed repaired or reimbursed

Most hacked WordPress sites are repairable

repair internet angel

If your site's data is still present, then your site is certainly repairable.

Hackers rarely delete data. Conversely, they add malicious content to your site to discreetly take control of it and serve fraudulent activities.

What to do in the event of a WordPress hack?

We must act quickly The more time a hack lasts, the greater the loss of referencing and the impact on your online image. Without rapid intervention, the infection risks worsening and further altering the content of your site, making repair more complex if not impossible.

First aid :

  • Stay calm your site is surely repairable.
  • Check that your site includes symptoms of a pirated site.
  • If your host allows it, suspend public access to the site to prevent any further alteration of the site or exploitation of your site by the hacker.

What NOT to do in the event of a WordPress hack?

Gestures to avoid:

  • Don't log in to the administration of a hacked WordPress site, as this may transmit your logins to the hacker.
  • Don't try to update via admin access, as this not only transmits your logins to the hacker, but also does nothing to erase the malicious scripts and mask the loopholes used, making it impossible to know the precise cause of the hacking and avoid it later.

My key steps for repairing and securing your WordPress site

After a hack, a complete clean-up and a thorough security check are necessary to secure your site for the long term.

WordPress repair requires a great deal of rigor and a perfect command of WordPress and web hosting. This prevents any loss of data, preserves your site's functionality and protects you from recurrences.

If you don't master these technical points, call me for advice: 06 27 37 44 92.

Here are the main steps:

  1. Save the site as is (files via FTP + database via phpMyAdmin or equivalent, from the hosting panel).
  2. Duplicate the site on a controlled, secure environment containing diagnostic tools (Plesk hosting with WordPress Toolkit and Imunify as provided on LRob hosting is ideal).
  3. Audit the site to identify vulnerabilities used by the hacker (WordPress Toolkit makes this possible)
  4. Restore the original files for all WordPress core scripts, including a complete deletion of core files to avoid added files.
  5. Identify suspicious and illegitimate scripts and remove them. To do this, browse all wp-content/ subfolders and identify files that don't belong to a native WordPress.
  6. Check that the "uploads" folder doesn't contain any suspicious HTML or PHP files (in principle, 99% files of this type in this folder are inherently suspicious).
  7. Delete any cache folders and any suspicious or apparently modified plugins or themes (check file modification dates, look at the contents of the last modified files for abnormal code).
  8. Check and clean the database for any backdoor, redirection or spam content in pages and articles.
  9. Clean up WordPress users added by the hacker (via phpMyAdmin).
  10. Secure WordPress, FTP, MySQL and SSH administrator access with new passwords. Adapt site configuration file wp-config.php.
  11. Update all scripts (WordPress core, themes, plugins).
  12. Check the integrity of all files using a plugin such as WordFence with advanced scanning.
  13. Re-audit security vulnerabilities (WordPress Toolkit) and recommend solutions to prevent recurrence.
  14. Check the various WordPress settings and .htaccess settings to prevent unsafe operation.
  15. If sensitive data may have leaked: identify this data, advise on the procedure to follow, draw up a technical file to lodge a complaint and assist law enforcement if an investigation is opened, and make the RGPD declaration.
  16. Save and archive the repaired site for 1 year
  17. Put the repaired site into production, preferably on more secure hosting such as those provided by LRob, specially designed for WordPress.
  18. Implement long-term solutions to maintain security (e.g. automatic updates and automatic backups managed directly by the server, provided by LRob).
  19. To provide the site owner with all the information he needs to intervene and ensure the long-term future of his site.
  20. A 90-day guarantee if you keep your hosting, and an unlimited guarantee if you switch to LRob with the appropriate webmastering package.

Frequently asked questions

How do I know if my WordPress website has been hacked?

If you see any of these signs, it's likely that your site has been compromised. Please contact me immediately for a free evaluation if you have any doubts.

  1. Your administrator password no longer works or seems to change unexpectedly.
  2. Advertisements or redirections to third-party sites appear on your site.
  3. You receive notifications of rejected e-mails that you did not send, indicating unauthorized use of your site.
  4. Your site displays a security alert from Google Safe Browsing, reporting malicious content.
  5. You notice the presence of unwanted content, often in foreign languages, with links likely to promote fraudulent sites.
  6. Unknown users appear in the WordPress user list, sometimes as administrators.
  7. Your site contains phishing pages that look like institutional sites and may cause a loss of referencing.

More details at this page.

Who are you and why should I trust you?

My name is Robin Labadie. I am a sole trader and my company details are available at the bottom of my website. Systems administrator since 2013, I've worked for web hosting companies and web agencies on hosting and maintenance of WordPress websites (CV available here). This led me to take charge of many WordPress sites that were not properly maintained and had been hacked. As a result, I've developed a unique set of skills and reliable, effective methods for cleaning up and securing WordPress sites over the long term. No site has ever been hacked again under my supervision.

How could my site have been hacked?

The reasons behind the hacking of your site are generally linked to security vulnerabilities. The security vulnerabilities that may have enabled your site to be hacked will be indicated in my intervention report.

WordPress, as an interactive system, includes thousands of lines of code and numerous plugins, creating opportunities for security vulnerabilities. Every day, such vulnerabilities are discovered and corrected by developers.

Since WordPress is widely used, it is often the target of attacks. Hackers test different vulnerabilities on various WordPress sites until they find one.

Reasons for intrusion may include:

  • Missing updates or obsolete scripts.
  • Weak passwords for administrator, FTP and database accounts.
  • Insufficiently secure hosting without adequate protection against attacks.

It's crucial to reinforce all aspects of security, including using secure hosting specially configured for WordPress, as well as regular maintenance, to prevent future intrusions. My offer Webmastering Critical is designed with this in mind.

Why was my site targeted?

Online attackers don't usually make distinctions: they attack all sites, including those of the self-employed, small businesses, small associations or local authorities. Truly targeted attacks are rare. That's why, if your site has security flaws, it's not a question of "if", but "when" your site will be hacked.

Whether your site is specifically targeted or not, it's essential to take all necessary measures to ensure complete security and prevent any recurrence.

I've updated my site after a hack, is that enough?

No, that's not enough, nor is it recommended. It's necessary to carry out a complete audit of the site's files and database, and to identify other potential vulnerabilities and unauthorized users.

This is because most hackers often leave backdoors in their code to maintain access, and these are not erased by an update.

Also, to perform the update, if you've gone through the hacked site's back-office, this may give the hacker access to your password, which you'll have to change wherever you use it.

If you've already performed updates after an intrusion, it's important to let me know, as file modifications are an important diagnostic indicator. Also, the update may have corrected the original vulnerability, making it impossible to retroactively detect the original flaw that enabled the hack.

Safety is our specialty. In the event of a hold, call on your safety expert LRob.

Why is WordPress being hacked?

WordPress is an attractive target for hackers due to its great popularity (43% of websites) and the mass availability of information on its security vulnerabilities.

Hackers' motivations are generally linked to illegal financial gain. They use various methods, such as data theft and resale, as well as phishing, to achieve this goal.

What is the response/recovery time?

Your site can be repaired within 24 hours, including evenings, weekends and public holidays. Such a turnaround also requires your responsiveness.

Piracy is an emergency and your request is treated as a priority.

For best results, we recommend that you fill in the form and then call us.

For rapid intervention, you need to provide access to the site files and database, and then, as soon as you have confirmation that your site is repairable, place the order.

After a preliminary diagnosis by telephone or via the contact form and payment on your part, the repair begins.

What access is required for repairs?

Full host access provides all the necessary access. For the repair, I only need access to your site's files and database. You can provide me with an archive of the files and database if you're comfortable with this option. Otherwise, FTP and phpMyAdmin access is sufficient. On a dedicated server, SSH access with sufficient permissions is recommended.

What do I pay if my site can't be repaired?

I'd like to make sure that you won't be charged if your site unfortunately can't be repaired.

The diagnosis prior to the order is designed to check the feasibility of the intervention.

However, should I notice during the repair process that your site has been too severely altered and that your content is no longer available, I undertake to reimburse you by credit card or bank transfer within 7 working days. You can also opt for a credit note deducted from the amount already paid for hosting, site creation or redesign, if you prefer.

Your warranty is for 90 days, so why not longer?

A maintenance-free site starts to run a significant risk after 3 months without updates. In other words, after 3 months, what happens to your site is no longer related to the initial security.

If you opt for LRob hosting, you'll benefit from automatic updates and security alerts.
If you opt for a Webmastering package, then security is closely monitored by me, and you benefit from the "0 hack" guarantee: any hacking is taken care of free of charge on your hosted site.

How long is the downtime during the procedure?

Usually just a few seconds.

My intervention is designed not to cause any noticeable interruption.

First, the duplication of your site to my environment has no effect on it. Secondly, the return to production is done in such a way as to minimize delays. The first few seconds of interruption are due to the renaming of the hacked site folder to a new folder with the repaired site pre-sent. Finally, importing the repaired database usually takes a few seconds, during which the site may not respond. The duration of this stage depends on the size of your site's database and the performance of your hosting provider, if you haven't chosen LRob.

If you've chosen LRob hosting, then migration to the new server won't cause any downtime thanks to perfect DNS control!

What our customers say

Very satisfied with Robin's intervention

25/01/2024

My site was badly infected and I needed a complete analysis and rapid repair. Robin was very efficient, he did a preliminary analysis of the situation in order to draw up the estimate and then carried out the repair within a few hours. He sent me a detailed report the next day with all the analysis. I recommends eyes closed.

Avatar for Coralie Laurent
Coralie Laurent
Verified

Leave your opinion on this service

See also: WordPress security audit

Don't wait for your site to be hacked before checking its security

en_US