WordPress site hacked after restore

My WordPress website got hacked after restore. Again! Why?

We often hear about repeated security incidents on WordPress sites. This is not specific to WordPress; it has more to do with site maintenance and security management. Most repeat hacks happen because the site was restored unprofessionally after the previous incident: the consequences were fixed, but not the causes. Repairing a site correctly after a security incident takes knowledge and close attention to detail.

What have you forgotten?

Properly repairing a hacked WordPress website involves many standard procedures and tasks. Sometimes people miss a crucial step, and everything goes wrong later. If you want to repair your hacked website on your own, we recommend that you read this post. Also, don’t forget to make backups periodically so that you have a copy of your website files and database; this is crucial if you don’t want to lose all your data. And, of course, make sure your computer is up to date and protected by reliable security software.

Passwords, passwords and passwords again

Passwords are the front line of your website security. It is critically important to use strong passwords for all your accounts. If your site got hacked, you should change absolutely all passwords that are in any way related to your website. Any of them might be compromised and pose a real threat to your site even after a complete repair. Here are the most critical passwords that you really need to change:

  • WordPress database password.
  • FTP account password.
  • WordPress users with the administrator and similar roles.
  • Hosting account password.

Check out your .htaccess and .htpasswd files

Always check these files carefully. They are critical to your website security, and they could contain data added by an attacker. For example, .htpasswd could have been modified to hold access credentials (username and password) generated by the attacker. In that case, your .htpasswd protection is compromised.

The same principles apply to .htaccess files. An attacker could add exceptions and specific rules to make sure he keeps access to the website files and to the site itself.

TIP: we make hundreds of website repairs each month, and we have noticed one trick that hackers use to hide additional .htaccess rules: they add a lot of empty lines below the original content and put their own lines at the bottom of the file. In most cases .htaccess files contain only a few lines, so the white space naturally looks like the end of the file. You should always scroll down to the very bottom to make sure there are no more rules hidden at the end of the .htaccess file.
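The check from the tip above can be automated. The following Python sketch is an added example, not ThreatPress code: it flags any directive that appears after a long run of blank lines and, going one step beyond the tip, walks a whole hosting account so every site's .htaccess is covered. The 5-line threshold, the sample file and the root path are assumptions.

```python
import os

GAP = 5  # assumed threshold: blank lines in a row that count as a "gap"

def hidden_directives(text, gap=GAP):
    """Return (line_number, line) for each non-blank line found after a run
    of at least `gap` blank lines that follows earlier content."""
    findings, blanks = [], 0
    seen_content = after_gap = False
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blanks += 1
            continue
        if seen_content and blanks >= gap:
            after_gap = True          # everything from here on is suspect
        if after_gap:
            findings.append((number, line.strip()))
        blanks, seen_content = 0, True
    return findings

def scan_account(root, gap=GAP):
    """Check every .htaccess below `root`, i.e. all sites on the account."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = hidden_directives(handle.read(), gap)
            if hits:
                report[path] = hits
    return report

# Constructed sample: a stock WordPress block, 40 blank lines, one extra rule.
SAMPLE = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteRule . /index.php [L]\n"
    "# END WordPress\n"
    + "\n" * 40
    + "Redirect 302 / https://injected.example/\n"
)

if __name__ == "__main__":
    for number, line in hidden_directives(SAMPLE):
        print(f"line {number}: {line}")
    # Point this at the hosting account root (the path is a placeholder).
    print(scan_account("/path/to/account/root"))
```

A hit is a prompt to read the file by hand, not proof of compromise; a clean result does not rule out rules inserted without a gap.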

Multisite hosting? Check them all!

The most common reason for repeated (and successful) site hacks, even after an accurate repair, is multisite hosting. Let’s take an example. You have a hosting plan that allows you to host more than one website, and let’s assume that you have five sites running on it. One day you notice that one of your websites got hacked. You repair it, clean up all the files and even harden the site by eliminating the weak point that was used for the hack. Later you notice that the same site, or another one on your account, is hacked.

That’s because all websites on the same hosting account share the same file space; they are not isolated from each other. Once an attacker has access to one of them, he has access to all of them. He can place a backdoor in any website to get back onto the server whenever he wants. So it’s critically important to check the security of all sites on a multisite hosting account, even if only one of them is hacked.

Insecure software

One of the biggest mistakes you can make while restoring your website is to use insecure software. Many security breaches are caused by vulnerable or nulled WordPress plugins and themes. Any WordPress plugin or theme downloaded from torrents or other unreliable sources could endanger your WordPress website.

We highly recommend that you use only reliable software downloaded straight from the WordPress theme or plugin repository, from the websites of the software developers, or from well-known online catalogues like CodeCanyon or similar.

Saving a few dollars could bring you a massive headache: you can lose far more money to a security incident. Remember, there are thousands of free WordPress plugins and themes that you can use safely. And don’t forget to update your software regularly.

Compromised backup archive

Restoring your website from the last backup archive could be a bad idea. If your latest WordPress backup was generated when the site was already hacked, restoring from it gets you nowhere.

You need to make sure your backup archive is clean and safe (at the very least, generated before the site was hacked). Server logs can help you identify the date when the site was hacked.

TIP: do not rely on the last-modified dates of files created by the hackers. These dates do not reliably show when a file was actually added.
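One way to date the compromise from server logs rather than file dates, and pick a backup accordingly. This Python sketch is an added example, not part of the original post; it assumes combined-format access logs, and the log lines, the file path and the backup names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: host ident user [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def first_seen(log_lines, malicious_paths):
    """Earliest successful (2xx) request to a file identified as malicious."""
    earliest = None
    for line in log_lines:
        match = LINE.match(line)
        if not match:
            continue
        stamp, url, status = match.groups()
        if url.split("?", 1)[0] in malicious_paths and status.startswith("2"):
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            if earliest is None or when < earliest:
                earliest = when
    return earliest

def newest_clean_backup(backups, compromised_at, margin=timedelta(days=1)):
    """Newest backup created at least `margin` before the first sighting.
    The file was uploaded some time before its first logged use, hence
    the safety margin (one day here is an assumption)."""
    cutoff = compromised_at - margin
    older = [(made, name) for name, made in backups.items() if made < cutoff]
    return max(older)[1] if older else None

# Constructed sample data; BAD stands for a file found during cleanup.
BAD = {"/wp-content/uploads/cache.php"}
LOG = [
    '203.0.113.7 - - [12/Mar/2024:04:11:09 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:22:40:51 +0000] "GET /wp-content/uploads/cache.php?x=1 HTTP/1.1" 200 18 "-" "-"',
    '198.51.100.4 - - [09/Mar/2024:08:00:00 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [08/Mar/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]
BACKUPS = {f"site-2024-03-{day:02d}.zip":
           datetime(2024, 3, day, 2, 0, tzinfo=timezone.utc)
           for day in (4, 9, 10, 11)}

if __name__ == "__main__":
    hit = first_seen(LOG, BAD)
    print("first successful request:", hit)
    print("restore candidate:", newest_clean_backup(BACKUPS, hit))
```

The first logged request is only an upper bound on when the site was compromised, so the chosen archive still needs to be inspected before it is restored.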

You also need to be careful with your database backup file. It may contain various injections, such as unknown users with administrative rights, so check the database before you repair the site.

Hacked at the server level?

Your website could be hacked not only through vulnerabilities in your site software, but also through server software vulnerabilities or an insecure server configuration. In that case, restoring your website will not solve the problem. You need to analyse how it was hacked; if the server software is still vulnerable or the server configuration is still insecure, your website could be hacked again and again.

However, this is rare and happens only on unmanaged systems left without maintenance for an extended period of time. Hosting companies usually update their server software on time and configure their servers to meet specific security requirements.

Vulnerable WordPress plugins and themes

Make sure none of your WordPress plugins and themes are vulnerable. You can check the status of your plugins and themes by using the ThreatPress database of WordPress vulnerabilities or by using our WordPress security plugin, which runs automatic checks periodically. It will notify you as soon as it finds any outdated or vulnerable plugins or themes on your site. Please don’t forget to update your software as soon as possible.

Many teams and cybersecurity professionals publish information about recently discovered vulnerabilities to make WordPress safer, so don’t miss this opportunity to secure your website.

Clean up your search index results

Don’t let anyone know that your website was compromised. Sometimes hacks are made just to use your site for black hat SEO spam and similar illegal activities. Use the Google Search Console or other similar tools provided by search engines to clean up results generated by indexing injected content. It will not make your website safer, but it’s necessary for proper site repair after the hack.

Check your website for blacklisting

Sometimes your site could be marked as malicious because of malicious software that was active on it while it was hacked. It can remain labelled as malicious even after the repair. You need to notify the managers of these blacklists (for example Google Safe Browsing servers, PhishTank, Malware domain list and Spamhaus ZEN) that you have cleaned your site and want it removed from the blacklist.

Finally, we would like to say that repairing the site after the hack is only part of the work. The main task is to keep it under constant surveillance and maintenance. Timely software updates, strong passwords and other simple security measures will help you to enhance the security of your WordPress site.

Darius S.
