Clean up hacked WordPress website

You never expect it to happen to your website. You think they will not be interested in a small player like you. Why would they want to hack your website? Well, they do. Any website is a target, really, and WordPress is the number one target. Just as Windows is the favorite operating system to hack, WordPress is the largest target.

In this blog I will talk about the options for cleaning up or restoring WordPress websites. How do you clean up a hacked WordPress website?

Restoring a Full Backup Scenario

If you do have a full backup of the website, and one that is recent enough and clean, then by all means use that backup. That is why we always recommend using a backup plugin like BackupBuddy to back up and store copies in a third-party location.

Partial Backup Scenario

If you do have a backup but it is somewhat older, you could use the theme files from it after a thorough check and replace:

  • wp-admin,
  • wp-includes and
  • the plugins directories

with new copies. Also clean up the other wp-content directories and check all the files in the web root.

Admin and Includes

The admin and includes folders are system folders that you never touch, so they can easily be replaced. Preferably, do not overwrite them: remove them completely and replace them with new ones from the WordPress repository.

Web root

The files in the root tend to be similar to a basic setup too, but a file like .htaccess or wp-config.php is unique and these need to be checked separately. Files that are not unique, like

  • index.php
  • wp-activate.php
  • wp-blog-header.php
  • wp-comments-post.php
  • wp-config-sample.php
  • wp-cron.php

need to be replaced with original ones. Always good to compare the root of a standard clean setup to yours. Sometimes files look like standard WordPress files but aren’t.


The uploads folder tends to be a folder inside wp-content you also want to keep. It contains all your media after all. It does have to be checked for contamination though. Could be that a backdoor has been added there.


If you need to keep the database too, you may need to clean that up as well. Sometimes spammy SEO data is added, for example. Sometimes junk is just added to articles or products. With MS Workbench, phpMyAdmin or another tool it is often relatively easy to run queries.


There are tools you can use to clean up. Some tools are used by your hoster like SpamAssassin, some tools you can use on your site directly like Wordfence or iThemes Security – both WordPress plugins. Other tools are good old fashioned command line tools.


Wordfence is an excellent plugin that will help you dig up contaminated files, but there is never a guarantee it catches them all. So do some manual work with the commands mentioned later on. iThemes Security pretty much does the same thing and offers some login security options out of the box, for which Wordfence has a separate plugin.

Sucuri and Google Webmaster Tools

Another option is online scanner tools like Sucuri, which will scan your site for you and let you know where potential issues are. Google, Chrome and Firefox will tell you when your site is infected too, but they will not show more details on this. Once they have located infected pages they will also show warnings to users in the browser, and that will stop most from visiting your page. That is often how you find out and panic. Sucuri might locate the issue before you get blacklisted and won’t report it, so you have time to clean up.

Google Webmaster Tools will see the same but could potentially pinpoint the pages that have the issue better. It will mention whether it is a phishing issue or whether there is content injection. See the Google Developers article for more on that.

Search Files for Contaminated Code

As said, you can also use command line tools to check files for contaminated code: code that has been injected with malware or spam. For that we mostly use grep and find as commands:

grep -rnw 'directory' -e "pattern"

grep -nrl "badcode"

find inside-directory-x -name name

Base64 and Hex Code

The code or pattern we tend to look for is base64 or hex code, which is used a lot to obfuscate the code they added. We also look for variations like

  • base64_decode
  • gzinflate(base64_decode
  • eval(gzinflate(base64_decode
  • eval(base64_decode

Readymade Grep Commands

Here are some ready-made grep commands:

  • grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot
  • grep -lr --include='*.php' "eval" .
  • grep -lr --include='*.php' "base64" .

Find Hex Code

The only thing we have not looked for yet is code hidden inside hexadecimal code. This is sometimes done to double hide stuff: base64 inside hexadecimal code. You can search for that using

find . -type f -name '*.php' -print0 | xargs -0 grep -il x29
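The grep and find searches above, and the earlier advice to check the uploads folder, combined into one triage pass. This is an added example, not part of the original post; the function names, the 160-character cut and the sample tree are assumptions made here, and PHP files under uploads are flagged on the assumption that the folder holds media only.

```shell
#!/bin/sh
# Added example: triage scan for the indicators discussed on this page.

# List every PHP line that calls eval/base64_decode/gzinflate or carries a run
# of \xNN escapes, as "file:line:text". Matching is case-insensitive because
# PHP function names are. Lines are cut at 160 characters because packed
# payloads usually sit on one very long line.
scan_obfuscation() {
    find "$1" -type f -name '*.php' -exec grep -nHiE \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|(\\x[0-9a-f]{2}){4,}' \
        {} + | cut -c1-160
}

# Assumption: uploads should hold media only, so any PHP file there needs a look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) | sort
}

# Constructed sample tree so the example runs offline; the payload is a placeholder.
sample=$(mktemp -d)
mkdir -p "$sample/wp-content/themes/demo" "$sample/wp-content/uploads/2017"
printf '%s\n' '<?php echo "clean template"; ?>' \
    > "$sample/wp-content/themes/demo/footer.php"
printf '%s\n' '<?php EVAL(gzinflate(base64_decode("CONSTRUCTED-PLACEHOLDER"))); ?>' \
    > "$sample/wp-content/themes/demo/header.php"
printf '%s\n' '<?php $f = "\x62\x61\x73\x65\x36\x34"; ?>' \
    > "$sample/wp-content/uploads/2017/thumb.php"
: > "$sample/wp-content/uploads/2017/photo.jpg"

echo "Lines to review:"
scan_obfuscation "$sample"
echo "PHP files inside uploads:"
php_in_uploads "$sample"
```

Every hit is only a candidate: read the code before deleting anything, since legitimate plugins and themes occasionally use the same functions.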

Modified Code Check

It is also useful to check for files that have been changed recently. You could use something like

find /home/mywebsite -type f -ctime -7

to check for changes in the last 7 days. This is very handy, as you often have loads of files that are months old and only a few that were changed very recently.

NB Excellent article on using all these commands by Greg Freeman: How to tell if your PHP site has been compromised.

False Positives

You still need to understand that some plugins or themes, though rarely, use base64, eval, or hex code. So you cannot just search for these indicators and delete it all. Try to replace files with clean copies if you can, and do check what the code is about if you can.

Often it is code at the top of files, before the clean code, and if you decode it you will see it is an online shell script, for example, or a way to load spam on pages. But do take some time. And always back up.

File and Directory Permissions

Always good to check if file and directory permissions are in order. Sometimes they were not, and sometimes a hacker adjusted these. Run the following from the web root to list the directories and files whose permissions are not 755 or 644, so you can set them correctly.

find . -type d -not -perm 755 -exec ls -ld {} \;
find . -type f -not -perm 644 -exec ls -la {} \;

The 644 for files and 755 for directories tend to work for the majority of server setups. They make sure that only root or a specific user, often one like web, can change these files or directories. Sometimes people get stuck making WordPress work and then use 777. This is very bad, as it makes that file or directory writable by everyone.

File Comparison

If you do have a decent backup you can also do a file comparison to see if any file changes have taken place, and then check the code in detail. This is basically something Wordfence does as well. Two commands are often used: diff and md5sum. The former I use the most. Here are two example commands:

diff -qr www/ backups/full-backup-20120124/


md5sum <current-page> <backup-page>
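A scripted version of the comparison described here and in the Web root section, run against a fresh WordPress download instead of a backup. This is an added example, not part of the original post; the function name, the output labels and the sample trees are assumptions, and wp-content is skipped because it is site-specific.

```shell
#!/bin/sh
# Added example: classify files of a live WordPress tree against a clean copy.
# Usage: compare_to_clean LIVE_DIR CLEAN_DIR
compare_to_clean() {
    live=$1
    clean=$2
    # Pass 1: everything in the live tree except wp-content.
    (cd "$live" && find . -path ./wp-content -prune -o -type f -print | sort) |
    while IFS= read -r f; do
        case $f in
            ./wp-config.php|./.htaccess)
                # Unique per site: no clean reference exists, read these by hand.
                echo "REVIEW   $f" ;;
            *)
                if [ ! -e "$clean/$f" ]; then
                    echo "ADDED    $f"      # not part of the clean release
                elif ! cmp -s "$live/$f" "$clean/$f"; then
                    echo "MODIFIED $f"      # same name, different bytes
                fi ;;
        esac
    done
    # Pass 2: core files that have been deleted from the live tree.
    (cd "$clean" && find . -path ./wp-content -prune -o -type f -print | sort) |
    while IFS= read -r f; do
        [ -e "$live/$f" ] || echo "MISSING  $f"
    done
}

# Constructed sample trees so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/clean/wp-includes" "$demo/live/wp-content/uploads"
echo '<?php // core index'   > "$demo/clean/index.php"
echo '<?php // core cron'    > "$demo/clean/wp-cron.php"
echo '<?php // core version' > "$demo/clean/wp-includes/version.php"
cp "$demo/clean/index.php" "$demo/live/index.php"
echo '<?php // core cron, altered' > "$demo/live/wp-cron.php"
echo '<?php // lookalike name'     > "$demo/live/wp-blog-headers.php"
echo '<?php // site settings'      > "$demo/live/wp-config.php"
echo '<?php // ignored here'       > "$demo/live/wp-content/uploads/x.php"

compare_to_clean "$demo/live" "$demo/clean"
```

The clean copy has to be the same WordPress version as the live site, otherwise every file changed between releases shows up as MODIFIED.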


Well, we have mentioned a lot of tools here. The key is of course to back up and to have a secure host, including an up-to-date WordPress website. Always remember that just because a website is launched it doesn’t mean you are done. You always have to remain vigilant.

Securing Your WordPress Website with SSL

We wrote about the importance of using SSL before. And we have been pushing for all our clients to get on board and get an SSL certificate. Not only is it good for SEO, but it also makes sure that browsers this year will not consider forms on your site that take user payment details or password details as insecure if they are not using https / SSL. So let’s talk about securing your website with SSL.

Why do you need SSL?

So why do you need it? Well, one, it gives you more authority on the web and better SEO. But also, it is becoming more and more urgent to get an SSL certificate, as more and more browsers will flag your site, or pages on your site, as insecure when you ask for payment or credit card data in forms – think ecommerce – or for a password, and do not use SSL. And that will look really bad on your site. Again, see the earlier article on Chrome and the SSL push.

What is SSL

SSL or TLS are basically two technologies to encrypt the connection from the visitor of your website to your website. So every time he enters data on your site in forms that data will be sent securely. Once a site is https secure you will see either a green lock in your browser or the lock and the word Secure.

How to get SSL

You can get SSL by paying for an SSL certificate with a company that deals in them, by asking your host to arrange it, or by taking care of it yourself. Normally your webhoster should have options available. Not all hosters have the free Let’s Encrypt option though, so you may need to pay around €15-30 a year for it.

User Case

One of our long term clients Het Wapen van Enkhuizen, a hotel in the picturesque Enkhuizen, Holland has just had a lovely upgrade to a Comodo SSL certificate as well and is now completely secure. Giving it more authority on the web, better SEO and better preparation for an SSL only web in the future. Let’s Encrypt was not possible with their Dutch hoster Hostnet. So we went for a Comodo Positive SSL Certificate instead.

Now some technical details

Settings > General URL Change

Here you need to replace http with https. This will not cover all your bases but it is a good and quick start. You can do this in the database as well, of course, and you could even do this and all the other replacements in one go, but that is a bit tougher for most.


After adding a modified WordPress rewrite block

<IfModule mod_rewrite.c>
# BEGIN Force http to https
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
# END Force http to https
</IfModule>

and adding

define('FORCE_SSL_ADMIN', true);

to wp-config.php all traffic got redirected to https.

Hard coded Urls

Then we only needed to replace some hard coded URLs inside header.php and style.css, and replace image paths. You can do this with Search and Replace Database by Interconnectit, or yourself in the database. Just be careful with serialized data.

Image Paths replacement

For replacement of image paths in the database we used the search and replace script of the awesome company Interconnectit. And then we had a great secure Wapen van Enkhuizen!


If you are interested in help with Securing Your Website with SSL we can take care of this for a very affordable fee.