WordPress – Cleanup After a Hack (Google: "This site may be hacked")

It happens to the best of us. All is well, and then one of your websites (or client websites) is flagged as hacked in Google. This article is the first in a series of posts that will walk you through a few small setting changes that can make a big difference in your WordPress configuration.

NOTE: Before making any major changes, be sure to back up your complete site and database. If you aren’t comfortable backing up your site yourself, reach out to your host to make sure that a backup is available to roll back your site if needed.

There are a handful of plugins now that can help you back up your site.


Step 1:  Change Your Login

Not only should you change your password, you should also change your username. When you set up WordPress manually, or with a 1-click install tool such as the one available at www.HipGlossPro.com as part of your hosting package, the suggested username is ‘admin’ (or your hosting account user name). If your username is admin, I would recommend that you change it ASAP.

To change your username, log in to your WordPress admin panel, select ‘Users’ and create a new user with the role of Administrator. Log out of your old admin account, log in with your new account, and delete the original ‘admin’ account. If you have created blog entries as admin, make sure to select the option to assign all content created by admin to your new Administrator user; otherwise those posts are deleted along with the account.

There is a lot of debate over passwords: do complex passwords truly protect you more, or is a cracked password simply a cracked password? Brute force, encryption… I will dig into this further in a future post, but for now, my recommendation is to create a HIGH security password.

TIP: To create a strong, randomized password, you can use a tool such as http://passwordsgenerator.net/

My recommendation is to create passwords that you cannot remember and then use password manager software such as KeePass to store all of them.

Step 2:  Update

Visit your Dashboard > Updates and immediately update your WordPress version, theme, and plugins.

Step 3:  Install McAfee TrustMark

Once a site has been flagged as potentially hacked in Google, you want to rebuild trust with your visitors. The most visible way to do this is to install the McAfee TrustMark. Once this plugin is installed and activated, a TrustMark with the McAfee logo appears in the bottom right corner of your website. Your visitor can click on the TrustMark and verify your website to see that it is not full of malware or viruses.

This Plugin is currently free although advanced features are available in the paid version.

Step 4:  Register and Verify with Google

When Google flagged your site (“This site may be hacked”), they provided basic instructions, including a few of the files that they believed were part of the hack. To see this information, you will need to register and verify your site in Google’s Search Console.

To register and verify your site, add it to the property list of your Google Webmaster account.

The message that appears says that there is hacked content, followed by a link to view details. On the view details page, you will see examples of a few pages that have been flagged as hacked.

Step 5:  Delete Delete Delete

You will need to delete all files that were created by the intruder. Be careful, and understand fully any file that you are deleting. You may want to save a few files locally in case your host wants to investigate later, and take screenshots as a reminder of where the files were. Last night, I was working with a WordPress site that was attacked (1 down, 30 to go!) and it had over 800 files in one directory (also created by the intruder). Attacks can be unique and my example may not be the same as yours, but for me, I found the following:

1 fake directory filled with over 800 html files

1 fake directory with a new sitemap.xml file in it, with the site pointed at this new sitemap (also a planted hacked file)

changes in my .htaccess file

I immediately deleted the files that were clearly additions to my site and then looked more closely at my .htaccess file.
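As an added example (not code from the original post), here is a small audit script that flags the three things found above before anything is deleted: a directory flooded with .html files, a sitemap.xml outside the web root, and lines in .htaccess that a known-good baseline does not contain. The baseline .htaccess, the 50-file threshold and the sample tree it builds are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed known-good .htaccess (the standard WordPress rewrite block); not from the original post.
BASELINE_HTACCESS = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""
HTML_FLOOD_THRESHOLD = 50  # assumed cut-off; the post's case had over 800 files in one directory

def find_html_floods(webroot, threshold=HTML_FLOOD_THRESHOLD):
    """Directories under webroot holding at least `threshold` .html/.htm files."""
    floods = {}
    for dirpath, _, filenames in os.walk(webroot):
        count = sum(1 for f in filenames if f.lower().endswith((".html", ".htm")))
        if count >= threshold:
            floods[os.path.relpath(dirpath, webroot)] = count
    return floods

def find_stray_sitemaps(webroot):
    """sitemap.xml files anywhere below the web root (the legitimate one lives in the root)."""
    return sorted(os.path.relpath(os.path.join(d, "sitemap.xml"), webroot)
                  for d, _, files in os.walk(webroot) if d != webroot and "sitemap.xml" in files)

def htaccess_additions(webroot, baseline=BASELINE_HTACCESS):
    """Non-blank lines in the live .htaccess that the known-good baseline lacks."""
    live = Path(webroot, ".htaccess").read_text().splitlines()
    known = set(baseline.splitlines())
    return [line for line in live if line.strip() and line not in known]

def build_sample_site():
    """Constructed sample tree mirroring the post's findings (not a real site); returns its path."""
    root = tempfile.mkdtemp()
    Path(root, "sitemap.xml").write_text("<urlset/>\n")  # legitimate root sitemap, must not be flagged
    Path(root, ".htaccess").write_text(  # baseline plus one appended rewrite line (constructed)
        BASELINE_HTACCESS + "RewriteRule ^sitemap\\.xml$ /wp-content/uploads/cache/sitemap.xml [L]\n")
    fake = Path(root, "wp-content", "uploads", "cache")
    fake.mkdir(parents=True)
    for i in range(800):  # the flood of planted .html pages
        (fake / f"p{i}.html").write_text("<html></html>\n")
    (fake / "sitemap.xml").write_text("<urlset/>\n")  # planted sitemap
    return root
```

Point the three functions at a real web root (or a downloaded copy of it) and review each finding by hand; the script reports, it never deletes.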

Step 6:  Google Submission

Now that you have completed the basic steps, you can resubmit your site to Google through the Google Webmaster panel.

NOTE: The steps outlined here only clear up the issue that Google was able to find and flag your site for. Simply put, your site may have additional issues.

Additional Steps

If you are concerned that your site may have a vulnerability that you were unable to address, our recommendation is to roll your site back to a time before it was hacked.  Your host may be able to help you figure out the time stamp and complete this task for you.

Also, for additional advanced steps, read our article – Additional Preventative Actions: Google says,”This site may harm your computer”