How to Fix Hacked WordPress Site

Here's a great source for learning how to fix your WordPress Website.


In this tutorial I show you how to fix a hacked site. It's taken me a while to make this video because I needed a site that was hacked that I also have access to, so I can show you step by step how I fix it. I've done that, and this is that video. This is something you can do for your clients and charge them a lot of money. Frankly, you can charge up to $500 or more to recover a hacked site, and as you'll see in this video it's actually not that difficult. If your client has backups of their website, it's even easier. Either way, we're going to fix a hacked site right now.

I had to have a site hacked, and now I'm going to show you how I'm going to fix that hack. This was a site that we were working on with a business partner a while ago. We kind of left this one be for a while to work on something else, and in the meantime it became outdated. It had some kind of plugin, somebody got in and hacked it, and InMotion Hosting quarantined the hacked site once they detected it was hacked. They put up just this directory of these three files with no real information, except for the phpinfo.php, which seems like it gives away a lot of information about the server.

I'm not sure why they'd want that to be publicly visible, but either way this is what appeared when I took the site down. Now I'm going to show you how I'm going to get this site back up. Keep in mind that your site might look different: it might be defaced, it might still be there, or maybe just your login is broken.

I have another tutorial, linked in the card above, that shows you how to log in or create a new login for your site when you don't have access through the site itself and the hackers changed your email address or deleted your user so you can't use Forgot Password. I'll show you how to make a username right in the database so you can log into your site again. But that's not this tutorial; this tutorial is about recovering a hacked site that's been taken down by the host.

If we go into our hosting account and into the file manager (there's a really good chance you can't get here through FTP), the website normally is in public_html. This is the root folder that your FTP would probably load. What InMotion does is quarantine your site: here's the quarantine, in a folder that's below the root, and this is actually the entire site. I can go ahead and open this folder, copy all the contents back into public_html, and the site's back up. But before I do that, I'm going to investigate and do a little cleanup.

So the first thing I want to do is select all the files in here and compress them. I'm going to make a backup of all the files, including the hacked files on the site, so I'm going to call this quarantined backup, or you could call it hack backup. I'm going to wait for that zip file to be created. The zip file is done, I have the results here, and if we reload we'll have our zip file here. I'm just going to download it to my hard drive so I have a backed-up copy of the entire site, because this site still works.

If I don't back it up and I delete the wrong things, I have no backup of the quarantined site, so it's always good to make a backup even of the hacked version of the site. Now I'm going to look through some of the most common areas where hackers insert or inject files. The first thing I see is this lead.php. It's not a file that I've ever used. There might be some custom stuff that you do have in the root of your site, but I know that I never had lead.php, and it's a very big file, 22 kilobytes, whereas index.php, being a WordPress file (and this is too big, it's probably an edited one too), is only 503 bytes.

Quite often the hacked files are very large. Even this login.php probably shouldn't be that big. But we're going to open this lead.php: select it and click on Edit. Hacked files, or files with malware in them, have very clear signatures, and one of them is that the code looks like gibberish. If you try to read this function, it looks like gibberish; there's no way that a person who didn't write this can figure out what's going on without spending hours studying it. Whereas if you look at a regular WordPress file, let's try this one, see, this one is uncompromised.

This looks pretty good. There are comments at the top explaining what this file is about, the functions are named in ways that kind of describe what they do, the URLs make sense, and there are comments all throughout to document the file and help you figure out what's going on. Not so much in this file: the entire thing is just a big pile of gibberish. So I'm going to go ahead and select it and delete it, because I'm fairly certain that is not a solid WordPress file that needs to be there.

I've seen the WordPress core files a lot, all of these, over the years. If you're not sure which of these are actual core files, just download WordPress: click on Download, then click on Download again, and save the zip to your hard drive. You can unzip it and compare the files in that folder to the files that you have here. You can even compare the file sizes if you want to.

Let's go into another common area where hackers inject stuff: that would be the wp-content folder, sometimes the plugins. This index file, maybe: you can just click on Edit and look at these things to see if they look suspicious. This one's not: "Silence is golden", just a regular index file. It's also very small, only 28 bytes. This one also is probably the same thing.

If you go into themes, some of our themes might have hacked stuff in them, but it's very hard to root through all the theme files. But we found that lead.php file, which might have been causing all the problems. Something I should have done before I deleted it was look at the date stamp, because that would have helped identify possible files that were edited at the same time; every file has a last modified date in this column here.

Sometimes you just don't know exactly what's been edited and you don't want to spend time looking through it all, so what I often do is download a new version of WordPress and replace all of the core files. So I download the zip file, open the folder, and unzip it. We have our WordPress folder right here with the unzipped files, and I am going to zip it up again. I know it sounds weird, but I'm going to zip it up again.

What we're going to do is replace all of the core files. Inside our file manager, the core files are contained within wp-admin and wp-includes, and more often than not all these files out here are core files as well. wp-content is where you have your themes, your plugins, your uploaded images, all your media; it all goes in here, so we're not going to replace that. And we're not going to replace wp-config.php, which contains our database information, unless you want to delete it here and then rebuild that file; we can do that too. Just in case there's some weird stuff, we have to quickly open this in the editor.
Let's see if it has some weird stuff in the config file. Let's quickly scroll through it. It all looks pretty legit in here, so our config file is probably fine, and I'm not going to delete that one. We can delete everything else, and because we have a backup I'm not afraid at all. If we didn't have a backup I'd be a little worried about what I'm about to do right here. See, this folder is empty, oops. But since there's a backup, I'm totally fine just coming in here, selecting all these things, and hitting Delete, bypassing the trash. Completely gone.

Now I'm going to come in here and select all these files except for wp-content. wp-config-sample.php is in here, which you don't have to upload, but wp-config.php would not be, because you create that when you install WordPress. I'm going to zip up all these files and upload them to this folder here. I'm going to drag and drop this into the box to upload it. Once it's uploaded we can close this tab, reload our file area, and we have our zip. I'm going to extract it. Now we have our new files. We've got the __MACOSX folder up here; we can delete that, and we can delete the archive. Now, except for wp-content (we're not sure what's in there), in all the other files we only have files that are part of the core.

We should be fairly safe to copy this over to the main area, into public_html. These files that they put in here for us, I'm just going to put into a new folder. I'm going to call this, I don't know, host files, I guess. Create that folder and drag and drop all those guys in there. Then take all these files, select all of them, and drag and drop them right there. Now they're back in our main site.

Now I'm going to come out here and refresh this page and see what happens. It could be magic. It's not magic: we have an error in the BadgeOS plugin. So I'm going to deactivate all the plugins: go into wp-content, go to the plugins folder, and change its name to old or off. Refresh this page again. Now we're getting somewhere. We have Visual Composer code here, but Visual Composer is a plugin we just turned off, so clearly it can't render the content. But the site is back online, and it's not defaced, at least not on this page. Let's see if these pages work. We have to reset our permalinks; those will work after a permalink reset. Let's see if we can log in to this thing. There's the login page. Let's see if we can get into the admin area, cross your fingers. There's the admin area, look at that.

Okay, I'm going to first reset the permalinks. Go to Settings and then Permalinks, scroll right to the bottom, and click on Save Changes. Now if I go back to the front end, that should fix the deep linking, the non-homepage links that weren't loading a second ago. If I go to About, this page should load now, and it does. Again there's Visual Composer code, which will load in a second when we turn that plugin on. Services, testimonials, all these things are loading now.

Let's go back into our file manager and change the name of the plugins folder back to what it should be. You can actually leave it as -old and activate all the plugins, but it's weird, so I always change the name back. It's not required to activate the plugins; I just do it. Let's go to Plugins and Installed Plugins. Now we have an issue here again with the BadgeOS plugin, so why don't we try just renaming BadgeOS and see if that fixes this BadgeOS problem. That might have been the plugin that was compromised. ProPanel, which is a LearnDash plugin, is now throwing an error too. There's ProPanel. Yes, -off would be a better name than -old, but it's fine as long as you know what it is that you changed the name to. Those two plugins are deactivated; they were both throwing errors, so we deactivated them. Now the page loads again.

Now we can activate plugins and update plugins. There are a couple to be updated; that was likely part of the reason why this issue occurred. So I'm just going to select all and click on Update. Even if they don't all have updates, it's going to update the ones that do. I'm just going to wait for these to all update. You'll also notice they're activated again, because I changed the folder name from plugins old back to plugins. Once they're updated, we should be able to go back to the home page and refresh the page, and it should load as it was designed to load.

Visual Composer, or once this update happens it's going to be called WPBakery Page Builder, is actually not an automatic update, so I've got to download this update from ThemeForest, or rather CodeCanyon, which I'm not going to bore you with. I have a whole playlist on this plugin, actually, where I can bore you with getting the plugin from CodeCanyon. But for this tutorial I'm actually going to see if the site works without updating it, because the point of this video is to show you how to recover the hacked site, and if the site loads then that was a success.

Okay, so seven updates successful, one failed, which is WPBakery because it's not an automatic update. Let's refresh this home page and see what happens. Look at that, all the content is back, everything is as it should be. Let's go to About: there's the About page, no Visual Composer text, just all the content how we want it to appear. Services, testimonials, it's all good. The site is back online and plugins have been updated.

We had an error in these two plugins, so if we change these names back, these will likely break the site right now. Let's just try it. So it wasn't actually those plugins that broke the site, possibly. Let's activate all these BadgeOS ones. It might have been that other plugins were outdated and they conflicted; that might have been the cause of the problem. But when we try to activate BadgeOS we get a big old error, so this is one of the plugins that was causing the problem and probably led to a hack. Let's try activating ProPanel; it might throw another error, and it does. So those two plugins are the cause of the problem, and I'm going to have to go out and find the versions of these and see if that helps.

Let's find BadgeOS. BadgeOS is a free plugin, and the one I was using on the site is a free version, so let's just get that from the repository and download it from here. The ProPanel plugin is from LearnDash, so I log in to my LearnDash account. I haven't logged in to this account in ages, so hopefully it still works. License notice: license about to expire, but it's not expired yet, so let's see if we can download these plugins. Oh, it has expired.

Why didn't it auto renew? I always set stuff to auto renew. Anyway, clearly I have to renew this before this will work, but let's do the BadgeOS one first. In the plugins folder, we are going to upload a plugin, and it is this one right here. I'm going to drag and drop it into the box. You can close this once it's uploaded. Reload this page. I'm going to turn this one off, the original BadgeOS, and then I'm going to unzip the one we just uploaded. Now we have that new version of BadgeOS. You'll notice that this one, the one we just downloaded from the repository, was last modified November 7th 2017, and this one was modified November 17th, so I wonder if that's when the hack happened. The timestamp November 17th appears on this plugin, this one, and this one, so it might be wise for me to just go ahead and replace all these plugins, just in case there's some backdoor installed in one of them.

Let's see what happens with this BadgeOS and see if we can activate it, because it should be a new clean version, unless it's tied to something else that's not working right. All right, so now let's activate. Let's activate these two as well and see if that still works. Plugin activated. Hold on, let's try this one again; I might have tried the wrong one, I wasn't paying attention, because that's the old one. This is the old one that we are replacing at this point. So now we have all our BadgeOS plugins installed, and we can delete the one that we turned off, because that one is somehow compromised. After I renew my LearnDash subscription, I will be able to install ProPanel again. Or maybe the ProPanel problem was caused by that BadgeOS one; I'm going to try activating it again and see what happens. Yeah, I know it's not caused by BadgeOS; it's somehow compromised, so I need to get the new version of that. Let's just refresh this page, come back out to here, and confirm everything still works. Let's go to the home page. Everything's back online, so we have now recovered our hacked site.

My game plan (I'm not going to bore you with the actual details) is to replace the ProPanel add-on for LearnDash and update WPBakery, the Visual Composer, and then everything is back up to date: the latest version of WordPress, because we got that from there and replaced all the files manually. Now our hacked site is recovered. I do still want to keep an eye on it for a little while to see if something goes wrong. Some of these plugins in here have the same modified timestamp as that BadgeOS one had, and they may be compromised, so I'm going to go ahead and replace all the ones that have the same timestamp. In fact, I'm just going to replace all the plugins. It doesn't take long to just make a list of the plugins you have, delete them, and replace them. Well, actually, it might take long depending on what those plugins are, because sometimes when you delete them it deletes all their data from the database. So you're best served to do what I did here: go to the repository, download the plugins, and then upload them here, renaming the folder of the old plugin and uploading the new fresh one. Then you don't have to delete them, but they're all replaced with newer versions. That's the whole game plan, and we just recovered the hacked site in 20 minutes or less. That's all there is to it. I hope this video helps you.
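The two checks used in this walkthrough, comparing the quarantined site against a fresh WordPress download and looking for files that share a suspicious file's modified date, can be scripted. This is an added Python example, not code from the video; the function names and the constructed sample trees are assumptions for illustration, and the clean copy is assumed to be the same WordPress version as the site.

```python
import hashlib, os, tempfile, time
from pathlib import Path

SKIP_TOP = {"wp-content", "wp-config.php"}   # site-specific, never in a fresh download

def core_files(root):
    """Relative paths of all files under root, skipping SKIP_TOP entries."""
    return {p.relative_to(root) for p in Path(root).rglob("*")
            if p.is_file() and p.relative_to(root).parts[0] not in SKIP_TOP}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_core(site_dir, clean_dir):
    """Compare the site's core files with a fresh copy of the same WordPress version."""
    site_dir, clean_dir = Path(site_dir), Path(clean_dir)
    clean, unknown, changed = core_files(clean_dir), [], []
    for rel in sorted(core_files(site_dir)):
        if rel not in clean:
            unknown.append(rel.as_posix())   # not part of core, e.g. a dropped file
        elif sha256(site_dir / rel) != sha256(clean_dir / rel):
            changed.append(rel.as_posix())   # core file edited in place
    return unknown, changed

def modified_near(site_dir, reference, window=3600):
    """Files anywhere in the site modified within `window` seconds of `reference`."""
    site = Path(site_dir)
    ref = (site / reference).stat().st_mtime
    return sorted(p.relative_to(site).as_posix() for p in site.rglob("*")
                  if p.is_file() and p != site / reference
                  and abs(p.stat().st_mtime - ref) <= window)

def build_sample():
    """Constructed stand-in trees (not real WordPress files) so this runs offline."""
    base = Path(tempfile.mkdtemp())
    def put(rel, body, age_days=0):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        os.utime(path, (time.time() - age_days * 86400,) * 2)
    for name in ("index.php", "wp-login.php", "wp-includes/version.php"):
        put(f"clean/{name}", "<?php // core", 90)
        put(f"site/{name}", "<?php // core", 90)          # untouched: 90 days old
    put("site/wp-login.php", "<?php // core + injected")  # tampered, modified now
    put("site/lead.php", "<?php // obfuscated blob")      # dropped file, modified now
    put("site/wp-content/plugins/badgeos/badgeos.php", "<?php // plugin")
    return base / "site", base / "clean"

if __name__ == "__main__":
    site, clean = build_sample()
    print(audit_core(site, clean), modified_near(site, "lead.php"))
```

Modified times can be reset by whoever wrote the file, so a timestamp match is a lead for further inspection, and the absence of a match does not show that a file is clean.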

