Securing a Compromised WordPress Website

A compromised Wordpress site can be a very frustrating and time-consuming task to recover from. To secure and remove future threats of your site being compromised, there are several actions that we recommend being taken as soon as you are able.

The steps below will require you to have access to the site files for the site(s) in question. You can access your site files via the control panel, RDP, SSH, or via FTP Access.

Website access and connection information can be found within your hosting account’s welcome e-mail.

Currently we have guides on creating FTP users for our windows environment as well as guides on accessing your server via RDP if needed.

Steps to take in the event of a compromised wordpress site

  1. Obtain a list of all plugins/themes currently installed on the site that you would like to keep.

    Note: It is important to create this list so that you can keep track of your plugins and themes while they are deleted and reinstalled. We strongly recommend discarding any unused or unneeded plugins / themes. The more plugins and themes installed on a site, the higher the threat of a compromise. If any of your plugins or themes are not updated by their developers on a frequent basis, it may be time to replace them. Look for replacements that have more active developers and more consistent updates. Out of date plugins and themes are a significant cause of WordPress security compromises.

    • Login to your WordPress admin dashboard. (yourdomain.com/wp-admin)
    • Click ‘Plugins’ to obtain a list of currently installed plugins.
    • Click ‘Themes’ to obtain a list of currently installed themes.

  2. Delete all files on the site except for the the following:

    wp-content folder (for now)
    wp-config.php file (connection string to your database)

    Even sub-directories that contained custom code (such as development work via PHP, ColdFusion, ASP, etc.) could contain backdoor exploits that the hacker placed. Because of this, we recommend removing these custom directories from the site as well and re-uploading those from a backup you can verify doesn’t contain any bad files.

    There should be nothing in the root directory of the site except for the wp-content folder and the wp-config.php file.

  3. Navigate into the wp-content folder and delete everything except for the ‘uploads’ folder within your wp-content directory.

    Note: This includes deleting the ‘plugins’ and ‘themes’ directories.

  4. Disable script execution from the /uploads directory. To do this, refer to the Windows or Linux/cPanel sections below, depending on the operating system your website is hosted with.

    Windows If your website is on a Windows operating system, you can accomplish step #4 by creating a file called '**web.config**' within the /wp-content/uploads directory. Place the following code in this file:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <handlers accessPolicy="Read" />
      </system.webServer>
    </configuration>
    

    Note: The above code changes the access policy for script handlers (such as PHP, ColdFusion, etc.) to ‘read-only’ which restricts them from being executed.

    This will allow common uploads (such as images) and any files created by your plugins or themes to continue working as normal.

    Linux/cPanel If your website is on a Linux/cPanel platform, you can accomplish step #4 by creating a file called '**.htaccess**' within the '/wp-content/uploads/' directory. Place the following code in this file:
    <FilesMatch ".*\.(php)$">
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    </FilesMatch>
    

    Note: The above code blocks all direct requests to PHP files. PHP files are the most commonly compromised file type in WordPress security breaches. Linux/cPanel does not offer a way to block script handlers like Windows, but this is the next best thing.

  1. Search through the /wp-content/uploads/ directory and look for any files that appear out of the ordinary. For example, you most likely should not have any .php files in this directory. Look for anything that you don’t believe should reside in this directory and delete it so that no back door access can be achieved.

  2. Download the latest version of WordPress to your local computer. The latest version of WordPress can be downloaded here, or by browsing directly to their site: https://wordpress.org/download/

  3. Extract the newly-downloaded files to a folder on your computer. Then, copy over all files to your website’s root directory. There should not be anything to overwrite as all non-custom site files should have been deleted in the above steps.

  4. It is a common practice to keep PHP updated to the latest version so that any vulnerabilities in older versions will not affect your site. It should also be noted that since we upgraded WordPress to the latest version, your website might require a higher version of PHP than it was previously using. We recommend the latest versions of PHP possible, however this is completely up to you. As before, refer to the Windows or Linux/cPanel sections below to do this, depending on the operating system your website is hosted with.

    Windows
    Log into your WCP control panel and click ‘PHP Settings’ under ‘Website Settings’ section. Then, click the drop-down next to ‘PHP Version’ and select a version that is 5.6 or above. Once selected, click ‘Save’.

    Linux/cPanel
    Login to your cPanel control panel and click ‘Select PHP Version’. Then, click the drop-down next to ‘PHP Version’ and select a version that is 5.6 or above. Click ‘Set as current’.

  5. WordPress should now be set up on your website and you should be able to access the WordPress dashboard once more. Since we haven’t touched the WordPress database you should still be able to login to WordPress with the same credentials as you could before.

    Within the WordPress dashboard, refer to the list you made earlier and re-install your plugins and themes. Do not move over or import the old files you had previously as there is a chance they are compromised.

    Important Recommendations:

    • Use plugins with an active support team.
    • Read user reviews of plugins. This will give you an idea of customer satisfaction for the plugin.
    • Check the documentation to ensure that the plugin is compatible with your version of Wordpress.
    • Check the update frequency of plugin. Regular updates and patches are important in keeping on top of security threats.

  6. At this point you should now have removed all compromised files on the site, re-installed the latest WordPress files, and updated PHP to the latest version. While still logged into your WordPress dashboard, navigate to the ‘Users’ section and ensure that there are no additional usernames/logins for the WordPress dashboard, especially with “Administrator”-level access.

    Change the password to the existing administrator user that you use. If your username is ‘Admin’ or any other predictable username, we strongly recommend changing this as well for extended security.

    Note: A strong password is a MUST for WordPress security. See our guide on meeting password requirements.

  7. We now recommend that you install a reputable WordPress security plugin, such as our following recommendations:

  8. Consider restricting access to the WordPress dashboard to specific IP Addresses. This is not only for the security of your site, but it can help protect the performance of the site and all other sites on the server.

    WordPress sites are attacked every day by malicious bots attempting to brute force your username and password. In other words, attackers attempt to guess thousands or hundreds of thousands of different password combinations on the off-chance that they guess your password and break their way into the site.

    One good method to prevent these attacks is by restricting access via the means below. As before, choose the steps based on the operating system your website is hosted upon.

    Windows On the windows environment you can create a (or edit an already-existing) file named '**web.config**' on the root directory of the website (_/wwwroot/ directory_) and place the following code:
     <?xml version="1.0" encoding="UTF-8"?>
     <configuration>
         <location path="wp-login.php">
             <system.webServer>
                 <security>
                     <ipSecurity allowUnlisted="false">
                         <add ipAddress="12.34.56.78" allowed="true" />
                     </ipSecurity>
                 </security>
           </system.webServer>
         </location>
         <location path="wp-admin">
             <system.webServer>
                 <security>
                     <ipSecurity allowUnlisted="false">
                         <add ipAddress="12.34.56.78" allowed="true" />
                     </ipSecurity>
                 </security>
             </system.webServer>
         </location>
     </configuration>
    

    The code above will allow you to lock down the WordPress Dashboard to only specific IP Addresses. You will notice that there is two parts to this rule:

    1 ) wp-admin folder lockdown

    2 ) wp-login.php file lockdown

    Both of the file references have to be present in the rule so that attackers cannot attempt a brute force on either login page (technically the same login functionality, however different URLs to lock down).

    To add your IP Address to the ‘allowed’ list you’d just make a copy of the line (below) and add your real IP Address in instead. You can find your public IP visiting here:

    <add ipAddress="12.34.56.78" allowed="true" />
    

    Note: You’ll have to do this for both sections (wp-admin and wp-login.php).

    Linux/cPanel Create a ‘**.htaccess**’ file in the root directory of the site (public_html directory) and place the following code:
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]
    

    The code above will restrict access to both the wp-admin directory and the wp-login.php file all in the same code.

    You can change the IP Address in the referenced on the line containing to your actual IP Address. For example I’ve added two different IP Addresses to the allowed list in my below code example:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^64\.207\.234\.198$
    RewriteCond %{REMOTE_ADDR} !^8\.43\.59\.66$
    RewriteRule ^(.*)$ - [R=403,L]
    

    In the above example we added the IP Address ‘64.207.234.198’ and ‘8.43.59.66’ to the allowed list to access the WordPress dashboard.


  9. We also encourage you to consider utilizing Cloudflare for your domain(s). Cloudflare can protect against brute force type traffic. Cloudflare also provides built in firewall features (included in free plan) which protect against different injection methods used by attackers.

    Note: .htaccess rules and web.config rules above will be managed through the Cloudflare interface. Any IP limiting rules would need to be removed from your .htaccess and web.config files prior to moving behind Cloudflare.


    You can view more on Cloudflare at their website: https://www.Cloudflare.com/


Additional information on securing your Wordpress Application can be found in the following link:

Wordpress: Application Security