Fix Hacked WordPress Website | A Step-by-step Guide to unhack WordPress

If your WordPress website got hacked, don’t worry. Follow the steps I do in this video and you might be able to fix your own hacked WordPress website. If you are unable to do it yourself, you can hire me! 👇🏻👇🏻👇🏻 Start here 👇🏻👇🏻👇🏻

Do you want to support my channel? Leave a like or buy Divi / Elementor Pro with 10% discount via the link below. That will help me enormously to create these free videos for you and keep going!

⇒ Software that I recommend:
✅ Divi with 10% discount ⇒ https://wp.discount/divi-discount/
✅ Elementor Pro ⇒ https://wp.discount/elementor-pro-dis
✅ Hosting & Domain provider ⇒ https://wp.discount/hosting/
✅ Best caching plugin ⇒ https://wp.discount/wp-rocket-discount/

I want you to succeed with your website, so let's get started.

⏱️Timestamps⏱️
0:00 Intro
0:15 Check if you are really hacked
1:02 Login to hosting company
1:17 Change FTP credentials
2:05 Fix Database Error
4:06 Login to WordPress
4:46 Delete any strange Users
5:02 Inspect posts
5:24 Inspect pages
5:37 Inspect plugins
6:00 Update themes and plugins
6:12 Inspect your theme
7:04 Inspect themes
7:30 Inspect with FTP
8:28 Found Eval
9:00 Malware scan
10:36 Results of scan
13:03 Remove all malware
14:23 Restore permalink structure

Thank you for watching! 😀

✅For tips and tricks on getting the most out of WordPress, don’t forget to subscribe: https://wpressdoctor.com/sub

📖Transcript📖
In this video we’re going to clean a hacked website from a subscriber who reached out to me. If you follow my step-by-step instructions you might be able to clean your own website. We’re gonna start, right now.

So the first thing we do is actually check if your website really has been hacked. How do you know that? Well if you try to reach your website and this is what you see, there’s something wrong. But what you really need to check is go into Google over there, and type in site: and then you type in your url without www. like this feedforlifestyle.com. And I press Google search. This is weird. “Ugerichtkeit Latein Chronish” what is this? This is not supposed to be here. This is Dutch so that’s okay. We’ll go to the next one. This is oh redirects to amazon.com? So they created the blog I can see what’s going on here. Alright so there’s definitely something going on with this website. I asked my subscriber for the hosting login so we’re going to log into the hosting page right now. All right we’re at the hosting company so let’s log in over there. Let’s find out what we will see over here. We go to the dashboard I think. So I’m looking for some kind of CPanel but… oh it’s just this. That’s okay let’s go to FTP access. So the first thing we need to look inside of the website what is actually going on. To do this I’m gonna use FTP. If you have no experience with FTP, just follow this tutorial and I’ll show you step by step how to install it, how to use it and how to get access to your own server. Very easy, just follow the steps. Alright now we are inside of the website. Let’s go to web space in this case. Let me make this a little bit bigger for you guys. And then you need to go to httpdocs. Let’s see what’s in here. Then we have a WordPress installation I think. Yes. All right this looks good. Save it. All right then we have wp-admin, content includes. This is a normal WordPress installation which looks actually pretty fine. Let’s scroll down a bit what we see over here nothing really. But when I try to reach the website this is what we see: “a database connection” if you go over here it is actually inside of this file. So we’re going to view and edit it.
Right click, and then you open up some kind of editor. In this case we have all this this. This looks actually pretty good. Let’s see if it still connects to the database. And then I go into the hosting and I’m going to look for the… I need to find a way how to get my PHP database information from here. And I scroll down and in here we can see the database name. Let’s see if this still works I’m going to copy this one. Name is actually the same. And I’m going to paste it, yes it is the same. So that’s great. And then we just go ‘Database information’ over there, great. Now we have the database name and we have to see if the user is still okay. Let’s check this user. User is great, and now when you edit the user you can also change the password. So I’m going to create a really safe password, I’m gonna save it. So now we have a new password for our database. We’re gonna fill it in over here; database password. Paste it in. I gotta blur this out of course in the video. I’m going to save this file and go back to FileZilla. If I now go back my FileZilla will say a file has been changed wp-config.php do you want us to upload it? Yes of course. Press yes. And I’m curious if the website is working again. Let me go back to the database error. Let’s press F5. It’s doing something…

📖 Read the rest of the transcript at https://wpressdoctor.com/


Content

0.18 -> In this video we're going to clean a hacked  website from a subscriber who reached out to  
4.8 -> me. If you follow my step-by-step instructions  you might be able to clean your own website.  
9.78 -> We're gonna start, right now. So the first thing  we do is actually check if your website really  
15.6 -> has been hacked. How do you know that? Well if you  try to reach your website and this is what you see,  
20.76 -> there's something wrong. But what you really need  to check is go into Google over there, and type  
26.82 -> in site: and then you type in your url without  www. like this feedforlifestyle.com. And I press  
34.68 -> Google search. This is weird. "Ugerichtkeit Latein Chronish" what is this? This is not supposed to be here. This is Dutch so  
45 -> that's okay. We'll go to the next one. This is oh  redirects to amazon.com? So they created the blog  
52.62 -> I can see what's going on here. Alright so there's  definitely something going on with this website.  
57.6 -> I asked my subscriber for the hosting login so  we're going to log into the hosting page right now.  
63.42 -> All right we're at the hosting company so let's  log in over there. Let's find out what we will  
68.16 -> see over here. We go to the dashboard I think. So  I'm looking for some kind of CPanel but... oh it's  
74.22 -> just this. That's okay let's go to FTP access.  So the first thing we need to look inside of  
79.8 -> the website what is actually going on. To do this  I'm gonna use FTP. If you have no experience with  
85.32 -> FTP, just follow this tutorial and I'll show you  step by step how to install it, how to use it and  
91.2 -> how to get access to your own server. Very easy,  just follow the steps. Alright now we are inside  
97.32 -> of the website. Let's go to web space in this case.  Let me make this a little bit bigger for you guys.  
104.22 -> And then you need to go to httpdocs. Let's  see what's in here. Then we have a WordPress  
109.26 -> installation I think. Yes. All right this looks good.  Save it. All right then we have wp-admin, content  
117.84 -> includes. This is a normal WordPress installation  which looks actually pretty fine. Let's scroll down  
123.78 -> a bit what we see over here nothing really. But  when I try to reach the website this is what we  
128.88 -> see: "a database connection" if you go over here it  is actually inside of this file. So we're going to  
134.22 -> view and edit it. Right click, and then you open up  some kind of editor. In this case we have all this  
141.72 -> this. This looks actually pretty good. Let's see if  it still connects to the database. And then I  
146.28 -> go into the hosting and I'm going to look for the...  I need to find a way how to get my PHP database  
154.98 -> information from here. And I scroll down and in  here we can see the database name. Let's see if  
161.94 -> this still works I'm going to copy this one. Name  is actually the same. And I'm going to paste it,  
166.5 -> yes it is the same. So that's great. And then we  just go 'Database information' over there, great.  
173.64 -> Now we have the database name and we have to see  if the user is still okay. Let's check this user.  
181.08 -> User is great, and now when you edit the user  you can also change the password. So I'm going  
186.36 -> to create a really safe password, I'm gonna save  it. So now we have a new password for our database.  
191.16 -> We're gonna fill it in over here; database password.  Paste it in. I gotta blur this out of course in the  
198.3 -> video. I'm going to save this file and go back to  FileZilla. If I now go back my FileZilla will say  
205.26 -> a file has been changed wp-config.php do you want  us to upload it? Yes of course. Press yes. And I'm  
212.4 -> curious if the website is working again. Let me go back to the database error. Let's press F5.
218.22 -> It's doing something... so let's see what's  happening. Here we are! All right so the website  
223.92 -> has been restored now. Now we can actually  log into the website again and it works. Great.  
229.92 -> Let's go I think it's the owner of the  website in here, yeah Debbie nice Debbie.  
235.32 -> Great website. All right we're going to log in the  website and see if there are still traces of the  
242.04 -> hack. Because I don't see it right now, but I could  be wrong. What we're going to do, we're going to log  
248.1 -> into this WordPress website. We're going to do this  with... I think it's still /wp-admin/ let me see.  
255.36 -> Yeah that's not pretty safe, but we're  gonna fix it later on for this guy.  
259.98 -> I'm gonna log in with the username they have  given me. Let me see let me see, where are we...  
266.64 -> The username is still admin. No wonder why she  has been hacked, because it's just a matter of  
271.38 -> time if you're using /wp-admin/ with the username  admin. That's just waiting for you to get hacked.  
278.58 -> Let's press login. Let's see what we're gonna find  over here. All right this looks okay. The  
284.88 -> first thing I'm gonna do is go to 'Users' - 'All users'.  And check for any users that are not supposed to be  
290.76 -> here. And if they are, check them and just press  delete. Also make sure to change your own admin  
297.06 -> password, just to be sure. Find nothing wrong here,  let's go to posts. Now let's see over here if we  
304.08 -> can find something weird that's not supposed  to be here. We have only have 30 options so we  
308.82 -> could be doing this pretty quick. All right  in here I can only see normal pages just...
317.52 -> these are just legitimate pages I suppose. Nothing  strange in here, so this is great. All right then  
324.48 -> we go to the 'Pages' - 'All pages' and see if we see  any weird pages in here that's not supposed to  
330.9 -> be there. There are only 18 pages so that should  be really easy. All legit pages nothing wrong here.  
337.02 -> Then we go to 'Plugins'. Let's see if we have any  malicious plugins in here. So we have a few updates  
343.62 -> but they're not really extremely old. So it doesn't  seem to me that this is the way they got hacked. I  
350.7 -> don't actually see anything weird stuff in here.  So this actually looks kind of great, but there  
356.76 -> could be some stuff still going on. The next step now  is to update all plugins and all themes because  
362.64 -> it might be possible there's still an open gate  for hackers. So we're going to select it all and  
367.62 -> press 'Update plugins'. We can actually try to  open the theme file editor while we are waiting.  
374.16 -> Let's see if this hosting company enables us to  also edit the theme while updating... yes it works.  
380.52 -> What I want to see is actually if some malicious  files has been added to the Kadence...
388.5 -> Kadence theme...  How do you call it? I don't know... First thing you  
396.54 -> go do is check the footer.php and sometimes  you see here's some weird things. Header.php  
404.1 -> nothing strange. Some hooks but they're okay  normal I think. I can't see anything weird.  
410.76 -> alright let's go back to why is this giving me  a Gateway timeout? Something's fishy is going on.  
418.14 -> Let's go back to updates the Kadence theme. Let's update it. Alright let's go to 'Themes'  
424.74 -> and let's see which themes we already have  in here. What's this? Twenty Fifteen/dlphrofiws? 
434.34 -> Now this looks fishy! All right let's go check this  theme what this actually is. A Twenty Fifteen by Anonymous?  
443.46 -> Hmm I think we're onto something. Let's get back  to FileZilla. We go to /wp-content/ because this  
449.58 -> is the place where all your your themes and  your plugins are. We go in here we go to themes.
456.54 -> Now we have found something malicious.  Because this file is not supposed to be here.  
463.92 -> Here we got something guys. Let's  see what this. View / edit.
468.66 -> Yes this code all right all right. URL decode  yes. Yeah whenever you see something like URL  
475.26 -> decode and then they got a key in here, that means  they're gonna inject some code which cannot easily  
482.16 -> be detected, but it can be decoded if you have  the right key, with this one. Then you can see  
487.08 -> what's actually going on inside of your website.  So this is definitely a malicious theme injected  
494.22 -> by some automated system or a hacker. Let's see  what we can find any further in this website. In  
500.16 -> themes we also have another one in here, and this  is also suspected. What is suspected file? Now we  
508.32 -> can see that there is a 'Eval' code in here. Eval  base64 decode hack is a PHP code execution attack  
515.82 -> which is clouded by a base64 encoding scheme to  hide the malicious code. Now we know what they did  
524.22 -> with the website that placed some themes inside  of the WordPress website. Of course you can clean  
529.92 -> this up by selecting this and just delete it over  there. However I still want to know what this is, so  
536.7 -> we're not going to delete it right now but we're  gonna run a scan on the website. What are we gonna  
540.6 -> do? We go to 'Plugins' over here we're gonna 'Add  new'. For scanning your website I always use   
546.72 -> WordFence. We're gonna install WordFence then we  press 'Activate.' Add your WordFence license over  
552.66 -> here. We're gonna click on 'Get a free license'  over here. I'm waiting 30 days, no problem. And  
557.46 -> your email address over there. [email protected]  And I don't want to have the alerts to my email.  
564.06 -> Then I press register over here, and we're going  to check our email for the license key. Here we  
569.16 -> are, just click on this button. And then it's going  to install the license automatically, really great.  
574.38 -> Here we are, install license. Congratulations let's  go to our dashboard. Press 'Close' this one. And then  
581.46 -> we go to the WordFence scan over here. What we're  going to do right now is press 'Start new scan' WordFence  
588.18 -> will now start scanning the entire site, so  now we can get a real clear image of how big this  
595.2 -> hack actually is, what kind of files they'll  be using, we're just gonna let this scan run.  
600.06 -> And I think it's gonna take a little bit of time  before the scan completes. Also in plugins we can  
606.66 -> see some malicious files. These are all legitimate  legitimate, legitimate and then we find something.  
613.5 -> What's this? This is actually a generated file by  an automated bot. If we follow all these files in  
620.34 -> here again this is just the normal files that  we saw earlier on with an eval decode base64  
628.32 -> again. So we have malicious themes and malicious  plugin that needs to be removed from this website  
634.44 -> before hackers can access it again. The results are  in and if we scroll down now we can see that yes  
641.64 -> of course the malicious files has been filed. Just  like I showed you in the themes folder and plugins  
647.46 -> folder. If you click on details: this is a backdoor  PHP file malicious backdoor using xor obfuscation.  
656.88 -> Nice. PHP URL decode yes, a vector known as rEval C and let me see where this is actually... those  
666.3 -> are the plugins we already saw, and the themes of  course. But then we have a plugin 'Background image  
674.16 -> Cropper'? Is it a legitimate plugin let me see if  this is actually a legitimate plug-in. wp-content  
681.42 -> plugins/background image Cropper. They fooled me! I  thought it was a legitimate plugin but it is not!  
689.88 -> um hmm. Or it was, and it has been infected, that  could also be, they just placed a file in here.  
698.46 -> Alright let me go down here to the themes again  what is this? It's an obfuscation inclusion technique  
704.94 -> yes of course we know. Again malicious code  and what is this suspicion code construct.  
712.8 -> Yes. Obfuscated file uploading behavior...  nice! Suspicious code, suspicious code...  
723.06 -> File often seen on Infected files php print upload  nothing um. And again suspicious code obfuscated  
734.16 -> decoding Behavior resembling malicious  behavior. Yes that's what I thought.  
740.64 -> Also this.. wow there are a lot of things. Look  at this, great. And all in the places I.... plugins  
750.78 -> 'post-layouts'? Another plugin? Also in the  plugins Kirki packages. Yes they've just placed all kinds  
761.4 -> of files on all kind of plugins. Happy Elementor  add-ons, post layouts and then we are at the root  
769.92 -> of the problem. The plugin "Background image Cropper"  seems to be abandoned. Last update 30 March 2020.  
778.68 -> This plugin seems to be abandoned so that's a big  security risk. The next step is scroll all up and we're  
785.64 -> gonna press this button 'Delete all deletable files'.  Click on it, and press 'delete files'. Here we go.  
792.42 -> 20 files deleted successfully. Close it. Then we're  gonna check with FileZilla if these plugins has  
799.98 -> been removed like we thought. Then the plugin  'Background image Cropper' has been abandoned  
805.5 -> so we're gonna delete this from your website. I  think this and using the admin user could be the  
811.32 -> cause of all these troubles. Delete it, yes. Then  we're going to scroll down is this one removed?  
818.88 -> Yes all the files inside of it has been removed  but this still remains, so we're gonna delete it  
824.4 -> also, clean it, yes. Go all these things seems to  be okay, let's go to the themes, and let's check  
830.64 -> out what WordFence actually did. It deleted a lot  of files, but some are still here also with this.  
836.4 -> Some are still here, and this deleted all files but  not everything. So what are we gonna do? We're  
842.94 -> gonna delete all these themes except for Kadence which they're using... Kadence? I don't know man.  
849 -> Just delete all these files except for the theme  you're using. Delete it, press yes. Just wait a while  
855.48 -> while it's being deleted. I think we've cleared  this website out, let me see if everything still  
860.46 -> works the way it should work. Well what do we see  is when we click on another page like this, you  
866.52 -> see the 404 not found page. Why is this? Because of  the .htaccess files has been changed by the attack.  
874.74 -> You can fix this really easy. Just go  to 'Settings' go to 'Permalinks' over there.
880.92 -> and then we're gonna press save changes. Make sure  this is on 'post name' and press save changes again.   
886.32 -> Then the permalink structure has been updated.  And if all is good... when I open it now in a  
891.72 -> private window and I go to another page. You will  see that everything's works the way it should!  
899.1 -> So we definitely cleaned this site but it  still needs to be secured. Make sure to  
904.2 -> follow my tutorial about WordPress Security on  iThemes because this website is still a sitting  
909.9 -> duck for hackers. If you have any questions or  just want to say 'Thank you Matt!' drop them down  
915.12 -> in the comments, I'll always reply. Subscribe over  there if you want to see more WordPress related  
920.22 -> videos, and check out this video which is also  again completely hacked!
925.611 -> Uh hacked? I mean not hacked...
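The FTP-side inspection from the video (spotting eval/base64_decode, urldecode-with-a-key and XOR loops in wp-content, plus theme folders that are not real themes) can be scripted. This is an added example, not the video author's code or WordFence's: the wp-content tree it scans is constructed inline, and the signature list, the plugin slug "background-image-cropper" and the style.css check are heuristics I chose.

```python
import re
import tempfile
from pathlib import Path

# Patterns behind the "eval base64_decode", "URL decode with a key" and "xor obfuscation"
# findings the video walks through. Heuristics, not a substitute for a full malware scanner.
SIGNATURES = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval_urldecode": re.compile(r"eval\s*\(\s*urldecode\s*\(", re.I),
    "xor_loop": re.compile(r"chr\s*\(\s*ord\s*\([^)]*\)\s*\^"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

def scan_php_source(source: str) -> list[str]:
    """Return the names of every signature that matches this PHP source."""
    return [name for name, rx in SIGNATURES.items() if rx.search(source)]

def scan_tree(wp_content: Path) -> dict[str, list[str]]:
    """Map each flagged .php file under wp-content (relative POSIX path) to its hits."""
    findings = {}
    for path in sorted(wp_content.rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(wp_content).as_posix()] = hits
    return findings

def themes_without_style_css(wp_content: Path) -> list[str]:
    """Every real theme ships style.css; a theme folder without one deserves a look."""
    themes = wp_content / "themes"
    if not themes.is_dir():
        return []
    return sorted(d.name for d in themes.iterdir()
                  if d.is_dir() and not (d / "style.css").is_file())

# Constructed sample files (not taken from the hacked site in the video).
CLEAN_PLUGIN = "<?php\n/* Plugin Name: Example */\nadd_action('init', 'example_init');\n"
ROGUE_THEME = "<?php\n$k = 'c2VjcmV0';\neval(base64_decode($k));\n"
XOR_BACKDOOR = ("<?php\n$o = '';\nfor ($i = 0; $i < strlen($s); $i++) {\n"
                "  $o .= chr(ord($s[$i]) ^ ord($k[$i % strlen($k)]));\n}\neval(urldecode($o));\n")

def build_sample_tree(base: Path) -> Path:
    """Lay out a tiny wp-content tree: one clean plugin, one real theme, two implants."""
    wp = base / "wp-content"
    files = {
        "plugins/example/example.php": CLEAN_PLUGIN,
        "plugins/background-image-cropper/uploader.php": XOR_BACKDOOR,  # dropped into a real plugin
        "themes/twentyfifteen/style.css": "/*\nTheme Name: Twenty Fifteen\n*/\n",
        "themes/dlphrofiws/functions.php": ROGUE_THEME,  # the whole theme folder is fake
    }
    for rel, body in files.items():
        (wp / rel).parent.mkdir(parents=True, exist_ok=True)
        (wp / rel).write_text(body)
    return wp

def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Build the sample tree in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = build_sample_tree(Path(tmp))
        return scan_tree(wp), themes_without_style_css(wp)
```

Point `scan_tree` and `themes_without_style_css` at a downloaded copy of a real wp-content folder to get the same kind of file list the video reads off WordFence, then review each hit by hand before deleting anything.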

Source: https://www.youtube.com/watch?v=7UoMpX_3c_M