How to Clean Hacked WordPress Website | Step by Step tutorial 2023


Got hacked? I am here to help you out. In this tutorial we will fix a hacked website step by step. It’s a real case so we are about to bump into some problems.


I want you to succeed with your cybersecurity, so let's get started.

⏱️Timestamps⏱️
0:00 Intro
0:27 Step 1 - How to check if you are hacked
1:40 Step 2 - Check for clean backups
2:08 Cleaning the site
6:13 Reinstall WordPress
12:00 How to login if you cannot login anymore
13:10 Clean up hacked users
14:50 How did this site get hacked?
16:30 Step 3 - Clean posts, pages and media
18:05 Step 4 - Do the Malware Scan
19:52 Step 5 - Check Spam on Search Result Page


Content

0.06 -> In this video we're gonna clean a  hacked WordPress website. If you follow this  
4.68 -> step-by-step instructions, you might be  able to clean your own website.
13.14 -> A subscriber to my channel came to me, told me he  needed help fixing his hacked website. He tried to  
19.26 -> follow my steps on the previous video, but he  could not gain access to his WordPress website.  
24.96 -> We're going to try to fix this website. First of  all, how do you really know your website has been  
30.78 -> hacked? Go to Google and type in this: site:YOURURL and press Google search. Oh this is not good.
40.88 -> 1320 pages are all with this. This is  typical Japanese SEO spam. Someone has gained  
50.7 -> access to the website and a script is filling  it. So when I click on one of these results...  
56.34 -> Potential phishing attempt. So these Japanese SEO  spam is actually redirecting me to a phishing page.  
64.62 -> If this is your website, that's not good.  Another sign is when you try to open up  
69.78 -> your website, this is what you see. These  pages is just... well like this. Oh this is  
75.18 -> not good guys. And somewhere in these pages  are of course links to other webshops or  
80.46 -> in our case, the phishing pages. If I try to  go to the front page, this is what I see.
89.28 -> Nice. On top of that also the hosting company  has pulled the website multiple times  
95.34 -> offline, because they say there's malware on your  website. Now the second thing to do is check if  
100.92 -> you have backups ready on your website if you  do have backups and they are not infected and  
107.16 -> not hacked you can put them back follow this  tutorial about iThemes Security secure your  
113.22 -> website and you should be safe from there now  and of course don't forget to change all your  
118.8 -> passwords after doing so but in this case also  the backups were infected and hacked with malware  
125.28 -> so we're going to try and clean this website  up I tried to log in the website but it's just  
130.92 -> not giving me any login page at all so what you  want to do to fix this is connect to your website  
136.8 -> with FTP if you have never done this before it's  no problem follow this tutorial and I'll show you  
143.16 -> step by step how to install an FTP client and  connect it to your website it's completely free  
149.94 -> and I'll guide you how to get your FTP password  and credentials it's gonna be all fine if you are  
156.3 -> connected to your website then go to public_html  where you can see this run WP admin, content and  
161.82 -> includes the first thing to check out is  of course the .htaccess file right click on it  
166.68 -> and press View/Edit now this is definitely not  from WordPress this looks like WordPress but  
173.28 -> this does not this kind of code is typical a  hacked code that these files may not be edited  
180.48 -> by someone else than the script itself and these  are not standard WordPress files except index.php  
187.32 -> you select all this press delete save and when I  close this you will see that FileZilla immediately  
194.28 -> asked a file has been changed do you want us to  upload it back to the server and let's say yes  
200.4 -> what do we see here is that it's got a response  which says permission denied critical file  
206.52 -> transfer error that means that I cannot upload  my file to this website because it is denied  
215.28 -> smart move from this hacker we go right click  and we look at the file permissions and we can  
221.88 -> see that is read only well let's change the owner  to write and press OK it seems successful let's  
228.48 -> edit it again discard local file yes delete  this press save it close it upload it again  
238.92 -> now the file transfer is successful it has been  transferred but to be absolutely sure we have  
244.98 -> the right one copy and paste this one from the  WordPress website put it in over here save it  
251.58 -> close it and then upload it so this means we now  have more access to our website however we're  
258.24 -> still not there in the .htaccess file they were  talking about about.php let's open this one  
263.88 -> View/Edit this is what a typical hacked page looks  
268.98 -> I mean scroll down you can see well this looks  like a lot of gibberish it's actually not it is  
274.32 -> code but it's hidden with a bunch of keys if  you have the right key you can read this and  
280.38 -> then it actually makes a lot of sense but what we  actually know is this about.php is not part  
285.84 -> of the original website so we're going to delete  this page like this yes Alpha pass I have never  
293.1 -> seen it in a WordPress website before threat has  been removed PHP obfuscated D was found in a file  
300.72 -> where FileZilla tried to access now you know that  it's really important to get a really good virus  
307.02 -> scanner the problem I have with this website is  that there are too many things just do not belong  
313.44 -> here again we have viruses and now we have a web  shell a web shell is used to inject all kinds  
321.3 -> of things into your WordPress website that's  not the way it should be the only things you  
326.94 -> need to see here is CGI bin WP admin content and  includes let me open up this Alpha data fox.php  
334.8 -> I have seen [ __ ] before in my other video about  cleaning a hack website so I tried to open it but  
342.96 -> again my virus is gonna stop me because it is a web  shell we're just going to delete it over there yes  
351.12 -> also the Wonder this is some sneaky code this is  actually creating a sitemap and then it's going  
358.08 -> to Ping the Google bot to for example the Google  bot and if it's a Google bot then it will see this  
364.26 -> sitemap instead of the real one sneaky codes so  let's just remove this entire folder press right  
371.7 -> click and press delete over there I could go clean  every single file and delete it but that's gonna  
377.94 -> take a very long time the best thing to do in this  case is just to download the original WordPress  
384.42 -> version copy it over this old website that way  we flush out everything immediately we go to  
392.4 -> wordpress.org and you press on get on WordPress  right there then we're going to press download  
397.74 -> WordPress 6.1.1 when you have downloaded you need  to extract all these files into the folder then  
405.12 -> we go back to FileZilla go to your folder and here  you can see the WordPress folder in the WordPress  
411.06 -> folder you will find another WordPress folder  which is called WordPress and in WordPress there  
415.68 -> are these files and everything we need to have one  thing you don't need to overwrite is WP content so  
422.34 -> let's right click on it and press delete because  you do not want to upload it because that is the  
428.1 -> place where all your themes your plugins and your  images are just press yes another important one  
435.18 -> is WP config it is over there WP config contains  all the information to connect to your database we  
444.42 -> really should change those passwords later on for  now what are we going to do we're going to select  
451.14 -> everything inside the remote website so we're  going to press Ctrl a on our keyboard then we're  
457.38 -> gonna deselect WP content and also WP config like  this just select all these things and then we're  
465.18 -> going to create a new folder on our own computer  create folder old hacked website right there open  
475.62 -> this one over here and then we're going to drag  and drop everything from this side to this side  
482.46 -> just let it go we are downloading your old website  to the new website and we have a lot of viruses in  
491.04 -> this website so what are we going to do we're  going to clean it again I got messages you want  
496.44 -> to clean it yes again I got messages you want to  clean it yes yes we have a lot of stuff going on  
503.04 -> in this website my virus gonna stop me and it's  still deleting all kind of things so now we know  
508.38 -> that inside of this WordPress installation is  a lot of malicious files that's why the hosting  
514.56 -> company warned my subscriber that there is a lot  of malware on your website you need to fix it or  
520.08 -> we're gonna put it offline oh man this is amazing  I think we do a good job with cleaning everything  
526.92 -> because it's just too much malware and infected  files inside of this WordPress website again a  
533.58 -> threat has been removed and again a threat has  been removed this is insane man the first thing  
539.88 -> we do is you go to your computer to the old web  hacked website like this and we're going to add  
544.14 -> this to a zip file just make a zip  file of it delete this entire thing delete  
553.08 -> yes and also clean your trash can are you sure yes  I'm sure all right back to FileZilla we're gonna  
560.94 -> copy a clean WordPress version in there but we need  to delete everything except WP config over there  
567.72 -> and WP content really important or else you lose  everything just right click on it and press delete  
573.78 -> no problem at all you have a backup so press  delete press yes if all is right and the hackers  
581.28 -> don't have FTP access to your website you won't  see any files except WP content and WP config  
588.72 -> if you're seeing now that some files are being  replaced immediately like .htaccess or index.php  
596.4 -> change your FTP password right away because  the hackers still have access to your website  
603.3 -> now this is the perfect time to change your  database password if they go to WP config  
609.06 -> over there right click on it and press View/Edit  you might just see notepad but that works great  
615.3 -> what you see over here is your database password  right here what we need to do is go back to our  
621.72 -> hosting company and in your control panel just  type in PHP like this and then you have the PHP  
627.72 -> settings I found it on this hosting company it's  with every hosting company a bit different so if  
633.3 -> you cannot find it go to your hosting company  and ask them for help to change the password of  
639.36 -> your database then copy this password press copy  then when you do you just paste in the password  
645.96 -> over there then we're gonna save the file and then  FileZilla will say a file has changed if you want  
652.08 -> to upload it press yes now the database password  has been changed so no one can log into it if they  
658.32 -> have saved your database password and trust me  they probably have they on the left side you go  
663.48 -> to WordPress version you've just downloaded  the clean one open it open it select it all  
669.96 -> and we're going to copy it don't  worry WP config is not in here so it  
674.46 -> will not be overwritten and WP  content have been removed so press upload  
680.4 -> and now we just sit back and wait a little bit  until FileZilla has moved those two thousand to  
684.9 -> 500 files to our website everything has been  copied to there this is a clean installation  
690.54 -> right now let's try to open up our website  we can actually visit their own website wow  
698.94 -> well it actually works this is great wow I'm so  happy for my subscriber let's log in and see if  
707.76 -> we need to clean up some Japanese spam SEO posts  this is really awesome now we can actually log  
714.72 -> into our own website again if you're unable to  log in because hackers has changed the username  
720.06 -> and passwords then this is what we do go back to  your hosting and in here in your control panel  
726.18 -> you type in PHP if you're looking for phpmyadmin  click on it and then it will open up a new window  
733.68 -> asking you to sign in open up WP config and here  we can find the user is this one copy this entire  
742.2 -> thing and paste it in here in your username and  also paste this password we've just changed copy  
749.4 -> it and paste it in there and press sign in don't  get overwhelmed by this interface just follow my  
756.3 -> steps in here you see information schema but what  you need to click on is your database over there  
761.1 -> it's probably some name of your website or your  account or whatever click on it there you can see  
767.76 -> all these things of your WordPress website this  is great what are we looking for is this one users  
774.42 -> underscore users the first row of letters should  be something else than this so press on users  
781.08 -> in these rows you will see all the users added to  your website for example this one is the original  
788.94 -> and it has a nickname and a email address that  actually fits but then we see this admin who is  
796.44 -> called admin this is not from my subscriber I  know that's for sure W admin w at wordpress.com  
806.76 -> support at wordpress.com and Mike devil6699  at gmail I don't think these are legit so what  
814.44 -> are we going to do select these that you don't  recognize and press this one delete don't select  
820.5 -> the first one just this one and press delete are  you sure yes I'm sure now we only have the normal  
827.52 -> user login but this one has been compromised  so we're going to press on edit the login we're  
833.1 -> gonna change it to something else make sure to  remember it and the password should be filled in  
839.1 -> over here you don't recognize this because it has  been encrypted so we're going to change this to  
846.3 -> some random password that I just will change  after this video and then you're going to copy  
854.28 -> this and don't forget to change this one to md5  over there all right and then you press go now the  
863.52 -> password and the username has been changed now to  be entirely safe you really should use the email  
868.68 -> address because people are still going to use this  email address to log in however the password is  
874.56 -> really safe right now so the chance that you  will be hacked by a brute force is very small  
880.44 -> especially when we're going to secure this website  after we cleaned it and let's see if we can still  
886.44 -> log into this website and maybe clean up some  stuff all right well done we are actually inside  
893.04 -> the first thing I notice is probably the reason  why we got hacked because of this 16 updates
903.36 -> always do your updates because they're very  important the question is how did this website get  
910.2 -> hacked if you have 36 plugins on your website you  don't update them and you don't have your security  
916.92 -> plugin in place you're just a sitting duck and  it's just a matter of time before you get hacked  
922.56 -> so the first thing we're going to do of course  is to update all these things we have six themes  
929.34 -> we don't need six themes trust me just press update  all your plugins and all your themes right down  
936.78 -> all the updates has been completed let's go to  appearance and check out the themes because I  
942.6 -> think that there are some themes in there that  have not been there alright the active theme is  
948.36 -> oasis it is not a child theme so we can remove  all these different themes that are not part of  
955.62 -> this website if you go to your FileZilla we  go to WP content over there we go to themes  
962.52 -> and we can see all these different themes we are  not using any of these themes except Oasis go to your  
970.08 -> FileZilla find out which one Oasis is over there  and delete the rest because it is a big security  
978.06 -> risk I don't know if hackers infected these files  on my website so I'm going to delete them all we  
985.2 -> don't need them anymore now when I go to all posts  this is what we see these are all English things  
993.06 -> however the website is created in Dutch so I know  these are all not created from the original author  
1000.5 -> go to screen options we're going to select 50 of  them apply and now we can see all of those posts  
1008.24 -> in one go select them all over there and then  we're just going to press move to trash apply it  
1015.44 -> and you can just leave them in the trash if  you're not sure if you need them or just delete  
1019.7 -> them entirely from your website destroy them all  let's check out categories do we save that they  
1027.62 -> are not created a million categories no categories  are entire empty great let's go to tags and there  
1035.18 -> we have a couple of tags they're not malicious or  any kind so they're good let's keep them in there  
1040.64 -> there we go to WooCommerce we also have products  maybe they have created a bunch of products which  
1047.48 -> are not real there's no sign of spam products  in there so that's good another thing we need to  
1052.16 -> check are the pages go to your pages and let's see  if there's something in here that's actually not  
1059.42 -> good well we have 41 items let's put them all in  one screen like this let's see if we find anything  
1068.3 -> Japanese all looks good let's go to Media go to  the library yeah so there's really no nothing  
1075.86 -> wrong in here so this is actually pretty great so  I think we're good on the content the next thing  
1081.56 -> we do is you go to plugins so we're gonna add a  new plugin for securing your website you really  
1086.72 -> should use iThemes but for scanning your website  I recommend Wordfence I don't like Wordfence  
1093.8 -> a lot but for scanning it is excellent search for  Wordfence and press install now when it has been  
1100.22 -> installed press activate over there then we need  to register our Wordfence we're gonna get a free  
1105.62 -> license over there fill in your email address  Press Register then we're almost done click on  
1110.42 -> the button in your email and it will be redirected  to your website press install on license then we  
1115.52 -> go to our dashboard and then you can just press  on this icon over here across the only thing I'm  
1120.8 -> interested in is this scan over there click on  it and then press this cross icon again and just  
1126.5 -> press this blue button start new scan why is  this very important well we have cleaned a lot  
1132.86 -> of files installed a fresh WordPress system but  we didn't scan WP content so what I want is the  
1140 -> Wordfence to scan all my files in WP content  and see if there's anything there if there's not  
1146.78 -> well done we can continue securing our website and  then I think my subscriber will be very happy as I  
1153.98 -> suspected it there are still some results found  by our malware scan as we can see it is in WP  
1160.58 -> content plugins plugins WP content uploads all  in WP content if you see this you can actually  
1168.68 -> press this button repair all repairable files if  they are repairable or in our case just delete  
1175.82 -> them because it is not part of the system it is  just some new stuff so you're just gonna delete  
1181.28 -> them all delete files and now Wordfence is going  to clean up our website just like that awesome 70  
1188.78 -> files were successfully deleted and now we can  press close now of course we're wondering what  
1194.78 -> about this 1320 results let's try to open up one  right now open link in new tab this is what you  
1203 -> see because we have cleaned out the scripts that  were creating this it is not anywhere found on  
1210.5 -> this website all these Pages result here in a 404  so I dare to say this website is completely clean  
1217.52 -> if you have any questions or you just want to say  thank you Matt drop them down in the comments of  
1222.62 -> course and if you want to make me happy hit a  like on this video And subscribe to my channel  
1228.14 -> using that link over there and maybe watch this  video because it's also a really nice one
1239.42 -> thank you

Source: https://www.youtube.com/watch?v=DvE7sNtEFg4