Compromised WordPress Cleanup and Recovery
Disclaimer: This is a simplified guide for recovering from a compromised WordPress installation. Due to its popularity, WordPress is the single most targeted PHP application on the web. Failure to keep your installations secured and up to date often results in compromised installations. If you do not feel comfortable completing these steps on your own, we recommend seeking the assistance of an experienced web developer.
1. Take a full backup of all involved accounts, files and databases
2. Remove all unused plugins and themes, and replace the affected files
Any out-of-date theme or plugin can give attackers access to your WordPress installation, even if it is not active, so we advise removing all files for themes and plugins that are no longer used, including older default WordPress themes such as TwentyFourteen, TwentyTwelve, etc.
Check your current WordPress version and download the files for that same version here:
Then overwrite the files in your installation with the original, uncompromised copies, except for your wp-config.php file, which must be preserved because it contains your database connection information. This is best done with an (S)FTP program.
Do the same for all remaining themes and plugins. These files are usually found via their respective plugin pages on WordPress.org (e.g. https://wordpress.org/plugins/wordfence/ for the Wordfence Security plugin) or from the plugin developer's website. Theme and plugin files are stored in the /wp-content/ directory under /themes/ and /plugins/, respectively.
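The overwrite step above is easier to verify if you first know which core files actually differ from the clean release. The following script is an added example, not part of the original guide: it compares an installation against a clean copy of the same WordPress version (e.g. the extracted release archive), skipping wp-config.php and the /wp-content/ tree for the reasons given above, and reports core files that were modified, removed, or added. The sample directory trees it builds are constructed for demonstration only.

```shell
#!/bin/sh
# Added example: report core files that differ between a clean WordPress
# release (reference) and a live installation. wp-config.php is skipped
# because it holds site-specific settings and must be kept; wp-content/ is
# skipped because themes, plugins and uploads are replaced from their own
# sources in step 2.

# List core files under a directory, relative to it, with the exclusions above.
list_core_files() {
    (cd "$1" && find . -type f ! -path './wp-content/*' ! -name wp-config.php) \
        | sed 's|^\./||' | sort
}

# wp_core_diff <clean_reference_dir> <installation_dir>
# Prints one line per finding: "MODIFIED path", "MISSING path" or "EXTRA path".
wp_core_diff() {
    ref="$1"; inst="$2"
    list_core_files "$ref" | while IFS= read -r f; do
        if [ ! -f "$inst/$f" ]; then
            printf 'MISSING %s\n' "$f"
        elif ! cmp -s "$ref/$f" "$inst/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
    list_core_files "$inst" | while IFS= read -r f; do
        [ -f "$ref/$f" ] || printf 'EXTRA %s\n' "$f"
    done
}

# Build two small constructed trees so the script can be tried offline.
# Prints "<reference_dir> <installation_dir>" on one line.
make_sample_trees() {
    base=$(mktemp -d); sref="$base/clean"; sinst="$base/site"
    mkdir -p "$sref/wp-includes" "$sinst/wp-includes" "$sinst/wp-content/plugins"
    for d in "$sref" "$sinst"; do
        printf '<?php require __DIR__ . "/wp-includes/load.php";\n' > "$d/index.php"
        printf '<?php // constructed stand-in for a core file\n' > "$d/wp-includes/load.php"
    done
    # Site-specific content that legitimately differs and must not be flagged.
    printf '<?php define("DB_NAME", "example_db");\n' > "$sinst/wp-config.php"
    printf '<?php // plugin file, handled separately\n' > "$sinst/wp-content/plugins/example.php"
    # Two findings: an altered core file and a file that is not in the release.
    printf '// constructed: line that is not in the clean release\n' >> "$sinst/index.php"
    printf '<?php // constructed: unknown file in the core tree\n' > "$sinst/wp-includes/extra.php"
    printf '%s %s\n' "$sref" "$sinst"
}
```

On a real site, point the first argument at the extracted release archive and the second at the web root; every MODIFIED or EXTRA line is a file to restore from the clean copy or to remove after inspection.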
3. Update All Modules
Please note that WordPress versions 3.7+ offer automatic update options. If you do not have a custom theme or a large variety of plugins that may be affected by updates, it is best to enable all updates, major and minor. If you choose not to enable automatic updates, you should check for available updates and apply them regularly.
Please update the core WordPress files, and all themes and plugins, to their latest versions.
Once the installation and all themes/plugins have been replaced, we recommend installing Wordfence and running a full scan, which will look for further compromised files that were added outside of the standard WordPress files.
4. Scan your files for malware
While WordPress has its own popular security plugins such as Wordfence, we also strongly recommend regularly scanning your websites and files for malware with programs such as the following:
- ClamAV [https://www.clamav.net/]
- Linux Malware Detect / Maldet [https://www.rfxn.com/projects/linux-malware-detect/]
- CXS [https://configserver.com/cp/cxs.html/]
- ISPProtect [https://ispprotect.com/]
There are also many options for server-side security; some of them can be found here:
- ModSecurity [https://modsecurity.org/]
- OSSEC [https://ossec.github.io/]
- chkrootkit [http://www.chkrootkit.org/]
- RKHunter [http://rkhunter.sourceforge.net/]
5. Read the following WordPress documentation
Please note that WordPress is the most targeted web application on the internet. Failing to keep the software and plugins up to date leaves you susceptible to having your installation compromised and defaced. Keeping the installation up to date and following the aforementioned security steps will help keep your WordPress website secure. You may also want to subscribe to the developers' mailing list for future software update notifications.
Please be sure to take regular backups of your content, and store them in a secure, off-server location.
As nearly all of the types of vulnerabilities in WordPress are well documented online, we recommend conducting further research on the particular themes and plugins that are specific to your installation. If you do not feel comfortable completing these steps on your own, we recommend seeking the assistance of an experienced web developer.
For further information, we recommend reviewing the following links regarding WordPress security. Here is a repository of known vulnerabilities and the versions of WordPress which are affected:
You can also find information about the security vulnerabilities that were patched in each core WordPress release here:
We also highly recommend regularly checking for WordPress information on the Sucuri blog, which has excellent, succinct, and up-to-date information on a wide variety of security issues: