Last Updated on 2022-11-08 | Originally Posted on 2021-11-21
Introduction
I found my Website hacked on November 11, 2021, and spent half the night trying to recover it. I found this out by accident while I was doing some other maintenance. Before explaining more, here’s my setup: This WordPress instance is pre-loaded using what’s called WP Hosting. That means that I don’t have cPanel for this instance, which turned out to be a minor detail in how I proceeded. (I do use cPanel on a separate server that I use strictly for testing.)
Identifying the Issue
The type of hacking that I found is called a malicious redirect. It means that the hacker diverted my visitors to a ridiculous gaming site that clearly was not mine. What made the diagnosis difficult was that my admin panel seemed to be working correctly. I also was able to access my site since my browser was already logged in.
The only way I could test for this redirect as visitors experienced it was to access my site via a separate browser that I don’t have logged in for maintenance. I always keep a spare browser for testing, but I never considered it for this purpose since this is the first time I’ve been hacked.
Running Site Health under the Tools menu clearly identified the problem. I was a bit disappointed in the Sucuri security plugin because it didn’t alert me to the problem. It’s possible that the hackers diverted any emails it was trying to send, just like they made it impossible for me to restore my code from my backup software.
Relying on my Hosting Company
I have generally had a good experience with my hosting company, even though they are a smaller player that is not well known. The only issue I’ve found is that it can take a LONG time to resolve issues because they offer chat-only support. It often takes a while for them to identify the issue and get you to the person that can best help you.
My first instinct was to ask them to delete my current instance of WordPress, which I can’t do myself given that I don’t have cPanel access. Then I would have reloaded everything from a save point that was virus-free. They actually had a better solution, and in one fell swoop, disabled the malicious redirect by disabling all of my plugins.
Recovery
From that point, I installed Wordfence, on the recommendation of my hosting company desk, and uninstalled Sucuri. It has a scanning tool that will identify and quarantine malicious code, much like a standard virus scanner.
I reloaded my code from a point before I suspect I was hacked, and that worked given that the malicious code didn’t prevent it this time. Wordfence also provides a firewall that automatically activates after a week of self-learning. When I saw that happen a couple of days ago, I was even happier.
More Cleanup
I invited this attack by having way too many plugins. In a few cases, I forgot what they did and why I installed them. My old method of discovering plugins with potential was to install first, configure later. Of course, I often never ended up configuring them. Now, I log any new plugins that I read about into an Evernote document that details all of my Website changes. That way, if I really want to try something out, I can do it when I have the time to configure it properly and test whether I want to keep it installed.
I uninstalled the most recent plugin that I installed, which I think was the source of the hack, and I deleted 10 others as well. Several other plugins are targeted for future elimination in that same Evernote document. I got some great advice from the community at WPBeginner.com: Install plugins to solve a business need, not just because they’re fun to use. Less is definitely more when it comes to plugins!
Steps I’d Recommend to Prevent Being Hacked
- Install only the plugins that you need. Remember that every plugin you install is like handing a stranger a key to your house and hoping they won’t abuse the privilege.
- Keep a log of plugin or other configuration changes that you make. A plugin like Simple History will show you recent changes, but your own document will help you remember why you installed something and whether it’s still important.
- Install a plugin that does automatic backups, if you’re not already doing so. Also, remember to do some secondary backups from time to time in a separate place, just in case.
- Use Site Check from the Tools menu. It’s so easy to use and provides advice you should follow.
- Install a good security plugin that will provide scanning and firewall. Wordfence does both in its free version.
- Allow WordPress versions, themes, and plugins to update automatically. Hackers can exploit mismatches in these, or can get into your site through a recognized leak that is waiting for you to manually update.
- Install a separate Web browser that you don’t normally use, and only use it for testing. Don’t log into wp-admin from it or it will be useless in this regard.
- Rely on your hosting service to give you advice. They likely won’t solve your issues but will guide you along the way. If you’re just given a bunch of documents to read with no concrete help, ask to be boosted to a higher level of support.
In Conclusion
I hope my story can save at least one other person from getting hacked. In that case, it was well worth the time it took to flesh this out. I will update this document from time to time with best practices I learn along the way. Have you had any experiences of getting hacked? How did you deal with it?
One thing I didn’t mention was never a real possibility for me but should be considered nonetheless. The companies that make security plugins also have teams at the ready to clean infected Websites. The bad news? Prices start at $200 and go way higher. I wanted to learn how to recover from this so that I could be better prepared against future hacking attempts.
This information is very good. Now that I myself have been hacked, I will be going through and seeing what applies to me. I have UpdraftPlus and Wordfence, so the malicious code has been quarantined. Hopefully this will make it easier to clean my website. But going forward, I’m going to take your suggestions. Thank you!
I’m glad the article was helpful. It sounds like you had a malicious attack that got through but that was quickly quarantined by Wordfence. I could access your website last night, before you took action, so that’s a lot better than what happened to me. The hacker was able to infect some of my systems files and add a bunch of others, some with very interesting names, which redirected my site to their own gaming site.
Having a testing browser separate from the one I use to log into my WP admin panel was important because it demonstrated the malicious redirect. At first, I didn’t realize I had a serious problem because I could still log in to wp-admin.