User Question: What are your preferred methods of restoring a hacked WordPress site?

How to restore hacked WordPress website?

This question comes from a user whose site was recently attacked with malware. Before reading the answer, please read “How to remove malware from a hacked WordPress site”.

The answer depends on what needs to be restored. If you have removed all of your WordPress installation files, however, you’ll need to restore the files from a known-good backup.

Database is Intact; WordPress Files are Infected

In an ideal situation this means that your database remains intact. This includes your settings, posts, pages etc.

Instead of reinstalling WordPress you’ll need to extract the files from the WordPress core package.

  1. Make sure that wp-config.php in the root of your installation has the correct settings.
  2. Download the core files from https://downloads.wordpress.org/release/wordpress-5.8.3-no-content.zip (replace the version with the correct one). Extract and overwrite the files on your WordPress install.
  3. Point your browser to <yourwebsiteurl>/wp-admin/upgrade.php. This will make sure that a database upgrade runs.
  4. Log into the website admin area.
  5. Purge the cache.
  6. Verify that you have the required theme and plugins active.
  7. Visit the permalinks settings once. This will create a .htaccess file or verify and update it if one already exists.
  8. Visit the front-end of the website and verify that all is well.
  9. Log into Google Search Console and head over to URL Inspection Tool.
  10. Enter the URL of the homepage or select any URL of your website.
  11. Click on “Test Live URL”.
  12. Click on “View Tested Page”.
  13. Verify the site in “Screenshot” and “More Info” tabs.
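
Extracting and overwriting in step 2 replaces the known core files but does not delete anything that is absent from the package, so files added to wp-admin or wp-includes stay on disk. The following shell function is an added example, not part of the original article: it compares an install against the extracted known-good package and lists extra and modified core files. The names audit_core and demo and the sample file names are made up for illustration.

```shell
# audit_core CLEAN_DIR SITE_DIR
#   CLEAN_DIR: extracted known-good core package; SITE_DIR: live install root.
# Prints "EXTRA <path>" for files the package does not contain and
# "MODIFIED <path>" for files whose bytes differ. Returns 1 on any finding.
audit_core() {
    clean=$1; site=$2; findings=0

    check_file() {  # $1 = path relative to the install root
        if [ ! -e "$clean/$1" ]; then
            echo "EXTRA $1"; findings=1
        elif ! cmp -s "$clean/$1" "$site/$1"; then
            echo "MODIFIED $1"; findings=1
        fi
    }

    # wp-admin and wp-includes hold only core files, so every file there
    # must exist, byte for byte, in the clean package.
    for dir in wp-admin wp-includes; do
        [ -d "$site/$dir" ] || continue
        while IFS= read -r rel; do
            if [ -n "$rel" ]; then check_file "$rel"; fi
        done <<EOF
$(cd "$site" && find "$dir" -type f | sort)
EOF
    done

    # Root-level PHP files. wp-config.php is site-specific (step 1 reviews it).
    for path in "$site"/*.php; do
        [ -e "$path" ] || continue
        name=${path##*/}
        if [ "$name" != "wp-config.php" ]; then check_file "$name"; fi
    done
    return "$findings"
}

# Constructed sample trees (not real WordPress files) to show the output.
demo() {
    tmp=$(mktemp -d); rc=0
    mkdir -p "$tmp/clean/wp-includes" "$tmp/site/wp-includes"
    echo '<?php // core' > "$tmp/clean/wp-includes/load.php"
    echo '<?php // core' > "$tmp/site/wp-includes/load.php"
    echo '<?php // leftover' > "$tmp/site/wp-includes/leftover-example.php"
    audit_core "$tmp/clean" "$tmp/site" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

The function does not inspect wp-content, so themes, plugins and uploads still need the malware scan.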

If you have access to WP CLI, you can also reinstall WordPress with some very easy to follow steps. This is quicker than manual extraction and uploading.

Step-by-Step guide to efficiently reinstalling infected WordPress Core using WP CLI

Database is Infected; WordPress Files are Intact

Fixing an infected database is slightly more involved and you’ll certainly need access to WP CLI.

  1. Run a malware scan with Malcure Malware Scanner.
  2. The scan will outline the infected database records.
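  3. Use phpMyAdmin to inspect the infected records and identify the malware / malicious code.
  4. Find and replace: The WordPress database contains serialized data, so a plain text find and replace will break the data integrity. Use the WP CLI to do a search and replace.
  5. Execute the following command via WP CLI, replacing 'malicious code' with the code that you detected on your WordPress install. If there are several types of malicious code, you’ll need to run it multiple times.

      wp search-replace 'malicious code' '' --all-tables --dry-run --report-changed-only --precise --regex --regex-delimiter='/'

     Because of --regex, the search string is treated as a regular expression, so escape any regex metacharacters in the malicious code. With --dry-run the command only reports what would change; once the report lists only the records you expect, run it again without --dry-run to apply the replacement.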

If there is a large database dump, here is what you will need to do:

Removing Malware from Large Database Dumps

Different Use Cases and Scenarios for Malware Cleanup

There are different types of malware attacks. Here are some of the use cases, with the respective steps for cleaning the infection and restoring the site:

Run Another Malware Scan to Ensure Clean Site

Whatever the case, be it a database infection, a file infection, or both, once the infection is cleaned it’s time to run another malware scan to ensure there are no remaining traces of the malicious code / malware.

Ensure that SERPs are Clean

Some infections involve SEO spam and website redirects that act specifically through search engine results. That is why it is important to search for your site in search engines. If you see weird results, then it’s time to ask the search engines to re-index your website. Also check your Google Search Console account for any malware warnings, etc.

That’s pretty much it! If you need help with this part of the process, check out our Malware Removal Service.