Step 3 to recover your hacked WordPress site – manually deleting suspicious files: By now you know to a certain degree of certainty the extent of the damage. Although this is not a fool-proof way, it still is a very reliable method. If you detect files like .htaccess, .error-logs etc, feel free to delete them – you can always recreate them later on. Hackers have also devised techniques to create files with extensions that look like .jpeg, .jpg etc that may look like images but contains the virus inside.
What not to do: Do not take a chance by skipping any files that looks ok by name but has different file size! If you are in doubt, Delete! If you see files with random file names (mostly jumbled letters like names generated by machines), Delete! I use Filezilla to browse directories and almost every file when I am recovering a hacked site.
Step 4 to recover your hacked WordPress site – re-loading WordPress core: If the extent of the hack is minimal, you may want to replace the deleted WordPress core files from your newly downloaded WordPress folder into the respective folders on your domain host server. If the extent is too much, delete everything in your domain! If you have your backup then you can always restore your site to the date of your backup.
I had to do this hard step of deleting everything from my server a couple of times in the past when the malware had spread for months and affected almost all the files and folders on my site. In some cases, the hack was detected very early, alerted by Google and Jetpack, and I had to clean up very little.
What not to do: The common mistake many people make at this stage, especially if the malware has spread too much, is panic & start to un-install WordPress completely. This may not be necessary and you do not need to do this, unless it appears to you that its much efficient to start from scratch with your back-up files.
Step 5 to recover your hacked WordPress site – restore your data: Once you have loaded WordPress core files again, you are almost done but not quite done. If you look up your website on a browser, in all possibility it will not show up. That is because the Uploads folder and the wp-config.php file are missing on your host. The first step is to transfer the Uploads folder as is back on your host using the FTP software.
If you have downloaded the wp-config.php file in Step 1, upload it back in your WordPress folder using the FTP software on your computer. With this, you will not need to use the backup at all. Once loaded, check your website URL on a browser again. Make sure you clear browser Cache and try your URL. Your website should come up like before.
However, I have had some situations where the content looks good for most of the posts and pages but I have had issues with Features Images and embedded images. This depends on how your theme handles attachments and there is no easy answer. But images aside, you should not have any problem bringing your website back online after this fifth step is completed.
PS: depending on how I am recovering the data, I use either the WordPress default Import function, or FTP using FileZilla or use the MySQL Admin feature in the Domain Control dashboard. I also view the wp-config.php file & recheck that the database names & passwords are correct.
What if this does not work?
There is a faint possibility that even after cleaning up everything the malware remains and your website remains hacked. In that situation, the safest thing to do is to Uninstall WordPress completely, Install WordPress back again and once your new site is up, use the Tools – Import feature in the Admin Dashboard to load your posts and pages back into the new database.
You would still have to transfer the Uploads folder back to the host and once done, your site should come online back again. I hope you do not have to go to this extreme, but then again, there is always this possibility.
I hope that between the 6 ways to prevent a WordPress hack & the 5 tips to recover your WordPress site in case you do get hacked, you should be able to protect your online business and its safety well all by yourself. Feel free to reach out to the WordPress community – its a very well respected group of technical experts who are very much willing to help and their help & support could be an enormous help in desperate situations like this.