How We Restored a WordPress Site after a Hacking Incident

Jun 10, 2018 | Website Security

Have you ever wondered how people restore WordPress after a hack?

WordPress is a great piece of content management system technology. It gives the average, non-technical person a way to publish anything quickly and cost-effectively. It is very popular for that reason, but popularity has a downside: it also makes WordPress a target for hackers and data thieves. You need to know how to restore WordPress after it has been hacked, and you probably also need a hosting company that does more to keep it from happening in the first place.

This article covers how to restore WordPress after a site is hacked. I also talk about which hosting company we recommend so that it doesn’t happen again.

The Backstory

A long time ago in a galaxy far, far away (at least in Internet years), when Webidextrous was in “bootstrap” startup mode, we launched a separate blog to chronicle some family events connected to our “digital nomad” lifestyle as we worked remotely and traveled the United States. Because we were trying to save money and the blog was not a mission-critical part of the business, we “cheaped out” and used GoDaddy’s lowest-priced shared hosting plan.

Fast forward to a few days ago, a couple years after we had established long-term roots in a community we liked and stopped working on the road. I decided to see how that long-abandoned blog was doing and whether we could do more with it after a recent vacation. Sure enough, those two years of neglect led to the site getting hacked and redirected to a foreign domain.

Even though it was a “dead” site at this point and I was already going back and forth on whether to even keep it at all, this felt like a violation and I wasn’t going to let that stand. Now I was just angry. Angry at myself for losing control over it when I knew better. Angry at the punk who hacked it. And angry at GoDaddy for continuing, after all these years, to treat security like an afterthought when other, more forward-thinking competitors were protecting their customers.

I’m gonna restore WordPress on this site if it kills me! It’s the principle of the thing!

Rather than just recovering the site and moving on, I wanted this to be an opportunity to teach others. I wanted to show the importance of choosing the right hosting company and security precautions up front, and how to recover if you choose, for whatever reason, to host on the cheap.

The Investigation

First, I called GoDaddy support to see what their current process to restore WordPress would be. I’d moved other people’s hacked sites for them in the past, so I was pretty sure what I was going to hear. The representative (I’ll call him “Bill”) responded to my stated concern with his script. He didn’t stop to ask me what I had tried to remedy the problem. Fair enough. Most of GoDaddy’s customers are non-technical, so it makes sense that they’d cut to the chase and try to fix the problem for them right off the bat.

Instead of doing the right thing by the customer and helping me restore WordPress, Bill pivoted to the GoDaddy modus operandi of upselling. (I often joke that GoDaddy is in the business of upselling and dabbles in hosting on the side…because it’s true!) He offered me an $84/year “security” add-on that would clean up the redirects the hacker had written to my files. Supposedly this would also prevent such things in the future.

If I had been non-technical, I’d have been grudgingly elated that such a solution exists, even if I had to pay for it as an “extra”; it would mean I could restore WordPress and get my site back quickly without much effort. Being a web professional, however, I was a bit upset. As I told Bill, GoDaddy seems truly not to care about their customers’ websites. Is the best they can do to protect people a reaction after the fact, rather than any of a dozen more proactive measures?

His response? “Yeah, well, those ideas cost a lot of money to implement. We’d have to pass that along to the customer in their monthly rate.”

That’s like an insurance agent trying to sell you insurance after you get into a car accident, not before. The fact that GoDaddy is not doing everything it can up front to prevent such things feels more like a shakedown for protection money. They’re not really trying to help customers save cash. The customers are inevitably going to pay either way.


Removing the Redirect

I could go for hours about GoDaddy’s shortcomings. Lest I get too deep into an anti-GoDaddy rant, here’s what I did to restore the site.

The most common WordPress hack is to gain access to the wp-admin dashboard or to the file system, usually through a well-known exploit against software that hasn’t been kept up to date (as on this neglected site) and occasionally through a zero-day, and then alter a core file or a database entry. In my case, they altered the index.php file in the root directory of WordPress. Normally, it looks like this:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

But they altered mine to look like this:

<?php
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.reallybadguys.hu");
?>

Most noteworthy, line 2 sends a 301 Moved Permanently status, which tells browsers and search engines that my original site has permanently moved. Line 3 names the site it supposedly moved to. I’ve changed their real domain to keep innocent people from going there out of curiosity; there is no need to send them undeserved traffic, and they could be distributing malware.

Worse, that 301 is likely to cause me lingering problems, because a permanent redirect is exactly what browsers and search engines are designed to remember. A browser that has cached it will keep jumping to the other domain without even asking my server again, and if Google doesn’t see a corrected, non-redirecting response from my domain, it may go on treating the other site as my site’s new home.

Additionally, there was a file called track.php, which is not part of WordPress. It contained a redirect to yet another site.

<?php
header ("Location: https://www.morereallybadguys.ro");
?>

This indicates to me that the current redirect isn’t the first time GoDaddy let the barbarians through the gates.

Check .htaccess for Redirects

Another file I checked was .htaccess. This is where legitimate redirects usually go, so hackers like to use it for illegitimate ones too. In this case it was clean. But I made sure to scroll all the way to the bottom, because hackers sometimes insert hundreds of blank lines before their redirect code so that an editor window shows only the harmless part and gives you a false sense of what’s in the file. Remember that .htaccess is a hidden file, so enable “show hidden files” in your FTP client or file manager, and check for extra copies in subdirectories such as wp-content/uploads, not just the one in the site root.

Finally, I logged into phpMyAdmin and ran a database-wide search for the reallybadguys.hu and morereallybadguys.ro domains, looking for any place the hackers could have inserted redirections. Nothing turned up, so we were good to go. (The first rows to eyeball are siteurl and home in the wp_options table: if either one points at a strange domain, WordPress itself will build its links and canonical redirects against that domain, with no file tampering required.)
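The phpMyAdmin “search the whole database” step can also be scripted, which is handy when you want to repeat it after cleanup or on several sites. The following is an added example, not code from the original post: it builds a throwaway SQLite copy of the two WordPress tables that most often carry injected redirects, wp_options and wp_posts, fills them with constructed rows (one hijacked siteurl, one serialized widget carrying an external script, one post with a hidden iframe), then searches every text column of every table for the indicator domains. The blog address https://example.org and the row contents are assumptions; against a real site you would point the same loop at MySQL.

```python
"""Database-wide search for the attacker domains, the step done in phpMyAdmin above.

Added example, not from the original post. Builds a constructed SQLite stand-in
for a hacked site's database and searches every text column of every table.
"""
import sqlite3

INDICATORS = ("reallybadguys.hu", "morereallybadguys.ro")  # the post's placeholder domains
EXPECTED_SITE_URL = "https://example.org"                   # assumed address of the blog


def build_sample_db():
    """Constructed stand-in for a hacked site's database (not real data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT, autoload TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_content TEXT, post_status TEXT, guid TEXT);
    """)
    con.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)", [
            ("siteurl", "http://www.reallybadguys.hu", "yes"),  # hijacked; should equal the blog's URL
            ("home", EXPECTED_SITE_URL, "yes"),
            ("blogname", "Nomad Family Blog", "yes"),
            # a PHP-serialized widget whose text was replaced with an external script tag
            ("widget_text",
             "a:1:{i:2;a:1:{s:4:\"text\";s:61:\"<script src='https://www.morereallybadguys.ro/t.js'></script>\";}}",
             "yes"),
        ])
    con.executemany(
        "INSERT INTO wp_posts (post_title, post_content, post_status, guid) VALUES (?, ?, ?, ?)", [
            ("Week 3: Moab", "<p>We parked the RV by the river.</p>", "publish",
             EXPECTED_SITE_URL + "/?p=1"),
            ("Week 4: Denver",
             "<p>Snow!</p><iframe src=\"http://www.reallybadguys.hu/\" style=\"display:none\"></iframe>",
             "publish", EXPECTED_SITE_URL + "/?p=2"),
        ])
    con.commit()
    return con


def search_all_tables(con, needles):
    """Return (table, column, primary_key_value, needle) for every text-column hit."""
    hits = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        info = con.execute(f'PRAGMA table_info("{table}")').fetchall()
        pk = next((row[1] for row in info if row[5]), info[0][1])
        text_cols = [row[1] for row in info if row[2].upper() == "TEXT"]
        for col in text_cols:
            for needle in needles:
                # table/column names come from the schema; the needle is bound as a parameter
                rows = con.execute(
                    f'SELECT "{pk}" FROM "{table}" WHERE "{col}" LIKE ?',
                    (f"%{needle}%",)).fetchall()
                hits.extend((table, col, row[0], needle) for row in rows)
    return hits


def check_site_urls(con, expected):
    """The two options that directly control where WordPress sends visitors."""
    bad = []
    for name, value in con.execute(
            "SELECT option_name, option_value FROM wp_options "
            "WHERE option_name IN ('siteurl', 'home')"):
        if value.rstrip("/") != expected.rstrip("/"):
            bad.append((name, value))
    return bad


def demo():
    """Run both checks against the constructed database."""
    con = build_sample_db()
    return search_all_tables(con, INDICATORS), check_site_urls(con, EXPECTED_SITE_URL)


if __name__ == "__main__":
    hits, bad_urls = demo()
    for hit in hits:
        print("hit:", hit)
    for name, value in bad_urls:
        print(f"option {name} points at {value}")
```

A hit inside a serialized option (the widget_text row above) is the case to be careful with: PHP serialized strings carry their byte length, so edit the value through the WordPress admin screen or unserialize, fix and reserialize it rather than hand-editing the text in phpMyAdmin. A quick alternative to any of this on a shell is to dump the database with mysqldump and grep the dump for the domains.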

Because I was reasonably certain the site was clean of all these redirects, I re-uploaded the cleaned files. But, uh oh, the site still redirected to the burglar’s domain. What was going on?

Check Caching and CDNs

It seemed the only other place to look was further “upstream”, at the name servers. The site uses CloudFlare as its CDN, which means the domain points at CloudFlare’s name servers, and CloudFlare caches content geographically “close” to the users who request pages from the site. So my first task was to pause the caching and purge it to see whether the bad redirect would go away. (When testing, use a fresh private browser window or a command-line client such as curl -I, so that your own browser’s cached copy of the 301 doesn’t fool you into thinking the redirect is still live.) After waiting a couple of hours for CloudFlare to fully purge its servers, I still had the bothersome redirect.

Therefore, it was time to do something drastic: go into the domain settings and switch back to GoDaddy’s name servers to see if perhaps CloudFlare was the culprit (and maybe also compromised, though that is unlikely).

Yup, a few hours after going back to GoDaddy name servers, the site was back online. Whew!

So now I just need to change all my passwords (the WordPress users, the hosting and FTP accounts, and the database user in wp-config.php) and the WordPress salts, which invalidates every existing login cookie, the hacker’s included, then gradually reintroduce my CDN, right? Well, yes to the first part and no to the second, because I’m pretty much done with GoDaddy for this site at this point. I know they’re not interested in doing right by their customers in the most basic packages. Who knows how many upsells I’ll have to go through to “get to good” with them. My faith, at this point, is nonexistent.
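Rotating the salts is the one part of the password step that people tend to skip, so here is an added example of doing it in code (not from the original post). It regenerates the eight keys WordPress uses to sign its login cookies, so every session that was valid before, including any the hacker still holds, stops validating. The wp-config.php shown is constructed (the key names are the real ones from wp-config-sample.php, the rest is made up), one key is deliberately left out to show the missing-key case, and the code assumes the stock single-quoted define() style; everything it doesn’t recognise is left untouched.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php.

Added example, not from the original post. Assumes the stock single-quoted
define('NAME', 'value'); style and leaves every other line alone.
"""
import re
import secrets
import string

WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable ASCII minus whitespace and the two characters that would break a
# single-quoted PHP string literal.
ALPHABET = "".join(c for c in string.printable if not c.isspace() and c not in "'\\")

KEY_ALTERNATION = "|".join(WP_KEYS)
DEFINE_RE = re.compile(r"define\(\s*'(" + KEY_ALTERNATION + r")'\s*,\s*'([^']*)'\s*\);")


def new_secret(length=64):
    """A fresh 64-character secret from a cryptographic RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_config_text, report); report lists replaced and added keys."""
    replaced = []

    def fresh(match):
        name = match.group(1)
        replaced.append(name)
        return f"define('{name}', '{new_secret()}');"

    new_text = DEFINE_RE.sub(fresh, config_text)
    added = [k for k in WP_KEYS if k not in replaced]
    if added:
        extra = "".join(f"define('{k}', '{new_secret()}');\n" for k in added)
        lines = new_text.splitlines(keepends=True)
        # put missing keys before the "stop editing" marker if present, else at the end
        idx = next((i for i, line in enumerate(lines) if "stop editing" in line), len(lines))
        lines.insert(idx, extra)
        new_text = "".join(lines)
    return new_text, {"replaced": replaced, "added": added}


def extract_salts(config_text):
    """Map of key name to current value, for checking the result."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}


# Constructed sample; NONCE_SALT is deliberately missing to exercise the add path.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_nomad' );
define( 'DB_USER', 'wp_nomad' );
define( 'DB_PASSWORD', 'old-password-change-me' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""


if __name__ == "__main__":
    text, report = rotate_salts(SAMPLE_CONFIG)
    print(text)
    print(report)
```

Write the result back over wp-config.php with the same ownership and permissions it had, and expect to be logged out yourself along with everyone else. Note that this only handles the cookie keys; the DB_PASSWORD line still has to be changed by hand to match the new database password you set at the host.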

Get Better Hosting

Now that you know how to restore WordPress after a hack, you’ll want a better hosting company than GoDaddy, BlueHost, HostGator and the rest. If you want to know which host I’ll be moving the site to, and that I recommend to you as well, see our hosting plan page.

Rob Watson is the CEO of Webidextrous, a web consultant, and a developer. Beginning in 1996 as a self-taught web designer, he has created websites for everyone from small business owners to multi-national companies. He is the co-organizer of the West Orlando WordPress Meetup and a WordCamp speaker.
