How we find and remove a WordPress hack

/0 Comments/in

If your WordPress has been hacked, you can assume that a file or piece of code has been placed in the website with which the hacker can send spam or show advertisements on your website.

There are currently 1000s of hacks developed by malicious people, the so-called hackers.
Every hack is written differently. This is to ensure that scanners do not recognize them.

How do we find that code or file among hundreds of WordPress files and all the code of plugins and WordPress?

We have various techniques with which we detect and remove hacks in WordPress

We will explain to you which methods we use to find hacks:

  1. Using the Wpsecure Detection (Plugin)
  2. We check the server in a structured way
  3. We use software that makes reading code easier
  4. We use the knowledge and experience we have built up over the past years
  5. The purpose of the hack betrays the placement
  6. We determine whether it is manual work or automation

1. Using the WPSecure Detection plugin

The WPsecure Detection plugin that we custom made scans the server and shows if there are Eval, Base64 or iFrames in the website.
Some plugins and themes also use this coding, but it’s mostly typical of hack scripts!

We check the line that follows a base64/eval line and recognize the illegal piece of code. (A matter of experience)

2. We check the server in a structured way

Folder by folder, file by file. We structurally check every folder for files that don’t belong there.
Since we have been working with WordPress for years (Since 2007) we know which folders should contain php files and which should not, we also recognize the names, junk folders and other tricks.

We check the website at file level with a checklist in which we tick which folder/files we have checked. This way we know for sure that every folder has been checked.

3. Additional software

With various programs (such as Notepad++) we can the code color reading, this makes it easier for us to read the Read important pieces of code carefully. Both file-by-file comparison and searches are among the methods to find hacks.

4. Knowledge and experience

By cleaning WordPress websites every week and working with WordPress since 2007, we know how hackers work.
We have set up, repaired and secured hundreds of WordPress websites. On various server environments.

5. The purpose of the hack betrays the placement

If there are links in the texts, you can assume that it has been placed in the content. If you can see outside the text, think of the header or footer, you can start the search in the theme.

6. We determine whether it is manual work or automation

We quickly see whether it is an automated hack script or whether someone has actually been involved in hacking the website.
With 999 out of 1000 websites, the work is automated, which means that a leak in the plugins, the theme or in an outdated WordPress version has given access to the server.

isn’t there a one-click fix?

You would expect that there are programs that detect and remove the hacks with 1 click.
Unfortunately this is not the case.

Hackers change their scripts, viruses continuously, so that a scanner will not recognize the hack.
Software simply cannot determine whether a line of code in a plugin, theme, or your WordPress core files is good or bad.

Did you know? 1 file can restore all hacks..

A hacker can use 1 line of code to ensure that backdoors, spam scripts are restored immediately after removal. That is why many web designers, server administrators and programmers cannot get rid of the hacks. They remove the consequence, but the virus remains in a different location on the server.

The hack spreads and is most likely to continue to function.

The challenge

As you may have read, there are several challenges in finding and removing hacks.
When you put us to work, we are working for a few hours, and we carry out various checks.
After that, we regularly check/monitor the website so that you are sure that you are rid of the hacks.

We guarantee that you will be rid of the hack within 10 to 48 hours, and stay that way!

Do you have a hacked WordPress website? Have your website hack-free now!