I was searching for your website, but Google says your site was hacked.
Have you ever gotten an email or phone call like that?
It can be terrifying and disorienting—where do you even begin? How did you get hacked? What does it even mean to be “hacked”? Are you in danger? How do I get that notice removed?
I can at least help you with that last question today.
We’ve had numerous customers join the Evermore platform and launch a new site while their old site was still considered hacked, so we’ve managed the process of getting the “This Site May Be Hacked” notice removed successfully. That’s a much easier process, because we know their new Evermore-powered site is clean and secure.
I’ve also helped countless others over the years deal with this on their self-hosted websites. While having to remove the hacked portion first can be especially daunting, it’s a process you can tackle.
Even more frustrating, many top search results for this process contain misinformation or don’t cover enough of the process or aren’t specific to a WordPress site. Here, I hope to give you a realistic path through this scary experience.
What happened to my website?
In terms of what’s happening to cause the issue Google is referring to: it may be any number of things, and they could be obvious to you, or may be completely hidden. Sometimes it’s extra code being loaded on your pages that does something malicious; other times, it may be creating extra spam links to get into the search results (e.g. yourdomain.com/spam-site-link).
Unfortunately, it can be really difficult to track down exactly what’s happening or what caused it. The most important thing is to stay focused on fixing the problem first. Later, I’ll mention ways you can monitor and prevent this going forward.
Check the Current Status
At this point, it’s important to get your bearings and understand a bit more about the existing problem. Check your domain at these two resources and carefully read whatever results they return.
Sucuri SiteCheck is a free website scanner that will “check the website for known malware, blacklisting status, website errors, and out-of-date software”. It gives lots of great information in a relatively short amount of time. Plus, if you want to just pay someone trusted to fix this for you, you’ll already be in the right place—just click “Clean Up My Site”.
Google Safe Browsing Site Status
Google’s own site status tool can possibly give you more insight into how the search engine and Chrome browser views your website.
With both results in hand, you’ve got some good context for digging in and fixing the issue(s). If you’ve got the problem fixed already, jump down to the “Request a Review from Google” section.
Fix the Issue(s)
Your next steps depend on your technical understanding of your website and the actions you’ve taken before now. It’s important to be honest with yourself here—this is not the time to try something you haven’t done before or learn something new. You need attention to detail and patience, and those can run very thin if you’re trying to stretch yourself at the same time.
Check Existing Services
Fire off an email or support ticket to your hosting company and any agency or contractor you have a great relationship with. Include the information you got in the previous steps and ask for help.
While many times this won’t lead to anything of value for you (because hosting companies are generally unhelpful in this situation and agencies want to be paid first), it’s worthwhile to see what can be done.
If you have a “managed” WordPress host, I certainly hope they’re willing to manage this for you.
Pay Someone Else
If the site is important to your business and you’re not very sure of yourself, consider paying Sucuri to clean up your site. They’re experts and will give you the best chance at getting things back to normal quickly.
If money is tight, you could post what you know on Codeable and hire a WordPress expert to help solve the problem. This will take a bit more time and may carry more risk—if you don’t know how to fix your own malware, you likely don’t know how to vet the security-related prowess of a developer—but it’s definitely a flexible option.
Restore from a Backup
If you’ve been working with a backup solution already, you can try restoring your site from a backup that you think isn’t “infected”. This can be a good option if you understand what the problem is currently and can check for its existence after you restore your site.
After the restoration is complete, clear any caching mechanisms you might have and run your site back through the status checkers from the previous section.
Try Common Fixes
Sucuri has a great overview of using their free plugin to really tackle the issues. If that’s not your cup of tea, I’ll give you a few major items to consider.
In many cases, an outdated version of WordPress core files, a theme, or a plugin is vulnerable to an attack and was exploited. At that point, you may find that the PHP files in these directories have themselves been infected.
To fix that, we need to upload completely fresh copies of everything from trusted sources.
Note: create a full backup of your website before beginning—especially the database and wp-content directory. Yes, you may be backing up the hacked files or database. However, not everything is compromised, and it’s important to make sure you don’t lose your data during this process.
Once you have your verified backup, you’ll want to upload completely new versions of everything.
Start with the WordPress core files: download the .zip file from WordPress.org and use FTP to override everything except your wp-config.php file and your wp-content directory.
Download the most recent versions of your theme and plugin files from the proper places. If the plugin is available in the WordPress plugin directory, download it from there. If it’s a premium theme or plugin, download it directly from the official website. Then, upload them to your server like you did with the WordPress core files.
Note: if you knowingly install themes or plugins downloaded from official websites to save a few bucks, or don’t update your WordPress site, you’re looking squarely at the likely culprit of this whole thing. Buy premium themes and plugins and download them from the real developers, and keep everything updated in a reasonable amount of time. I’ll talk more about prevention later.
Once everything is completely updated, properly set your file permissions. That’s an important last step.
Again, do not attempt to do take these steps if they’re completely foreign to you. There’s no shame in not having this knowledge right now, and your most important goal is getting your site clean and secure.
Finally, if you know that you have the “pharma hack”, Sucuri has a guide for that as well.
Look at the Files
I’ve had more than one situation where, unfortunately, the only route was to manually look at files and directories. Sometimes you’re not able to find a clean version of things to upload.
In that case, take the time to look through each file and directory. If you’re even mildly familiar with code, you’ll likely be able to see the things that are out of place—they’re often at the very top or bottom of a file, or they’ve added an additional file full of unfamiliar code.
Request a Review from Google with Google Search Console
The best and fastest way to ensure things are fixed is to use Google Search Console to verify security issues and request a review.
Add Your Site and Verify Ownership
Yoast has a great overview of adding your WordPress site to Google Search Console using their SEO plugin. If you don’t use their plugin (and don’t want to), use a different verification method for step 3.
Look for Security Issues and Verify Fixes
Once your site is verified, you can follow Google’s recommended steps for ensuring your Google Search Console account hasn’t been compromised and reviewing the security issues. Feel free to click through the next steps in their article to gain even more technical insight into what might be happening, including their recommendations for cleaning your site fully. It’s not WordPress-specific, but it can be helpful!
If you have a sitemap, go ahead and (re-)upload it to Search Console to have Google re-index your website with clean pages.
Request the Review
Under “Security Issues” in Google Search Console, if you have a button that says, “Request a Review”, click that to get started. If you don’t, request a review directly here.
In my experience, resolution can take anywhere from a few days to several weeks. But, take heart—this is the fastest means of resolution, and you’re doing the best you can.
Preventing Future Issues
Let me be clear (since, often, others aren’t willing to say this): there’s no completely foolproof way to prevent hacking. It’s very complex and constantly changing. It happens way more often than you’d think, and it can be nearly impossible to detect.
Paying for Services
You should scale your prevention methods to match the importance of your website to your business. If it’s mission-critical for you, it doesn’t make sense for you to leave your security to chance. You should be paying for a proven solution or a trusted service/contractor.
We highly recommend Sucuri and SiteLock for ongoing services. They each have various packages for monitoring, scanning, and prevention through firewalls and more. That level of protection can provide you with much more assurance that you’re taken care of going forward.
There are a few additional practices that can supplement your services, or can generally help you protect against hacking issues in the future.
Like I mentioned earlier, you must keep things updated on your site. Often, WordPress is able to automatically update itself when larger security issues come out, but leaving old versions of themes and plugins on your server are especially risky. Keep an eye on available updates and run them as soon as you can.
If you’re uploading anything by FTP, make sure you reset your file permissions each time.
And—seriously—do not download premium themes and plugins from non-official sites.
Try out some proven security-related plugins. There are plenty, but these are some options for you:
- Sucuri Security
- iThemes Security
- Jetpack by WordPress.com (requires a WordPress.com account)
- Wordfence Security
Follow their instructions to configure things as they suggest.
Cloudflare offers a free level of security and speed for your DNS. Similar to the firewall functionality I mentioned with Sucuri and SiteLock, it monitors activity “before” it hits your site to give you an extra layer of protection.
Monitoring Google Search Console Activity
Finally, be aware of the possibility that hackers can become the verified users for your website in Google Search Console in some scenarios. Consider the recommendations in that post and check in periodically.
We’re posting this on the Evermore blog in hopes that we’ll become a more reliable, up-to-date resource for this really scary scenario. If you feel something is out of date or incorrect, please touch base with us so that we can keep this article current and helpful.
If you’re interested in avoiding this entire scenario by hosting your site on a fully managed platform, Evermore would love to have you. Send us an email to get started.