WordPress is a very secure and well-coded platform. However, simply because it is so enormously popular, a lot of people try to create hacks and viruses for WordPress sites.
The Wordfence plugin is a great way to keep your WordPress site safe. Wordfence is a free plugin that scans your site for viruses, malware, trojans, malicious links and more.
In this tutorial, we're going to show you how to configure Wordfence, how to identify hacked files and what your options are for repairing them.
Step 1: Installation
You can get the Wordfence plugin from http://wordpress.org/extend/plugins/wordfence/ or search for Wordfence from the plugin page and click install.
There is a free version that does most everything you could want, and there is premium paid upgrade that gives you more functions and entitles you to priority support.
Step 2: Take the tour
Immediately after activation, you'll see the popup for a tour. It's worth the time for anyone new to web security to take this tour so you understand this plugin. After you're familiar, then you'll want to do a scan.
Step 3: Run a scan
- Click Scan on the Wordfence menu.
- Click Start a Wordfence Scan.
- Wait for it to complete.
- You will see problem areas marked in red. Don't panic this is normal on the first scan.
- And there are two features that are disabled. Click the links to enable those.
- Enable the two features to check your plugins and themes. This won't check your child themes. It will only check your original themes against the WordPress Theme repository.
- Clicking the links will take you to the configuration settings.
- It's a good idea to read all of your options and make sure you have things set the way you want.
- Setting Alerts is a useful feature. Wordfence will email you whenever there's a possible problem.
- Save your changes.
- Return to Scans on the Wordfence menu.
- Run the scan again.
- If you see Problems found scroll to the bottom of the page to view the actual problem.
Step 4: Review and fix errors or warnings
- You will most likely see these two warnings. This is nothing to worry about. These are log files. They are not dangerous, and if you view them you will see PHP warnings and actual errors.
- Check he links at the bottom of each one to see how you can deal with them.
- You have several options.
- You can actually view the log from here if you suspect there is an error that needs fixing. I wouldn't recommend deleting the file since you may need it.
- You can choose to have Wordfence ignore the file if you don't want to see this warning every time you do a scan. I decided to just leave things as they are. It just makes it easy to check the logs after a scan and I like the convenience of the handy link.
Step 5: Dealing with a hacked site
- If a core file has been hacked, and code inserted, Wordfence compares your code to the core files in the WordPress repository and issues an alert.
- This is a cause for concern, but not necessarily time to panic.
- Click the link See how the file has changed.
- You'll see the original file right next to the modified version.
- In this case, I made a correction to a file that was missing an end tag. Not serious and not something I really need to fix, since this reflects a change I made myself.
- If you see a lot of encoded characters, or any code you don't recognize, this is a very bad sign. We'll give you a todo list for dealing with it below.
- This isn't a problem so choose Ignore until the file changes.
- Since this is an index file and one that could possibly be attacked, I want to be alerted if someone else alters the file. I don't want to ignore changes forever.
Steps to clean your site after a hack
- Upgrade your site to the newest version of WordPress.
- Upgrade all your themes and plugins to their newest versions.
- Change all passwords on the site.
- Backup all your files and the database.
- Go to the Wordfence options page and make sure the options to scan core, theme and plugin files are selected. Then run a Wordfence scan. This compares your core, theme and plugin files against the original versions in the WordPress repository and lets you know how a hacker has changed them.
- When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
- Examine any suspicious files and delete them if they are dangerous. Remember that you can’t undo deletions.
- Look at any changed core, theme and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
- Look at any unknown files that are in core directories and delete them if necessary.
- Slowly work your way through the list until it is empty.
- Run another scan and confirm your site is clean.
- If you are still getting an alert from another product or from Google that says your site has a problem, get support from Wordfence and your web host.
Finally, if you do use a WordPress-only hosting company such as WPEngine or Pagely, don't be afraid to check with your hosting company and see if they have an process for cleaning your site. Many WordPress-only hosting companies help you clean up after a hack.