The WordPress Rescue Plan

So what should you do if your site has been compromised?

Well, if you have followed our WordPress Security Checklist you are well prepared.

With the monitoring tools you have employed you will be notified as soon as the next scan detects the intrusion.

Assuming you have employed the backup plan we recommended in WordPress Backup – The Plugin and The Plan you should have a number of good backups to choose from.

Say you run a daily backup at 3am and your File Monitor Scan runs daily as well. Note that in the default setup of the File Monitor you cannot control the time of the scan. Like other WordPress scheduled tasks it is triggered by WP-Cron, which only fires when someone visits your website, so the time of the scan will vary from day to day.

Say for example that today is Thursday 21 April.

You get an alert from the File Monitor plugin that some files have been added to your site. The file dates are from Wednesday 20 April and the time of the email is 8pm.

Day                  Time   Action
Monday 18 April      3am    BackWPup
                     ??m    File Monitor Scan
Tuesday 19 April     ??m    File Monitor Scan
                     3am    BackWPup
Wednesday 20 April   ??m    File Monitor Scan
                     ??m    Suspicious Files Added
                     3am    BackWPup
Thursday 21 April    3am    BackWPup
                     8pm    File Monitor Scan

(??m marks an event whose time of day is unknown, so the order of events within those days is unknown as well.)


Because we do not have control over the time of the File Monitor Scan, the safe choice is to work with the backup file from Monday 18 April. This leaves one full day between the backup we treat as safe and the earliest day on which the intrusion could have happened.

We do not know the order of events on Tuesday and Wednesday. The Tuesday scan might have run before the Tuesday backup, so a clean scan result does not vouch for that backup. The infection could have taken place before the Wednesday backup. The dates and times on the suspicious files are not a safe indication of when the intrusion actually took place: an attacker can set a file's timestamp to any value, and malware often copies the timestamps of neighbouring files to blend in.

Also be aware of differences in time zones. File timestamps on the server are in the server's time zone, WordPress displays times in the time zone configured under Settings > General, and your own computer may use a third. Convert everything to one zone (UTC is the usual choice) before you compare the alert, the file dates and the backup times.

You could inspect the contents of the Tuesday backup file to see if it includes the suspicious files reported by the File Monitor Scan. If it does not, the backup is most likely safe, but this is not proof: the attacker may have modified existing files or the database before adding the files the scan reported, so the absence of those files only shows that the intrusion was not yet complete when the backup ran.

If you know that your site has not been updated with new posts or user registrations we recommend that you go a few more days back.

If your site has been updated Tuesday or Wednesday we recommend that you manually keep track of the changes, e.g. copy the contents of new posts to a file on your computer. When you have restored the backup you need to recreate the posts.

If new users have registered on your site you will need to email them and politely ask them to register again. Or you can recreate the users and email a new password to them. Check each of these registrations first: attackers often create an extra administrator account during an intrusion, and you do not want to recreate that one.

Before you restore your backup you should manually run a backup of your site as it is now. Save the backup in a safe place and clearly mark it as infected. Then remove the backup file from your hosting account and from your Dropbox. You do not want to confuse this backup with a clean backup at a later point in time. You will need this backup if you wish to investigate how the intrusion happened. You should also move any other backups taken since the safe backup, and mark them as potentially infected. In our example that would be the backups from Tuesday 19 April, Wednesday 20 April and Thursday 21 April. Record a checksum of each archive when you move it, so you can later show that the evidence has not been altered.
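The three checks above (looking inside a backup for the reported files, comparing timestamps in one time zone, and quarantining every backup taken since the safe one) can be scripted on the hosting account. The script below is an added example, not code from this article or from BackWPup. It builds four constructed tar.gz archives named after the article's timeline (the year 2011, the archive names and every file path are assumptions), finds the newest archive that does not contain the reported files, applies the article's one-day margin, lists what was added between two consecutive backups, and moves the later archives into a quarantine directory with a checksum manifest.

```shell
#!/bin/sh
# Added example (not from the original article): triage a series of daily
# backup archives after a File Monitor alert.  Everything below is constructed
# sample data; the archive names, paths and the year 2011 are assumptions.
set -u
export LC_ALL=C                      # stable sort order for sort/comm

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build four tiny tar.gz "backups", one per day of the article's timeline.
# The dropped file first appears in the Wednesday archive.
make_backup() {                      # $1 = YYYY-MM-DD, rest = site-relative files
  d=$1; shift
  for f in "$@"; do
    mkdir -p "$WORK/src-$d/$(dirname "$f")"
    printf '<?php // sample\n' > "$WORK/src-$d/$f"
  done
  tar -czf "$WORK/backup-$d.tar.gz" -C "$WORK/src-$d" .
}
CORE="wp-config.php wp-content/themes/twentyten/index.php"
make_backup 2011-04-18 $CORE
make_backup 2011-04-19 $CORE
make_backup 2011-04-20 $CORE wp-content/uploads/2011/04/example-dropped.php
make_backup 2011-04-21 $CORE wp-content/uploads/2011/04/example-dropped.php

# Paths reported by the File Monitor alert, one per line (constructed).
printf '%s\n' wp-content/uploads/2011/04/example-dropped.php > "$WORK/suspicious.lst"

# Site-relative file list of an archive, sorted, without directory entries.
list_files() {
  tar -tzf "$1" | sed -e 's#^\./##' -e '/\/$/d' -e '/^$/d' | sort
}

# Exit 0 if the archive contains any path from the suspicious list.
archive_is_suspect() {               # $1 = archive, $2 = list file
  list_files "$1" | grep -Fxq -f "$2"
}

# Paths present in $2 but not in $1: what was added between two backups.
added_between() {
  list_files "$1" > "$WORK/.a.lst"
  list_files "$2" > "$WORK/.b.lst"
  comm -13 "$WORK/.a.lst" "$WORK/.b.lst"
}

# Show the archive's own mtime for each suspicious entry, in UTC, so the
# timestamps can be compared with the alert regardless of time zones.
show_suspect_entries() {             # $1 = archive, $2 = list file
  TZ=UTC tar -tvzf "$1" | grep -F -f "$2" || true
}

# Pick the backup to restore: the newest archive that does NOT contain the
# reported files, then $1 further archives back as a safety margin (the
# article uses a margin of one day because the scan time is unknown).
# Prints an empty line if no archive satisfies the margin.
restore_candidate() {                # $1 = margin, $2 = list file, rest = archives, oldest first
  margin=$1; susp=$2; shift 2
  n=0
  for a in "$@"; do
    if archive_is_suspect "$a" "$susp"; then break; fi
    n=$((n + 1))
  done
  idx=$((n - margin))                # 1-based position of the archive to restore
  i=0
  for a in "$@"; do
    i=$((i + 1))
    if [ "$i" -eq "$idx" ]; then printf '%s\n' "$a"; return 0; fi
  done
  printf '\n'
}

# Move every archive newer than the chosen safe backup into a quarantine
# directory, renamed so it cannot be mistaken for a clean backup, and record
# a checksum of each one before it is moved.
quarantine_after() {                 # $1 = quarantine dir, $2 = safe archive, rest = archives, oldest first
  qdir=$1; safe=$2; shift 2
  mkdir -p "$qdir"; after=0
  for a in "$@"; do
    if [ "$after" -eq 1 ]; then
      cksum "$a" >> "$qdir/MANIFEST.txt"
      mv "$a" "$qdir/$(basename "$a").INFECTED"
    elif [ "$a" = "$safe" ]; then
      after=1
    fi
  done
}

SAFE=$(restore_candidate 1 "$WORK/suspicious.lst" "$WORK"/backup-*.tar.gz)
echo "Restore from: $SAFE"
echo "Added between the Tuesday and Wednesday backups:"
added_between "$WORK/backup-2011-04-19.tar.gz" "$WORK/backup-2011-04-20.tar.gz"
show_suspect_entries "$WORK/backup-2011-04-20.tar.gz" "$WORK/suspicious.lst"
```

Run it against a copy of your backup directory rather than the live one, and pass the archives oldest first (date-stamped names sort correctly with a plain glob). If BackWPup is configured to produce zip archives, substitute `unzip -Z1` for `tar -tzf` in `list_files`. The margin argument is the operator's decision: 0 gives the newest archive without the reported files, 1 gives the article's one-day safety margin.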

Now you need to restore the safe backup from before the intrusion happened. You can find instructions for site restoration in the article How To Restore A WordPress Site.

Please be aware that the WebsiteDefender scan only runs once per month unless you have a paid account.

If WebsiteDefender reports an intrusion, the intrusion could have happened at any time since the previous clean scan, so you will have to go back at least one month to find a backup you can treat as safe.

Important! You need to do a complete site restoration including your database, because you do not know whether the intrusion also modified the contents of your database. Injected scripts in posts, altered site URLs in the options table and extra administrator accounts are all stored in the database and survive a files-only restore.

Follow The White Rabbit

Are you reading this article as a part of the Interactive Version of The WordPress Security Checklist?

If not you should take a look at the Table Of Contents.

This is the last article in the Checklist! Well done! Your site is now well secured.


Previous article: Securing PHP



About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!
