So what should you do if your site has been compromised?
Well, if you have followed our WordPress Security Checklist you are well prepared.
With the monitoring tools you have employed you will be notified as soon as an intrusion is detected.
Assuming you have employed the backup plan we recommended in WordPress Backup – The Plugin and The Plan you should have a number of good backups to choose from.
Say you run a daily backup at 3am and your File Monitor Scan runs daily as well. Note that in the default setup of the File Monitor you cannot control the time of the scan. The scan will only be triggered when you have visitors to your website, so the time may vary.
Say for example that today is Thursday 21 April.
You get an alert from the File Monitor plugin that some files have been added to your site. The file dates are from Wednesday 20 April and the time of the email is 8pm.
|Monday 18 April||3am:||BackWPup|
|??m:||File Monitor Scan|
|Tuesday 19 April||??m:||File Monitor Scan|
|Wednesday 20 April||??m:||File Monitor Scan|
|??m:||Suspicious Files Added|
|Thursday 21 April||3am:||BackWPup|
|8pm:||File Monitor Scan|
Because we do not have control over the time of the File Monitor Scan the safe choice is to work with the backup file from Monday 18 April. This places one full day between the day of the intrusion and the backup file we determine as being safe.
We do not know the order of events on the Tuesday and Wednesday. The File Monitor Scan might have taken place before the backup Tuesday. The infection could have taken place before the Wednesday backup. The file dates and times on the suspicious files are not a safe indication of when the intrusion actually took place.
Also you need to be aware of differences in time zones between your WordPress host and your own computer.
You could inspect the contents of the Tuesday backup file to see if it includes the suspicious files reported by the File Monitor Scan. If not the backup is most likely safe.
If you know that your site has not been updated with new posts or user registrations we recommend that you go a few more days back.
If your site has been updated Tuesday or Wednesday we recommend that you manually keep track of the changes, e.g. copy the contents of new posts to a file on your computer. When you have restored the backup you need to recreate the posts.
If new users have registered on your site you will need to email them and politely ask them to register again. Or you can recreate the users and email a new password to them.
Before you restore your backup you should manually run a backup of your site as it is now. Save the backup in a safe place and clearly mark is as infected. Then remove the backup file from your hosting account and from your Dropbox. You do not want to confuse this backup with a clean backup at a later point in time. You will need this backup if you wish to investigate how the intrusion happened. You should also move any other backups taken since the safe backup, and note them as being potentially infected. In our example that would be the backups from Tuesday 19 April, Wednesday 20 April and Thursday 21 April.
Now you need to restore the safe backup from before the intrusion happened. You can find instructions for site restoration in the article How To Restore A WordPress Site.
Please be aware that the WebsiteDefender scan only runs once per month unless you have a paid account.
If WebsiteDefender reports an intrusion you will have to go back at least one month to find a safe backup.
Important! You need to do a complete site restoration including your database because you do not know if the intrusion also modified the contents of your database.
If not you should take a look at the Table Of Contents.
This is the last article in the Checklist! Well done! Your site is now well secured.
If you found this checklist useful please consider buying us a beer!
Previous article: Securing PHP
Please leave them below. Thanks!