How to Repair Your WordPress Website From the WP File Manager Plugin Hack

I saw the news of the WordPress plugin WP File Manager vulnerability risk while scrolling through my news feed and immediately had that sinking feeling.

Uh-oh. Is that the same plugin I use?

I checked, and sure enough – I had installed it a year ago for the same reason many bloggers have: It made life easier.

Unfortunately with the latest WordPress update, I had not changed my plugins to utilize the new auto-update feature. That was my first mistake.

I quickly updated the WP File Manager plugin and set all of my other plugins to auto-update. You should do the same. Immediately.

But had my website been compromised? Everything appeared to be in order, but I didn’t look any further into it. I assumed I was probably in the clear without further investigation. Who would want to hack someone’s tiny hiking blog, anyway? That was my second mistake.

Then I received an odd message from an Instagram user that one of the pages he had visited on the site opened up with a spammy contest page. That was weird.

Message: Hi, I saw you posted an article on Instagram "action blocked" but it's opening into a spammy fake competition - just thought I'd let you know!
I owe this guy a beer.

I checked out the website and everything looked to be in order. I decided that the Instagram message might have been spam itself.

You can see how this quickly became a comedy of errors.

I published a new blog post, and our website traffic immediately tanked. We went from several hundred pageviews a day to practically none. And, because the traffic downturn coincided with a new blog post, I thought maybe something had briefly affected my SEO. I cursed the WordPress and web hosting gods, but I figured the ship would right itself in a day or two. Just an anomaly I thought.

Google Data Studio chart showing web pageviews, sessions, users and organic searches dropping severely to almost zero.
Google Data Studio chart showing a severe drop in pageviews, sessions, users and organic search analytics for my website.

Strangely, when I checked Google Search Console, everything appeared to be normal. Impressions and clicks were unaffected. That should have been a huge clue for me that something was wrong. I definitely found it odd. Why would my web traffic decrease when the number of clicks recorded by Google Search Console remained unchanged?

Google search console screenshot showing 9k clicks and 264k impressions with fever chart showing steady data.
Google Search Console timeline showing seemingly unaffected data.

I decided to wait a day and see if things improved. They did not.

Then I had a thought: What if that Instagram user was right? I pondered it for a minute and realized he probably found my website via Google, so I searched a keyword string that I knew would return my highest-ranked page.

When I clicked on the link, I was horrified. A page that was not mine opened with animated confetti and a present. “You’ve made the 5-billionth search,” it read. It was the dreaded WordPress hack redirect malware. This was bad.

Present with confetti for the 5 billionth search malware hack. You've made the 5-billionth search WordPress redirect hack spam contest.
“You’ve made the 5-billionth search!” Uh-oh, this was bad.

Which brings me to what was probably my biggest mistake of all: I had removed my Wordfence plugin because an update last year caused the whole site to crash. I decided that was the last straw and that I really didn’t need the plugin anyway. In hindsight, the issue was likely a problem with my hosting provider.

You Absolutely Must Install Wordfence

But, after realizing the site had been hacked, I knew I needed a quick way to scan my files and survey the damage. Wordfence free version to the rescue! Note the word “free.” It does have premium features, but the free version of Wordfence is pretty great.

Wordfence plugin, securing your WordPress investment. Use this plugin after getting hacked in the WP File Manager vulnerability.
I installed Wordfence after I discovered my site had been hacked in the WP File Manager plugin vulnerability.

I conducted a scan with the “high sensitivity” setting, and WordFence quickly pointed out a dozen suspicious files showing the before/after differences.

Hackers had quickly injected code into my wp-config.php file as well as any other plugin or file they could infect.

Clean Up Your Code

Using Wordfence, you need to open the red-flagged files in the plugin interface and review the “diffs.” That is, you need to compare the original files with the updated ones (what the hackers did to them) and see what has been changed.

The injected code will stand out like a sore thumb. You do not need to know a lot about PHP. The hacked code will largely look like gobbledygook because hackers try to obfuscate what it is their malicious code is doing.

You should make copies of the files before editing them just in case you, ya know, crash your whole website. To edit the code in the files you can use any IDE (I like Adobe’s free Brackets code editor) or a simple plain text editor like Notepad, but first you need a secure way of getting to the files.

Use FileZilla

Since WP File Manager had already been compromised, I decided it was probably a bad idea to try and use it to open and clean up the infected files.

I had previously used FileZilla to connect to my site via FTP, and I guess I’d gotten away from using it because WP File Manager made everything easy. But FileZilla is just as easy, and in hindsight it is far more secure. From FileZilla you can open your infected files and edit them.

Viewing the live traffic in Wordfence, I saw that hackers were attacking my site multiple times a minute from across the globe.

Although I had updated the WP File Manager plugin security patch, I soon discovered I needed to just uninstall the stupid plugin and eliminate access altogether. After all, updating the plugin was useless because it only updated its own crappy code – it didn’t fix the garbage that had been injected into files outside of it.

The chart below shows a temporary restoration of web traffic after I updated the WP File Manager plugin, but you can see that hackers quickly regained control. How? They had access to my wp-config file. The damage was already done and the hackers had a back door.

Web traffic analytics showing a brief recovery after updating the WP File Manager plugin, but then another drop.

Only after I edited all of the infected files did my web traffic go back to normal volumes, as shown below.

Website data showing complete recovery after fixing WordPress site from the WP File Manager plugin hack.

Prevent It From Happening Again

The constant attacks on my site surprised me, and to be honest it was kind of fascinating to watch. It totally changed my way of thinking that no one would be interested in my little website. In fact, the hounds of hell had been at the door all along, waiting for just a crack …

The number of attacks on my wee hiking blog was an eye-opening reality.

Besides the WP File Manager Plugin, the hackers were constantly after two WordPress files: wp-login.php and another file I didn’t recognize called xmlrpc.php.

After reading about the purpose of xmlrpc.php (it’s boring), something occurred to me – why am I even letting anyone but my own IP address near this file or my login screen?

Let me introduce you to the .htaccess file.

Edit Your .htaccess File To Stop Hackers

This is a server configuration document, and by adding just a few lines of code you can prevent anyone without the correct IP address from ever seeing your login screen.

The .htaccess file lies in the root folder of your website. Once you locate it (using FileZilla), open it for editing by right-clicking the file and add the following code (placing it right at the top is fine). Be sure to replace the x’s and y’s with any IP addresses you want to whitelist. I whitelisted my home network and my smartphone, but be advised that your mobile device’s IP address will often change. You can use wildcards to allow a range of IP addresses, but that’s a different blog post.

<FilesMatch "wp-login\.php|xmlrpc\.php">
# set up rule order
order deny,allow
# default deny
deny from all
# be sure to change the x's and y's to the IP addresses you want to allow
allow from x.x.x.x
allow from y.y.y.y

Notice that the periods in the files need to be escaped for the regular expression to work correctly, and multiple files need to be separated by the pipe character “|” (found by pressing Shift + \ ) .

I also added rules to block access to my wp-config file and the .htaccess file itself.

<files wp-config.php>
order allow,deny
deny from all

# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Take That, Hackers

And that’s that! Wait a few hours and check your Wordfence plugin under the Tools section to see if any attackers are still trying to access your site’s back end. You shouldn’t see any attempts at the files you flagged because the .htaccess file is blocking the hackers before Wordfence ever sees them!

If you don’t believe it, remove the code and wait – the hackers will find you almost immediately. I took down my code temporarily to make a small tweak, and in that one minute span a hacker tried to gain access. Like I said, the wolves are at the door!

You can also test your code updates by trying to access your site’s login page with a device whose IP address is not whitelisted in the .htaccess file. If you’ve done everything correctly, you should see the 403 Forbidden message below.

403 Forbidden - You don't have permission to access this resource - message shown for unapproved access attemp for wp-login.php

If you do see more hacking attempts in the Wordfence plugin’s Tools log, make sure your .htaccess code is free of errors, and add any additional files you see hackers trying to find.

Oh, and another reason to use FileZilla to access your .htaccess file is that if you DO have an error in it, you may actually crash not only the front end of your site but also the back end (meaning you wouldn’t be able to use, for example, the WP File Manager plugin).

So if you were to lose access to the back end, you could still connect via FileZilla to restore the old .htaccess file.

Questions or other tips? Drop us a comment below.

Good luck!

Related Posts