How To Completely Remove Defacement From WordPress Site?

Imagine this – you wake up one morning, grab your cup of coffee, and get to work. When you open your WordPress site, you’re met with the horror of defaced pages. The content of your site has been changed and your website is ruined.

You see that your site is displaying unwanted ads and popups for adult content, fake products or illegal drugs. In some cases, hackers also display religious or political propaganda on your home page.

Such an attack can be devastating. You’ll lose visitors and customers because when they see your site is defaced, they’ll leave immediately. Things get worse if Google detects the hack as they will blacklist your site immediately. Your web host will suspend your account and take down your site till you fix the hack.

Luckily, you can fix your defaced website but you need to act fast to avoid dire consequences. In this guide, we’ll show you how to remove the hack, restore your site to normal, and prevent this from happening in the future.

TL;DR – To fix your defaced site, use our MalCare Security Plugin. It will scan your site and find the malware which is causing the defacement. Not just that, MalCare will also help you clean your site instantly.

What Is WordPress Website Defacement?

When a hacker attacks your site, they make all sorts of changes. They can redirect your visitors to their own site, steal sensitive data, or launch bigger attacks on other websites. One of the things they do is change the appearance of your site. In other words, to deface your WordPress site.

This is known as website defacement where hackers make it obvious that your site is infected. They display messages and you will usually see the hacker take credit for it. Sometimes they also include disturbing images and graphics that can shock your visitors.

Defacement attacks are meant to be noticed. Why do hackers do this? We’ve listed the top reasons why hackers target WordPress sites and deface them:

1. To propagate their religious and political agenda

Hackers deface websites to promote their political or religious views. They run defacement campaigns for social justice as well. Such hackers are known as ‘Hacktivists’.

One of the most popular defacements happened recently in Jan 2020. A US federal government website was hacked and defaced to show messages vowing revenge for the death of Iran’s most powerful commander Qassem Soleimani.


wordpress defaced


2. To show that the admin has failed to take adequate security measures

Hackers break into WordPress websites and deface them to make fun of the lack of security measures of the website. They make it obvious that the site is hacked and even display a message telling the site owner that their site security is inadequate.


website defaced


3. To sell illegal and counterfeit products

Some hackers sell their products directly from your website. They do this by replacing your homepage with their own online store.


pharma hack


4. To show off their skills or get a thrill out of it

In some cases, we’ve seen that hackers do it just for the fun of hacking WordPress sites and defacing pages. Some also just want to try out their hacking skills and improve on them. There are also instances of online contests among hackers wherein the hacker who defaces the most number of sites within a stipulated time period wins.

Now that we know why hackers deface WordPress sites, we need to check how the hack occurred in the first place. This step is very important as it’ll detect how a hacker broke into your website.

How Did Your WordPress Site Get Defaced?

There are several ways in which hackers would have gained access to your site. We discuss the most popular reasons here:

1. Vulnerable WordPress Core

It’s obvious that the WordPress core is an important part of your website. But the core like any other software can develop vulnerabilities.

The core is maintained by an army of the world’s best developers so it’s rare to find major WordPress vulnerabilities.

However, in 2017, WordPress experienced a rest API vulnerability called privilege injection that allowed unauthorized users to modify a website’s content. The developers of WordPress fixed the injection flaw and released an update. This means the vulnerability was disclosed publicly and hackers were made aware of it.

Unfortunately, many website owners delayed updating their WordPress websites. This led to hackers exploiting this vulnerability and defacing more than 1.5 million WordPress websites.

Since then, WordPress hasn’t had any major vulnerabilities. Its developers work hard at ensuring the software has airtight security measures.

2. Vulnerable WordPress Themes and Plugins

Like the core, themes and plugins also develop vulnerabilities no matter how well they are built. When that happens, developers usually patch the vulnerabilities and release updates. However, website owners sometimes defer updates for a while.

This gives hackers time to seek out these websites that are using the vulnerable theme or plugin. They find the vulnerability and exploit them to hack into your site.

3. Weak Login Credentials

WordPress users tend to set usernames and passwords that are easy to remember. But this also makes it easy to guess for hackers.

Hackers use a technique called brute force in which they program bots to make thousands of attempts at guessing your login credentials.

If you are using an easy-to-guess username (like ‘admin’) and password (like ‘1234567’), these bots can crack it in no time.

4. Lack of SSL Certificate

When a visitor comes to your site, there are occasions when data will be transferred between their browser and your web server. This data can sometimes contain sensitive information such as login credentials and credit card information.

Hackers can intercept this data while it’s in transit. If the data is stored in plain text, they can read and exploit this data to further their hacks.

An SSL certificate will encrypt this data. If hackers intercept the data, they won’t be able to decipher it. If your website lacks SSL encryption, hackers can exploit data transfers to break into your site.

There are many more ways in which hackers exploit WordPress sites. We recommend reading more on WordPress vulnerabilities.

Knowing how a hacker broke in will help you seal the entry point to ensure it doesn’t happen again. We discuss this further in the next section. First, we’ll clean up the hack on your website and bring it back to normal.

How To Remove Defacement From WordPress Website?

There are different WordPress defacement tutorials that show you how to clean up a hacked website but they don’t delve into the details of how to remove the defacement and get your site restored to normal. We’ll take you through all the steps you need to take to fix the hack and then fix the content of your site as well.

1. Scan Your Site

When your website is defaced, hackers usually insert malware into your site that makes the defacement possible. The first thing we recommend doing is scanning your site for this malware.

You can do this using a WordPress security plugin. Now there are plenty available in the market and you need to choose one wisely.

In a WordPress website defacement attack, hackers do the following:

    • Insert malicious code (also known as malware) into different parts of your site.
    • Disguise and hide their codes making it very difficult to detect.
    • Create secret entry points known as backdoors which allow them to access your site even after you clean it.

Not all plugins can sniff out hidden and disguised codes, and some overlook backdoors.

You need to use a smart plugin like MalCare that overcomes these challenges. The plugin runs a complete scan of your WordPress site in under a few minutes. If there is any malicious code on your site, MalCare is guaranteed to find it.

How To Use MalCare To Scan Your WordPress Site?

Step 1: Install the plugin on your WordPress site. You can get the plugin from the WordPress repository or from its official site.

Step 2: After you activate the plugin, access MalCare on your WordPress dashboard. Enter your email address and select ‘Secure Site Now’.


free malcare scan


Step 3: The plugin will automatically scan your website. Once it detects the malware on your site, you will see an alert displayed:


malcare security


2. Clean Your Hacked WordPress Site

Now that you’ve scanned your site, you need to clean it by removing the malware present. Many malware removal solutions on the market have long turnaround times. This means it could take days before your site is clean. 

But with the WordPress defacement hack, time is of the essence and you need to clean your site immediately. You can use a WordPress malware removal plugin.

MalCare is the only plugin that offers instant clean-ups. It runs an automated process to fix the hack and remove any backdoors on your site. And it does all this in just a few minutes.

How To Use MalCare To Clean Your WordPress Site?

Step 1: After you scan your site and detect the malicious files, MalCare offers an option to ‘Auto Clean’ your site. Select this option.


malcare auto-clean


Step 2: Sit back and relax while MalCare cleans up your site. Once it’s done, it will display the following:


malcare clean site


That’s it! Your WordPress site is free of any malware.

Note: Malware removal is a premium feature in all plugins. If you’re a first-time user of MalCare, you will need to sign up for a premium plan in order to access the ‘Auto-clean’ feature.

3. Restore your Backup

Now that the hack is removed from your site, you can get your site back to normal by restoring your backup copy.

A backup is an exact copy of your website. It comes in handy during times like these in order to restore your site to its previous state. You can restore your backup in three ways:

A) Using a Plugin

If you have installed a WordPress backup plugin on your site prior to the hack, you can use the service to restore your site to normal. For instance, if you’re using the BlogVault backup plugin, the restoration process is very simple.

    • Access your site on the BlogVault dashboard.
    • Under ‘Backups’, select ‘Restore’.


blogvault restore


    • Enter your FTP credentials, select your backup copy, and restore your site.

Your site will be restored to its previous state before the hack took place.

B) Using Web Host

In case you didn’t take a backup of your site using a plugin, you can check with your web hosting provider.

Most web hosts take regular backups of the sites on their platform. Upon request, they will send you a copy of your site. You may need to upgrade to a higher plan to access your backups.

The process of restoring your site differs from host to host. You need to check with them about the restoration process after your WordPress gets defaced.

C) Using Softaculous

If you haven’t used a plugin and your host doesn’t have a backup either, we suggest one last attempt – Softaculous.

Softaculous is an app installer that is included in your web hosting account automatically by your web host.

Developers use softaculous to install WordPress on the website. During the time of WordPress installation, Softaculous provides an option of backups. If the option to backup was selected, then Softaculous would’ve maintained a copy of your website.

Now, not all web hosts have Softaculous, but you can check by following these steps.

Check If Your Hosting Provider Has Softaculous

Step 1: Login to your web host account and go to cPanel.

Step 2: Here, you will find the Softaculous app. If there is no option of Softaculous, contact your host to find out if they provide it.


web host cpanel


Step 3: Inside this app, you will find backups. Click on backups and you will see options to download the backup or restore your site.


softaculous dashboard


Lastly, if you have no backup copy, you would need to restructure your site manually. You might need the help of your website developer for this. In case you haven’t taken a backup of your site thus far, we recommend doing so immediately. You can read more about the importance of backups and how to get one for your site in our guide on how to backup WordPress site.

If you’ve followed the steps mentioned above, we’re confident that your website is now hack-free and restored to normal.

Before we wrap up, you should know that these defacement campaigns and hacks are only growing more in number! Unfortunately, your site doesn’t become immune to defacement after one attack. There are chances of more attacks occurring in the future.

According to an article published by Mark Maunder, there has been a 26% growth in the number of defaced pages. This highlights the importance of taking preventive measures on your site to ensure this doesn’t happen again.

Steps to Prevent WordPress Defacement

In the sections above, we’ve covered the importance of a security plugin and backup solution for your site. These two measures are a must when it comes to WordPress security.

A WordPress plugin such as MalCare will scan and monitor your site regularly. It also puts up a firewall that will prevent hackers from accessing your site. So they can’t break in let alone deface it.

A backup is your safety net if things go wrong with your site. You can use it to easily restore your site and get rid of the defacement fast.

Apart from this, here are additional security measures that you absolutely must implement on your site:

1. Update Your WordPress Site

Like all software, WordPress and its themes and plugins are prone to security issues from time to time. The WordPress core installation has been very secure for the past few years. However, some of its themes and plugins tend to develop vulnerabilities.

When developers discover these vulnerabilities, they promptly fix it and release an update. Once you update the plugin or theme to the new WordPress version on your site, the vulnerability will be fixed.

This is why it’s so important to keep your site updated. If you defer updating your site, it gives hackers an opportunity to hack your site and deface it.

So if you see updates available, we advise updating without any delay.


wordpress core update notification


If you find updates difficult to manage, we recommend checking out our guide on WordPress updates.

2. Harden Your WordPress Site

WordPress has a number of features that enable you to create and manage your website. Hackers try to misuse these features to break into your site. Therefore, WordPress recommends disabling some features that you most likely do not need. It also recommends implementing certain security measures to harden your site. These include:

    • Using strong usernames and passwords
    • Disabling plugin and theme installations
    • Disabling plugin and theme editor
    • Limiting login attempts
    • Enabling two factor authentication

We won’t delve deep into this here as these measures need detailed explanations. We’ve put together a guide on How to Harden your WordPress site. You can follow this guide to make your site on WordPress secure against hackers.

3. Delete Inactive Themes And Plugins

Many WordPress site owners tend to try out new plugins and themes and then forget about them. But every extra element on your site gives hackers another opportunity to hack your site. We strongly recommend deleting any themes and plugins that you don’t use.

If you’re using pirated versions of themes and plugins, you need to delete them immediately. Most pirated software contains malware that infects your site when you install it. We strongly recommend that you avoid using pirated themes and plugins at all costs.

4. Use An SSL Certificate

As we mentioned before, hackers try to intercept data that is transferred from and to your site. They exploit this data to gain access to your site.

This issue can be resolved easily by installing an SSL certificate. This will ensure your data is encrypted and hackers cannot use this data.

You can buy an SSL certificate from your web host or any SSL provider. There are different SSL certificates you can buy that offer varying levels of protection. You can also get basic SSL certificates for free on sites like LetsEncrypt.

We recommend reading more on SSL certificates for your WordPress site. This guide will show you how to get a certificate and install it on your website.

Once you’ve implemented these measures, your WordPress site security will be airtight. You can be sure that hackers will find it extremely difficult to break into your site.

Final Thoughts

The reason your WordPress site was defaced is that hackers found a way to gain access to your site. You can prevent this from happening by taking ample security measures on your WordPress site.

We strongly recommend that you keep MalCare active on your site. The plugin will scan your site every day. It will also proactively block hackers from accessing your website so they won’t be able to attempt to hack it.

You can be sure that hackers won’t be able to deface your site in future.

Secure your WordPress site with MalCare now!

How To Completely Remove Defacement From WordPress Site

The post How To Completely Remove Defacement From WordPress Site? appeared first on MalCare.

*** This is a Security Bloggers Network syndicated blog from MalCare authored by Melinda Bartley. Read the original post at: