Your Website has been Hacked
Almost every company puts up a web page these days, and many individuals run small online businesses off WordPress installations too. If you have ever done this at any kind of scale, you will inevitably run into hackers doing all kinds of things to your site: removing content, posting advertising links, and even hijacking your Google site verification. That last one can even prevent you from registering your own site with Google and other online companies. The most touted answer to these concerns is increased security. While security is always a concern, it doesn't address what to do when your site is already hacked and Google is actively warning people not to visit it because of malicious software. Here is what it looks like when some hacker in Japan hijacks your site:
If your website is hacked, what can you do? You can try to isolate specific problems and troubleshoot them one by one, or you can fall back to the last known good state. In this post I'll show you a combination of these two approaches that lets you reliably recover a WordPress site in a few minutes. There is no right or wrong way to do this; the only thing that matters is success. Can you recover?
In this post I lobbied for AWS as a hosting provider, using Lightsail for WordPress installations. Lightsail has gotten even better by offering snapshots of your instances and the ability to export them to EC2. Snapshots should become your first line of defense for disaster recovery. If someone takes down your site and locks you out of authentication, you can shell into the server running it, or use a snapshot to spin up a potential replacement. Once the replacement is ready, you simply use Route 53 to cut traffic over to the new IP via its A record.
Locked Out Authentication
A common hack on WordPress sites is to lock you out of your login. WordPress comes with a default user. Never use this user, because it is a simple attack vector. Instead, create a new user with admin privileges and delete all the others. You can also use the WordPress command line interface (WP-CLI) to recover from locked-out authentication. Use the following command to list the known users:
wp user list
Then you can change any user's password with the command
wp user update USERNAME --user_pass="PASSWORD"
A Full Restore
Step by Step
If you are using Lightsail, you can see how I'm snapshotting my releases as I go.
If my current deployment gets hacked, I can choose a snapshot and create a new instance from it. This will be a pristine deployment, accessible from the public IP assigned to the new server. This instance will even recover user logins and proprietary logos. At this point you can have your current hacked version reachable from your domain name and its potential replacement up at the same time, so you can make sure you carry over the latest content while excluding the exploited data. To cut the traffic over, edit the A record like this:
Take note of the TTL in the DNS record, because propagation can take time. Once the new instance is up and running, you can safely kill your old one.
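The cutover described above, scripted with the AWS CLI as an added example (not the post's own code): it lowers the TTL on the old record ahead of time, smoke-tests the rebuilt instance through the real hostname before DNS changes, then UPSERTs the A record. `example.com`, the hosted zone id and the instance name are placeholder assumptions; the AWS CLI is assumed to be configured.

```shell
# Added example, not from the original post: cut traffic over to a Lightsail
# instance rebuilt from a snapshot. Assumes the AWS CLI is configured.
# DOMAIN, HOSTED_ZONE_ID and NEW_INSTANCE below are placeholder assumptions.
set -eu

DOMAIN="${DOMAIN:-example.com}"                      # apex name served by the site
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-HOSTED_ZONE_ID_PLACEHOLDER}"
NEW_INSTANCE="${NEW_INSTANCE:-wordpress-restore}"    # instance created from the snapshot
TTL="${TTL:-60}"                                     # short TTL so the swap propagates fast

# Build the Route 53 change batch that UPSERTs the apex A record to the given IP.
route53_change_batch() {
  name="$1"; ip="$2"; ttl="$3"
  printf '{"Comment":"cutover to rebuilt instance","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.","Type":"A","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$name" "$ttl" "$ip"
}

# Apply a change batch to the hosted zone.
apply_change() {
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" --change-batch "$1"
}

# Step 0 (do this ahead of time): re-publish the OLD IP with a short TTL so
# resolvers stop caching the long TTL before you flip the record.
lower_ttl() { apply_change "$(route53_change_batch "$DOMAIN" "$1" "$TTL")"; }

# Public IP Lightsail assigned to the rebuilt instance.
new_instance_ip() {
  aws lightsail get-instance --instance-name "$1" \
    --query 'instance.publicIpAddress' --output text
}

# Smoke-test the replacement through the real hostname before touching DNS:
# --resolve pins $DOMAIN to the new IP for this request only.
verify_replacement() {
  curl -sS -o /dev/null -w '%{http_code}' --resolve "$DOMAIN:443:$1" "https://$DOMAIN/"
}

cutover() {
  ip="$(new_instance_ip "$NEW_INSTANCE")"
  code="$(verify_replacement "$ip")"
  if [ "$code" != "200" ]; then
    echo "replacement at $ip answered HTTP $code; not cutting over" >&2
    return 1
  fi
  apply_change "$(route53_change_batch "$DOMAIN" "$ip" "$TTL")"
  echo "A record for $DOMAIN now points at $ip (TTL $TTL); retire the old instance once traffic has moved"
}

# Run with RUN_CUTOVER=1 (call lower_ttl OLD_IP beforehand); sourcing only defines the functions.
if [ "${RUN_CUTOVER:-0}" = "1" ]; then cutover; fi
```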
Hot Back Up
If you are the paranoid type and willing to spend some extra money, you can maintain a hot backup of your site. Don't host it on a subdomain, though: if you are attacked, it's trivial to get to the subdomains. It is possible to maintain a hot backup with no public visibility, and doing so leaves you with the easiest recovery of all.