WordPress je hakiran — kompletan cleanup procedura korak po korak


WordPress je hakiran — kompletan cleanup procedura korak po korak

#Hosting #Email #SEO #safety #wordpress

Trenutak panike je sad. Otvoriš sajt i vidiš strane redirecte, prikrivene linkove, ili Google upozorenje 'This site may be hacked'. Možda klijent zove jer mu antivirus blokira tvoju stranicu. Ovo je operativni postupak što treba napraviti — redom, bez improvizacije.

Tri stvari na umu prije početka:

  1. Ne paničariti. Cleanup je proces, ne magija. 95% slučajeva je rješivo u 2-6 sati.
  2. Dokumentiraj sve. Screenshot-ovi, logovi, sumnjivi fajlovi — sve pohrani prije nego brišeš.
  3. Nemoj odmah brisati. Treba prvo razumjeti što se dogodilo da se ne ponovi.

Korak 1: Procjeni štetu

1.1 Provjeri javnu vidljivost

Otvori incognito tab. Posjeti svoj sajt iz oka korisnika.

  • Redirektira li na drugi sajt? Najvjerojatnije malicious redirect.
  • Prikazuju li se strani linkovi (Viagra, casino, drugi sumnjivi)? Spam injection.
  • Pokazuje li 'defaced' poruku? Defacement, hakerov ego trip.
  • Sajt izgleda normalno ali je u Google rezultatima drugačiji? Black hat SEO injection.

1.2 Provjeri Google Search Console

Pod 'Security & Manual Actions' u GSC vidiš jesu li:

  • Security issues (malware, phishing, social engineering)
  • Manual penalties
  • Sumnjivi novi URL-ovi indeksirani

1.3 Provjeri logove

cPanel → Metrics → Raw Access Logs (ili Visitors).

Što tražiš:

  • Suspicious POST zahtjevi na /wp-admin/, /wp-login.php, /xmlrpc.php
  • Pristup nestandardnim fajlovima (npr. /wp-content/uploads/x.php)
  • Spike u trafiku iz neuobičajenih countries
  • 404 spam (pokušaji pristupa različitim plugin URL-ovima)

1.4 Provjeri ima li sumnjivih admin korisnika

WordPress → Users. Ima li korisnika kojih ne prepoznaješ? Posebno s admin role-om. Često hakeri kreiraju 'wp-support' ili sličan korisnik.

Korak 2: Izoliraj sajt

2.1 Sigurnosna kopija "as is"

Prije bilo kakve akcije, snapshotiraj trenutno stanje. Imamo vodič za backup.

Razlog: forensics. Ako te haker pita za otkupninu (ransomware) ili ako trebaš dokazati štetu osiguravaju — treba ti dokaz.

2.2 Privremeno offline (opcionalno)

Ako sajt aktivno širi malware drugima, razmisli o privremenom maintenance mode-u. cPanel → File Manager → kreiraj maintenance.html, postavi u root, dodaj redirect u .htaccess:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule .* /maintenance.html [R=503,L]

503 je 'service unavailable' — Google razumije i ne penalizira ako je kratko.

2.3 Promijeni sve credentials

  • cPanel password (vidi vodič)
  • WordPress admin password
  • FTP/SSH passwords
  • Database password (i ažuriraj u wp-config.php)
  • API keys (Stripe, PayPal, third-party services)

Korak 3: Cleanup

3.1 Scan s anti-malware alatima

Tri alata za WP malware scan:

  • Wordfence (free + premium) — scan jedan klikom, prepoznaje poznate malware patterne
  • Sucuri SiteCheck — external scan iz oka Google
  • MalCare — automatic cleanup feature

WMD hosting ima Imunify360 server-level scanner koji već stalno radi. Ako je nešto detektirano, već je flagged u cPanel-u.

3.2 Manual scan suspicious lokacija

Najčešće lokacije malware-a u WP:

  • wp-content/uploads/ — PHP fajlovi NE smiju biti tu (samo slike, PDF, video)
  • wp-content/plugins/[plugin-name]/ — provjeri integritet protiv original plugin code-a
  • wp-content/themes/[theme]/ — slično
  • wp-includes/ — core fajlovi, NE smiju biti modificirani
  • wp-admin/ — slično

Komanda preko SSH-a koja nalazi modificiranu PHP fajlove u uploads:

find wp-content/uploads/ -name "*.php" -type f

Sve što ide u rezultat — sumnjivo.

3.3 Replace WP core i plugine

Najsigurniji način: brisanje i ponovna instalacija.

  1. Download WP fresh iz WordPress.org
  2. Brisanje sve u wp-includes/ i wp-admin/
  3. Upload fresh verzija
  4. Za plugine: brisanje folder-a, ponovna instalacija s WP repo (svi plugini koji nisu custom)
  5. Za teme: isto

Ovo zovemo 'core fresh' — eliminira 80% malware-a koji se ugnijezdio u plugin/core fajlove.

3.4 Provjeri bazu

SQL query koji nalazi sumnjivi sadržaj:

SELECT * FROM wp_posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%base64_%' OR post_content LIKE '%eval(%';

Pregled rezultata — ručno provjeri i obriši ili clean-aj sumnjive postove.

Drugi sumnjivi mjesta:

SELECT * FROM wp_options WHERE option_value LIKE '%eval(%' OR option_value LIKE '%base64_%';

3.5 Brisanje sumnjivih korisnika

WordPress → Users → izbrisaj sve admin-e koje ne prepoznaješ. Prebaci njihove postove na svog admin user-a prije brisanja (WP nudi opciju).

3.6 Provjeri scheduled tasks (cron)

WP plugin: WP Crontrol. Vidiš sve cron jobove. Hakerov malware često ostavi cron koji se reaktivira.

Plus na server razini provjeri cPanel → Cron Jobs. Sumnjivi unosi treba brisati.

Korak 4: Vraćanje na siguran stack

4.1 Update sve

  • WP core na najnoviju verziju
  • Sve aktivne plugine
  • Temu
  • PHP verziju (vidi vodič)

4.2 Postavi sigurnosne tunere

  • 2FA za admin user (vidi cPanel 2FA + WP 2FA plugin)
  • Limit Login Attempts Reloaded
  • WPS Hide Login — promijeni /wp-admin u nestandardni URL
  • Wordfence ili Sucuri — continuous monitoring
  • Disable XML-RPC ako ne koristiš
  • Disable file editing iz wp-admin: define('DISALLOW_FILE_EDIT', true); u wp-config.php

4.3 Pregled file permissions

Standard:

  • Folders: 755
  • Files: 644
  • wp-config.php: 600 (samo owner može čitati)

cPanel File Manager → odaberi fajlove → Permissions.

4.4 SSL forsiranje

Sve preko HTTPS. U .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Korak 5: Vraćanje na Google good standing

5.1 Reindex

Google Search Console → Removals → ako su sumnjivi URL-ovi indeksirani, traži uklanjanje.

Submit fresh sitemap (Yoast/Rank Math automatski generira).

5.2 Manual action review

Ako je GSC pokazao 'Security Issues' ili 'Manual Action':

  1. Riješi problem (cleanup završeno)
  2. U GSC, Security Issues → 'Request Review'
  3. Detaljno opišite što ste napravili
  4. Čekaj 7-14 dana

5.3 Ukloni warnings iz browsera

Ako Chrome / Firefox pokazuje 'Dangerous site' upozorenje:

  • Google Safe Browsing — automatski reupdates nakon GSC review-a
  • Microsoft SmartScreen — može trebati manual report submission

Korak 6: Post-mortem

Najvažniji korak — razumijevanje kako se dogodilo:

  • Outdated plugin? — koji, koje verzije, koja je ranjivost
  • Slaba lozinka? — brute force preko /wp-login.php
  • Compromised hosting? — manje vjerojatno na quality hostingu
  • Phishing → kradje credentials? — provjeri svoj email za sumnjive linkove
  • Insider? — ex-zaposlenik s pristupom

Bez razumijevanja root cause-a, šansa za ponovni hack ostaje. Najčešći uzrok: zastario plugin s poznatom ranjivošću.

Kad nazvati profesionalca

  • Cleanup pokušan, problem se vraća — zna se da je negdje persistent backdoor
  • Sajt ima osjetljive podatke (medicinski, financijski) — forensics treba ekspert
  • Velik shop s aktivnim transakcijama tijekom napada — implikacije za kupce, GDPR
  • Specifični malware koji ne odgovara standardnim alatima

WMD podrška radi cleanup za klijente na našem hostingu. Kontaktiraj info@wmd.hr sa SSL certifikatom za pristup ili otvori support ticket.

Prevencija na duže staze

Pregledali OWASP Top 10 (vidi naš vodič) — sve mjere primjenjive za WP. Brzi recap:

  1. Strong passwords + 2FA
  2. Auto-update WP core + pluginovi
  3. Plugin audit kvartalno
  4. Limit login attempts
  5. Promijenjeni admin URL
  6. Activity log plugin
  7. WAF na razini hostinga
  8. Robni backup (JetBackup 4x dnevno + 30 dana retention)

FAQ

Koliko traje cleanup?

2-6 sati za standardni WP hack. Više za kompleksne slučajeve.

Hoću li izgubiti SEO ranking?

Privremeno da (1-3 mjeseca). Brzina recovery-ja ovisi o brzini cleanup-a i Google review-a.

Trebam li nove credentials za sve?

Da. Sve passwords, SSH key-eve, API tokens — pretpostavi da su sve kompromitirano.

Što ako sam izgubio backup pred hack?

Ako nemaš starih backup-a (pre-incident), cleanup je teži. WMD JetBackup 30 dana retention obično pokriva — restore na pre-hack verziju, pa cleanup samo da otkriješ rupu kako se desilo.

Mogu li sajt ostaviti kompromitiranom dok cleanup?

Ne. Aktivno širenje malware-a → ban iz Google Safe Browsing → blacklist. Brzo reagiraj.

Zaključak

WordPress hack nije kraj svijeta. Ali je signal da treba serijoznije pristupiti sigurnosti. 95% incidenata je rezultat zastario softver + slaba password higijena.

Cleanup proces je predvidiv. Postoji formula. Slijedi je redom, dokumentiraj, uči iz incidenta.

Trebaš pomoć? Naš support tim radi cleanup-e svaki tjedan. Za incident response — info@wmd.hr ili live chat. Dostupni 24/7.

  Kako evaluirati hosting providera 2026 — 20-točkasti checklist prije potpisivanja
Jitsi Meet — self-hosted video konferencije bez Zoom-a, bez Google Meet-a  
  News

Our users about us

Adriano Bratovic

We have been cooperating with WMD for years. We cannot recommend them enough. They went above and beyond and went the extra mile (not included in the offer) countless times. Grateful to have such support and a provider.

Joško Matušan

Apsolutno sam oduševljen WMD-om! Korisnička podrška je fenomenalna -brza i profesionalna te rješavaju probleme dok ste još na vezi. Usluga je stabilna, brza i pouzdana. Od kada sam kod njih, a to je desetak godina, nemam apsolutno nikakvih briga oko svog weba, tako da sam kod njih smjestio već 4…

ivan K

Svaka čast svima u WMD podršci, koristimo dosta usluga od WMDa i svaki puta i u bilo koje doba dana ste na usluzi. Sigurno budemo i dalje koristili vaše usluge

Goran Stevic

I have to admit, I have worked with various companies, but kudos to you, you are the best!!! Quick answers, solve the problem quickly, really professional, kudos to you greetings from Sweden

Ivana Ivanusec

WMD is our long-standing and reliable partner in the world of hosting and web design! 🚀 Their top-notch technical support, speed, and professionalism allow us to deliver flawlessly functioning websites to our users. They are always available, accommodating and ready to help, and they are extremely…

Tomislav Vrkljan

WMD offers quality web hosting services with excellent customer support. I have been using their services since 2006 and in all these years I have not come across a more reliable partner in this field. Their expert team quickly and efficiently solves any technical challenge, while the flexibility…

Portal dugoselo.info

"The speed, knowledge, and availability of WMD customer service gives me full confidence in the project, ease, and security in using the service and tools. They quickly, very communicatively, and professionally resolved every query I had."

GNOSIS Translation Agency

After experiences with various providers, we finally found a reliable hosting partner in WMD. The quality of service is at a high level, and we quickly receive an answer and an adequate solution to every question we have. I can recommend WMD to anyone who wants quality and reliable hosting.

Problems for May 1st

Since we wanted to create the content on the website ourselves, we chose WMD. And as it happens with beginners, we encountered an unsolvable problem. We sent a request for help to WMD, or rather HELP!!!!!. It was on May 1st of this year, well after midnight. And…. very quickly (really VERY quickly)…

SEO.hr

If you decide to host based on price, you will most likely end up at the back of the queue when something happens to the server. My advice is to not skimp on hosting and to get hosting where someone will always be there to help you and make sure everything is running smoothly no matter how big or…

Gamabon doo

In the economic crisis that has been on our market for a long time, every expense, whether for a good or a service, seems excessive or expensive, regardless of the specific monetary value. And when the good or service is of poor quality, then the expense is especially large and expensive, even in…

1Click - IT solutions

We switched to your hosting a while ago based on a recommendation from a colleague. Although we already had several domains with services opened with other hosting companies, we must emphasize that we are extremely satisfied with the switch. We would like to take this opportunity to commend your…

Virna, trade for IT services

I would like to take this opportunity to commend your customer service and your service in general. Your administrators are fair, kind and have enormous patience for all questions and are willing to help at any time. I have been doing this job for 20 years and I can freely say that I have only had…

Specialist practice of family medicine with diagnostics

If you want to have a beautiful and functional website that will reflect your business, I definitely recommend WMD. I have been working with this company for 7 years and I am extremely satisfied with their hosting services, web design, and especially the speed and quality of web support. It is…

Helcos doo

Dear gentlemen! I congratulate you on your idea and realization of the JUMBO posters . They are unique and useful. I suggest you make them bigger, I think they are not sufficiently known and recognized by the public. You responded quickly and professionally to my request to change the background…

SEE ALL COMMENTS FROM OUR USERS
CMS create a website yourself
400+ web scripts on click
CMS, Shop, Blog... automatic installation in 1 click

trial period of
7 days

Domain active
in 5 minutes

WordPress je hakiran — kompletan cleanup procedura korak po korak