WordPress Hacked! How Do I Fix It?

WordPress hacked? Don’t panic, this post will help you fix your hacked site. In a previous post I wrote about 10 signs you have been hacked; I want to extend that post and tell you how to clean up a hacked site.

Don’t Panic!

I say don’t panic because people immediately go into crisis mode when their site has been hacked; they think the world is out to get them. I’m here to tell you it’s probably not personal and it can be fixed. WordPress is so widespread that people spend time probing and trying to find weaknesses in WP and in the hosting companies that host WordPress. It’s an easy target, and that is probably why your site has been attacked.

It’s only a website, and it can be fixed, we can get this back up and running quickly.  Take a deep breath and read on, Uncle WP Dude is gonna make it all better …

UPDATE November 2012 

Feel free to read the whole post, but I recently started working with a hack recovery specialist.

I’ve been working with Sucuri.net on a number of hacked WordPress sites for my clients.  At $80 their hack recovery and security monitoring package is absolutely excellent, get them on the case for a fast hack recovery.

Sucuri.net

 

Stop The Rot

The first thing to do is stop your site from upsetting any of your readers or clients. Often a hack attack will contain a payload your site visitors do not want, such as a redirection to a dubious site or a malware download.

I recommend installing the plugin Maintenance Mode; it will close down access to your site and only give a maintenance message.

If you are still getting issues, rename the file index.php in the root of your site.  Your visitors will get errors, but that is better than malware downloads.

Change Your Passwords

Your passwords may have been compromised, so immediately change all passwords. Here is a list to check off:

  • Your hosting account password – see hosting account for details
  • Your ftp password – see hosting account for details
  • All admin level WordPress passwords – change in the dashboard -> users section
  • Your WordPress database password – this will be changed on your hosting account and needs to be updated in wp-config.php

I also recommend you use strong passwords that are hard to guess. I like to use this site to create random passwords: http://www.pctools.com/guides/password/

Backup The Site As-Is

Create a backup of your database and files as they are now. The rest of this process will require files to be edited and deleted, so we need a fall-back point just in case, even if it is to a hacked state.

Back up your database; this can be done from your hosting account.

Connect to your site using FTP and copy all of the WordPress files to your pc.

WARNING: We are going to be making some fundamental changes to WordPress. You could damage your site if you make some of these changes incorrectly; you have been warned.

Install a Clean version of WP

Download a clean copy of WordPress from http://wordpress.org.  We are not going to do any auto-upgrades, we need complete control of this process to ensure all infected files are removed.

Connect to your site using ftp and delete wp-admin and wp-includes; this will make sure any rogue files in these directories are removed. DO NOT delete wp-content; this is where all your themes, plugins and uploads are held. We will deal with these separately.

Unpack and upload your clean version of WordPress to your site overwriting all of the existing files.
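Before deleting anything, the backup taken earlier can be compared with the clean download to see which core files were altered or added, which is useful evidence for the post mortem. The script below is an added example, not part of the original post; it assumes the clean copy is the same WordPress version as the hacked site (otherwise legitimate version differences show up as changes), and the function names are illustrative.

```python
import hashlib
from pathlib import Path

# The two core directories the post deletes and replaces wholesale.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not load into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root: Path) -> dict:
    """Map each core file's path (relative to root) to its SHA-256 digest."""
    index = {}
    for top in CORE_DIRS:
        base = root / top
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file():
                index[path.relative_to(root).as_posix()] = sha256_of(path)
    return index


def compare_core(backup_root, clean_root) -> dict:
    """Compare backed-up core files with a clean copy of the same version."""
    backup = index_tree(Path(backup_root))
    clean = index_tree(Path(clean_root))
    return {
        # Same path in both trees, different content: edited core file.
        "modified": sorted(p for p in backup if p in clean and backup[p] != clean[p]),
        # Present only on the site: a file WordPress never shipped.
        "added": sorted(p for p in backup if p not in clean),
        # Shipped by WordPress but gone from the site.
        "missing": sorted(p for p in clean if p not in backup),
    }


if __name__ == "__main__":
    import sys
    # Usage: python compare_core.py <backup_dir> <clean_wordpress_dir>
    for kind, paths in compare_core(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

Files reported as "added" or "modified" are the ones to keep from the backup and hand to whoever analyses how the attackers got in.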

Disinfect Your Plugins

Go into the dashboard and disable all of the plugins you have installed, taking care to make a note of which are active.

Download clean versions of your plugins.

Connect to your site using ftp and delete the contents of the directory wp-content/plugins.

Re-install all of your plugins, and then re-activate them from the dashboard.

Disinfect Your Theme

Get clean copies of your theme files from your theme developer.

NOTE: If you have made changes to your theme (adding plugin code, changing footer code, etc.), these will be removed and will need to be re-created.

Make a note of what makes up your sidebar widgets, take copies of any code, and what types of widgets you are using.

Connect to your site using ftp, and delete your theme files from wp-content/themes.

Upload the clean theme files and make sure the theme is activated correctly; if it is not, go to appearance -> themes and activate it.

Check and correct your widgets, and re-add any changes you have made.

Check your wp-config & .htaccess files

Review all wp-config and .htaccess files on your site to ensure they do not have rogue code inserted.  Remove any unwanted code.

Audit your Uploads Directory

Sometimes hackers leave malware scripts in the uploads directory. This is because there are so many subdirectories and files.
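A first pass over a downloaded copy of wp-content/uploads can be automated, since a media library should contain no server-side scripts at all. The script below is an added example, not part of the original post or of any plugin mentioned here; the extension lists and the function name are assumptions, and every hit is something to review by hand, not proof of infection.

```python
import os
from pathlib import Path

# Assumed list of extensions a web server may execute; none belong in uploads.
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".phar", ".pl", ".cgi", ".py", ".sh"}
# Assumed list of media/text extensions that should never contain PHP code.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".txt"}


def audit_uploads(uploads_dir):
    """Return sorted (relative_path, reason) pairs for files needing review."""
    root = Path(uploads_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            suffixes = {s.lower() for s in path.suffixes}
            if name == ".htaccess":
                # Can re-enable script execution for this directory.
                findings.append((rel, "server config file in uploads"))
            elif suffixes & SCRIPT_EXTS:
                # Catches cache.php and double extensions such as x.php.jpg.
                findings.append((rel, "script extension"))
            elif path.suffix.lower() in MEDIA_EXTS:
                # PHP tags are case-insensitive, so compare in lower case.
                if b"<?php" in path.read_bytes().lower():
                    findings.append((rel, "PHP code inside media file"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python audit_uploads.py <path to local copy of wp-content/uploads>
    for rel, reason in audit_uploads(sys.argv[1]):
        print(f"{reason:32} {rel}")
```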

Install WP-Malwatch

I wrote a plugin review of wp-malwatch. Get this installed as soon as possible and do a scan; this is particularly helpful for auditing your uploads directory. This plugin will check various files and locations for known hack attack signatures and inform you.

Audit Your Database

Get access to your database and review it for unusual entries.

Things to look for:

  • Unusual tables
  • Unusual users in the wp_users table
  • Unusual entries in the wp_options table

I’m sorry I cannot be more specific; you need an understanding of the WordPress tables and what plugins you have installed to spot issues.

Re-Check after a couple of days

Re-check your site after a couple of days; you may have missed a back door and your site can get re-infected.

Do A Post Mortem

Shout at your hosting company, ask them to analyse your logs, and ask them to identify how the hackers got in. Many of the hack attacks I have fixed recently have been because of poor hosting security: the hackers found a back door on the hosting setup and infiltrated many sites. If it was an issue with hosting, consider migrating to a new company.

Check your logs to look for unusual activity, and try to see how they got in.

Secure your system

Once the hack attack and its payload are gone, you need to secure your system, but that is for another post. Please subscribe to my RSS feed or join my mailing list to be informed when that post is available.

Do You Still Need Help?

I offer a WordPress hack recovery and security review package; I would love to help you solve your WordPress hacked issue.

5 Responses to “WordPress Hacked! How Do I Fix It?”

  1. Fran December 5, 2010 at 7:06 pm #

    Hi – I had no visible signs of being hacked. This morning, I went to check my site, and was greeted by a page that said “Hacked by Protocol” with a picture of a penguin destroying a computer monitor. I tried to log into my site, and WordPress.org is rejecting my password. I tried to get a new password, and am getting nowhere. HELP!!!! I can’t do any of the things you suggested without being able to log in. Thank you – Fran

  2. TonnyAn Luijken June 14, 2011 at 8:21 am #

    Hi – I went to check my site to approve comments (till 09 June hundreds per day). I tried to log into my site, and WordPress.org is rejecting my password. I tried to get a new password, and am getting nowhere. They don’t have registered my E-mail-address anymore, which means the hacker changed the E-mail-address.
    {CONTENT REMOVED – Neil}

    Please HELP!!!! restore our site or tell us how to contact the right people at WordPress.
    Thanks and regards.

    • Neil Matthews June 14, 2011 at 9:55 am #

      You need to edit the database and find the wp_users table.

      You will find that the hackers have changed the default admin email address. Change this back and you can reset your password.

      Next you need to re-install a clean version of WordPress and all of your plugins and theme.

      Then change all passwords.

  3. Zach Taylor October 20, 2012 at 5:07 pm #

    My website has been suspended. Webhost said one of my widgets was hacked. I am unable to login to my Admin area or Cpanel. http://dynastymagazine.com/cgi-sys/suspendedpage.cgi
