If Your WordPress Blog Has Been Hacked/Infected…


Source: Flickr, by subcircle

So, you think your WordPress blog has been hacked/infected? Sorry to hear that. Here are some straightforward steps to get back on track. First, understand that any file within your hosting account is a potential threat: the attacker may have modified or added files anywhere, not just in the obvious places. Unless you have the time and knowledge to manually check each and every one of them, you will be better off setting the whole old installation aside and rebuilding from clean copies, keeping only what you have verified.

Step 1: Is your antivirus up to date? I know it sounds obvious, but trust me on this one. A lot of WordPress break-ins start with a stolen FTP or admin password, and the usual way to steal one is malware on the PC you manage the site from. If that machine is still infected, every new password you set will be captured the moment you type it, so trying to fix the site before cleaning your PC is useless. Try the ESET NOD32 Antivirus Version 6 Beta while it's available.

Why not just download the latest cracked version from a torrent? First of all, it's illegal. Second, a cracked copy only has the virus signature database from the day it was uploaded, and it usually cannot update itself. New signatures are released constantly (which is why I mentioned the complexity of today's malware), so without up-to-date signatures the antivirus is of little to no help. Just so you get an idea of how important this is: my virus database updates every hour.

So let’s suppose you ran a scan and removed all potentially unwanted items on your machine.

Step 2: If you want to be 100% safe, it would be a good idea to change all your passwords, starting with:

  1. Email password.
  2. Hosting account password (and the FTP password, if your host keeps it separate).

Again, there's no point in changing the passwords if your machine isn't clean: a keylogger will simply steal the new ones.

Step 3: Let's go in through the back door instead of the WordPress dashboard. Use an FTP program and log in to your hosting account (use SFTP or FTPS if your host offers it; plain FTP sends your password in the clear). In the root of your account, outside public_html, create a new folder (call it anything you like, say "hacked"), and move all the files from public_html into it. Because the new folder is outside the web root, nothing in it can be served to visitors any more, which minimizes the chance of someone else getting infected by visiting your site, and the chance of the malware finding a way to duplicate itself. FileZilla is a great FTP tool I've been using for years.


Step 4: Go to your hosting account and find the database your blog is on (MySQL Databases for cPanel users), and change the database user's password. If you forgot the name of the database user, open the wp-config.php file in your (now moved) WordPress installation folder and look for the line that defines DB_USER; the database name is on the DB_NAME line and the table prefix (usually wp_) is in $table_prefix. You will need the new password again in Step 6 when you configure the fresh installation.


Step 5: It's time to change the WordPress admin password. We'll do it the old-fashioned way (do not use the password recovery form on the login page, since the e-mail it sends could be intercepted or the old files could have been tampered with). If you're using cPanel, find phpMyAdmin in your panel and open the WordPress database (just like in Step 4, you can find the name of the DB in wp-config.php on the DB_NAME line). Find the wp_users table in the left bar (the prefix may differ if $table_prefix was changed). Find the admin user and click Edit; you should see the user_pass field with a long hashed password next to it. WordPress stores passwords as hashes, not encrypted text, and it still accepts a plain MD5 hash in this field: on the next successful login it re-hashes the password with its stronger current scheme. So, get the MD5 hash of your new password. The safest way is to compute it locally, or to pick MD5 in the "Function" drop-down phpMyAdmin shows next to the field and type the new password in the value box; if you use a web-based MD5 tool, remember you are handing your new password to a third party. Paste the hash into the user_pass field and press Go. Great! Now you've changed the admin password.

Remember that the password you will log in with is the one you typed in, not the long hash you pasted. The long hash is just the way the password is stored in the database.
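As an added example (not from the original post), here is a small shell script that does Step 5 without pasting your new password into anyone's website. It computes the MD5 locally and prints the UPDATE statement to run in phpMyAdmin's SQL tab. The table prefix, login name and password are parameters you supply; the password used in the demo call is made up.

```sh
#!/bin/sh
# Added example: reset a WordPress user's password without a third-party MD5
# site. The hash is computed locally; WordPress accepts a plain MD5 in
# wp_users.user_pass and re-hashes it with its own scheme on the next login.

# MD5 of the exact string given (no trailing newline), portable across
# GNU md5sum and BSD/macOS md5.
wp_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | md5 -q
  fi
}

# Double any single quote so the login name is safe inside the SQL literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# Emit the UPDATE statement for phpMyAdmin's SQL tab.
#   $1 = table prefix from wp-config.php ($table_prefix, usually wp_)
#   $2 = user_login of the account to reset
#   $3 = the new password (plaintext; only its hash goes into the SQL)
wp_reset_sql() {
  prefix="$1"; login="$2"; newpass="$3"
  printf "UPDATE %susers SET user_pass = '%s' WHERE user_login = '%s';\n" \
    "$prefix" "$(wp_md5 "$newpass")" "$(sql_quote "$login")"
}

# Demo with a constructed, throwaway password. For real use, read it
# without echo so it does not end up in your shell history:
#   printf 'New password: '; read -rs newpass; echo
#   wp_reset_sql wp_ admin "$newpass"
wp_reset_sql wp_ admin 'CorrectHorseBatteryStaple!2012'
```

Copy the printed line into phpMyAdmin's SQL tab and run it. If your admin account is not literally called "admin", check the user_login column of wp_users first. MySQL also has a built-in MD5() function, so `UPDATE wp_users SET user_pass = MD5('newpass') WHERE user_login = 'admin';` works too, at the cost of typing the plaintext into the SQL tab.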


Step 6: Get the latest WordPress version from wordpress.org and install it in the now-empty public_html folder. Or use an installer script if your hosting company offers one (like Fantastico or Softaculous).

Remember that no matter how you do it, you'll still need to edit wp-config.php so it points at your existing database: the DB_NAME, DB_USER and the new DB_PASSWORD from Step 4, plus the same $table_prefix as before (an installer like Fantastico will otherwise create and use a brand-new, empty database).

Step 7: Check the website (visit your website).

WordPress will probably ask you to update the database (click “update database”).

You should be able to see your old content by now (without the images and theme, since wp-content is still the fresh default).

Step 8: I know most of you would just like to copy the whole wp-content folder back, but in most cases the malware hides exactly within the code of some of those files. I usually notice the signatures within the plugins and sometimes even the themes.

  • If your theme can be downloaded again from its original source, or you have a backed-up version from before the infection, use that. If that's not possible, check the code (ask for help in case you are not sure you have the right skills).
  • If you're worried about the plugins, just make a list of those you need and re-install them later from the official repository (their settings will be kept, since the database is still the same). Do not just copy the files back.
  • To rescue the images, you'll have to check all the files and folders within the "uploads" directory. Anything that is not an image file (a .php file, an .htaccess, a file with an odd name) is almost certainly planted and should be deleted; attackers like this folder because it is writable by the web server.

Again, all these steps only help if you are sure the plugins and themes you are using are not the ones that caused the trouble in the first place. If you noticed the malfunction right after installing a particular plugin or changing a theme, you should have it checked (and not install it back). Here's a plugin I do not want you to use (malware): ThreeWP Activity Monitor.

Copy the uploads folder (which you carefully checked) into the new installation, under wp-content.

Step 9: Run a full scan of the website with an external scanner. I suggest Sucuri's free SiteCheck.

Step 10: If Sucuri found no infections, you can start installing the plugins and theme you need, one at a time. After that I recommend you run the scan once more. If this time Sucuri finds something, you can be sure it's one of the plugins or the theme you just added that is causing the trouble.

Regards, Daniel C.

About Danielfive

What’s 3 hookers and an eight ball of coke to Charlie Sheen? A slow day.
This entry was posted in Tips Tricks & Tools, Wordpress.

2 Responses to If Your WordPress Blog Has Been Hacked/Infected…

  1. Danielfive says:

    @Nick: Thank you for reminding me!

  2. Nick says:

    Please remember to add a link and credit to the author of images you use that are released under the Creative Commons licence:

    http://www.flickr.com/photos/subcircle/500995147/
