WordPress is a great blogging platform, but also a target of hackers. Many bloggers often find out that they have been hacked long after the fact. You may notice that suddenly all your permalinks have disappeared and that you have lost a great portion of your Google traffic.
In any event, if your WordPress installation was hacked, take action immediately to control the damage. At the end of this post, I’ll give some examples of how your blog could have been hacked, but first, let’s go over the steps to clean up the mess.
The first thing you should do, is make a back-up copy of your WordPress database: Log on to you server, select databases, select the WordPress database and click on the “export” tab. Next, make sure you select all tables and click on the go button. This will download your WP database to your computer.
You could search for bad code in your database on your local computer by opening the downloaded database in your favorite text editor and use the “find” command to search for inserted code that doesn’t belong there. Or you could do it directly in mysql.
Tables that should be looked at first, is the meta users table. If you are the only person posting on your blog, then there should be only entries that pertain to you (e.g. administrator). These entries should have a tag of “1“. Anything else could be fake user accounts created by the hacker or the WordPress Worm (2009) and should be deleted.
The posts‘ and comments‘ tables should be looked at in great detail: if your blog doesn’t contain many entries, I suggest you’ll look at everything, but otherwise perform a query on the following strings:
- eval64 _decode
- iframe
- instant-zero
- d0lphin
Next, look in all directories of your site for images with the .php extension. Also look at every folder for “index.php”. These php files may contain the following code and when executed, can re-direct your visitors to rogue sites.
Another favorite location to place bad code is in the uploads folder (wp-content/uploads). Make sure that you recognize the files: these should be media files (images, videos) that you uploaded to your blog. Anything else should be deleted.
Make sure that your template (theme) files are clean: if you’re not sure, just upload a fresh copy.
The last thing you need to do, is to upload a current version of WordPress. I would suggest you manually upload a fresh copy (make sure you keep a back-up of your wp-config.php file first and any template files that were changed by you). If your blog was hacked, I would recommend that you do not update the source code from within the admin area (available in newer versions of WordPress), but rather delete everything in your blog folder and upload a new version: updating to a newer version from within the admin area will not overwrite all files. If you have SSH access to your server, it will be faster to download the WordPress tar ball and unpack it on your server.
After you have your WordPress blog back up and running, keep it secure by upgrading to the latest version whenever an updated version becomes available. Once your blog is clean, you could always update the WordPress source code from within the admin area.
A good thing to do, would be to change your FTP passwords after every WordPress update. Read my post on using secure FTP to upload files to and from your server.
The number one reason why a WordPress blog becomes hacked is that it is running outdated software. We all procrastinate sometimes and many people ignore the “there is a new version available” message, especially after just upgrading. But it is important that you always keep the source code up to date. Whenever a security hole is discovered and a new version is published, hackers have know about this issue for a long time. It isn’t so much a question of if your blog can be hacked, but when.
Here is a good source of dealing with a WordPress hack (plus many informative comments).
Here are 2 blog posts by the Unmask Parasites Blog about similar attacks that are very useful (in fact, some of the search strings mentioned in this post came from that blog):
