My Wordpress site was hacked

From DreamHost
There are alternate directions found at Cleaning WordPress Hacks.


If you suspect that your website has been hacked, the best thing to do is to reinstall any software application (for example, a content management system like WordPress or Joomla).

The steps below apply primarily to reinstalling WordPress, since that is the most commonly used (and therefore the most commonly hacked) software, but the general steps should hold true for many CMS installs.

These instructions will allow you to put a fresh, unhacked version of WordPress in place of the current hacked version. It will also guide you through removing all copies of your current themes and plugins and installing new, fresh copies.


If you would prefer to manually uninstall WordPress, plugins and/or themes, skip down to "But I Don't Want To Wipe Everything and Start From Scratch" below for information on how to fine-tune removing elements of WordPress using our panel, FTP or SSH.


Step 1: Change your WordPress theme

If you can access your WordPress Dashboard, log in, go to Appearance > Themes and activate the default theme.

Twenty Twelve is WordPress's current default theme. Since the following steps will take your WordPress install back down to a basic install, switching to the default theme now will make the process easier for you later.

If the default theme is not installed, or if you cannot access your WordPress Dashboard, there are instructions later in this article on installing your chosen theme into the clean install.

Step 2: Change your passwords

To change your FTP user's password, log in to the DreamHost panel and go to Manage Users. Click on "Edit" for the user that owns your WordPress install, and you can change the password for that user on the following page. (If you do not know which user owns your site, you can check on the Manage Domains page and see which username is listed under the "Web Hosting" column for that domain.)

Important Tip! For greater security, if your user is currently an FTP-only user, change it to an SFTP user at the same time you change the password. Click on "Edit" for the user, and change "User Account Type" from FTP to SFTP.
Example of the DreamHost panel, showing the "User Account Type" changing from FTP to SFTP.

To change your database password (the password that WordPress uses to access the database), go to the MySQL Databases page in your web panel. Under the column "Users with Access" click on the database username that you use for your WordPress install. On the following page, you can change the password for that user.

When you change this password, you will also need to edit your wp-config.php file to reflect this new password. There is information on how to edit the wp-config.php file to change the database password at codex.WordPress.org.

If you have multiple users for your database, make sure that you are changing the correct user's password. You can check which database user logs into your database for your WordPress install by looking at the wp-config.php file. There is information on how to check (and change) the database user name in your wp-config.php at codex.WordPress.org.

Step 3: Take the hacked code offline.

  1. Log in to the web server using FTP or SFTP. If your user type is FTP, it is strongly recommended to change it to SFTP, which encrypts the connection (plain FTP sends your password unencrypted). You can change your user to SFTP in the web panel under Manage Users.
  2. Find your domain's directory (folder). On DreamHost, the default name of the domain directory is yoursitename.com. You may have WordPress installed in that main directory (you would see a list of files and directories beginning with "wp-"). If WordPress is installed in a sub-directory, it could be in a directory called /blog or /WordPress or /wp -- it depends on where you installed it. Make a note of exactly what the domain directory is named (capitalization matters!).
  3. Rename the domain directory from yoursitename.com to something else, for example yoursitename.HACKED. IMPORTANT NOTE: Doing this will immediately take your site offline!
  4. Immediately create a new, empty domain directory with the same directory name as the old one (the one you noted in step 2).

Step 4: Install a clean, unhacked copy of WordPress.

  1. Reinstall WordPress to your domain either manually or via the One-Click Installer. If you previously used one-click, you will need to go to Manage Installed Applications and click on your domain's name, and then click on "Remove from List" under "Actions" to the far right.
    Example of an already installed application under "Manage Installed Applications"
  2. Connect your new WordPress install to your old database. To do this, you will need the Database Name, Username, Password, Host, and Table Prefix.
    Example of the lines just before the $table_prefix setting in a WordPress wp-config.php file

    You can find the table prefix in the previous install's wp-config.php. The line you are looking for is: $table_prefix =
    The value between the single quotes is the table prefix. For installs using DreamHost's one-click installer, the table prefix is usually wp_ followed by 5 or 6 random letters and numbers and concluding with an underscore (for example, wp_1a2b3_).
  3. After you have completed the famous 5 minute install, log in to FTP/SFTP and delete the wp-config.php in the live site's new WordPress install. (If you do not want to delete it, you can rename it to something else, such as "not_working.wp-config".)
  4. Go back to your new install and reload the page. It should now say "There doesn't seem to be a wp-config.php file. I need this before we can get started."
    - Example of first screen
  5. Click on "Create a configuration file". On the next page, click on "Let's go!"
    - Example of second screen
  6. On the next page, fill in the information you gathered above. Then click on "Submit".
    - Example of third screen
  7. The next page will have a button that says "Run the install". Click it.
  8. Since you already have data, you'll probably get a message saying that WordPress is already installed. This just means that you've successfully connected your WordPress installation to your old database.
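To gather the values that step 2 above asks for, here is an added shell script (not DreamHost's own tooling) that reads the database name, user, host and table prefix out of the old install's wp-config.php; the path in the usage line and the sample configuration it falls back to are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DreamHost's own tooling): read the database name, user,
# host and table prefix out of the old install's wp-config.php, which is
# what the "Create a configuration file" screen of the new install asks for.
# The old DB_PASSWORD is deliberately not printed: it was changed in Step 2,
# so the value in the old file is stale anyway.
# Usage: wp_config_settings ~/yoursitename.HACKED/wp-config.php
#        (the path is an assumption; use the directory you renamed in Step 3)

# Print the value of a define('NAME', 'value') line; $1 = file, $2 = constant.
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print the value of the $table_prefix = 'wp_...'; line; $1 = file.
wp_table_prefix() {
    sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print the values as NAME=value lines; fails if the file is unreadable or
# the prefix is missing, since the new install will not connect without it.
wp_config_settings() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    for name in DB_NAME DB_USER DB_HOST; do
        printf '%s=%s\n' "$name" "$(wp_define "$f" "$name")"
    done
    prefix=$(wp_table_prefix "$f")
    [ -n "$prefix" ] || { echo "no \$table_prefix line found in $f" >&2; return 1; }
    printf 'table_prefix=%s\n' "$prefix"
}

# Constructed sample wp-config.php, used when no path is given.
sample_wp_config() {
    cat <<'EOF'
<?php
define('DB_NAME', 'example_wp_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'old-password-not-needed');
define('DB_HOST', 'mysql.example.com');
$table_prefix  = 'wp_1a2b3_';
EOF
}

if [ -n "${1:-}" ]; then
    wp_config_settings "$1"
else
    tmp=$(mktemp)
    sample_wp_config > "$tmp"
    wp_config_settings "$tmp"
    rm -f "$tmp"
fi
```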

Step 5: Add your uploads, themes, and plugins.

Your WordPress is now fully installed and connected to your old database. However, it is not using your chosen theme, your chosen plugins, or your previously uploaded images.

Caution: Simply restoring a backup may not fix the hack!!!

In the event of a hacked website you may attempt to restore your files to a time prior to the hack via the DreamHost control panel. We keep backups primarily for the unlikely event of catastrophic hardware failure so we do not guarantee backups for any specific time period, or that they are necessarily available at all. Note that simply replacing the damaged code with old code from before the attack is not effective alone, as this will not address the attack vector that let the hacker in. Unless you find and fix the vulnerability that allowed this to happen in the first place, you will remain susceptible to continued hacks.


If you were able to change your theme to twentyeleven before you started, you should see it loading your posts, but without the correct theme. If your specific theme is not currently installed, you can install it through the Dashboard. There are instructions on how to install new themes through the Dashboard at codex.WordPress.org.

If you were not able to change the theme to twentyeleven before beginning, however, the site will probably load as a completely white page. This is because your database is looking for a theme that is probably no longer installed. WordPress themes are extremely vulnerable to hacking; always download and install a new copy of your theme rather than moving the theme files from your old install. Since you cannot access the Dashboard at this point, you will need to download a copy of your chosen theme (usually delivered in a ZIP format). Unzip it (if it is zipped), then log into FTP/SFTP and upload the theme to yoursitename.com/wp-content/themes, so that it occupies its own folder inside /themes. If your theme name is /my_theme, it should be inside yoursitename.com/wp-content/themes, so the path to the theme would be yoursitename.com/wp-content/themes/my_theme.

Once you have your chosen theme installed, you should be able to load your site and see your posts.

Your uploads (images and other media) are still in the other install's directory. Using FTP/SFTP, copy the contents from yoursitename.HACKED/wp-content/uploads to yoursitename.com/wp-content/uploads.

VERY IMPORTANT NOTE: Please check over the files you are moving and make sure they are all yours. If you move hacked code into your new install, it will infect your new site. The /uploads directory primarily contains media, so the files should end with extensions that indicate what kind of file they are (.jpg for a JPEG image, for example, or .mp3 for an MP3 audio file). BE VERY CAUTIOUS ABOUT FILES ENDING IN .PHP IN THE /uploads DIRECTORY.
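As an added example (not DreamHost's own tooling) of the check described above, the following shell script lists every file under an uploads directory whose extension is not a media type, that has no extension at all, or that carries a PHP open tag despite a media extension; the allowlist, the path in the usage line and the sample tree it builds when run without a path are assumptions.

```shell
#!/bin/sh
# Added example (not DreamHost's own tooling): list files under an uploads
# directory that need a look before the directory is copied into the clean
# install. A file is flagged when its extension is not on the media
# allowlist (adjust ALLOWED to the types your site really uses), when it has
# no extension at all, or when a file with a media extension contains a PHP
# open tag (a ".jpg" that starts with "<?php" is not an image).
# Usage: flag_uploads ~/yoursitename.HACKED/wp-content/uploads
#        (the path is an assumption; use the directory you renamed in Step 3)

ALLOWED='jpg jpeg png gif mp3 mp4 pdf'

# Return 0 if the file name's extension (lowercased) is on the allowlist.
ext_allowed() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    for a in $ALLOWED; do
        [ "$ext" = "$a" ] && return 0
    done
    return 1
}

# Print one "<reason> <path>" line per file that should be examined.
flag_uploads() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f | while IFS= read -r path; do
        name=${path##*/}
        case "$name" in
            *.*) ;;
            *) echo "no-extension $path"; continue ;;
        esac
        if ! ext_allowed "$name"; then
            echo "unexpected-extension $path"
        elif grep -q '<?php' "$path"; then
            echo "php-tag-in-media $path"
        fi
    done
}

# Number of flagged files; 0 means the directory looks like plain media.
count_flagged() {
    flag_uploads "$1" | wc -l | tr -d ' '
}

# Constructed sample uploads tree, used when no path is given: two
# media-looking files, a PHP file, a PHP file disguised as a GIF and a
# file without an extension.
sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2012/03"
    printf 'JFIF placeholder bytes' > "$d/2012/03/photo.jpg"
    printf 'ID3 placeholder bytes'  > "$d/2012/03/song.MP3"
    printf '<?php echo "constructed"; ?>' > "$d/2012/03/stray.php"
    printf '<?php echo "constructed"; ?>' > "$d/2012/03/not-really.gif"
    printf 'some notes' > "$d/2012/03/README"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    flag_uploads "$1"
else
    d=$(sample_uploads)
    flag_uploads "$d"
    rm -rf "$d"
fi
```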

The last step should be to install the WordPress plugins that you need for your site. Again, it is very important to install brand-new copies of your plugins, rather than copying over the files from the hacked install. You should be able to install the plugins that you need from inside your new install's Dashboard. Only install the plugins you know you need and use -- cutting down on inactive plugins limits a hacker's access to your install and makes WordPress run faster, too!

You're finished!

If everything went well, you should now have a brand-new install of WordPress, connected to your old database and with all your uploaded content, your chosen theme, and your chosen plugins!

Pitfalls, Special Circumstances and Other Oddities

Htaccess File Issues

Many hackers insert code into the standard WordPress .htaccess file. The best thing to do is to completely remove the old, hacked .htaccess and generate a new one.

  1. Delete the old hacked .htaccess file, if applicable
  2. In your WordPress Dashboard, go to Settings > Permalinks, re-select your permalink settings and save the page. This re-creates the base .htaccess. The direct URL for that would be http://example.com/wp-admin/options-permalink.php (replace example.com with the location of your WordPress site).
  3. If you have WP Super Cache plugin installed, you will need to go to Settings > WP SuperCache (http://example.com/wp-admin/options-general.php?page=wpsupercache) and re-choose "Use mod_rewrite to serve cache files. (Recommended)" and then click "Update Status" below. This will then pop-up a large yellow section below titled "Mod Rewrite Rules". At the bottom of that section, click a button that says "Update Mod-Rewrite Rules".
Important Tip! Most FTP programs hide files beginning with a "." by default. There are instructions on how to view hidden files for many common FTP programs in our FTP wiki article. If you don't see your own FTP program there, you should be able to check your FTP program's help file on how to view hidden files.
If you try to delete a WordPress install without first making sure that "Show hidden files" is active in your FTP program, you will most likely get an error saying that you cannot delete a directory because it is not empty, even though it appears empty to you.
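An added shell example (not DreamHost's own tooling) for looking over an old or freshly regenerated .htaccess: it prints every non-blank line that sits outside a "# BEGIN"/"# END" marker pair, which is where WordPress and WP Super Cache place their own rules, so anything printed was written by something else and deserves a look. The sample file it uses when run without a path is constructed.

```shell
#!/bin/sh
# Added example (not DreamHost's own tooling): print every non-blank line of
# an .htaccess file that sits outside a "# BEGIN <name>" / "# END <name>"
# pair. WordPress (and plugins such as WP Super Cache) write their rules
# between such marker lines, so anything outside them was put there by
# someone or something else and should be examined before you trust the file.
# Usage: htaccess_unmarked /path/to/.htaccess

htaccess_unmarked() {
    awk '
        /^# BEGIN /  { depth++; next }
        /^# END /    { if (depth > 0) depth--; next }
        depth == 0 && NF > 0 { print }
    ' "$1"
}

# Return 0 when nothing outside the marked blocks was found.
htaccess_is_marked_only() {
    [ -z "$(htaccess_unmarked "$1")" ]
}

# Constructed sample: the stock WordPress block followed by one line that
# WordPress did not write.
sample_htaccess() {
    cat <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Redirect 302 /constructed-example /somewhere-else
EOF
}

if [ -n "${1:-}" ]; then
    htaccess_unmarked "$1"
else
    tmp=$(mktemp)
    sample_htaccess > "$tmp"
    echo "Lines outside marked blocks in the constructed sample:"
    htaccess_unmarked "$tmp"
    rm -f "$tmp"
fi
```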


But I Don't Want To Wipe Everything and Start From Scratch

If you would rather manually remove plugins and themes that you think may be insecure (either to completely remove them from the situation or to replace them with updated, secure versions), here are some tips. (It's really, really, really, really, really, really, really, really a lot safer to install everything from scratch -- you may miss vulnerable files. Only do this if you really, really, really, really, really need to!)

Upgrade or delete unused install

If you have an old install that you don't use, either upgrade it to make it secure or (even better) remove it completely.

Upgrade WordPress install via DreamHost one-click installer

If there is an upgrade available, under "Actions" for that install, it will say "Upgrade to" and give the latest version number. Click on that, and presto! Your WordPress install will be automatically upgraded.

Upgrade WordPress install via WordPress Dashboard

If there is a new version of WordPress, whenever you log in to your Dashboard, there will be a notice on every screen that there is a new version. To update, click on "Updates" in the left-hand column, and follow the instructions to update WordPress through the Dashboard.

Delete a WordPress install using DreamHost's One-Click Panel

If you used DreamHost's one-click installer, only use "Delete all Files" if the install is alone in its directory and there is nothing else in that directory you want to keep. (If you have a whole other site at yourdomain.com/site and an old WordPress install at yourdomain.com, clicking on "Delete all Files" will remove everything in yourdomain.com, including yourdomain.com/site!!!)

If you can't use "Delete all Files" or you manually installed WordPress, you can delete the install using FTP or the command line (shell/SSH).

Delete a WordPress install using FTP

WordPress often uses .htaccess files (and they are commonly exploited by hackers).

Important Tip! Most FTP programs hide files beginning with a "." by default. There are instructions on how to view hidden files for many common FTP programs in our FTP wiki article. If you don't see your own FTP program there, you should be able to check your FTP program's help file on how to view hidden files.
If you try to delete a WordPress install without first making sure that "Show hidden files" is active in your FTP program, you will most likely get an error saying that you cannot delete a directory because it is not empty, even though it appears empty to you.


  1. Log in to FTP
  2. Find your domain directory
  3. Find the directory that your WordPress install is in (it may be the same as the domain directory)
  4. Delete all files beginning with "wp-".
  5. Delete all directories beginning with "wp-".
  6. Delete the following files (if present):
  • .htaccess
  • index.php
  • xmlrpc.php
  • readme.html
  • license.txt

At this point, there should be nothing left in the directory but files you have uploaded. If there are files still there that you do not recognize, examine them carefully -- they may be files placed there by a hacker. If you are certain that you do not want these files, you can delete them.

Once you are done, there should be nothing left in the directory but the files you want. The WordPress install (with all themes and plugins) is completely removed, and the files that are left should be checked to make sure they don't have any hacker exploits injected into them.

Delete a WordPress install using SSH

The instructions provided in this article or section require shell access unless otherwise stated.

You can use the PuTTY client on Windows, or SSH on UNIX and UNIX-like systems such as Linux or Mac OS X.
Your account must be configured for shell access in the Control Panel.
More information may be available on the article's talk page.

The instructions provided in this article or section are considered advanced.

You are expected to be knowledgeable in the UNIX shell.
Support for these instructions is not available from DreamHost tech support.
Server changes may cause this to break. Be prepared to troubleshoot this yourself if this happens.
We seriously aren't kidding about this.

  1. SSH to your site (usually ssh username@yourdomain.com in the shell)
  2. CD to your domain directory (the default directory name for DreamHost is /yourdomain.com)
  3. CD to the WordPress install (if it is not in your main domain directory)
  4. To selectively remove just WordPress files:
    1. type: rm wp-* (that will remove all files beginning with "wp-")
    2. type: rm .htaccess
    3. type: rm index.php
    4. type: rm xmlrpc.php
    5. type: rm readme.html
    6. type: rm license.txt
  5. To remove the WordPress install's wp-admin, wp-content, and wp-includes directory in one command, type: rm -R wp-*
More Information! -- "rm" stands for "remove" -- it deletes files through the shell. "-R" tells it to delete "recursively" -- it deletes all files in all sub-directories of the named directories, including files beginning with "." inside them. Note that a file beginning with "." in the current directory, such as .htaccess, is not matched by wp-* and must be removed separately (as in step 4).


Manage Plugins and Themes through the WordPress Dashboard

Update Plugins through WordPress's Dashboard

Update a single plugin
If updates for plugins or themes are available, the Dashboard shows a circled number next to "Updates" in the left-hand column, giving the count of themes and plugins that need updating.
WordPress Dashboard showing updates needed

Scroll down a bit, and the number of plugins that need to be updated will be displayed in a circle next to "Plugins".

You can either update each plugin individually by clicking on "update automatically" below the plugin or check the box at the top of the list (next to the word "Plugin", just above the name of your first plugin listed) and then select "Update" from the "Bulk Actions" dropdown, and then click "Apply" to update all plugins in that list.
Bulk update WordPress plugins

Uninstall Plugins through WordPress's Dashboard

See also: article on Uninstalling Plugins

Delete a specific plugin

To uninstall a plugin through WordPress's Dashboard, click on "Plugins" in the left-hand column in the Dashboard. You can individually delete plugins by clicking on "Delete" under the plugin's name (you will be asked if you are sure you want to do this). You can bulk-delete selected plugins by checking the box next to the plugins you want to delete and then selecting "Delete" from the "Bulk Actions" dropdown, and then clicking "Apply". You can also delete all plugins at once by checking the box at the top of the list (next to the word "Plugin", just above the name of your first plugin listed) and then select "Delete" from the "Bulk Actions" drop-down, and then click "Apply" to delete all plugins in that list.

Update Themes through WordPress's Dashboard

In the left-hand column, click on "Appearance". A list of all your currently installed themes will show in the main window. Any themes with updates available will have bold text at the bottom of their description, reading "There is a new version of This Theme available. View version details or update automatically." The "View version" and "update automatically" will be links to those actions.

To update a theme, just click on "update automatically" and it will update the theme to the latest version.

Uninstall Themes through WordPress's Dashboard

In the left-hand column, click on "Appearance". A list of all your currently installed themes will show in the main window. Under the name and short description of the theme are three links, "Activate | Preview | Delete". Click on "Delete" to remove the theme from your WordPress install. You will be asked if you are sure you want to do this.

Important Tip! It is best to always remove themes you are not using -- keep only the theme you actively use. You can always re-install removed themes, and removing themes keeps their files from being used as attack entry points!


Delete Themes through FTP.

If you cannot access the Dashboard, or you would prefer to delete the themes through FTP, you can do that!

  1. Log in to FTP for your domain
  2. Navigate to the WordPress directory
  3. Go into the /wp-content/ directory
  4. Go into the /themes/ directory
  5. Delete the theme or themes you want to remove. If you want to remove all but your current installed theme, make sure you know exactly what directory that theme is in (you can check in the Dashboard -- under the "Activate | Preview | Delete" it will say "All of this theme’s files are located in /themes/your-theme".)
Important Tip! It is best to leave WordPress's current default theme as well as your active working theme in place, just to be certain that you have a good fallback theme if needed. As of March 2012, WordPress's default theme is named "Twenty Eleven" and is in /themes/twentyeleven.


Manage Plugins through FTP

Disable plugins through FTP.

You can disable one, more than one, or all plugins at once through FTP. These instructions will remove the functionality of these plugins from your WordPress install, without removing the plugin files.

To disable one plugin, or disable a few (but not all):

  1. Log in to FTP for your domain
  2. Navigate to the WordPress directory
  3. Go into the /wp-content/ directory
  4. Go into the /plugins/ directory
  5. Find the first plugin you want to disable without removing the files
  6. Rename the plugin directory to something else. For example, if you wanted to turn off this_plugin, you could rename the directory to this_plugin.off, so that you know that one is turned "off".
  7. Repeat for any other plugin you want to disable.

To re-enable the plugins, just change the name back to the original name.

To disable all plugins at once without removing the files:

  1. Log in to FTP for your domain
  2. Navigate to the WordPress directory
  3. Go into the /wp-content/ directory
  4. Rename the /plugins/ directory to something else, like plugins.off.
Important Tip! If you rename the plugins directory and then try to install new plugins while the name is changed, you will get an error. If you want to keep the plugin files in plugins.off and install new plugins, create a new, empty plugins directory at the same time that you rename the old one.


Delete plugins through FTP.

  1. Log in to FTP for your domain
  2. Navigate to the WordPress directory
  3. Go into the /wp-content/ directory
  4. Go into the /plugins/ directory
  5. Delete the plugin or plugins you want to remove completely.
Important Tip! If you get an error saying that a directory that you are trying to delete is not empty, make sure you have "Show hidden files" enabled in your specific FTP program.


Manage Themes and Plugins through SSH

Rename themes or plugins through SSH


If you prefer, you can rename plugins' and themes' directories through the command line by logging into the shell with an SSH user. This will disable active plugins and active themes without removing the files themselves.

First, make sure that the user that owns your WordPress site is set up to use SSH. You can check that under Manage Users in your DreamHost panel. If the user is not listed as a "shell" user, click on "Edit" for the user, and change "User Account Type" to "Shell Account".

  1. SSH to your site (usually ssh username@yourdomain.com in the shell)
  2. CD to your domain directory (the default directory name for DreamHost is /yourdomain.com)
  3. CD to the WordPress install (if it is not in your main domain directory)
  4. CD to wp-content
  5. To rename a theme's directory, CD to themes. Once you are in the directory, type:
    mv old_theme_name new_theme_name
    That will change the name of the theme -- if this is the active theme in WordPress's Dashboard, it will break that theme and your install will load as a blank page.
  6. To rename a plugin, from the /wp-content/ directory, CD to plugins. Once you are in the directory, type:
    mv old_plugin_name new_plugin_name
    This will disable the functionality of the plugin without removing the files.
More Information! -- "mv" stands for "move" -- it moves a file or directory to the new name or location. Within the same filesystem this is simply a rename; across filesystems it copies the files to the new location and removes them from the old.


Delete themes or plugins through SSH


You can also delete plugins and themes through the shell. Again, make sure that the user that owns your WordPress site is set up to use SSH. You can check that under Manage Users in your DreamHost panel. If the user is not listed as a "shell" user, click on "Edit" for the user, and change "User Account Type" to "Shell Account".

  1. SSH to your site (usually ssh username@yourdomain.com in the shell)
  2. CD to your domain directory (the default directory name for DreamHost is /yourdomain.com)
  3. CD to the WordPress install (if it is not in your main domain directory)
  4. CD to wp-content
  5. To delete themes, CD to themes and then remove the theme or themes you want to completely delete. For example, if the theme you want to remove is ugly_old_theme, type:
    rm -R ugly_old_theme
  6. To delete plugins, from the /wp-content/ directory, CD to plugins and then remove the plugin or plugins you want to remove. For example, if you want to remove nasty_old_plugin, you would type:
    rm -R nasty_old_plugin

See also:

WordPress.org: FAQ: My Site was hacked
WordPress.org: Hardening WordPress