My WordPress site was hacked
- 1 Overview
- 2 How to replace your site with a new copy of WordPress
- 2.1 Step one: change your WordPress theme
- 2.2 Step two: change your passwords
- 2.3 Step three: take the hacked code offline
- 2.4 Step four: install a new unhacked copy of WordPress
- 2.5 Step five: connect your new install to your old database
- 2.6 Step six: add your previous content
- 2.7 Step seven: finish successfully
- 3 How to manually remove/replace content
- 3.1 .htaccess file
- 3.2 How to handle unused installs
- 3.3 How to manually manage plugins
- 3.4 How to manually manage your WordPress theme
- 4 Final notes
- 5 See also
If you suspect that your website has been hacked, the best thing to do is to reinstall any software application (such as WordPress or Joomla). The steps below apply primarily to reinstalling WordPress, since that is the most commonly used (and therefore the most commonly hacked) software, but the general steps hold true for many CMS installs.
How to replace your site with a new copy of WordPress
The following sections describe how to manually reinstall a new copy of WordPress on your hacked site. Complete the steps in the order they appear.
Step one: change your WordPress theme
If possible, log into your WordPress dashboard at ‘example.com/wp-admin’. Once logged in, navigate to ‘Appearance > Themes’ to change your theme to the current default theme.
Twenty Fifteen is WordPress's current default theme. Changing your theme now makes the process easier for you later.
Step two: change your passwords
There are a few general notes on passwords you should always follow:
- Don't reuse passwords – Most people use the same password in multiple places. Don't do it. You should make sure that your passwords are all unique from one another. This way, if one password is compromised, your other logins will remain secure.
- Use strong passwords – You can generate them from places like Strong Password Generator. At the very least, your passwords should be 8 characters long and consist of a mix of numbers and letters.
- Use a password tool – LastPass and 1Password are great for protecting your passwords and generating new ones.
You should change both your FTP user password as well as your database user password.
Changing the FTP user password
The following article walks you through how to change this password:
Note: For greater security, if your user is currently an FTP-only user, change it to an SFTP or SSH user at the same time you change the password. View the Enabling Shell Access article for further details.
Changing the database user password
View the Finding your MySQL credentials article for instructions on how to obtain your database username and change its password.
Updating your wp-config.php file
When you change the database user’s password, you will also need to edit your wp-config.php file to reflect this new password. There is information on how to edit the wp-config.php file to change the database password at codex.WordPress.org. You can also view the WordPress wp-config article for further details.
If you have multiple users for your database, make sure that you are changing the correct user's password. You can check which database user logs into your database for your WordPress install by looking at the wp-config.php file.
Step three: take the hacked code offline
- Log into the web server via FTP.
- Find your domain's directory (folder), which is most likely a folder with your site's name. If you’re in the correct directory, you’ll see a list of files and directories beginning with "wp-". It’s also possible you installed WordPress in a subdirectory such as /blog.
- Rename the directory (folder) where WordPress is installed. If it’s your primary directory, rename it ‘example.com_HACKED’. If it’s in a subdirectory, rename it to ‘example.com/blog_HACKED’.
Important: When you rename the web directory, your site will immediately be taken offline.
- Create a new, empty domain directory with the same directory name as the old one.
Step four: install a new unhacked copy of WordPress
Reinstall WordPress in one of two ways:
- Manually
- Using the One-Click Installer
Manually reinstalling WordPress
View the following page for details on how to manually reinstall WordPress:
Reinstalling WordPress using the One-Click Installer
View the How to Install a One-Click Install article for details on how to install WordPress using the One-Click Installer.
If you already have a One-Click Install active for this domain, then you must first remove it. View the How to Remove a One-Click Install article for details.
Important: When removing the current One-Click Install, make sure to click the Remove from List button. DO NOT click the Delete all Files button, as that will permanently remove your website files.
Step five: connect your new install to your old database
You must connect the new files you’ve downloaded to your existing database. To do this, you need the following information:
- Database name
- Database username
- Database user password
- Table prefix
This information is located in your former wp-config.php file:
- Log into your server via FTP.
- Navigate to your former hacked directory which you renamed to example.com_HACKED.
- Open the wp-config.php file. You’ll find all of the values listed above.
- The table prefix line begins with $table_prefix =.
- For DreamHost installs, the table prefix starts with wp_ and is followed by a series of random numbers and letters. For example:
- Navigate to your new WordPress install directory.
- Delete or rename the wp-config.php in that new folder.
- Load your site.
- Select your preferred language, and then click Continue.
- Click Let’s go!
- Enter the required information, and then click Submit.
- Click the Run the install button.
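If you have SSH access, the values this step asks for can be read out of the former wp-config.php in one pass. The script below is an added example, not DreamHost's or WordPress's own code; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: read the values Step five asks for out of the old wp-config.php.

# wpconfig_define FILE NAME -> value of an active define('NAME', 'value'); line.
# Anchoring at line start skips defines that were commented out with // or #.
wpconfig_define() {
    sed -n \
        -e "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*'\([^']*\)'[[:space:]]*).*/\1/p" \
        -e "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\"\([^\"]*\)\"[[:space:]]*).*/\1/p" \
        "$1" | head -n 1
}

# wpconfig_table_prefix FILE -> value assigned to $table_prefix.
wpconfig_table_prefix() {
    sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print everything the WordPress setup form will ask for.
# DB_HOST is not in the list above, but the setup form has a field for it.
wpconfig_summary() {
    for name in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
        printf '%s=%s\n' "$name" "$(wpconfig_define "$1" "$name")"
    done
    printf 'table_prefix=%s\n' "$(wpconfig_table_prefix "$1")"
}

# Constructed sample standing in for example.com_HACKED/wp-config.php.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
// define('DB_NAME', 'old_unused_db');
define('DB_NAME', 'example_db');
define( "DB_USER", "exampleuser" );
define('DB_PASSWORD', 'constructed-Pa"ss)word');
define('DB_HOST', 'mysql.example.com');
$table_prefix  = 'wp_a1b2c3_';
EOF
wpconfig_summary "$sample"   # prints the password: run it in a private session
rm -f "$sample"
```

Use the password you set in Step two, not one left in an old backup of the file; the two must match for the new install to connect.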
Step six: add your previous content
Your WordPress site is now fully installed and connected to your old database. However, it is not using your former theme, plugins, or previously uploaded images.
This step describes how to add all of your previous themes, uploads, and plugins.
Installing your previous theme
Note: WordPress themes are vulnerable to hacking. Always download and install a new copy of your theme rather than moving the theme files from your old install.
If you changed your theme to Twenty Fifteen before you started, your site should load your posts, but without the correct theme.
If your specific theme is not currently installed, you can install it through the WordPress dashboard. View the following page for instructions on how to install a different theme:
If you did not change the theme to Twenty Fifteen before beginning, the site may load a blank white page. This is because your database is looking for a theme that is no longer installed.
Since you cannot access the WordPress dashboard at this point, you will need to download a copy of your chosen theme (usually delivered in a ZIP format). You can upload and install the theme from within the WordPress dashboard. You can also unzip it on your computer, and then log into your server using your FTP account to upload the theme to the themes directory. It’s located in the following folder:
So, if your theme name is /my_theme, it should look like this:
Once you have your chosen theme installed, you should be able to load your site and see your posts.
Copying your previous uploads
Your uploads (images and other media) are still in the old hacked install's directory. Using FTP, copy the contents from the old folder to the new one. For example:
Installing your former plugins
The final step is to install the WordPress plugins that you need for your site. Again, it is very important to install brand-new copies of your plugins, rather than copying over the files from the hacked install.
You can install the plugins from your new WordPress dashboard. Only install the plugins you know you need and use. Cutting down on inactive plugins limits a hacker's access to your install and makes WordPress run faster as well.
Step seven: finish successfully
If everything goes well, you now have a brand-new install of WordPress, connected to your old database and with all your uploaded content, your chosen theme, and your chosen plugins.
How to manually remove/replace content
If you do not want to follow the directions above to completely replace your site, you can still manually remove and replace specific content. However, this is not recommended, as it is much easier to miss infected files this way.
.htaccess file
Many hackers insert code into the standard WordPress .htaccess file. The best thing to do is to completely remove the old, hacked .htaccess and generate a new one:
- Log into your server via FTP.
- Make sure your FTP client is set to view hidden files.
- Delete the old hacked .htaccess file (if it exists).
- In your WordPress Dashboard, go to 'Settings > Permalinks' and re-save your permalink settings.
- The direct URL for the page is http://example.com/wp-admin/options-permalink.php (replace example.com with your WordPress site).
- This re-creates the base .htaccess.
- If you have WP Super Cache plugin installed, go to 'Settings > WP SuperCache' (http://example.com/wp-admin/options-general.php?page=wpsupercache), and then re-choose "Use mod_rewrite to serve cache files. (Recommended)"
- Click Update Status.
- A yellow pop-up section appears titled "Mod Rewrite Rules":
- At the bottom of that section, click the Update Mod-Rewrite Rules button.
How to handle unused installs
If you have an old install that you don't use, either upgrade it to make it secure or (even better) remove it completely.
Upgrading using the One-Click Installer
View the How to Upgrade a One-Click Install article for details on how to upgrade within the DreamHost panel.
Upgrading in the WordPress dashboard
- If there is a new version of WordPress, there is a notice on every screen that an upgrade is available:
- To update, click on ‘Updates’ in the left-hand column.
- The following page appears:
Upgrading via SSH
Deleting a WordPress install in the DreamHost panel
View the How to Remove a One-Click Install article for details on how to completely remove and delete all files associated with a WordPress installation.
Important: If you have the old WordPress install at example.com and another site at example.com/othersite/, clicking the Delete all Files button will remove everything including the non-WordPress site at example.com/othersite.
Deleting WordPress using FTP
- Make sure your FTP client is set up to view hidden files.
- Delete all files beginning with "wp-".
- Delete all directories beginning with "wp-".
- Delete the following files (if present):
At this point, there should be no remaining items in the directory but files you have uploaded. If there are files still there that you do not recognize, examine them carefully as they may be files placed there by a hacker. If you are certain that you do not want these files, you can delete them.
Deleting a WordPress install using SSH
- Log into your server via SSH.
- Navigate to your WordPress install directory.
- Run the following command all on one line. This deletes all WordPress files:
rm wp-*;rm .htaccess;rm index.php;rm xmlrpc.php;rm readme.html;rm license.txt;rm -R wp-*
Important: This command permanently deletes all files and there is no way to retrieve them once the command has run. Make sure you wish to permanently delete all WordPress files before running this command.
How to manually manage plugins
It’s very important to always keep your plugins up to date. This limits the possibility of getting hacked.
Updating plugins in the WordPress dashboard
The WordPress dashboard notifies you if there are any updates for your installed plugins. You’ll see this in the left hand column next to ‘Plugins’:
- The number of plugins that need to be updated is displayed in a circle next to ‘Plugins’.
- You can update each plugin individually by clicking the ‘update now’ link below the plugin.
- You can also click the dropdown at the top of the list (next to the word "Plugin" just above the name of your first plugin listed), select ‘Update’ from the ‘Bulk Actions’ dropdown, and then click ‘Apply’ to update all plugins in that list.
Updating plugins via SSH
You can use the WP CLI interface to update plugins via SSH. View the following page for further details and examples:
Disabling plugins via FTP
You can also disable plugins via FTP. These instructions remove the functionality of these plugins from your WordPress install, without removing the plugin files.
- Log into your server via FTP.
- Navigate to the example.com/wp-content/plugins directory.
- Find the plugin folder you wish to remove.
- Rename the plugin folder. For example if the plugin folder is named /myplugin, rename it to /myplugin_OFF. This disables the plugin.
- Rename it back whenever you wish to re-enable it.
To disable all plugins, just rename the entire /plugins directory to /plugins_OFF. If you rename the plugins directory and then try to install new plugins while the name is changed, you will get an error.
If you want to keep the plugin files in /plugins_OFF and install new plugins, create a new and empty plugins directory at the same time that you rename the old one.
How to manually manage your WordPress theme
It’s very important to always keep your themes up to date, as it limits the possibility of getting hacked.
Updating a theme in the WordPress dashboard
In the left-hand column click ‘Appearance’. A list of all your currently installed themes will show in the main window. Any themes with updates available will show ‘Update Available’ at the top of their box.
- Click on the theme’s box to expand it.
- On the right, you have the option to update it.
Deleting a theme in the WordPress dashboard
It is best to always remove themes you are not using. You should only keep the theme you actively use since you can always reinstall removed themes at any time. By removing themes, you keep their files from being used as attack entry points.
- In the left-hand column click ‘Appearance’.
- A list of themes displays:
- Click the theme you wish to remove.
- On the bottom right, click the ‘Delete’ link to remove the theme.
Deleting a theme via FTP
If you cannot access the dashboard, you can still delete the theme via FTP:
- Use the steps described in the FTP article to log into your server.
- Navigate to the /example.com/wp-content/themes directory.
- Delete any theme folder you wish to remove.
It's best to leave WordPress's current default theme as well as your active working theme in place, just to be certain that you have a good fallback theme if needed.
Managing a theme via SSH
You can use the WP CLI interface to manage themes via SSH. View the following page for further details and examples:
A note on Base64
Base64-encoded code in a WordPress install is usually a bad sign, and yet there are legitimate use cases.
grep -R "base64_" /home/user/example.com/ should only give you these results for core WordPress:
./wp-admin/includes/class-wp-importer.php: $headers['Authorization'] = 'Basic ' . base64_encode( "$username:$password" );
./wp-includes/class-smtp.php: fputs($this->smtp_conn, base64_encode("\0".$username."\0".$password) . $this->CRLF);
./wp-includes/class-smtp.php: fputs($this->smtp_conn, base64_encode($username) . $this->CRLF);
./wp-includes/class-smtp.php: fputs($this->smtp_conn, base64_encode($password) . $this->CRLF);
./wp-includes/class-smtp.php: fputs($this->smtp_conn,"AUTH NTLM " . base64_encode($msg1) . $this->CRLF);
./wp-includes/class-smtp.php: $challange = base64_decode($challange);
./wp-includes/class-smtp.php: fputs($this->smtp_conn, base64_encode($msg3) . $this->CRLF);
./wp-includes/ID3/module.audio.ogg.php: $flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));
./wp-includes/ID3/module.audio.ogg.php: $data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);
./wp-includes/class-IXR.php: $value = base64_decode($this->_currentTagContents);
./wp-includes/class-IXR.php: return '<base64>'.base64_encode($this->data).'</base64>';
./wp-includes/class-feed.php: $data = base64_decode( $data );
./wp-includes/class-phpmailer.php: $encoded = chunk_split(base64_encode($str), 76, $this->LE);
./wp-includes/class-phpmailer.php: $encoded = base64_encode($str);
./wp-includes/class-phpmailer.php: $chunk = base64_encode($chunk);
./wp-includes/class-phpmailer.php: return base64_encode($signature);
./wp-includes/class-phpmailer.php: $DKIMb64 = base64_encode(pack("H*", sha1($body))) ; // Base64 of packed binary SHA-1 hash of body
./wp-includes/SimplePie/Sanitize.php: $data = base64_decode($data);
./wp-includes/SimplePie/File.php: $out .= "Authorization: Basic " . base64_encode("$url_parts[user]:$url_parts[pass]") . "\r\n";
./wp-includes/class-http.php: return 'Proxy-Authorization: Basic ' . base64_encode( $this->authentication() );
./wp-includes/class-wp-atom-server.php: explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
./wp-includes/class-wp-atom-server.php: explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
./wp-includes/class-snoopy.php: $headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
./wp-includes/class-snoopy.php: $headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
./wp-includes/class-snoopy.php: $headers = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
That said, you will see it in plugins and (sadly) themes. Are these safe? It's difficult to say since there are thousands of plugins in the WordPress.org database alone. The best thing to do is delete the plugins and reinstall them. Same goes for themes.
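To avoid reading the grep output by eye, the script below repeats the same search and labels each hit by whether the file is one of the core files in the output above. It is an added example, not DreamHost's or WordPress's own code; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: sort base64_ hits into "expected" (the core files listed above)
# and "REVIEW" (everything else: themes, plugins, uploads, stray files).

# Core files taken from the grep output above. The list matches the WordPress
# release that output came from; rebuild it from a clean download of your version.
CORE_BASE64_FILES=$(printf '%s\n' \
    wp-admin/includes/class-wp-importer.php wp-includes/class-smtp.php \
    wp-includes/ID3/module.audio.ogg.php wp-includes/class-IXR.php \
    wp-includes/class-feed.php wp-includes/class-phpmailer.php \
    wp-includes/SimplePie/Sanitize.php wp-includes/SimplePie/File.php \
    wp-includes/class-http.php wp-includes/class-wp-atom-server.php \
    wp-includes/class-snoopy.php)

# base64_triage DIR -> one labelled line per file that contains "base64_".
base64_triage() (
    cd "$1" || exit 2
    find . -type f -exec grep -l 'base64_' {} + 2>/dev/null |
        sed 's|^\./||' | sort |
        while IFS= read -r file; do
            if printf '%s\n' "$CORE_BASE64_FILES" | grep -qxF -e "$file"; then
                printf 'expected  %s\n' "$file"
            else
                printf 'REVIEW    %s\n' "$file"
            fi
        done
)

# Constructed sample tree: one listed core file, one theme file, one clean file.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes" "$dir/wp-content/themes/my_theme"
    echo '<?php fputs($conn, base64_encode($username));' > "$dir/wp-includes/class-smtp.php"
    echo '<?php $s = base64_decode("Y29uc3RydWN0ZWQ=");' > "$dir/wp-content/themes/my_theme/footer.php"
    echo '<?php require "wp-blog-header.php";' > "$dir/index.php"
    echo "$dir"
}

site=$(make_sample_site)
base64_triage "$site"
rm -rf "$site"
```

An "expected" label only means the file name is on the list, not that its contents are untouched; a fresh copy of WordPress core, as installed in Step four, is what makes those files trustworthy.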
Splitting up your website users
Splitting up your user accounts is also a good idea to isolate your sites. By assigning one domain per user, you ensure that if that user gets hacked, only that site is compromised. It also ensures that if that site is hacked, it can't infect the others.
DreamHost has a One User Per Domain policy, which means each domain can only have one user assigned to it. View the article for further details on how to create a different user on your domain.
One more scan
Look 'one folder up' for an index.php and wp-config.php file. Sometimes if you install WordPress in a subdirectory such as example.com/wp/ you'll run it out of example.com. When that happens, you'll have those two files in the example.com directory, and from time to time they get missed when you clean up.
Look for oddly named files: Any file named ljkdhsf92328kjhsdfsdf or mai1.php (that's mai-one, not mail) is probably suspect. Delete them.
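The checks in this section can be run over SSH as one pass that only reports and deletes nothing. The script below is an added example, not DreamHost's own tooling; the stock file list is an assumption based on current WordPress releases, the PHP-in-uploads check is an addition to the checks described above, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example: the "one more scan" checks as a single pass over a WordPress directory.

# Files a stock WordPress root contains (plus the generated .htaccess).
# Assumption: current releases; very old releases ship a few more wp-*.php files.
STOCK_ROOT_FILES=$(printf '%s\n' .htaccess index.php license.txt readme.html \
    wp-activate.php wp-blog-header.php wp-comments-post.php wp-config.php \
    wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php \
    wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php)

# final_scan WPDIR -> labelled findings, one per line; nothing is deleted.
final_scan() (
    cd "$1" || exit 2
    # Top-level files WordPress did not ship, e.g. mai1.php or random-looking names.
    find . -maxdepth 1 -type f | sed 's|^\./||' | sort |
        grep -vxF -e "$STOCK_ROOT_FILES" | sed 's|^|unrecognized-root-file  |'
    # Uploads should hold media, so PHP there needs a look before it is copied over.
    if [ -d wp-content/uploads ]; then
        find wp-content/uploads -type f -name '*.php' | sort | sed 's|^|php-in-uploads  |'
    fi
    # Leftover loader files one folder up from a subdirectory install.
    for name in index.php wp-config.php; do
        if [ -f "../$name" ]; then echo "one-folder-up  ../$name"; fi
    done
)

# Constructed sample: WordPress in example.com/wp/ with leftovers in example.com/.
make_sample_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/example.com/wp/wp-content/uploads/2015"
    for f in index.php wp-load.php mai1.php ljkdhsf92328kjhsdfsdf \
             wp-content/uploads/2015/photo.jpg wp-content/uploads/2015/cache.php; do
        : > "$top/example.com/wp/$f"
    done
    : > "$top/example.com/index.php"; : > "$top/example.com/wp-config.php"
    echo "$top"
}

top=$(make_sample_tree)
final_scan "$top/example.com/wp"
rm -rf "$top"
```

Every line of output is something to examine, not proof of compromise: files you uploaded yourself to the site root will be listed as unrecognized too.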
If you are still getting unwanted pop up ads from your site, please request a security scan by submitting a ticket. You can do so on the (Panel > 'Support' > 'Contact Support') page.