My WordPress site was hacked

From DreamHost

Overview

If you suspect that your website has been hacked, the best thing to do is to reinstall any software application (such as WordPress or Joomla). The steps below apply primarily to reinstalling WordPress, since that is the most commonly used (and therefore the most commonly hacked) software, but the general steps hold true for many CMS installs.

How to replace your site with a new copy of WordPress

The following sections describe how to manually reinstall a fresh copy of WordPress over your hacked site. Follow them in the order in which they appear.

Step one: change your WordPress theme

If possible, log into your WordPress dashboard at ‘example.com/wp-admin’. Once logged in, navigate to ‘Appearance > Themes’ to change your theme to the current default theme.

TwentyFifteen is WordPress's current default theme. Changing your theme now makes the process easier for you later.

Step two: change your passwords

There are a few general notes on passwords you should always follow:

  • Don't reuse passwords - Most of us use the same password in multiple places. We shouldn't. You should make sure that your passwords are all unique from one another. This way, if one password is compromised, your other logins will remain secure.
  • Use strong passwords - You can generate them from places like Strong Password Generator. At the very least, your passwords should be 8 characters long and consist of a mix of numbers and letters.
  • Use a password tool - LastPass (https://lastpass.com/) and 1Password (https://agilebits.com/onepassword) are great for protecting your passwords and generating new ones.

You should change both your FTP user password as well as your database user password.

Changing the FTP user password

The following article walks you through how to change this password:

Note: For greater security, if your user is currently an FTP-only user, change it to an SFTP or SSH user at the same time you change the password. View the Enabling Shell Access article for further details.


Changing the database user password

View the Finding your MySQL credentials article for instructions on how to obtain your database username and change its password.

Updating your wp-config.php file

When you change the database user’s password, you will also need to edit your wp-config.php file to reflect this new password. There is information on how to edit the wp-config.php file to change the database password at codex.WordPress.org. You can also view the WordPress wp-config article for further details.

If you have multiple users for your database, make sure that you are changing the correct user's password. You can check which database user logs into your database for your WordPress install by looking at the wp-config.php file.

Important: If there is anything like the following in your file, you have definitely been hacked, and you MUST remove it ASAP.

<?php eval(gzinflate(base64_decode('dVRtb6NGE.....')));?>

Base64 hacks are insidious and leave a backdoor that hackers can use again and again on your site. Delete that section entirely, or better yet, just rebuild the wp-config.php.


Step three: take the hacked code offline

  1. Log into the web server via FTP.
  2. Find your domain's directory (folder), which is most likely a folder named after your site. If you’re in the correct directory, you’ll see a list of files and directories beginning with "wp-". It’s also possible you installed WordPress in a subdirectory such as /blog.
  3. Rename the directory (folder) where WordPress is installed. If it’s your primary directory, rename it ‘example.com_HACKED’. If it’s in a subdirectory, rename it to ‘example.com/blog_HACKED’.
    Important: When you rename the web directory, your site will immediately be taken offline.


  4. Create a new, empty domain directory with the same directory name as the old one.

Step four: install a new unhacked copy of WordPress

Reinstall WordPress in one of two ways:

  • Manually
  • Using the One-Click Installer

Manually reinstalling WordPress

View the following page for details on how to manually reinstall WordPress:

Reinstalling WordPress using the One-Click Installer

View the How to Install a One-Click Install article for details on how to install WordPress using the One-Click Installer.

If you already have a One-Click Install active for this domain, then you must first remove it. View the How to Remove a One-Click Install article for details.

Important: When removing the current One-Click Install, make sure to click the Remove from List button. DO NOT click Delete all Files, as that will permanently remove your website files.


Step five: connect your new install to your old database

You must connect the new files you’ve downloaded to your existing database. To do this, you need the following information:

  • Database name
  • Database username
  • Database user password
  • Hostname
  • Table prefix

This information is located in your former wp-config.php file:

  1. Log into your server via FTP.
  2. Navigate to your former hacked directory which you renamed to example.com_HACKED.
  3. Open the wp-config.php file. You’ll find all of the values listed above.
    • The table prefix line begins with $table_prefix =.
    • For DreamHost installs, the table prefix starts with wp_ and is followed by a series of random numbers and letters. For example:
    wp_17Dz9g
  4. Navigate to your new WordPress install directory.
  5. Delete or rename the wp-config.php in that new folder.
  6. Load your site.
    You are prompted to select a language.
  7. Select your preferred language, and then click Continue.
    The WordPress setup page opens.
  8. Click Let’s go!
    The next page asks you to enter your credentials.
  9. Enter the required information, and then click Submit.
  10. Click the Run the install button.
    Since you already have data, a message appears indicating that WordPress is already installed, which means that you've successfully connected your WordPress installation to your old database.
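The five values step five asks for all live in the old wp-config.php, and when a database has several users it is easy to pick the wrong one. The script below is an added example, not DreamHost's or WordPress's own code: it pulls DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and $table_prefix out of a wp-config.php so you can read them off before filling in the setup form. The sample wp-config.php it builds is constructed for the demonstration; on a real server, point the functions at example.com_HACKED/wp-config.php.

```shell
#!/bin/sh
# Added example, not DreamHost's or WordPress's own code. Extracts the values
# step five needs from an existing wp-config.php. The sample file written by
# make_sample_wp_config is constructed; its credentials are placeholders.

# Print the value of one define('NAME', 'value') line; prints nothing if absent.
# Tolerates the varying whitespace and quote styles found in real installs.
wp_config_value() {
    config="$1"
    key="$2"
    sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$config" | head -n 1
}

# Print the table prefix, e.g. wp_17Dz9g on a DreamHost install.
wp_table_prefix() {
    sed -nE "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n 1
}

# Print all five values in the order the WordPress setup form asks for them.
wp_config_summary() {
    config="$1"
    for key in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
        printf '%s=%s\n' "$key" "$(wp_config_value "$config" "$key")"
    done
    printf 'table_prefix=%s\n' "$(wp_table_prefix "$config")"
}

# Constructed sample wp-config.php (not a real one); returns its path.
make_sample_wp_config() {
    config=$(mktemp)
    cat > "$config" <<'EOF'
<?php
/** Constructed sample; every value is a placeholder. */
define( 'DB_NAME', 'example_db' );
define('DB_USER', 'example_user');   // spacing differs between installs
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'DB_HOST', 'mysql.example.com' );
$table_prefix = 'wp_17Dz9g';
EOF
    printf '%s\n' "$config"
}

# Demonstration on the constructed file.
sample=$(make_sample_wp_config)
wp_config_summary "$sample"
rm -f "$sample"
```

Run it as `sh wp-config-values.sh`, or source it and call `wp_config_summary example.com_HACKED/wp-config.php` (assumed file name). If DB_USER comes back empty, the define line is missing or formatted differently and you should open the file by hand, as step three describes.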

Step six: add your previous content

Your WordPress site is now fully installed and connected to your old database. However, it is not using your former theme, plugins, or previously uploaded images.

This step describes how to add all of your previous themes, uploads, and plugins.

Installing your previous theme

Note: WordPress themes are vulnerable to hacking. Always download and install a new copy of your theme rather than moving the theme files from your old install.


If you changed your theme to twentyfifteen before you started, your site should load your posts, but without the correct theme.

If your specific theme is not currently installed, you can install it through the WordPress dashboard. View the following page for instructions on how to install a different theme:

If you did not change the theme to twentyfifteen before beginning, the site may load a blank white page. This is because your database is looking for a theme that is no longer installed.

Since you cannot access the WordPress dashboard at this point, you will need to download a copy of your chosen theme (usually delivered in a ZIP format). You can upload and install the theme from within the WordPress dashboard. You can also unzip it on your computer, and then log into your FTP account to upload the theme to the themes directory. It’s located in the following folder:

/example.com/wp-content/themes

So, if your theme name is /my_theme, it should look like this:

example.com/wp-content/themes/my_theme/

Once you have your chosen theme installed, you should be able to load your site and see your posts.

Copying your previous uploads

Your uploads (images and other media) are still in the old hacked install's directory. Using FTP, copy the contents from the old folder to the new one. For example:

example.com_HACKED/wp-content/uploads
-to-
example.com/wp-content/uploads
Important: Check over the files you are moving and make sure they are all yours. If you move hacked code into your new install, it will infect your new site. The /uploads directory primarily contains media, so the files should end with extensions that indicate what kind of file they are (.jpg for a JPEG image, for example, or .mp3 for an MP3 audio file). BE VERY CAUTIOUS ABOUT FILES ENDING IN .PHP IN THE /uploads DIRECTORY.


Installing your former plugins

The final step is to install the WordPress plugins that you need for your site. Again, it is very important to install brand-new copies of your plugins, rather than copying over the files from the hacked install.

You can install the plugins from your new WordPress dashboard. Only install the plugins you know you need and use. Cutting down on inactive plugins limits a hacker's access to your install and makes WordPress run faster as well.

Step seven: finish successfully

If everything goes well, you now have a brand-new install of WordPress, connected to your old database and with all your uploaded content, your chosen theme, and your chosen plugins.

How to Manually remove/replace content

If you do not want to follow the directions above to completely replace your site, you can still manually remove and replace specific content. But this is not recommended as it’s much easier to miss any infected files.

.htaccess file

Many hackers insert code into the standard WordPress .htaccess file. The best thing to do is to completely remove the old, hacked .htaccess and generate a new one:

  1. Log into your server via FTP.
  2. Make sure your FTP client is set to view hidden files.
  3. Delete the old hacked .htaccess file (if it exists).
  4. In your WordPress Dashboard, go to 'Settings > Permalinks', re-select your permalink settings, and save the page. WordPress writes a fresh .htaccess.
  5. If you have WP Super Cache plugin installed, go to 'Settings > WP SuperCache' (http://example.com/wp-admin/options-general.php?page=wpsupercache), and then re-choose "Use mod_rewrite to serve cache files. (Recommended)"
  6. Click Update Status.
    A yellow pop-up section appears titled "Mod Rewrite Rules":
  7. At the bottom of that section, click the Update Mod-Rewrite Rules button.
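Before deleting the old .htaccess it is worth knowing what was in it, because anything outside the block WordPress itself manages (the lines between "# BEGIN WordPress" and "# END WordPress") was put there either by you, by a plugin, or by the hacker. The script below is an added example, not DreamHost's or WordPress's own code: it prints exactly those foreign lines so you can decide which ones to recreate after regenerating the file. The sample .htaccess it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not DreamHost's or WordPress's own code. Lists the directives in
# an .htaccess that sit outside the block WordPress writes and rewrites itself.
# The sample file produced by make_sample_htaccess is constructed.

# Print every non-blank, non-comment line outside the WordPress-managed block.
# Caching plugins may add their own marked blocks; those lines are reported too,
# so a human still has to vouch for each one.
htaccess_foreign_lines() {
    awk '
        /^# BEGIN WordPress/ { inside = 1; next }
        /^# END WordPress/   { inside = 0; next }
        inside               { next }
        /^[[:space:]]*$/     { next }   # blank line
        /^[[:space:]]*#/     { next }   # comment
        { print }
    ' "$1"
}

# Exit status 0 when nothing foreign is present, 1 otherwise (usable in a cron check).
htaccess_is_clean() {
    [ -z "$(htaccess_foreign_lines "$1")" ]
}

# Constructed sample: the standard WordPress rewrite block plus two foreign lines.
make_sample_htaccess() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed sample .htaccess for the demonstration.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Options +Indexes
Redirect 302 /old-page http://placeholder.invalid/
EOF
    printf '%s\n' "$f"
}

# Demonstration on the constructed file.
sample=$(make_sample_htaccess)
echo "Lines outside the WordPress block:"
htaccess_foreign_lines "$sample"
if htaccess_is_clean "$sample"; then echo "clean"; else echo "needs review"; fi
rm -f "$sample"
```

Run `htaccess_foreign_lines /home/user/example.com/.htaccess` (assumed path) before step 3 above and keep the output; after WordPress regenerates the file, add back only the lines you recognise.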

How to handle unused installs

If you have an old install that you don't use, either upgrade it to make it secure or (even better) remove it completely.

Upgrading using the One-Click Installer

View the How to Upgrade a One-Click Install article for details on how to upgrade within the DreamHost panel.

Upgrading in the WordPress dashboard

  • If there is a new version of WordPress, a notice that an upgrade is available appears on every dashboard screen.
  • To update, click ‘Updates’ in the left-hand column. The Updates page appears.

Upgrading via SSH

You can also upgrade WordPress via SSH. View the WordPress wp-cli article for further details.

Deleting a WordPress install in the DreamHost panel

View the How to Remove a One-Click Install article for details on how to completely remove and delete all files associated with a WordPress installation.

Important: If you have the old WordPress install at example.com and another site at example.com/othersite/, clicking the Delete all Files button will remove everything, including the non-WordPress site at example.com/othersite.


Deleting WordPress using FTP

  1. Make sure your FTP client is set up to view hidden files.
  2. Delete all files beginning with "wp-".
  3. Delete all directories beginning with "wp-".
  4. Delete the following files (if present):
  • .htaccess
  • index.php
  • xmlrpc.php
  • readme.html
  • license.txt

At this point, there should be no remaining items in the directory but files you have uploaded. If there are files still there that you do not recognize, examine them carefully as they may be files placed there by a hacker. If you are certain that you do not want these files, you can delete them.

Deleting a WordPress install using SSH

  1. Log into your server via SSH.
  2. Navigate to your WordPress install directory.
  3. Run the following command all on one line. This deletes all WordPress files:
    rm -R wp-*; rm .htaccess index.php xmlrpc.php readme.html license.txt
Important: This command permanently deletes all files, and there is no way to retrieve them once the command is run. Make sure you wish to permanently delete all WordPress files before running it.


How to manually manage plugins

It’s very important to always keep your plugins up to date, as it limits the possibility of getting hacked.

Updating plugins in the WordPress dashboard

The WordPress dashboard notifies you if there are any updates for your installed plugins. You’ll see this in the left hand column next to ‘Plugins’:

  • The number of plugins that need updating is displayed in a circle next to ‘Plugins’.
  • You can update each plugin individually by clicking the ‘update now’ link below the plugin.
  • You can also select ‘Update’ from the ‘Bulk Actions’ dropdown at the top of the list (next to the word "Plugin", just above the name of the first plugin listed), and then click ‘Apply’ to update all plugins in that list.

Updating plugins via SSH

You can use the WP CLI interface to update plugins via SSH. View the following page for further details and examples:

Disabling plugins via FTP

You can also disable plugins via FTP. These instructions remove the functionality of these plugins from your WordPress install, without removing the plugin files.

  1. Log into your server via FTP.
  2. Navigate to the example.com/wp-content/plugins directory.
  3. Find the plugin folder you wish to remove.
  4. Rename the plugin folder. For example if the plugin folder is named /myplugin, rename it to /myplugin_OFF. This disables the plugin.
  5. Rename it back whenever you wish to re-enable it.

To disable all plugins, just rename the entire /plugins directory to /plugins_OFF. If you rename the plugins directory and then try to install new plugins while the name is changed, you will get an error.

If you want to keep the plugin files in /plugins_OFF and install new plugins, create a new and empty plugins directory at the same time that you rename the old one.

How to manually manage your WordPress theme

It’s very important to always keep your themes up to date, as it limits the possibility of getting hacked.

Updating a theme in the WordPress dashboard

In the left-hand column click ‘Appearance’. A list of all your currently installed themes will show in the main window. Any themes with updates available will show ‘Update Available’ at the top of their box.

  • Click on the theme’s box to expand it.
  • On the right, you have the option to update it.

Deleting a theme in the WordPress dashboard

It is best to always remove themes you are not using. You should only keep the theme you actively use, since you can always reinstall removed themes at any time. By removing themes, you keep their files from being used as attack entry points.

  1. In the left-hand column click ‘Appearance’.
    A list of themes displays.
  2. Click the theme you wish to remove.
  3. On the bottom right, click the ‘Delete’ link to remove the theme.

Deleting a theme via FTP

If you cannot access the dashboard, you can still delete the theme via FTP:

  1. Use the steps described in the FTP article to log into your server.
  2. Navigate to the /example.com/wp-content/themes directory.
  3. Delete any theme folder you wish to remove.

It's best to leave WordPress's current default theme as well as your active working theme in place, just to be certain that you have a good fallback theme if needed.

Managing a theme via SSH

You can use the WP CLI interface to manage themes via SSH. View the following page for further details and examples:

Final notes

A note on Base64

Base64 in your site's files is usually a bad sign, yet there are legitimate uses of it in WordPress core.

Running grep -R "base64_" /home/user/example.com/ should only give you these results for core WordPress:

./wp-admin/includes/class-wp-importer.php:	$headers['Authorization'] = 'Basic ' . base64_encode( "$username:$password" );
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode("\0".$username."\0".$password) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($username) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($password) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn,"AUTH NTLM " . base64_encode($msg1) . $this->CRLF);
./wp-includes/class-smtp.php:        		$challange = base64_decode($challange);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($msg3) . $this->CRLF);
./wp-includes/ID3/module.audio.ogg.php:		$flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));
./wp-includes/ID3/module.audio.ogg.php:		$data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);
./wp-includes/class-IXR.php:                	$value = base64_decode($this->_currentTagContents);
./wp-includes/class-IXR.php:        		return '<base64>'.base64_encode($this->data).'</base64>';
./wp-includes/class-feed.php:			$data = base64_decode( $data );
./wp-includes/class-phpmailer.php:        	$encoded = chunk_split(base64_encode($str), 76, $this->LE);
./wp-includes/class-phpmailer.php:        	$encoded = base64_encode($str);
./wp-includes/class-phpmailer.php:        	$chunk = base64_encode($chunk);
./wp-includes/class-phpmailer.php:      	return base64_encode($signature);
./wp-includes/class-phpmailer.php:    		$DKIMb64  = base64_encode(pack("H*", sha1($body))) ; // Base64 of packed binary SHA-1 hash of body
./wp-includes/SimplePie/Sanitize.php:		$data = base64_decode($data);
./wp-includes/SimplePie/File.php:		$out .= "Authorization: Basic " . base64_encode("$url_parts[user]:$url_parts[pass]") . "\r\n";
./wp-includes/class-http.php:			return 'Proxy-Authorization: Basic ' . base64_encode( $this->authentication() );
./wp-includes/class-wp-atom-server.php:		explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
./wp-includes/class-wp-atom-server.php:		explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
./wp-includes/class-snoopy.php:			$headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
./wp-includes/class-snoopy.php:			$headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
./wp-includes/class-snoopy.php:			$headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);

Now that said, you will see it in plugins and (sadly) themes. Are these safe? It's difficult to say since there are thousands of plugins in the WordPress.org database alone. The best thing to do is delete the plugins and reinstall them. Same goes for themes.

Split up your website users

Splitting up your user accounts is also a good idea to isolate your sites. By assigning one domain per user, you ensure that if that user gets hacked, only that site is compromised. Also you make sure that if that site is hacked, it can't infect the others.

DreamHost has a One User Per Domain policy, which means each domain can only have one user assigned to it. View the article for further details on how to create a different user on your domain.

One More Scan

Look 'one folder up' for an index.php and wp-config.php file. Sometimes, if you install WordPress in a subdirectory such as example.com/wp/, you run it out of example.com. When that happens, those two files sit in the example.com directory, and from time to time they get missed when you clean up.

Look for oddly named files: any file named ljkdhsf92328kjhsdfsdf or mai1.php (that's mai-one, not mail) is probably suspect. Delete them.
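The three manual checks this article spreads across several sections (the eval(gzinflate(base64_decode(...))) backdoor in wp-config.php, PHP files hiding in /uploads, and oddly named files) can be done in one pass. The script below is an added example, not DreamHost's or WordPress's own code: it scans a WordPress directory for each of those signs and prints the matching paths for review. The legitimate base64_encode/base64_decode calls in core shown in the grep output earlier do not trigger the first check, because they are not wrapped in eval(). The sample site tree it builds is constructed for the demonstration; run the scan functions against a real directory such as /home/user/example.com instead.

```shell
#!/bin/sh
# Added example, not DreamHost's or WordPress's own code. Triage scan of a
# WordPress directory for the signs this article tells you to look for by hand.
# The sample tree built by make_sample_site is constructed; its "payload" is a
# placeholder string, not a working backdoor.

# 1. PHP files containing eval() fed by a decode/unpack wrapper, the shape of
#    the wp-config.php injection shown earlier in the article.
scan_for_eval_backdoors() {
    grep -RIlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*(gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)[[:space:]]*\(' \
        "$1" 2>/dev/null
}

# 2. Anything executable-looking in the uploads tree, which should hold only media.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# 3. Odd names: 16+ letters/digits with no extension, or the mai1.php look-alike.
find_odd_names() {
    find "$1" -type f 2>/dev/null | while IFS= read -r path; do
        name=${path##*/}
        if printf '%s\n' "$name" | grep -qE '^[A-Za-z0-9]{16,}$|^mai1\.php$'; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of distinct findings, for a quick pass/fail in scripts (0 means nothing found).
count_findings() {
    { scan_for_eval_backdoors "$1"; find_php_in_uploads "$1"; find_odd_names "$1"; } \
        | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree: a clean core-style file, an injected wp-config.php,
# a media file, a dropped PHP file in uploads, and two oddly named files.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/uploads/2015/06"
    printf '%s\n' '<?php $h = "Basic " . base64_encode("$u:$p"); // legitimate use' > "$site/wp-includes/class-http.php"
    printf '%s\n' '<?php eval(gzinflate(base64_decode("PLACEHOLDER_PAYLOAD")));?>' > "$site/wp-config.php"
    printf '%s\n' 'placeholder image bytes' > "$site/wp-content/uploads/2015/06/photo.jpg"
    printf '%s\n' '<?php echo "placeholder";' > "$site/wp-content/uploads/2015/06/dropped.php"
    : > "$site/ljkdhsf92328kjhsdfsdf"
    : > "$site/mai1.php"
    printf '%s\n' "$site"
}

# Demonstration on the constructed tree.
demo=$(make_sample_site)
echo "Findings under $demo:"
scan_for_eval_backdoors "$demo"
find_php_in_uploads "$demo"
find_odd_names "$demo"
echo "total: $(count_findings "$demo")"
rm -rf "$demo"
```

Every path it prints is a candidate for review, not an automatic delete: a theme or plugin may ship its own obfuscated file, and a site owner may have uploaded a PHP file on purpose. Run it against the renamed example.com_HACKED directory before copying anything from /uploads into the new install, and again against the new install once it is finished.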

If you are still getting unwanted pop up ads from your site, please request a security scan by submitting a ticket. You can do so on the (Panel > 'Support' > 'Contact Support') page.
