My WordPress site was hacked

If you suspect that your website has been hacked, the best thing to do is to reinstall any software application (for example, a content management system like WordPress or Joomla).

The steps below apply primarily to reinstalling WordPress, since that is the most commonly used (and therefore the most commonly hacked) software, but the general steps should hold true for many CMS installs.

Step 1: Change your WordPress theme
If you can access your WordPress Dashboard, log in and go to Appearance > Themes.

Twenty Twelve is WordPress's current default theme, and since the following steps will take your WordPress install back down to a basic install, changing your theme now will make the process easier for you later.

If the default theme is not installed now, or if you cannot access your WordPress Dashboard, there will be instructions on how to install your current theme into your clean install later in these instructions.

Step 2: Change your passwords
To change your FTP user's password, log in to the DreamHost panel and go to Manage Users. Click on "Edit" for the user that owns your WordPress install, and you can change the password for that user on the following page. (If you do not know which user owns your site, you can check on the Manage Domains page and see which username is listed under the "Web Hosting" column for that domain.)



To change your database password (the password that WordPress uses to access the database), go to the MySQL Databases page in your web panel. Under the column "Users with Access" click on the database username that you use for your WordPress install. On the following page, you can change the password for that user.

When you change this password, you will also need to edit your wp-config.php file to reflect the new password. There is information on how to edit the wp-config.php file to change the database password at codex.WordPress.org.

If you have multiple users for your database, make sure that you are changing the correct user's password. You can check which database user logs into your database for your WordPress install by looking at the wp-config.php file. There is information on how to check (and change) the database user name in your wp-config.php at codex.WordPress.org.

Step 3: Take the hacked code offline.

 * 1) Log in to the web server using FTP or SFTP. If your user type is FTP, it is strongly recommended to change it to SFTP, which encrypts the connection and is therefore more secure. You can change your user to SFTP in the web panel under Manage Users.
 * 2) Find your domain's directory (folder). On DreamHost, the default name of the domain directory is yoursitename.com. You may have WordPress installed in that main directory (you would see a list of files and directories beginning with "wp-"). If WordPress is installed in a sub-directory, it could be in a directory called /blog or /WordPress or /wp -- it depends on where you installed it. Make a note of exactly what the domain directory is named (capitalization matters!)
 * 3) Rename the domain directory from yoursitename.com to something else, for example, yoursitename.HACKED. IMPORTANT NOTE: Doing this will immediately take your site offline!
 * 4) Immediately create a new, empty domain directory with the same directory name as the old one (the one you noted in step 2).

Step 4: Install a clean, unhacked copy of WordPress.
 * 1) Reinstall WordPress to your domain either manually or via the One-Click Installer. If you previously used one-click, you will need to go to Manage Installed Applications and click on your domain's name, and then click on "Remove from List" under "Actions" to the far right.
 * 2) Connect your new WordPress install to your old database. To do this, you will need the Database Name, Username, Password, Host, and Table Prefix. You can find the table prefix in the previous install's wp-config.php: look for the line that sets the table prefix; the value between the single quotes is the table prefix. For installs using DreamHost's one-click installer, the table prefix is usually wp_ followed by 5 or 6 random letters and numbers and concluding with an underscore (so wp_1a2b3_).
 * 3) After you have completed the famous 5-minute install, log in to FTP/SFTP and delete the wp-config.php in the live site's new WordPress install. (If you do not want to delete it, you can rename it to something else, such as "not_working.wp-config".)
 * 4) Go back to your new install and reload the page. It should now say "There doesn't seem to be a wp-config.php file. I need this before we can get started." - [[Media:Wp-conf-step1.jpg|Example of first screen]]
 * 5) Click on "Create a configuration file". On the next page, click on "Let's go!" - [[Media:Wp-conf-step2.jpg|Example of second screen]]
 * 6) On the next page, fill in the information you gathered above. Then click on "Submit". - [[Media:Wp-conf-step3.jpg|Example of third screen]]
 * 7) The next page will have a button that says "Run the install". Click it.
 * 8) Since you already have data, you'll probably get a message saying that WordPress is already installed. This just means that you've successfully connected your WordPress installation to your old database.
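The five values the install screen asks for (Database Name, Username, Password, Host and Table Prefix) can all be read out of the old install's wp-config.php from the shell instead of by eye. The script below is an added example, not DreamHost's or WordPress's own code. It assumes a stock wp-config.php layout (define('DB_NAME', '...') lines and a $table_prefix = '...'; line); the file path and every value in the sample config it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read the database settings the new install needs out of the
# OLD (renamed) install's wp-config.php. Prints one KEY=value line per setting.
# Assumes the standard define('DB_...', '...') and $table_prefix = '...'; lines.

wp_config_settings() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    # define('DB_NAME', 'value'); -> keep the second quoted string (first match wins).
    for key in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
        val=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
        echo "$key=$val"
    done

    # $table_prefix = 'wp_xxxxx_'; -> the value between the quotes is the prefix.
    prefix=$(sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    echo "TABLE_PREFIX=$prefix"
}

make_sample_wp_config() {
    # Constructed sample of the lines that matter; these are NOT real credentials.
    dir=$(mktemp -d)
    cat > "$dir/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_wp');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', 'mysql.example.com');
$table_prefix = 'wp_1a2b3_';
EOF
    echo "$dir/wp-config.php"
}

# Usage: sh wp_config_settings.sh yoursitename.HACKED/wp-config.php
if [ $# -gt 0 ]; then
    wp_config_settings "$1"
fi
```

Run it against the renamed directory (yoursitename.HACKED/wp-config.php) and copy the printed values into the "Create a configuration file" form; the prefix is the one DreamHost-specific value, and for one-click installs it should have the wp_1a2b3_ shape described above.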

Step 5: Add your uploads, themes, and plugins.
Your WordPress is now fully installed and connected to your old database. However, it is not using your chosen theme, your chosen plugins, or your previously uploaded images.

If you were able to change your theme to twentyeleven before you started, you should see it loading your posts, but without the correct theme. If your specific theme is not currently installed, you can install it through the Dashboard. There are instructions on how to install new themes through the Dashboard at codex.WordPress.org.

If you were not able to change the theme to twentyeleven before beginning, however, the site will probably load as a completely white page. This is because your database is looking for a theme that is probably no longer installed. WordPress themes are extremely vulnerable to hacking; always download and install a new copy of your theme rather than moving the theme files from your old install. Since you cannot access the Dashboard at this point, you will need to download a copy of your chosen theme (usually delivered in a ZIP format). Unzip it (if it is zipped), then log into FTP/SFTP and upload the theme to yoursitename.com/wp-content/themes, so that it occupies its own folder inside /themes. If your theme name is /my_theme, it should be inside yoursitename.com/wp-content/themes, so the path to the theme would be yoursitename.com/wp-content/themes/my_theme.

Once you have your chosen theme installed, you should be able to load your site and see your posts.

Your uploads (images and other media) are still in the other install's directory. Using FTP/SFTP, copy the contents from yoursitename.HACKED/wp-content/uploads to yoursitename.com/wp-content/uploads.

VERY IMPORTANT NOTE: Please check over the files you are moving and make sure they are all yours. If you move hacked code into your new install, it will infect your new site. The /uploads directory primarily contains media, so the files should end with extensions that indicate what kind of file they are (.jpg for a JPEG image, for example, or .mp3 for an MP3 audio file). BE VERY CAUTIOUS ABOUT FILES ENDING IN .PHP IN THE /uploads DIRECTORY.
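Checking a large /uploads tree by hand is error-prone, so here is the same check done from the shell before anything is copied. This is an added example, not part of the original page: it flags files whose name does not end in a media extension (which catches .php, .phtml, double extensions such as image.jpg.php, and files with no extension) and, separately, files that carry a PHP open tag whatever their name. The list of media extensions is an assumption to extend for your site, the sample files it creates are constructed, and nothing is deleted; the output is a review list.

```shell
#!/bin/sh
# Added example: list files in an uploads tree that do not look like plain media.
# Output lines start with "EXT" (suspicious name) or "PHP" (PHP tag inside the file).

# Extensions treated as ordinary media (assumption; extend as needed for your site).
MEDIA_EXT='jpg|jpeg|png|gif|webp|svg|mp3|mp4|pdf|zip|txt'

suspicious_uploads() {
    uploads="$1"
    find "$uploads" -type f | while IFS= read -r f; do
        base=$(basename "$f")
        # Extension after the LAST dot, lower-cased; empty when there is no dot.
        ext=$(printf '%s' "$base" | sed -n 's/.*\.\([^.]*\)$/\1/p' | tr 'A-Z' 'a-z')
        if ! printf '%s' "$ext" | grep -Eq "^($MEDIA_EXT)$"; then
            echo "EXT  $f"
        elif grep -qF '<?php' "$f"; then
            # Media-looking name but PHP inside: e.g. a .jpg that is really a script.
            echo "PHP  $f"
        fi
    done
}

make_sample_uploads() {
    # Constructed sample tree: one genuine image and three files that should be flagged.
    dir=$(mktemp -d)
    mkdir -p "$dir/2013/01"
    printf 'JFIF-placeholder' > "$dir/2013/01/holiday.jpg"       # fine
    printf '<?php echo "placeholder"; ?>' > "$dir/2013/01/disguised.jpg"  # PHP in a .jpg
    printf '<?php echo "placeholder"; ?>' > "$dir/2013/01/image.jpg.php"  # double extension
    printf 'data' > "$dir/2013/01/noext"                                  # no extension
    echo "$dir"
}

# Usage: sh suspicious_uploads.sh yoursitename.HACKED/wp-content/uploads
if [ $# -gt 0 ]; then
    suspicious_uploads "$1"
fi
```

Anything printed should be inspected (or simply left behind) before the rest of /uploads is copied into yoursitename.com/wp-content/uploads; a PHP file inside /uploads is not something WordPress itself puts there.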

The last step should be to install the WordPress plugins that you need for your site. Again, it is very important to install brand-new copies of your plugins, rather than copying over the files from the hacked install. You should be able to install the plugins that you need from inside your new install's Dashboard. Only install the plugins you know you need and use -- every inactive plugin is extra code a hacker can target, and fewer plugins makes WordPress run faster, too!

You're finished!
If everything went well, you should now have a brand-new install of WordPress, connected to your old database and with all your uploaded content, your chosen theme, and your chosen plugins!

Htaccess File Issues
Many hackers insert code into the standard WordPress .htaccess file. The best thing to do is to completely remove the old, hacked .htaccess and generate a new one.


 * 1) Delete the old hacked .htaccess file, if applicable
 * 2) In your WordPress Dashboard, go to Settings > Permalinks, re-select your permalink settings and save the page. This re-creates the base .htaccess. The direct URL for that is http://yoursitename.com/wp-admin/options-permalink.php (replace yoursitename.com with the location of your WordPress site).
 * 3) If you have the WP Super Cache plugin installed, you will need to go to Settings > WP SuperCache (http://yoursitename.com/wp-admin/options-general.php?page=wpsupercache), re-select "Use mod_rewrite to serve cache files. (Recommended)" and then click "Update Status" below. A large yellow section titled "Mod Rewrite Rules" will then appear below. At the bottom of that section, click the button that says "Update Mod-Rewrite Rules".
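Before deleting the old .htaccess it is worth knowing what was in it, because the part WordPress writes itself is regenerated by the permalinks step above and everything else is either your own rule or something that was inserted. The script below is an added example (not DreamHost's or WordPress's code) that prints only the lines outside the "# BEGIN WordPress" / "# END WordPress" block; it assumes that standard marker pair, and the sample .htaccess it builds is constructed.

```shell
#!/bin/sh
# Added example: print the lines of an .htaccess that are NOT inside the block
# WordPress generates between "# BEGIN WordPress" and "# END WordPress".
# Blank lines are skipped; each line is prefixed with file:line for reference.

htaccess_foreign_lines() {
    awk '
        /^# BEGIN WordPress/ { inside = 1; next }
        /^# END WordPress/   { inside = 0; next }
        !inside && NF        { print FILENAME ":" FNR ": " $0 }
    ' "$1"
}

make_sample_htaccess() {
    # Constructed sample: the stock WordPress rewrite block plus two lines after it.
    f=$(mktemp)
    cat > "$f" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

ErrorDocument 404 /not-found.html
RewriteRule ^old-page$ /new-page [R=301,L]
EOF
    echo "$f"
}

# Usage: sh htaccess_foreign_lines.sh yoursitename.HACKED/.htaccess
if [ $# -gt 0 ]; then
    htaccess_foreign_lines "$1"
fi
```

Whatever it prints that you do not recognise as your own (redirect rules you never wrote, handlers for unexpected file types, rules pointing at files you do not know) is the part to drop; rules you did write can be re-added to the fresh .htaccess by hand after the permalinks step has regenerated the WordPress block.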

But I Don't Want To Wipe Everything and Start From Scratch
If you would rather manually remove plugins and themes that you think may be insecure (either to completely remove them from the situation or to replace them with updated, secure versions), here are some tips. (It's really, really, really, really, really, really, really, really a lot safer to install everything from scratch -- you may miss vulnerable files. Only do this if you really, really, really, really, really need to!)

Upgrade or delete unused install
If you have an old install that you don't use, either upgrade it to make it secure or (even better) remove it completely.

Upgrade WordPress install via DreamHost one-click installer
If there is an upgrade available, under "Actions" for that install, it will say "Upgrade to" and give the latest version number. Click on that, and presto! Your WordPress install will be automatically upgraded.

Upgrade WordPress install via WordPress Dashboard
If there is a new version of WordPress, whenever you login to your Dashboard, there will be a notice on every screen that there is a new version. To update, click on "Updates" in the left-hand column, and follow the instructions to update WordPress through the Dashboard.

Delete a WordPress install using DreamHost's One-Click Panel
If you used DreamHost's one-click installer, only use [[Media:Image_of_installed_one_click_in_panel.jpg|"Delete all Files"]] if the install is alone in its directory and there is nothing else in that directory you want to keep. (If you have a whole other site at yourdomain.com/site and an old WordPress install at yourdomain.com, clicking on "Delete all Files" will remove everything in yourdomain.com, including yourdomain.com/site!!!)

If you can't use "Delete all Files" or you manually installed WordPress, you can delete the install using FTP or the command line (shell/SSH).

Delete a WordPress install using FTP
WordPress uses an .htaccess file in its install directory (and hackers commonly tamper with it), so it is deleted along with the core files in the steps below.


 * 1) Log in to FTP
 * 2) Find your domain directory
 * 3) Find the directory that your WordPress install is in (it may be the same as the domain directory)
 * 4) Delete all files beginning with "wp-".
 * 5) Delete all directories beginning with "wp-".
 * 6) Delete the following files (if present):
   * .htaccess
   * index.php
   * xmlrpc.php
   * readme.html
   * license.txt

At this point, there should be nothing left in the directory but files you have uploaded. If there are files still there that you do not recognize, examine them carefully -- they may be files placed there by a hacker. If you are certain that you do not want these files, you can delete them.

Once you are done, there should be nothing left in the directory but the files you want. The WordPress install (with all themes and plugins) is completely removed, and the files that are left should be checked to make sure they don't have any hacker exploits injected into them.

Delete a WordPress install using SSH

 * 1) SSH to your site (usually ssh username@yourdomain.com in the shell)
 * 2) CD to your domain directory (the default directory name for DreamHost is /yourdomain.com)
 * 3) CD to the WordPress install (if it is not in your main domain directory)
 * 4) To selectively remove just WordPress files:
 * 5) type:   (that will remove all files beginning with "wp-")
 * 6) type:
 * 7) type:
 * 8) type:
 * 9) type:
 * 10) type:
 * 11) To remove the WordPress install's wp-admin, wp-content, and wp-includes directory in one command, type:
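The FTP list (Delete a WordPress install using FTP) and the SSH list above remove the same set of files. The function below does that removal from the shell as an added example, not DreamHost's own script: it defaults to a dry run that only prints what would go, removes the files only when passed --really, and then lists whatever is left in the directory, which is exactly the set of files the page says to examine by hand. The sample install it builds is constructed. Copy your /wp-content/uploads out first, as Step 5 describes, because the wp- directories go with everything else.

```shell
#!/bin/sh
# Added example: selectively remove WordPress core files from DIR, then report leftovers.
#   remove_wordpress_core DIR            dry run: print what would be removed
#   remove_wordpress_core DIR --really   actually remove it
# Removes: wp-* files and directories, .htaccess, index.php, xmlrpc.php,
# readme.html, license.txt. Anything else in DIR is left for manual inspection.

remove_wordpress_core() {
    dir="$1"; mode="${2:-dry-run}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for name in "$dir"/wp-* "$dir"/.htaccess "$dir"/index.php "$dir"/xmlrpc.php \
                "$dir"/readme.html "$dir"/license.txt; do
        [ -e "$name" ] || continue          # unmatched glob or absent file
        if [ "$mode" = "--really" ]; then
            rm -rf -- "$name"
        else
            echo "would remove: $name"
        fi
    done
}

# Everything still in DIR (dot files included) is either yours or was planted: look at it.
leftover_files() {
    find "$1" ! -path "$1" | sort
}

make_sample_install() {
    # Constructed sample install: core files plus two non-WordPress files.
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-admin" "$dir/wp-content/uploads" "$dir/wp-includes"
    for f in wp-config.php wp-login.php index.php xmlrpc.php readme.html license.txt .htaccess; do
        : > "$dir/$f"
    done
    : > "$dir/wp-content/uploads/photo.jpg"
    : > "$dir/robots.txt"          # the owner's own file; must survive
    : > "$dir/unknown123.php"      # constructed file of unknown origin; must be reviewed
    echo "$dir"
}

# Usage: sh remove_wordpress_core.sh /home/user/yoursitename.com [--really]
if [ $# -gt 0 ]; then
    remove_wordpress_core "$@"
    echo "--- left for manual inspection ---"
    leftover_files "$1"
fi
```

Run the dry run first and read the list; if it names anything you did not expect, stop. After the real run, the leftover list is short enough to check file by file, as the page recommends.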

Update Plugins through WordPress's Dashboard
If updates are available for plugins or themes, the Dashboard shows the number of themes and plugins needing updates in a circle in the left-hand column next to "Updates".

Scroll down a bit, and the number of plugins that need to be updated will be displayed in a circle next to "Plugins".

You can either update each plugin individually by clicking on "update automatically" below the plugin or check the box at the top of the list (next to the word "Plugin", just above the name of your first plugin listed) and then select "Update" from the "Bulk Actions" dropdown, and then click "Apply" to update all plugins in that list. 

Uninstall Plugins through WordPress's Dashboard
See also: WordPress article on Uninstalling Plugins

To uninstall a plugin through WordPress's Dashboard, click on "Plugins" in the left-hand column in the Dashboard. You can individually delete plugins by clicking on "Delete" under the plugin's name (you will be asked if you are sure you want to do this). You can bulk-delete selected plugins by checking the box next to the plugins you want to delete and then selecting "Delete" from the "Bulk Actions" dropdown, and then clicking "Apply". You can also delete all plugins at once by checking the box at the top of the list (next to the word "Plugin", just above the name of your first plugin listed) and then select "Delete" from the "Bulk Actions" drop-down, and then click "Apply" to delete all plugins in that list.

Update Themes through WordPress's Dashboard
In the left-hand column, click on "Appearance". A list of all your currently installed themes will show in the main window. Any themes with updates available will have bold text at the bottom of their description, reading "There is a new version of This Theme available. View version details or update automatically." The "View version" and "update automatically" will be links to those actions.

To update a theme, just click on "update automatically" and it will update the theme to the latest version.

Uninstall Themes through WordPress's Dashboard
In the left-hand column, click on "Appearance". A list of all your currently installed themes will show in the main window. Under the name and short description of the theme are three links, "Activate | Preview | Delete". Click on "Delete" to remove the theme from your WordPress install. You will be asked if you are sure you want to do this.

Delete Themes through FTP.
If you cannot access the Dashboard, or you would prefer to delete the themes through FTP, you can do that!


 * 1) Login to FTP for your domain
 * 2) Navigate to the WordPress directory
 * 3) Go into the /wp-content/ directory
 * 4) Go into the /themes/ directory
 * 5) Delete the theme or themes you want to remove. If you want to remove all but your current installed theme, make sure you know exactly what directory that theme is in (you can check in the Dashboard -- under the "Activate | Preview | Delete" it will say "All of this theme’s files are located in /themes/your-theme".)

Disable plugins through FTP.
You can disable one, more than one, or all plugins at once through FTP. These instructions will remove the functionality of these plugins from your WordPress install, without removing the plugin files.

To disable one plugin, or disable a few (but not all):
 * 1) Login to FTP for your domain
 * 2) Navigate to the WordPress directory
 * 3) Go into the /wp-content/ directory
 * 4) Go into the /plugins/ directory
 * 5) Find the first plugin you want to disable without removing the files
 * 6) Rename the plugin directory to something else. For example, if you wanted to turn off this_plugin, you could rename the directory to this_plugin.off, so that you know that one is turned "off".
 * 7) Repeat for any other plugin you want to disable.

To re-enable the plugins, just change the name back to the original name.

To disable all plugins at once without removing the files:
 * 1) Login to FTP for your domain
 * 2) Navigate to the WordPress directory
 * 3) Go into the /wp-content/ directory
 * 4) Rename the /plugins/ directory to something else, like plugins.off.

Delete plugins through FTP.

 * 1) Login to FTP for your domain
 * 2) Navigate to the WordPress directory
 * 3) Go into the /wp-content/ directory
 * 4) Go into the /plugins/ directory
 * 5) Delete the plugin or plugins you want to remove completely.

Rename themes or plugins through SSH
If you prefer, you can rename plugins' and themes' directories through the command line by logging into the shell with an SSH user. This will disable active plugins and active themes without removing the files themselves.

First, make sure that the user that owns your WordPress site is set up to use SSH. You can check that under [Manage Users] in your DreamHost panel. If the user is not listed as a "shell" user, click on "Edit" for the user, and change "User Account Type" to "Shell Account".


 * 1) SSH to your site (usually ssh username@yourdomain.com in the shell)
 * 2) CD to your domain directory (the default directory name for DreamHost is /yourdomain.com)
 * 3) CD to the WordPress install (if it is not in your main domain directory)
 * 4) CD to wp-content
 * 5) To rename a theme's directory, CD to themes. Once you are in the directory, type:  That will change the name of the theme -- if this is the active theme in WordPress's Dashboard, it will break that theme and your install will load as a blank page.
 * 6) To rename a plugin, from the /wp-content/ directory, CD to plugins. Once you are in the directory, type:  This will disable the functionality of the plugin without removing the files.

Delete themes or plugins through SSH
You can also delete plugins and themes through the shell. Again, make sure that the user that owns your WordPress site is set up to use SSH. You can check that under [Manage Users] in your DreamHost panel. If the user is not listed as a "shell" user, click on "Edit" for the user, and change "User Account Type" to "Shell Account".


 * 1) SSH to your site (usually ssh username@yourdomain.com in the shell)
 * 2) CD to your domain directory (the default directory name for DreamHost is /yourdomain.com)
 * 3) CD to the WordPress install (if it is not in your main domain directory)
 * 4) CD to wp-content
 * 5) To delete themes, CD to themes and then remove the theme or themes you want to completely delete. For example, if the theme you want to remove is ugly_old_theme, type:
 * 6) To delete plugins, from the /wp-content/ directory, CD to plugins and then remove the plugin or plugins you want to remove. For example, if you want to remove nasty_old_plugin, you would type:

See also:
 * WordPress.org: FAQ: My Site was hacked
 * WordPress.org: Hardening WordPress