How to Fix a Hacked WordPress Blog

Posted by jtpratt |23 Feb 11 | 13 comments

Fixing a hacked WordPress blog isn’t easy if you’re just a blogger with little technical experience. In my experience with clients, web hosting companies usually aren’t much help – because their experience with WordPress is limited (whether they’re ‘WordPress friendly’ or not). Their experience fixing a compromised or infected WP site and hardening security is usually non-existant. Like most technical support personnel – their job is to close your ticket as quickly as possible, not to get to the “root cause” of your infected and hacked blog. Without actually figuring out how your site was hacked, odds are you’ll get re-infected again, and again, and again.

how to fix hacked-wp-blog

Consider this a 4,000+ word tutorial / lesson / guide to help you fix your compromised WP site on your own. If you still need help – feel free to contact me, but I’m hoping that this article will help a LOT of people deal with their broken site on their own. You don’t have to be a coder or developer to be able to use these techniques, but you’ll need a decent understanding of WordPress, FTP, and possibly phpMyAdmin.

This article will help:

  • prevent your web site from getting hacked, jacked, infected, injected, exploited, etc.
  • fix your hacked blog or WordPress site from any one or more of the following…
    • spam links in your theme footer
    • spam links only found google’s cache of your web pages
    • eval base64 decode hacks (eval(base64_decode)
    • iframe hacks
    • .htaccess hacks
    • malware code
    • evil 301 redirects
    • injected or compromised wordpress database
  • give you tips and tricks to keep your site from getting compromised in the future

What Your Web Hosting Tech Support Will Try

Usually web hosting technical support will ask you to try techniques similar to computer tech support…

  • Reinstall WordPress
  • Restore from Backup
  • Clean infected files

The problem is, they usually don’t know how to do any of those things right – and even if it does fix your broken site, it doesn’t find the “root cause”. I’m going to try and give you enough tips and tricks in this article to do a better job than any web host tech could ever do, based on my own experience of fixing hundreds of hacked blogs myself for clients over the last few years.

What Causes A WordPress Site to Become Infected or Hacked?

An Automated Army of Spammers and Hackers is Out to Get You…

First let me clear up the misnomer that web site are hacked literally by “people”. I say this, because I get emails from people saying “they got in again…” or “I don’t know how they got into WordPress…” 99.9% of all web site hacks and infections are done by automated scripts and software.

Here’s how it works…

Some clever little programmer finds a security hole or exploit that is either very recent, or very old. Recent security holes are easy to find, older exploits are harder to find – but easier to hack. They write a web “crawler” or software robot to trawl the web and comb through hundreds of thousands of sites – looking for ones that meet the right criteria (that have the hole). Once a site has been identified, the automated software performs the break-in, and then follows it’s programmed routine for infection. It’s very uncommon to have your web site hacked or infected by an actual live “person”.

Why was my web site a good target?

  • Footprints: The software robots look for “footprints”, that’s the first way they find and target your web site. It may be as simple as the text “powered by WordPress” in your footer, or the WordPress version in your HTML code.
  • Server Vulnerabilities: Hackers specifically seek out servers with “directory indexing” turned on by default to search for backend scripts and files not indexed by seach engines (for more exploits and holes). Most of the hacked blog clients I get have directoy indexing turned on (and it shouldn’t be). Having directory indexing turned on is like giving a hacker an x-ray machine to see inside your site.
  • Plugin Exploits: A hacker script may automatically try different directories on your site just to find out if you have different plugins installed, what versions they are, and if they’re exploitable. It doesn’t matter if WordPress is up to date – if all your plugins aren’t. I have had multiple clients get hacked through an outdated WordPress plugin.
  • Bad Web Hosts: Most modern web hosts use some kind of web site control panel software. Hackers look for out of date installations of cPanel, Plesk, etc., to break in. Some web hosts code their own control panels – which may eliminates a “footprint” but sometimes opens up even more holes. Your web host is also responsible for keeping your server up to date – so they are additionally responsible for the other points of server vulnerabilities, and operating system. I have had LOTS of web hosts over the years (still have multiple acconts), and even though I’ve written articles about WP security – I’ve had WordPress sites hacked through bad web host configurations.
  • Other Outdated Software: This is something I actually learned first hand – in addition to having clients that had this problem. Let’s say you have WordPress installed (and up to date) on your web site. Then one day you decide to install “Simple Machines Forum” in a sub-directory of your site. Maybe you didn’t like it, and just left it there. Maybe you installed Drupal, Mambo, Pligg, or Joomla, or some other scripts. The biggest mistake you could make is to install something and forget about it, because over time it becomes outdated and easily exploitable. Case and point, a few years back I actually did install Simple Machines Forum in one of my shared hosting accounts and forgot about it for 2 years. It was a shared hosting account with 30 web sites installed, and hackers got in and infected EVERY ONE of my WordPress sites through the backdoor in the forum. Just because hackers broke into your WordPress site – doesn’t mean that the got in that way.
  • Public Vulnerability: People have no idea how easy it easy for hackers to steal your credentials when you’re away from home. Public wifi is great, until you realize how many things you do on a daily basis that send usernames and password in plain text with no encryption (email, FTP, WordPress admin login, social media sites, etc). I don’t care if you’re in Starbucks or a hotel on vacation – you need to make sure that absolutely everything you do is encrypted at all times. That means using https:// secure logins, SFTP (secure FTP), etc. It also means routinely changing all your login passwords once back home.
  • Operating Systems: This actually falls under 2 other points, but I thought I’d mention it alone as well. Your web sites run on a server at a web hosting company, and that server has it’s own operating system (Linux, Windows, or Mac). If it’s not kept up to date by the web hosting company with current patches and proper security, hackers will break in. I personally don’t prefer Windows web hosting, and last year I believe Godaddy had their Windows hosting servers broke into not once, not twice, but three times. I had to move several new clients that got hacked during that time from Windows to Linux.

What to do if your WordPress Web Site is Hacked

Alright, now that you know what causes sites to get hacked, let’s get down to business. What you really want to know is what to do…and that really depends on what your symptoms are. I’ll try to give answers for every scenario that I can think of…the most important thing is to know whether you have access to your wp-admin dashboard login or not.

I can’t get into my WordPress web site…

This section is for people that have a hacked or infected WordPress site, and they’ve been locked out in some way. If you can at least access your wp-admin dashboard login, move on to the next section.

If you can’t login to your WordPress admin dashboard, you probably have one of the following symptoms:

  • When I try to login to wp-admin I get a white screen of death (blank screen)
  • When I try to login to wp-admin it redirects me to the homepage or “page not found”
  • My admin username or password no longers works
  • also…my web hosting control panel / FTP / email password no longer works

The first order of business is actually getting into your WordPress dashboard admin. There are many reasons why you might not be able to login to your dashboard, and the hacker scripts accomplish this in many different ways depending on how they broke in – and what they want to accomplish. I’ve fixed so many hacked sites that I’ve developed techniques to quickly be able to login – no matter what the problem actually was. So keep in mind that the steps I’m about to tell you won’t actually figure out why you couldn’t login – but rather provide the most direct path to be able to allow you to login.

Steps to regain entry to your WordPress dashboard:

  1. Change your web hosting control panel password – NOW
  2. Download a backup of your ENTIRE wordpress site in FTP to a folder on your desktop
  3. Login to your web control panel, go to the database section, and click on phpMyAdmin. Once it loads, find the database for your wordpress site in the left sidebar and click on it (look in wp-config.php file in the root of your site if you don’t know what it’s called)
  4. Click on the “export” tab on the top right
  5. Under the “View dump (schema) of databases” section click “select all” to select all the tables (if they aren’t already)
  6. At the bottom of the page make sure the “save as file” checkbox is checked and the radio button for “zipped” is selected for compression
  7. Click the “go” button to the right, and when the popup appears, save the file to your desktop. Now you’ve saved a copy of your WordPress database
  8. In FTP delete the “.htaccess” file in the root of your site. This file exists for every working WordPress site – if you don’t see it in FTP, just change the options of your FTP program to “show hidden files”, so you can find and delete it
  9. In FTP go to your /wp-admin folder in the root of your site and make sure there isn’t an .htaccess file there – and if there is, delete it
  10. In FTP go to /wp-content/plugins and delete all the plugins (don’t worry, you downloaded a backup of them earlier)
  11. In FTP go to /wp-content/themes and delete all the themes except default wordpress (you also have a copy of all themes)
  12. Download the latest version of WordPress, unzip it on your desktop, and then manually FTP the new files over the top of your WordPress installation. If you were really concerned about about your site being infected you could delete ALL files in the root of the site except for /wp-config.php, all files in /wp-includes, and all files in /wp-admin. Keep /wp-content because you want to preserve anything you uploaded in /wp-content/uploads
  13. With the new WordPress files uploaded in a browser go to www.site.com/wp-admin/upgrade.php. Click the db upgrade button if necessary, and then try to login your site at www.site.com/wp-admin. You should be able to login. If you can’t, then your admin account or database has been compromised. You’ll either have to reset your password manually in the database or have your database cleaned. For 99% of the sites I work on the steps up until this point fix the issue, because getting locked out of your site or white screen of death is almost always caused by a plugin or theme conflict, .htaccess problem, or failed upgrade of some kind. If you think you have a database issue – move on to the next section below.
  14. If your issue was fixed, now you have to get at the root cause. Normally at this point I start re-uploading the plugins and activate them one by one – checking to make sure that one of them wasn’t the issue. Often I find one that is, and have to find a replacement.
  15. If you get the plugins all uploaded and activate, then re-upload your theme. Before I do this I carefully check the footer for bad code or links, especially encoded stuff like gzip eval statements (hackers put these there so yo don’t know they’re spam links). I check the functions.php file and make sure there isn’t any rogue code there. Last I check all the main PHP files for bad code too, like index.php, search.php, page.php, archive,php, etc. – all by hand in a text editor. THEN, I re-upload the theme, activate, and check the front end web site to make sure everything is ok.

My WP site has been hacked or compromised, but I can get into my dashboard admin…

Well, if you can login to wp-admin to get to your dashboard, the process is pretty similar…

  1. Download a backup of your ENTIRE wordpress site in FTP to a folder on your desktop
  2. Login to your web control panel, go to the database section, and click on phpMyAdmin. Once it loads, find the database for your wordpress site in the left sidebar and click on it (look in wp-config.php file in the root of your site if you don’t know what it’s called)
  3. Click on the “export” tab on the top right
  4. Under the “View dump (schema) of databases” section click “select all” to select all the tables (if they aren’t already)
  5. At the bottom of the page make sure the “save as file” checkbox is checked and the radio button for “zipped” is selected for compression
  6. Click the “go” button to the right, and when the popup appears, save the file to your desktop. Now you’ve saved a copy of your WordPress database
  7. In FTP go to /wp-content/plugins and delete all the plugins (don’t worry, you downloaded a backup of them earlier)
  8. In FTP go to /wp-content/themes and delete all the themes except default wordpress (you also have a copy of all themes)
  9. What you’ve done is completely removed all the plugins and theme files – which 90% of the time are the problem. If this fixes your problem – then re-upload and activate the plugins one by one, checking each time to make sure one of them isn’t the problem.
  10. If you get beyond all the plugins then move on to the theme that you were using at the time of the problem. You need to re-upload your theme, but before I do this I carefully check the footer for bad code or links, especially encoded stuff like gzip eval statements (hackers put these there so yo don’t know they’re spam links). I check the functions.php file and make sure there isn’t any rogue code there. Last I check all the main PHP files for bad code too, like index.php, search.php, page.php, archive,php, etc. – all by hand in a text editor. THEN, I re-upload the theme, activate, and check the front end web site to make sure everything is ok.
  11. If you get through all your plugins and the theme files, my next steps are search the site for any weird looking files or folders. It really depends on what the problem was. If the infected site had spam links in the footer and I found the bad code in footer.php and removed it – then of course I would know I had removed it. If the footer links were still there after going through the plugins and theme – then I’d keep looking. In my experience if I didn’t find the problem in the plugins or theme, then I usually have to move on to the database.
  12. I could give you all kinds of ways to search and fix the database – but it takes both experience and time to find a database infection – and even then you might miss something. Over time from experience I’ve concluded that it’s much easier to export everything from the dashboard, start with a new database, and then re-import all your data. Move on to the next section for those instructions.

I need to fix a WordPress database infection – what do I do?…

So, if you’ve gotten this far in this “fixing hacked blogs tutorial” you should at least have access to your dashboard, and you’ve already gone through your plugins and themes – and what’s left is the database. As I previously mentioned – I could show you how to search for and clean infections out of your database, but it’s much easier to take the route I’m about to tell you.

Here is the easiest way I’ve found to completely remove a WordPress database infection:

  1. If you performed the steps earlier, you already have a full database backup that you exported from your web control panel using phpMyAdmin. If not – go back and do it now
  2. Login to your WP dashboard admin and go to “Tools->Export” and export the contents of your site. With this standard WordPress tool you can export all your posts, tags, pages, categories – ALL of your content. The only thing you cannot export are your (previously installed) plugins settings. The only thing you can do in that regard is export them from various plugin pages (which most don’t have options for), write them down, or export the records from your wordpress wp_options table one by one. You might want to take note of your general wordpress settings as well, exporting content will not export those settings.
  3. Next, you want to visit your web hosting control panel and create a new blank database. Write down the database name, database password, and database username.
  4. Now open download the wp-config.php file from the root of your site and open it in a text editor. Remove the old db name, password, and username – and replace with the new blank database ones. Upload the updated wp-config.php back to the root of your site. Depending on whether or not you suspect your wordpress files were infected, if you haven’t already you could additionally at this point is delete all the root files (except wp-config.php), an everything in wp-admin and wp-includes and then upload a fresh copy of all core WP files. Then you truly know you’re starting with fresh WP files AND fresh clean WP database.
  5. Now just visit your site in a web browser, and what should happen is it gives you the dialogue and button to run the WP install for the first time. Click the button and run the install for wordpress, and login for the first time with your admin account
  6. Once you’re logged in go to “Tools->Import” and import your previously exported posts, pages, tags, categories, etc.
  7. Activate your plugins
  8. Activate your theme
  9. Now you should have a completely clean wordpress database, and if you followed the first two sections you should now already have clean plugins and a clean theme. As I mentioned, you might have to setup your plugins settings and options again, but that’s a very small price to pay to ensure you have a 100% clean and fresh WordPress database

The biggest mistake that anyone can make is to find and fix an infected WordPress web site, and then not take any preventative measures to ensure that it doesn’t happen again. Be sure to go through the next section and take the preventative measures to ensure that it doesn’t happen to you again. I can’t tell you the number of clients that have come tome because they were able to remove the infection from their site by themselves, but then it kept getting infected over and over again (and they didn’t know why). So – they would pay me to fix their site and ensure that it never happens again.

How do I prevent my WordPress site from getting hacked again?

So, at this point in the tuorial you’re site should be clean. If it’s not – quick reading this section, and got back and remove the infection. Now your job is to do preventative maintenance for the future – to ensure it won’t happen again.

You may have removed some kind of site infection or malware, but you probably have no idea how it happened. I’m much better now when working on sites at figuring out exactly how somebody broke in. But there are times where I really don’t know – but once I get done with the preventative maintenance and harden the security, I’ve never had a single time after doing this (and hundreds of fixed sites) that the site got infected again. That’s because when it comes down to it, the break in’s are almost always automated by scripts and software (and predictable).

To prevent your WordPress site from getting hacked, infected, or broken into again – these are the steps you should take:

  1. Logins and Passwords: It’s time to take charge of your passwords. Most likely – like everyone else you’ve been using passwords that are easy to remember. In addition, most people tend to use the exact same password for everything – and the exact same username. That means if somebody gets the login to one site – the get them all…and your facebook, twitter, online banking, email accounts, etc. The #1 source of entry for spammers and hackers into your web site is by going directly through your login account – and here’s how to stop that…
    • Use different login usernames on all your accounts. NEVER use the same login across all sites, and always try to use login usernames that have some numbers AND letters
    • Use STRONG passwords with numbers, letters, and special characters. You can use www.strongpasswordgenerator.com if you’re in doubt. Also, the LONGER a password is, the harder it is to break. Most people are forced to use an 8 character password with most site – I use 15.
  2. b>Failure to do Maintenance and Upgrades: If you have shared web hosting, make sure that EVERY WordPress web site and plugin in ALL the sites you have are up to date. If someone breaks into one – they gain access to hack them ALL. If you have software OTHER than WordPress in your web hosting account (forums, other CMS systems, scripts) keep THEM updated in ALL sites. Neglected and unmaintained code is one of the #1 ways hackers can compromise your site!
  3. Intercepted Logins: Be very aware of HOW and WHERE you are connecting to your WordPress site, your web control panel, and FTP. Use encrypted wifi at home, never use public wifi for connecting to your wordpress dashboard, FTP, or your web control panel unless you can use an “https://” secure connection.
  4. WordPress Security Plugins: Use a few free WordPress security plugins, such as Secure WordPress, and Login Lockdown
  5. Google Webmaster Tools: Signup for Google webmaster tools and it’s “automated alert” feature – so if your web site is broken into (for malware) you’ll get an email alert. You can also keep track of your rankings and any indexing problems easily here as well
  6. Other WordPress Security: Read my free WordPress Security Guide for even more free preventative maintenance and security hardening you can do with your WordPress web site

Additional Help for Infected Blogs

If you have a website emergency and your website is down – JTPratt Media offers Malware Removal and WordPress security services.


13 Responses

  • admin/ 28 Feb 11 @ 2:53 PM

    You’ll have a white screen of death, spam links, malware, gzip eval base64 code, or a blatant message saying “you’ve been hacked”!

  • ravi/ 14 Mar 11 @ 5:09 AM

    Excellent post. The most comprehensive and easy to do tutorial I have ever read.

    For the question from anonymous:

    You will know when your browser issues security warning and doesn’t allow you to proceed. Google search results may also indicate something like “This site may be compromised”, “This site has malware” etc/.

  • Jennyjinx/ 16 Mar 11 @ 4:03 PM

    I just discovered my site was hacked– actually by using Google Webmaster. My attack was injection of over 800 pages of link spam. I noticed that the keywords associated with my site were about stuff I have no interest in and never discuss on my blog. I found the infection in an old, forgotten Drupal directory.

    I managed to get rid of the nasty stuff, but somehow managed to break my backup database. And didn’t export my comments (I don’t know why. These are just things I sometimes do). Before I saw where the infection was coming from I thought the data in my databases could be corrupted, so I wanted to get that out as quick as possible.

    Anyway, back on topic: I found the directory via the Webmaster tools– the pages were interlinked. When I went into the directory there was only one file and it kept regenerating itself. I couldn’t delete it. So I changed the directory name. When I did that and went back in to see if the file regenerated, I saw the hidden pages. Hundreds and hundreds of them.

    So, my point is that having a Google Webmaster accountant can help you spot those hidden files if they’re interlinking. I realize that you know this, of course, but thought I’d mention my experience so others can see it. That tool saved me a lot of grief.

    Now, I’ve got to go republish my archives (I really do break things in the most amazing ways) and check out those security plugins. Thanks for such an amazing resource here. I’m keeping it bookmarked just in case. :)

  • Gary Bottomly/ 09 Sep 11 @ 5:26 AM

    @JTPratt… excellent article – you should bundle it up into an ebook or special report, slap in some images, create it in PDF and sell it for $9.97 all day long.

    Oh, and “yes” to strongpasswordgenerator.com. That is one of the easiest, quickest and yet most powerful tools of its type.

  • Kathir Vel/ 02 Oct 11 @ 2:41 AM

    I second @GaryBottomly’s suggestion! BTW, Keepass, is awesome at generating passwords.

  • Greg/ 08 Oct 11 @ 12:27 PM

    OK…So I’ve been hacked 3 to 4 times in the last year…and it always seems the same…replace my “admin” name (not admin) with basic “admin” change the password…replace the index.php- page.php- sometimes the css file …
    I have been able to clean up or repair the site by reloading backups…and have check the site operation completely for any rogue code or files (OK..to the best of my ability as a novice coder).
    Then BAM…1 month later…same thing or close to the same type of hack.
    ALL of my WP files are up to date..timthumb is up to date..plugins seem clean…and I have installed WP security – Lock down…
    Does this sound familiar of some particular hack I really can’t protect myself against…
    I always seem to find out my sites hacked at the least opportune moment…last time I set the site to maintenance after accessing the control panel – myphp admin – replaced the admin user with another custom user…reloaded the site…jheeze…from a tablet…no fun.
    Thanks for any input, guidance and help in advance!

    Greg

  • admin/ 11 Oct 11 @ 6:07 AM

    you mentioned only a handful of things. Do you have strong passwords? Do you change them every 30 days? Did you delete the admin account and replace it with a new account that has admin rights? Did you change your web control panel password, and db passwords? Did you harden your .htaccess files and rename your wp_ tables? Did you completely reinstall fresh WP files and plugins and theme files? Did you remove any bad files? It could also be either your webhost (bad server security) or an infected computer you access the site with.

  • Tony Payne/ 06 Feb 12 @ 9:02 AM

    Firstly, this is an excellent article, the kind of resource I am finding hard to locate unfortunately.

    In the last 2 weeks all my WordPress and hard coded HTML sites got hacked and infected with a base64 script. It was planted in the index.php, index.html and other scripts, sometimes as many as 50 copies of the code within a single script!

    Having tried without success to remove the problem (I cleaned up the code but within hours was re-infected), I decided to re-install my sites from scratch on a new host, adding better security, and using new themes etc (which I was planning to do in any case).

    The problem is the content, which I wish to keep.

    Can I just upload the existing database to my new host, or is it likely to be infected?

    I did scan for <iframe, display: and <noscript, and "damn you Amazon" but all the iframe occurences seem to be valid Amazon adverts ones that I added.

    I have multiple copies of the posts, because I had the option set to keep backups, which is frustrating, not sure how to eliminate those before uploading.

    If I don't have any obvious malicious code in the database, is it safe to use the data on my revamped site? I REALLY don't want to lose hundreds of posts and over 3 years of work.

    Thanks in advance for any helpful responses.
    Tony

  • admin/ 07 Feb 12 @ 11:54 AM

    export all your content into an XML file “tools->export” and “tools->import” it into your new site. Do this on a blank WP install, with a new blank theme and fresh copies of all plugins. 99% of the time there’s nothing in the content itself that’s harmful. Caveat- you’ll have to setup your theme again and widgets, and other plugins or things that had settings. But it’s fresh, and minty clean WP website!

  • Wpfix/ 31 Mar 12 @ 10:36 AM

    Awesome article in fixing a hacked wordpress blog

  • Sadek/ 15 Aug 12 @ 1:45 PM

    This tutorial is really awesome.
    Just a few days ago my site got infected by eval base 64 injection codes to all the index files, and whenever I used to edit and update those codes and disinfect my site, those codes appear again after 1 or 2 hours, and try to install something on browsing computer.
    I installed bulletproof security plugin, but it didn’t work.

    was there any wordpress vulnerability or it was my hosts fault?
    BTW: all of my 9 sites withing the same host got hacked by same method, and finally I changed host,and it’s fine now. the codes doesn’t appeared again.

  • jtpratt/ 15 Aug 12 @ 2:58 PM

    could be the host, could be your theme or a plugin, could be something else you have installed in your hosting account, could be your connection to the web, could be your computer.

  • Mike/ 24 Aug 12 @ 4:53 AM

    I have build a wordpress blog for a client which was hacked ,he is claiming for loss of earnings ,is the webhost liable ,they have rebuild the site from scratch but they have no back-up of the content .
    does wordpress keep backups of the content ,as all previous content has been wiped .
    also how do you keep tabs on all your 15character usernames and passwords
    is roboform a good idea

You must be logged in to post a comment.