My WordPress site was hacked, how can I recover?

My blog went largely unused in the past few months, which in turn caused me to be lazy about applying updates. (A big no-no in the WordPress world.) Then a few weeks ago I got a wild hair to start writing again. Upon logging in I was greeted with this fun message:

[Image: wordpress hacked]

It turns out that not only was my site hacked but a few others I have on the same server were as well.

Here are the steps that I completed to fix it. (NB: I had installed a plugin which had been emailing me daily backups of my data, which really saved my skin in this case. I highly recommend it.)

  1. Identify infected files. Have a look at the tool that Cory provides over on his blog, which I used to figure out the date the hack occurred. (My hack involved someone uploading a dodgy plugin called ‘tool’, which allowed them to create administrative users in my install.)
  2. Remove the infected files.
  3. Change your website’s FTP username/password.
  4. Change your MySQL username and password (you will also need to update the wp-config.php file).
  5. Log in to phpMyAdmin and create a full database backup.
  6. Choose a backup that was from before you were hacked.* (NB: “Although just because execution happened a certain time, doesn’t mean infection did”) As I had not written anything in 3 months, I simply chose a backup that was a few days after my last post. (The infection manifested itself on the 9th of Dec.)
  7. In the SQL field in phpMyAdmin, run the SQL statement. (NB: This will delete and then restore EVERYTHING. If it goes south, make sure you completed Step 5.)
  8. After it has finished, go to your WordPress dashboard. If you had upgraded WordPress before the hack (as I had), WordPress is smart enough to inform you it needs to upgrade the db.
  9. Change your WordPress admin username and password. (I recommend creating a new admin user and deleting the old one. You can assign all your posts to the new user…)
  10. Check the user list to see if there is anyone else listed as an admin.
  11. That’s it, you should be all good to go!

* Unless you were keeping daily backups, you may not be able to do this step.

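As an added example (not from the original post, and not the tool mentioned in step 1), the Python sketch below supports steps 1 and 2: it lists files under a WordPress directory that were modified on or after a suspected date and reports plugin directories you do not recognise. The function names, the command-line layout and the list of expected plugins are assumptions made for this example.

```python
import os
import sys
from datetime import datetime, timezone


def modified_since(root, since):
    """Return sorted (mtime, relative path) pairs for files changed at or after `since`.

    mtime can be reset by an intruder, so treat the result as a lead, not proof.
    """
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if mtime >= cutoff:
                stamp = datetime.fromtimestamp(mtime, timezone.utc)
                hits.append((stamp, os.path.relpath(path, root)))
    return sorted(hits)


def unexpected_plugins(root, expected):
    """Return plugin directory names under wp-content/plugins not in `expected`."""
    plugins = os.path.join(root, "wp-content", "plugins")
    if not os.path.isdir(plugins):
        return []
    found = {e.name for e in os.scandir(plugins) if e.is_dir(follow_symlinks=False)}
    return sorted(found - set(expected))


if __name__ == "__main__":
    # Usage: python wp_triage.py /path/to/wordpress YYYY-MM-DD plugin-a plugin-b ...
    # The trailing names are the plugins you installed yourself (assumed input).
    root, day, *expected = sys.argv[1:]
    since = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    for stamp, rel in modified_since(root, since):
        print(stamp.isoformat(), rel)
    for name in unexpected_plugins(root, expected):
        print("unexpected plugin directory:", name)
```

The script only reads the file system; it removes nothing, so review its output before deleting files in step 2.
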
Now that you have done this, you should do a few things to help prevent this in the future or, if it does happen, at least make restoring easier.

Prevention:
  1. Make sure your passwords are STRONG passwords.
  2. Don’t use ‘admin’ as the name for your admin user.

Recovery:
  1. Make sure you have the WordPress backup plugin installed. (This post describes exactly what I have done with Gmail filters.)
  2. Schedule daily/weekly WordPress site backups (post on this forthcoming).
