Recovering a hacked wordpress site

August 22nd, 2013


A friend’s WordPress site just got hacked, so I’m reposting this info, which I have found useful a number of times.

OK, so WordPress got hacked. I’ve had problems with this in the past and tried tactical surgery, but this time I decided to do a full re-install. My first attempt today left me with the WordPress blank screen of death, so here I’m outlining the steps I took that finally got the new version working:

   back up wordpress database

       http://codex.wordpress.org/WordPress_Backups#Simple_Backup

   # go onto the hosting box and download the new WordPress:
   # there are better ways to download wordpress than zip, but this worked for me
   lynx -source -dump http://wordpress.org/latest.zip > wordpress.zip
     or
   # -L follows redirects, -o names the output file so the unzip below finds it
   curl -L -o wordpress.zip http://wordpress.org/latest.zip
   unzip wordpress.zip
   mv myblog.com oldmyblog.com
   mv wordpress myblog.com
   cd myblog.com
   cp wp-config-sample.php wp-config.php
   vi wp-config.php
      # change mysql info
      /** The name of the database for WordPress */
      define('DB_NAME', 'mydbname');
      /** MySQL database username */
      define('DB_USER', 'mydbuser');
      /** MySQL database password */
      define('DB_PASSWORD', 'mydbpassword');
      /** MySQL hostname */
      define('DB_HOST', 'mysql.myhost.com');
      # added new keys
      # get keys at
      #    https://api.wordpress.org/secret-key/1.1/salt/
      # replacing  these lines
      # define('AUTH_KEY',         'put your unique phrase here');
      # define('SECURE_AUTH_KEY',  'put your unique phrase here');
      # define('LOGGED_IN_KEY',    'put your unique phrase here');
      # define('NONCE_KEY',        'put your unique phrase here');
      # define('AUTH_SALT',        'put your unique phrase here');
      # define('SECURE_AUTH_SALT', 'put your unique phrase here');
      # define('LOGGED_IN_SALT',   'put your unique phrase here');
      # define('NONCE_SALT',       'put your unique phrase here');
      # save file

    cp .htaccess .htaccess.orig
    # the downloaded .htaccess was giving me 404 errors
    # so I used the one from the previous blog. Not sure
    # if it's fully up to date but at least it got me going
    vi .htaccess
      # include these lines
      # BEGIN WordPress
       RewriteEngine On
       RewriteBase /
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
       # END WordPress

    cp -R  ../oldmyblog.com/wp-content/themes        wp-content
    cp -R  ../oldmyblog.com/wp-content/uploads       wp-content
    cp -R  ../oldmyblog.com/wp-content/profile-pics  wp-content

    reinstall plugins, in my case I use these:
     amr-shortcode-any-widget/amr_shortcode_any_widget.php
     google-analytics-for-wordpress/googleanalytics.php
     profile-pic/profile-pic.php
     sbs-blogroll/sbs-blogroll.php
     syntax-highlighter-compress/syntax-highlighter-compress.php
     w3-total-cache/w3-total-cache.php
     wordpress-popular-posts/wordpress-popular-posts.php
     wp-widget-cache/widget-cache.ph

   For more info see

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

       suggests a reinstall and checking the WordPress database for these patterns as signs of a possible hack
       SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
       UNION
       SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
       UNION
       SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
       check for usage of base64_decode()
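
The steps above copy themes and uploads over from the old install, and the last link says to check for base64_decode(). The script below is an added example, not part of the original post, that runs both checks over a wp-content tree before anything is copied. The function names and the sample tree are constructed for illustration, and treating every PHP file under uploads as suspect is an assumption that the site stores only media there.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# tree are constructed for illustration.

# PHP-executable files under an uploads directory. Assumption: the site
# stores only media there, so any hit deserves a manual look.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \) | sort
}

# Files that call base64_decode(), the marker named in the post.
# Legitimate code uses it too, so hits are leads to read, not verdicts.
find_base64_decode() {
    grep -rlE 'base64_decode[[:space:]]*\(' "$1" | sort
}

# Constructed stand-in for ../oldmyblog.com; prints the temp directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2013/08" "$d/wp-content/themes/mytheme"
    printf 'not really an image\n' > "$d/wp-content/uploads/2013/08/photo.jpg"
    printf '<?php /* constructed sample */ ?>\n' > "$d/wp-content/uploads/2013/08/cache.php"
    printf '<?php get_header(); ?>\n' > "$d/wp-content/themes/mytheme/index.php"
    printf '<?php $x = base64_decode("c2FtcGxl"); ?>\n' > "$d/wp-content/themes/mytheme/footer.php"
    printf '%s\n' "$d"
}

# Review one wp-content tree: report both kinds of hit.
review_wp_content() {
    echo "PHP files under uploads:"
    find_php_in_uploads "$1/uploads"
    echo "Files calling base64_decode():"
    find_base64_decode "$1/themes"
}

# Demo on the constructed tree; on the host, run
#   review_wp_content ../oldmyblog.com/wp-content
sample=$(make_sample_tree)
review_wp_content "$sample/wp-content"
rm -rf "$sample"
```

Run it against the old directory before the cp -R steps, and read every file it lists before deciding whether to copy it.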

