My wordpress website is hacked!



Hehe, knocking on wood here, as it's not really the case for me, but I did indeed have some clients on my server who came from a local hosting company where they were using LiteSpeed with CloudLinux. They came about one month ago, in November; today, however, the client contacted me saying his sites were no longer working properly. When I checked I did see some strange folders / scripts that were redirecting traffic to a different website. At that point the conclusion was final: the hosting account / website was hacked. What I did find out was that the files were already in the account before he came to me (I restored a hosting account from that company using LiteSpeed), so at the very least I was a bit happy that the security issues did not happen in my “house” and that my current settings are still “safe”.

Of course, everything can be safe until proven otherwise … so nothing really to brag about.

The solution to these cases

In these cases the solution is neither easy nor what you really want. In the best case you can just remove the hacked files / modifications that were added to your files, but you do need some knowledge of the scripts involved. In this case I knew the script was WordPress, and about 5-6 WordPress websites at that, all hit by the same hacking bot script.

I’m not entirely sure which is the easiest method, but in my experience so far I’ve noticed a few things you should keep in mind, and the order matters: whoever holds the account that can reset the next one keeps getting back in.

  1. Your billing email address – secure this first and foremost; anyone with access to this mailbox can request a password reset for your billing account and get back in at any time, so change its password and check it for forwarding rules or filters you did not create.
  2. Your billing password – you should, and will need to, reset your billing password to ensure no one else has access to your billing account. Billing software like WHMCS (whmcs.com) lets you view the default username and password of your hosting service and change them, so access to billing means access to hosting.
  3. Your service password – your next move is to reset your hosting (cPanel) account password, together with any FTP accounts created under it. In some cases the hosting provider recommends resetting the hosting account entirely and reinstalling the scripts. This is what I also recommend, but some clients may still want to retain some settings / options, e.g. email accounts.
  4. Renaming public_html – if you did not accept your hosting provider's recommendation to reset the account, then your next step, once you have reset the hosting account, billing account and email account passwords, is to rename public_html (keeping it for now as a copy to refer back to) and create a new, empty public_html folder (or htdocs / www in some cases). Nothing executes from the renamed folder any more, which is the point.
  5. Next, reinstall all scripts from original downloads while keeping close note of the old files from your websites.
  6. Once finished, make yourself a backup of the renamed public_html (off the server, if you want to analyse it later) and remove it from your account.

Restoring your websites

Restoring your websites is the most time-consuming part of this process; I advise you to take a cup of coffee or something to have with you, to take your mind off it from time to time. I do have one piece of good news when restoring a hacked website, valid only for dynamic websites that use a database:

Databases are (mostly) safe! In most cases the database can be reused to restore your website, but treat it as untrusted content rather than as clean: reset every admin user's password, and before you point the fresh install at it look for administrator accounts you did not create, a changed siteurl / home option, and script or iframe tags injected into posts. A file-level clean-up does not touch any of those.
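Here is the check I would run before reusing the database. This is an added example and not part of the original post: it assumes a POSIX shell on the hosting account with the mysql client already able to connect (credentials in ~/.my.cnf, or the full client command exported as MYSQL, a hypothetical hook of my own), and the site's $table_prefix passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post: print the rows worth reading
# before a database from a hacked WordPress install is reused.
# Assumptions (mine): $1 is the table prefix (default wp_); the SQL is piped
# into $MYSQL, which defaults to "mysql" with credentials from ~/.my.cnf.
# MYSQL="mysql -u user -p dbname" works too, and MYSQL=cat just prints the SQL.

wp_db_audit() {
    prefix=${1:-wp_}
    # MYSQL is intentionally unquoted so it may carry its own arguments
    ${MYSQL:-mysql} <<SQL
-- 1. every account: an administrator you did not create is the usual backdoor
SELECT ID, user_login, user_email, user_registered FROM ${prefix}users;
-- 2. the capabilities meta key carries the table prefix, so a fixed name misses it
SELECT user_id, meta_value FROM ${prefix}usermeta
  WHERE meta_key = '${prefix}capabilities' AND meta_value LIKE '%administrator%';
-- 3. siteurl/home send visitors elsewhere; active_plugins can load a dropped file
SELECT option_name, option_value FROM ${prefix}options
  WHERE option_name IN ('siteurl', 'home', 'active_plugins');
-- 4. injected markup in content survives a file-level clean-up
SELECT ID, post_type, post_title FROM ${prefix}posts
  WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';
SQL
}
```

Run it as `wp_db_audit wp_` (or whatever your prefix is) and read every row: an administrator you did not create gets deleted, siteurl and home must be your own domain, active_plugins must list only plugins you know, and any post carrying a script or iframe tag you did not add gets its content cleaned. `MYSQL=cat wp_db_audit wp_` prints the SQL if you would rather paste it into phpMyAdmin.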

With a WordPress website, as this is the topic of this article, you only need to re-upload the WordPress script files from here:

http://wordpress.org/download/

In the downloaded archive you will find:

wp-config-sample.php

Rename this to wp-config.php and update only the MySQL details and the unique phrases (the salts). Keep in mind that you MUST create a new MySQL user and password, or at the very least change the existing MySQL user's password: the old wp-config.php was readable by whatever ran on the hacked account, so treat its credentials as leaked.

Warning! It is not good practice to use your own cPanel account username for connecting to your MySQL database. Create a dedicated MySQL user with a new password and give it rights on this one database only.

So the steps here are:

  1. Download the script from the WordPress website
  2. Rename wp-config-sample.php to wp-config.php
  3. Update wp-config.php with your new MySQL details and unique phrases (see https://api.wordpress.org/secret-key/1.1/salt/ for generating these)

At this point you should have a working website, or at the very least /wp-admin/ should be working with your own username and password (which I advise you to also reset!).
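The three steps above, done from the shell of the hosting account so that nothing from the old wp-config.php is copied by hand. This is an added example, not code from the original post or from WordPress: it assumes you have unpacked the fresh download, pass the path to wp-config-sample.php, the database name and the new MySQL user name as arguments, and lets the script generate the password and the eight salts locally (the api.wordpress.org salt page above does the same job if you prefer). The create-db-user.sql it writes is my own addition, meant to be run once as the privileged MySQL user (phpMyAdmin or the cPanel MySQL user), not as the site user.

```shell
#!/bin/sh
# Added example, not code from the original post: build a fresh wp-config.php
# from wp-config-sample.php with new database credentials, eight new salts and
# the dashboard code editor disabled. Assumptions (mine): $1 is the path to
# wp-config-sample.php, $2 the database name, $3 the new MySQL user name; the
# password and salts are generated here, and a hypothetical create-db-user.sql
# is written next to it for you to run as the privileged MySQL user.

rand_str() {
    # 64 characters of [A-Za-z0-9] from the kernel RNG (about 380 bits),
    # kept to that alphabet so the value is safe inside sed and single quotes
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

set_define() {
    # set_define FILE CONSTANT VALUE: rewrite define('CONSTANT', '...') in place;
    # the regex tolerates the spacing differences between WordPress releases
    sed "s|^\(define( *'$2', *\)'[^']*'|\1'$3'|" "$1" >"$1.tmp" && mv "$1.tmp" "$1"
}

wp_config_rebuild() {
    sample=$1
    db_name=$2
    db_user=$3
    dir=$(dirname "$sample")
    out=$dir/wp-config.php
    db_pass=$(rand_str)

    cp "$sample" "$out"
    set_define "$out" DB_NAME "$db_name"
    set_define "$out" DB_USER "$db_user"
    set_define "$out" DB_PASSWORD "$db_pass"
    # one distinct value per key: the same secret in every slot weakens the cookies
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        set_define "$out" "$key" "$(rand_str)"
    done

    # DISALLOW_FILE_EDIT removes the theme/plugin editor from wp-admin, the
    # easiest way for a hijacked admin account to plant a redirect in header.php;
    # it has to sit above the "stop editing" line, so insert it there
    awk -v add="define( 'DISALLOW_FILE_EDIT', true );" \
        '/stop editing/ && !done { print add; done = 1 } { print }
         END { if (!done) print add }' "$out" >"$out.tmp" && mv "$out.tmp" "$out"

    # least-privilege MySQL user: this database only, no GRANT/FILE/SUPER
    cat >"$dir/create-db-user.sql" <<SQL
CREATE USER '$db_user'@'localhost' IDENTIFIED BY '$db_pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
  ON \`$db_name\`.* TO '$db_user'@'localhost';
FLUSH PRIVILEGES;
SQL
    printf '%s\n' "$out"
}
```

Call it as `wp_config_rebuild wp-config-sample.php shopdb shopuser` from the new public_html; it prints the path of the generated wp-config.php, and the password it chose is in both that file and create-db-user.sql, so run the SQL, then delete the .sql file. The grant list is what a normal WordPress install needs for updates (CREATE, DROP and ALTER are used by plugins that manage their own tables); it deliberately leaves out everything a web shell would want for moving sideways.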

Uploads folder

The next step is the wp-content files (uploads and plugins). These are usually content you add over a long period of testing and using your website. The uploads folder should contain only media (images, PDFs and the like), so it is usually safe to restore, but you need to check that you are copying back only images or known files: a .php file, a file named like image.jpg.php, or an .htaccess that tells the web server to execute images are exactly how a web shell hides in uploads, and an image whose first bytes are `<?php` is one waiting for such an .htaccess.

Plugins folder

For plugins, reinstall them as normal. I’m not entirely sure whether the settings are retained, but some of them should still keep their settings as long as you re-upload them. (Most plugin settings are stored in the database, in the options table, not in the plugin folder.) Under no circumstances re-upload the plugins folder from your hacked public_html; this is where hackers usually leave their scripts, often as an extra file inside a legitimate plugin. Of course they also use the core folders of WordPress, but we reinstalled WordPress at this point, so that is no longer our concern. The good news is that WordPress is not dependent on the installed plugin files: once you log in to /wp-admin/ it will notice that the plugins no longer exist, deactivate them in the database, and you can reinstall them from the official directory or the vendor's download.

Themes folder

Unfortunately this is also one of the places hackers love to place their files. Partly because theme code runs on every page load and hooks straight into WordPress core, and partly because some themes ship helpers that allow uploads into the theme folder. Remember the TimThumb script? Its purpose was simple: make thumbnails of large images in a local cache folder. The hole from years ago was fixed, but it is a good example of what attackers look for. Also keep in mind that if they can edit your theme they have direct access to your website's code, so, for instance, redirecting all traffic that comes from Google to one of their sites, while you see nothing unusual when you type the address directly, takes nothing more than a small piece of code added to the header or index file of the theme that checks the referrer before redirecting.

Ok, that got long, but what I’m trying to say is that you should carefully check your theme and decide whether you can still use it or need to install a new one. Reinstalling the original theme from the vendor's download is the best option in all cases; if the theme was customised, compare your copy against the original and carry over only the changes you recognise.
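Since the uploads, plugins and themes sections all come down to "look before you copy", here is a triage pass over the renamed public_html's wp-content that covers all three. This is an added example, not code from the original post or from WordPress: it assumes a POSIX shell with GNU or BSD find/grep, takes the wp-content path as its only argument, and only reports; it deletes nothing. The tag names (UPLOADS_EXEC, UPLOADS_PHP_IN_IMAGE, THEME_PLUGIN_SUSPECT) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: triage wp-content before
# anything from the hacked copy is reused. Assumptions (mine): $1 is the old
# wp-content directory; output is one finding per line, "TAG<TAB>path[:line:text]".
# It prints suspects for a human to read and removes nothing.

wp_content_scan() {
    root=${1:?usage: wp_content_scan /path/to/old/wp-content}

    # uploads/ should hold media only: any PHP variant (.php, .php5, .phtml,
    # image.jpg.php ...), CGI, or an .htaccess that can make images executable
    find "$root/uploads" -type f \( -iname '*.php*' -o -iname '*.phtml' \
         -o -iname '*.phar' -o -iname '*.cgi' -o -iname '*.pl' \
         -o -iname '.htaccess' \) 2>/dev/null |
        awk -v tag=UPLOADS_EXEC '{ print tag "\t" $0 }'

    # an image whose first bytes are <?php is a web shell waiting for an
    # .htaccess AddType/AddHandler or an include() to run it
    find "$root/uploads" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
         -o -iname '*.png' -o -iname '*.gif' -o -iname '*.ico' \
         -o -iname '*.svg' -o -iname '*.webp' \) 2>/dev/null |
        while IFS= read -r f; do
            if head -c 256 "$f" | grep -q '<?php'; then
                printf 'UPLOADS_PHP_IN_IMAGE\t%s\n' "$f"
            fi
        done

    # themes/ and plugins/: constructs attackers lean on (obfuscated payloads,
    # referrer-conditional redirects). Legitimate code uses some of these too,
    # so every hit is something to read, not proof of compromise.
    grep -rnE -e 'eval *\(' -e 'base64_decode *\(' -e 'gzinflate *\(' \
         -e 'gzuncompress *\(' -e 'str_rot13 *\(' -e 'create_function *\(' \
         -e 'assert *\(' -e 'HTTP_REFERER' \
         --include='*.php' "$root/themes" "$root/plugins" 2>/dev/null |
        awk -v tag=THEME_PLUGIN_SUSPECT '{ print tag "\t" $0 }'
    return 0
}
```

Run it as `wp_content_scan /home/user/public_html_old/wp-content > findings.txt` and work through the file: anything tagged UPLOADS_EXEC or UPLOADS_PHP_IN_IMAGE simply does not get copied to the new site; THEME_PLUGIN_SUSPECT hits in a theme decide whether the theme goes back or gets reinstalled from the vendor, and for plugins the answer is always a fresh download anyway. For the reinstalled core, WP-CLI's `wp core verify-checksums` compares every file against the wordpress.org checksums and is the quickest way to confirm nothing was dropped into the core folders after the fact.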

My recommendations

I don’t really think that everything I’ve said so far will go smoothly for every user in the same position as my current clients; although this article is long, the process can be completed in about 15-20 minutes at most. However, you do need to take great care when working with hacked websites if you still wish to use any of the old files: it can happen again if the files you retain have a security hole or a backdoor left behind. My recommendation is always to upload the original scripts, for instance:

  • original wordpress script
  • original plugins
  • original theme

That’s about it for restoring your websites after they have been hacked. Comment below if you think I missed something or if I should add something else.
