How to Fix a Hacked WordPress Blog

By J.T. Pratt

JTPratt Media was started by John Pratt in 2009 after working online for 14 years as a consultant, successful affiliate marketer and blogger, WordPress consultant, and tenure as senior web developer at Ford Motor Company in Dearborn, MI. Mr. Pratt is a specialist when it comes to solving WordPress problems. This particular article helped me resolve a hacked site for one of my clients. It has also helped me provide better security for all of my other WordPress clients. If you have any questions or require some help fixing a hacked WordPress blog, please contact Mr. Pratt by clicking on the link at the beginning of this paragraph.

Fixing a hacked WordPress blog isn’t easy if you’re just a blogger with little technical experience. In my experience with clients, web hosting companies usually aren’t much help – because their experience with WordPress is limited (whether they’re ‘WordPress friendly’ or not). Their experience fixing a compromised or infected WP site and hardening security is usually non-existant. Like most technical support personnel – their job is to close your ticket as quickly as possible, not to get to the “root cause” of your infected and hacked blog. Without actually figuring out how your site was hacked, odds are you’ll get re-infected again, and again, and again.

Consider this a 4,000+ word tutorial / lesson / guide to help you fix your compromised WP site on your own. If you still need help – feel free to contact me, but I’m hoping that this article will help a LOT of people deal with their broken site on their own. You don’t have to be a coder or developer to be able to use these techniques, but you’ll need a decent understanding of WordPress, FTP, and possibly phpMyAdmin.

This article will help:

  • prevent your web site from getting hacked, jacked, infected, injected, exploited, etc.
  • fix your hacked blog or WordPress site from any one or more of the following…
  • spam links in your theme footer
  • spam links only found google’s cache of your web pages
  • eval base64 decode hacks (eval(base64_decode)
  • iframe hacks
  • .htaccess hacks
  • malware code
  • evil 301 redirects
  • injected or compromised wordpress database
  • give you tips and tricks to keep your site from getting compromised in the future

What Your Web Hosting Tech Support Will Try

Usually web hosting technical support will ask you to try techniques similar to computer tech support…

  • Reinstall WordPress
  • Restore from Backup
  • Clean infected files

The problem is, they usually don’t know how to do any of those things right – and even if it does fix your broken site, it doesn’t find the “root cause”. I’m going to try and give you enough tips and tricks in this article to do a better job than any web host tech could ever do, based on my own experience of fixing hundreds of hacked blogs myself for clients over the last few years.

What Causes A WordPress Site to Become Infected or Hacked?

An Automated Army of Spammers and Hackers is Out to Get You…

First let me clear up the misnomer that web site are hacked literally by “people”. I say this, because I get emails from people saying “they got in again…” or “I don’t know how they got into WordPress…” 99.9% of all web site hacks and infections are done by automated scripts and software.

Here’s how it works…

Some clever little programmer finds a security hole or exploit that is either very recent, or very old. Recent security holes are easy to find, older exploits are harder to find – but easier to hack. They write a web “crawler” or software robot to trawl the web and comb through hundreds of thousands of sites – looking for ones that meet the right criteria (that have the hole). Once a site has been identified, the automated software performs the break-in, and then follows it’s programmed routine for infection. It’s very uncommon to have your web site hacked or infected by an actual live “person”.

Why was my web site a good target?

  • Footprints: The software robots look for “footprints”, that’s the first way they find and target your web site. It may be as simple as the text “powered by WordPress” in your footer, or the WordPress version in your HTML code.
  • Server Vulnerabilities: Hackers specifically seek out servers with “directory indexing” turned on by default to search for backend scripts and files not indexed by seach engines (for more exploits and holes). Most of the hacked blog clients I get have directoy indexing turned on (and it shouldn’t be). Having directory indexing turned on is like giving a hacker an x-ray machine to see inside your site.
  • Plugin Exploits: A hacker script may automatically try different directories on your site just to find out if you have different plugins installed, what versions they are, and if they’re exploitable. It doesn’t matter if WordPress is up to date – if all your plugins aren’t. I have had multiple clients get hacked through an outdated WordPress plugin.
  • Bad Web Hosts: Most modern web hosts use some kind of web site control panel software. Hackers look for out of date installations of cPanel, Plesk, etc., to break in. Some web hosts code their own control panels – which may eliminates a “footprint” but sometimes opens up even more holes. Your web host is also responsible for keeping your server up to date – so they are additionally responsible for the other points of server vulnerabilities, and operating system. I have had LOTS of web hosts over the years (still have multiple acconts), and even though I’ve written articles about WP security – I’ve had WordPress sites hacked through bad web host configurations.
  • Other Outdated Software: This is something I actually learned first hand – in addition to having clients that had this problem. Let’s say you have WordPress installed (and up to date) on your web site. Then one day you decide to install “Simple Machines Forum” in a sub-directory of your site. Maybe you didn’t like it, and just left it there. Maybe you installed Drupal, Mambo, Pligg, or Joomla, or some other scripts. The biggest mistake you could make is to install something and forget about it, because over time it becomes outdated and easily exploitable. Case and point, a few years back I actually did install Simple Machines Forum in one of my shared hosting accounts and forgot about it for 2 years. It was a shared hosting account with 30 web sites installed, and hackers got in and infected EVERY ONE of my WordPress sites through the backdoor in the forum. Just because hackers broke into your WordPress site – doesn’t mean that the got in that way.
  • Public Vulnerability: People have no idea how easy it easy for hackers to steal your credentials when you’re away from home. Public wifi is great, until you realize how many things you do on a daily basis that send usernames and password in plain text with no encryption (email, FTP, WordPress admin login, social media sites, etc). I don’t care if you’re in Starbucks or a hotel on vacation – you need to make sure that absolutely everything you do is encrypted at all times. That means using https:// secure logins, SFTP (secure FTP), etc. It also means routinely changing all your login passwords once back home.
  • Operating Systems: This actually falls under 2 other points, but I thought I’d mention it alone as well. Your web sites run on a server at a web hosting company, and that server has it’s own operating system (Linux, Windows, or Mac). If it’s not kept up to date by the web hosting company with current patches and proper security, hackers will break in. I personally don’t prefer Windows web hosting, and last year I believe Godaddy had their Windows hosting servers broke into not once, not twice, but three times. I had to move several new clients that got hacked during that time from Windows to Linux.

What to do if your WordPress Web Site is Hacked

Alright, now that you know what causes sites to get hacked, let’s get down to business. What you really want to know is what to do…and that really depends on what your symptoms are. I’ll try to give answers for every scenario that I can think of…the most important thing is to know whether you have access to your wp-admin dashboard login or not.

I can’t get into my WordPress web site…

This section is for people that have a hacked or infected WordPress site, and they’ve been locked out in some way. If you can at least access your wp-admin dashboard login, move on to the next section.

If you can’t login to your WordPress admin dashboard, you probably have one of the following symptoms:

  • When I try to login to wp-admin I get a white screen of death (blank screen)
  • When I try to login to wp-admin it redirects me to the homepage or “page not found”
  • My admin username or password no longers works
  • also…my web hosting control panel / FTP / email password no longer works

The first order of business is actually getting into your WordPress dashboard admin. There are many reasons why you might not be able to login to your dashboard, and the hacker scripts accomplish this in many different ways depending on how they broke in – and what they want to accomplish. I’ve fixed so many hacked sites that I’ve developed techniques to quickly be able to login – no matter what the problem actually was. So keep in mind that the steps I’m about to tell you won’t actually figure out why you couldn’t login – but rather provide the most direct path to be able to allow you to login.

Steps to regain entry to your WordPress dashboard:

  1. Change your web hosting control panel password – NOW
  2. Download a backup of your ENTIRE wordpress site in FTP to a folder on your desktop
  3. Login to your web control panel, go to the database section, and click on phpMyAdmin. Once it loads, find the database for your wordpress site in the left sidebar and click on it (look in wp-config.php file in the root of your site if you don’t know what it’s called)
  4. Click on the “export” tab on the top right
  5. Under the “View dump (schema) of databases” section click “select all” to select all the tables (if they aren’t already)
  6. At the bottom of the page make sure the “save as file” checkbox is checked and the radio button for “zipped” is selected for compression
  7. Click the “go” button to the right, and when the popup appears, save the file to your desktop. Now you’ve saved a copy of your WordPress database
  8. In FTP delete the “.htaccess” file in the root of your site. This file exists for every working WordPress site – if you don’t see it in FTP, just change the options of your FTP program to “show hidden files”, so you can find and delete it
  9. In FTP go to your /wp-admin folder in the root of your site and make sure there isn’t an .htaccess file there – and if there is, delete it
  10. In FTP go to /wp-content/plugins and delete all the plugins (don’t worry, you downloaded a backup of them earlier)
  11. In FTP go to /wp-content/themes and delete all the themes except default wordpress (you also have a copy of all themes)
  12. Download the latest version of WordPress, unzip it on your desktop, and then manually FTP the new files over the top of your WordPress installation. If you were really concerned about about your site being infected you could delete ALL files in the root of the site except for /wp-config.php, all files in /wp-includes, and all files in /wp-admin. Keep /wp-content because you want to preserve anything you uploaded in /wp-content/uploads
  13. With the new WordPress files uploaded in a browser go to www.site.com/wp-admin/upgrade.php. Click the db upgrade button if necessary, and then try to login your site at www.site.com/wp-admin. You should be able to login. If you can’t, then your admin account or database has been compromised. You’ll either have to reset your password manually in the database or have your database cleaned. For 99% of the sites I work on the steps up until this point fix the issue, because getting locked out of your site or white screen of death is almost always caused by a plugin or theme conflict, .htaccess problem, or failed upgrade of some kind. If you think you have a database issue – move on to the next section below.
  14. If your issue was fixed, now you have to get at the root cause. Normally at this point I start re-uploading the plugins and activate them one by one – checking to make sure that one of them wasn’t the issue. Often I find one that is, and have to find a replacement.
  15. If you get the plugins all uploaded and activate, then re-upload your theme. Before I do this I carefully check the footer for bad code or links, especially encoded stuff like gzip eval statements (hackers put these there so yo don’t know they’re spam links). I check the functions.php file and make sure there isn’t any rogue code there. Last I check all the main PHP files for bad code too, like index.php, search.php, page.php, archive,php, etc. – all by hand in a text editor. THEN, I re-upload the theme, activate, and check the front end web site to make sure everything is ok.

My WP site has been hacked or compromised, but I can get into my dashboard admin…

Well, if you can login to wp-admin to get to your dashboard, the process is pretty similar…

  1. Download a backup of your ENTIRE wordpress site in FTP to a folder on your desktop
  2. Login to your web control panel, go to the database section, and click on phpMyAdmin. Once it loads, find the database for your wordpress site in the left sidebar and click on it (look in wp-config.php file in the root of your site if you don’t know what it’s called)
    Click on the “export” tab on the top right
  3. Under the “View dump (schema) of databases” section click “select all” to select all the tables (if they aren’t already)
  4. At the bottom of the page make sure the “save as file” checkbox is checked and the radio button for “zipped” is selected for compression
  5. Click the “go” button to the right, and when the popup appears, save the file to your desktop. Now you’ve saved a copy of your WordPress database
  6. In FTP go to /wp-content/plugins and delete all the plugins (don’t worry, you downloaded a backup of them earlier)
  7. In FTP go to /wp-content/themes and delete all the themes except default wordpress (you also have a copy of all themes)
  8. What you’ve done is completely removed all the plugins and theme files – which 90% of the time are the problem. If this fixes your problem – then re-upload and activate the plugins one by one, checking each time to make sure one of them isn’t the problem.
  9. If you get beyond all the plugins then move on to the theme that you were using at the time of the problem. You need to re-upload your theme, but before I do this I carefully check the footer for bad code or links, especially encoded stuff like gzip eval statements (hackers put these there so yo don’t know they’re spam links). I check the functions.php file and make sure there isn’t any rogue code there. Last I check all the main PHP files for bad code too, like index.php, search.php, page.php, archive,php, etc. – all by hand in a text editor. THEN, I re-upload the theme, activate, and check the front end web site to make sure everything is ok.
  10. If you get through all your plugins and the theme files, my next steps are search the site for any weird looking files or folders. It really depends on what the problem was. If the infected site had spam links in the footer and I found the bad code in footer.php and removed it – then of course I would know I had removed it. If the footer links were still there after going through the plugins and theme – then I’d keep looking. In my experience if I didn’t find the problem in the plugins or theme, then I usually have to move on to the database.

I could give you all kinds of ways to search and fix the database – but it takes both experience and time to find a database infection – and even then you might miss something. Over time from experience I’ve concluded that it’s much easier to export everything from the dashboard, start with a new database, and then re-import all your data. Move on to the next section for those instructions.

I need to fix a WordPress database infection – what do I do?…

So, if you’ve gotten this far in this “fixing hacked blogs tutorial” you should at least have access to your dashboard, and you’ve already gone through your plugins and themes – and what’s left is the database. As I previously mentioned – I could show you how to search for and clean infections out of your database, but it’s much easier to take the route I’m about to tell you.

Here is the easiest way I’ve found to completely remove a WordPress database infection:

  1. If you performed the steps earlier, you already have a full database backup that you exported from your web control panel using phpMyAdmin. If not – go back and do it now
  2. Login to your WP dashboard admin and go to “Tools->Export” and export the contents of your site. With this standard WordPress tool you can export all your posts, tags, pages, categories – ALL of your content. The only thing you cannot export are your (previously installed) plugins settings. The only thing you can do in that regard is export them from various plugin pages (which most don’t have options for), write them down, or export the records from your wordpress wp_options table one by one. You might want to take note of your general wordpress settings as well, exporting content will not export those settings.
  3. Next, you want to visit your web hosting control panel and create a new blank database. Write down the database name, database password, and database username.
  4. Now open download the wp-config.php file from the root of your site and open it in a text editor. Remove the old db name, password, and username – and replace with the new blank database ones. Upload the updated wp-config.php back to the root of your site. Depending on whether or not you suspect your wordpress files were infected, if you haven’t already you could additionally at this point is delete all the root files (except wp-config.php), an everything in wp-admin and wp-includes and then upload a fresh copy of all core WP files. Then you truly know you’re starting with fresh WP files AND fresh clean WP database.
  5. Now just visit your site in a web browser, and what should happen is it gives you the dialogue and button to run the WP install for the first time. Click the button and run the install for wordpress, and login for the first time with your admin account
    Once you’re logged in go to “Tools->Import” and import your previously exported posts, pages, tags, categories, etc.
  6. Activate your plugins
  7. Activate your theme

Now you should have a completely clean wordpress database, and if you followed the first two sections you should now already have clean plugins and a clean theme. As I mentioned, you might have to setup your plugins settings and options again, but that’s a very small price to pay to ensure you have a 100% clean and fresh WordPress database

The biggest mistake that anyone can make is to find and fix an infected WordPress web site, and then not take any preventative measures to ensure that it doesn’t happen again. Be sure to go through the next section and take the preventative measures to ensure that it doesn’t happen to you again. I can’t tell you the number of clients that have come tome because they were able to remove the infection from their site by themselves, but then it kept getting infected over and over again (and they didn’t know why). So – they would pay me to fix their site and ensure that it never happens again.

How do I prevent my WordPress site from getting hacked again?

So, at this point in the tuorial you’re site should be clean. If it’s not – quick reading this section, and got back and remove the infection. Now your job is to do preventative maintenance for the future – to ensure it won’t happen again.

You may have removed some kind of site infection or malware, but you probably have no idea how it happened. I’m much better now when working on sites at figuring out exactly how somebody broke in. But there are times where I really don’t know – but once I get done with the preventative maintenance and harden the security, I’ve never had a single time after doing this (and hundreds of fixed sites) that the site got infected again. That’s because when it comes down to it, the break in’s are almost always automated by scripts and software (and predictable).

To prevent your WordPress site from getting hacked, infected, or broken into again – these are the steps you should take:

  1. Logins and Passwords:It’s time to take charge of your passwords. Most likely – like everyone else you’ve been using passwords that are easy to remember. In addition, most people tend to use the exact same password for everything – and the exact same username. That means if somebody gets the login to one site – the get them all…and your facebook, twitter, online banking, email accounts, etc. The #1 source of entry for spammers and hackers into your web site is by going directly through your login account – and here’s how to stop that…
    • Use different login usernames on all your accounts. NEVER use the same login across all sites, and always try to use login usernames that have some numbers AND letters
    • Use STRONG passwords with numbers, letters, and special characters. You can use www.strongpasswordgenerator.com if you’re in doubt. Also, the LONGER a password is, the harder it is to break. Most people are forced to use an 8 character password with most site – I use 15.
  2. Failure to do Maintenance and Upgrades: If you have shared web hosting, make sure that EVERY WordPress web site and plugin in ALL the sites you have are up to date. If someone breaks into one – they gain access to hack them ALL. If you have software OTHER than WordPress in your web hosting account (forums, other CMS systems, scripts) keep THEM updated in ALL sites. Neglected and unmaintained code is one of the #1 ways hackers can compromise your site!
    Intercepted Logins: Be very aware of HOW and WHERE you are connecting to your WordPress site, your web control panel, and FTP. Use encrypted wifi at home, never use public wifi for connecting to your wordpress dashboard, FTP, or your web control panel unless you can use an “https://” secure connection.
  3. WordPress Security Plugins: Use a few free WordPress security plugins, such as Secure WordPress, and Login Lockdown
  4. Google Webmaster Tools: Signup for Google webmaster tools and it’s “automated alert” feature – so if your web site is broken into (for malware) you’ll get an email alert. You can also keep track of your rankings and any indexing problems easily here as well
  5. Other WordPress Security: Read my free WordPress Security Guide for even more free preventative maintenance and security hardening you can do with your WordPress web site

About the Author

JTPratt Media was started by John Pratt in 2009 after working online for 14 years as a consultant, successful affiliate marketer and blogger, WordPress consultant, and tenure as senior web developer at Ford Motor Company in Dearborn, MI.


Comments

How to Fix a Hacked WordPress Blog — 13 Comments

  1. dear JT Pratt, thx for the article. im now facing almost the same like problems u’ve explained. but then i realized 1 thing that .htaccess here can’t be erased. do u have any suggestion?
    does re-install wordpress then import the back-up can resolve my problem?

    hope to hear from u soon, thx.
    rina

  2. Pingback: How I fixed my hacked Wordpress blog | Is This Wisdom?

  3. Pingback: What you may have missed (WordPress hacked) | upstartHR

  4. Pingback: How to take over someone else’s wordpress blog

  5. Thanks so much for this article! A client blog suddenly wouldn’t let me login, I am thankful I found this article as I followed all the steps and it worked perfectly. The client site is now up and running properly. I really appreciate this info you shared.

  6. Thanks for all these info regarding hacking.My website hacked my be due to WP plugin. but control panel password also not working.Please suggests me .

  7. Hi Chandan, First, If your control panel password is not working, I suggest that you contact your hosting company technical support. Have them look into why your password isn’t working and have them reset your password. They may also be able to track any hacks into your site.

  8. Pingback: Case Study: Web sites hacked, WordPress โดนแฮก และการแกะรอยแฮกเกอร์ #2 | Sontaya's | Blog

  9. “Do you mind if I quote a few of your posts as long as I provide credit and sources back to your weblog? My blog site is in the exact same area of interest as yours and my users would truly benefit from a lot of the information you present here. Please let me know if this ok with you. Thank you!”

  10. Pingback: How to Rebuild a Wordpress Blog after Your Site has Been Hacked or Infected with Malware - Fabulous Blogging

  11. Pingback: How to Rebuild a Wordpress Blog after Your Site Has Been Hacked or Infected with Malware | Fabulous Blogging

Leave a Reply