WordPress hacked – reinstall time
January 13th, 2012
OK, so WordPress got hacked. I’ve had problems with this in the past and tried tactical surgery, but this time decided to do a full re-install. My first attempt today left me with the WordPress blank screen of death, so here I’m outlining the steps I took that finally got the new version working:
back up WordPress database: http://codex.wordpress.org/WordPress_Backups#Simple_Backup

# go onto hosting box and download new WordPress:
# there are better ways to download wordpress than zip, but this worked for me
lynx -source -dump http://wordpress.org/latest.zip > wordpress.zip
# or
curl -o wordpress.zip http://wordpress.org/latest.zip
unzip wordpress.zip
mv myblog.com oldmyblog.com
mv wordpress myblog.com
cd myblog.com
cp wp-config-sample.php wp-config.php
vi wp-config.php
# change mysql info
/** The name of the database for WordPress */
define('DB_NAME', 'mydbname');
/** MySQL database username */
define('DB_USER', 'mydbuser');
/** MySQL database password */
define('DB_PASSWORD', 'mydbpassword');
/** MySQL hostname */
define('DB_HOST', 'mysql.myhost.com');
# added new keys
# get keys at
# https://api.wordpress.org/secret-key/1.1/salt/
# replacing these lines
# define('AUTH_KEY', 'put your unique phrase here');
# define('SECURE_AUTH_KEY', 'put your unique phrase here');
# define('LOGGED_IN_KEY', 'put your unique phrase here');
# define('NONCE_KEY', 'put your unique phrase here');
# define('AUTH_SALT', 'put your unique phrase here');
# define('SECURE_AUTH_SALT', 'put your unique phrase here');
# define('LOGGED_IN_SALT', 'put your unique phrase here');
# define('NONCE_SALT', 'put your unique phrase here');
# save file
cp .htaccess .htaccess.orig
# the downloaded .htaccess was giving me 404 errors
# so I used the one from the previous blog. Not sure
# if it's fully up to date but at least it got me going
vi .htaccess
# include these lines
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
cp -R ../oldmyblog.com/wp-content/themes wp-content
cp -R ../oldmyblog.com/wp-content/uploads wp-content
cp -R ../oldmyblog.com/wp-content/profile-pics wp-content

reinstall plugins, in my case I use these:
amr-shortcode-any-widget/amr_shortcode_any_widget.php
google-analytics-for-wordpress/googleanalytics.php
profile-pic/profile-pic.php
sbs-blogroll/sbs-blogroll.php
syntax-highlighter-compress/syntax-highlighter-compress.php
w3-total-cache/w3-total-cache.php
wordpress-popular-posts/wordpress-popular-posts.php
wp-widget-cache/widget-cache.ph

For more info see
http://codex.wordpress.org/FAQ_My_site_was_hacked

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
suggests a reinstall and checking the WordPress database for these code usages as signs of possible hacks:
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%';

http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
check for usage of base64_decode()
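An added example, not part of the original post: the themes, uploads and profile-pics directories above are copied from the hacked install, so this script scans such a tree for PHP in uploads, base64_decode() calls and .htaccess files that redirect to an external URL. The function names, the pattern list and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): review directories carried over
# from the old install before trusting them. Patterns are a starting point only.

# Prefix each path read on stdin with a reason label.
label() { while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done; }

# scan_wp_content DIR: print "reason<TAB>file" per finding; return 1 if any.
scan_wp_content() {
    dir=$1
    out=$(
        # PHP has no business in the uploads tree.
        find "$dir/uploads" -type f -name '*.php' 2>/dev/null | label php-in-uploads
        # base64_decode() in copied PHP files, as the post suggests checking.
        find "$dir" -type f -name '*.php' -exec grep -lE \
            'base64_decode[[:space:]]*\(' {} + 2>/dev/null | label base64_decode
        # .htaccess files that send errors or rewrites to an external URL.
        find "$dir" -type f -name .htaccess -exec grep -lEi \
            '^[[:space:]]*(ErrorDocument|Redirect|RewriteRule).*https?://' {} + \
            2>/dev/null | label htaccess-external-redirect
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree: one clean theme file plus three planted findings.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/themes/mytheme" "$t/uploads/2012/01"
    printf '<?php get_header(); ?>\n' > "$t/themes/mytheme/index.php"
    printf '<?php $x = base64_decode ("Zm9v"); ?>\n' > "$t/themes/mytheme/footer.php"
    printf '<?php echo 1; ?>\n' > "$t/uploads/2012/01/image.php"
    printf 'ErrorDocument 404 http://redirect.example/\n' > "$t/uploads/.htaccess"
    printf '%s\n' "$t"
}

# Usage: sh scan.sh ../oldmyblog.com/wp-content   (scan before copying)
if [ $# -gt 0 ]; then scan_wp_content "$1"; fi
```

A hit is a prompt to read the file, not proof of compromise; some plugins and themes call base64_decode() legitimately.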
Comments
Hi Kyle,
I’ve heard about so many people having their sites hacked that I thought I would create a couple of videos about protecting your site from being hacked and also how to set up automatic backups of WordPress sites:
http://www.onlinemagnetism.com/blog/protecting-your-wordpress-site-hacking
Oliver
hacked again
Somehow someone/something was able to remove the ~/dboptimizer.com/.htaccess file.
When it was gone, the access fell back to ~/.htaccess which was hacked such that 404 errors got redirected.
Currently changed ~/dboptimizer.com/.htaccess is correct and set to 444 permissions. I got rid of the ~/.htaccess and put an empty ~/.htaccess with 444 permissions in place.
Disturbing that someone had the rights to remove .htaccess with 664 permissions. Not sure how that works. Worrisome.
Changed passwords, but I don’t think that’s the issue.