WordPress hacked – reinstall time

January 13th, 2012

OK, so WordPress got hacked. I’ve had problems with this in the past and tried tactical surgery, but this time decided to do a full re-install. My first attempt today left me with the WordPress blank screen of death, so here I’m outlining the steps I took that finally got the new version working:

   back up wordpress database

       http://codex.wordpress.org/WordPress_Backups#Simple_Backup

   # go onto hosting box and download new WordPress:
   # there are better ways to download wordpress than zip, but this worked for me
   lynx -source -dump http://wordpress.org/latest.zip > wordpress.zip
     or
   # -L follows redirects; -o names the output file that unzip expects below
   curl -L -o wordpress.zip http://wordpress.org/latest.zip
   unzip wordpress.zip
   mv myblog.com oldmyblog.com
   mv wordpress myblog.com
   cd myblog.com
   cp wp-config-sample.php wp-config.php
   vi wp-config.php
      # change mysql info
      /** The name of the database for WordPress */
      define('DB_NAME', 'mydbname');
      /** MySQL database username */
      define('DB_USER', 'mydbuser');
      /** MySQL database password */
      define('DB_PASSWORD', 'mydbpassword');
      /** MySQL hostname */
      define('DB_HOST', 'mysql.myhost.com');
      # added new keys
      # get keys at
      #    https://api.wordpress.org/secret-key/1.1/salt/
      # replacing  these lines
      # define('AUTH_KEY',         'put your unique phrase here');
      # define('SECURE_AUTH_KEY',  'put your unique phrase here');
      # define('LOGGED_IN_KEY',    'put your unique phrase here');
      # define('NONCE_KEY',        'put your unique phrase here');
      # define('AUTH_SALT',        'put your unique phrase here');
      # define('SECURE_AUTH_SALT', 'put your unique phrase here');
      # define('LOGGED_IN_SALT',   'put your unique phrase here');
      # define('NONCE_SALT',       'put your unique phrase here');
      # save file

    cp .htaccess .htaccess.orig
    # the downloaded .htaccess was giving me 404 errors
    # so I used the one from the previous blog. Not sure
    # if it's fully up to date but at least it got me going
    vi .htaccess
      # include these lines
      # BEGIN WordPress
       RewriteEngine On
       RewriteBase /
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
       # END WordPress

    cp -R  ../oldmyblog.com/wp-content/themes        wp-content
    cp -R  ../oldmyblog.com/wp-content/uploads       wp-content
    cp -R  ../oldmyblog.com/wp-content/profile-pics  wp-content

    reinstall plugins, in my case I use these:
     amr-shortcode-any-widget/amr_shortcode_any_widget.php
     google-analytics-for-wordpress/googleanalytics.php
     profile-pic/profile-pic.php
     sbs-blogroll/sbs-blogroll.php
     syntax-highlighter-compress/syntax-highlighter-compress.php
     w3-total-cache/w3-total-cache.php
     wordpress-popular-posts/wordpress-popular-posts.php
     wp-widget-cache/widget-cache.ph

   For more info see
     http://codex.wordpress.org/FAQ_My_site_was_hacked
     http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
       suggests reinstalling and checking the WordPress database for these strings, which can indicate a hack
       SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
       UNION
       SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
       UNION
       SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
       check for usage of  base64_decode()
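
The steps above copy themes and uploads back from the hacked install, and the last link suggests looking for base64_decode(). The following is an added example, not part of the original post, that scans such a copied wp-content tree before it goes live. The function name, the output labels and the pattern list are assumptions chosen for illustration, and every hit is a candidate for manual review rather than proof of compromise.

```shell
# Added example (not from the original post). Scans a wp-content tree taken
# from a compromised install before it is reused under fresh WordPress core.
# The patterns are a starting point for manual review, not a complete list.
scan_wp_content() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0

    # Print each path in $2 prefixed with the label in $1.
    report() {
        [ -n "$2" ] || return 0
        printf '%s\n' "$2" | sed "s|^|$1 |"
        found=1
    }

    # uploads/ should contain media only, so any PHP-like file is suspect.
    if [ -d "$dir/uploads" ]; then
        report PHP_IN_UPLOADS "$(find "$dir/uploads" -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \))"
    fi

    # PHP that decodes or evaluates strings at run time (the base64_decode()
    # check from the post, plus functions commonly paired with it).
    report OBFUSCATED_PHP "$(find "$dir" -type f -iname '*.php' -exec \
        grep -lE 'base64_decode|gzinflate|str_rot13|eval[[:space:]]*\(' {} + \
        || true)"

    # .htaccess files can redirect or enable script execution; review each.
    report HTACCESS_REVIEW "$(find "$dir" -type f -name '.htaccess')"

    # 0 = nothing flagged, 1 = findings printed, 2 = bad argument
    return "$found"
}
```

Run it as `scan_wp_content ../oldmyblog.com/wp-content` before the `cp -R` steps, and copy across only what has been reviewed.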


  1. Comments

  2. February 8th, 2012 at 11:14 | #1

    Hi Kyle,

    I’ve heard about so many people having their sites hacked that I thought I would create a couple of videos about protecting your site from being hacked and also how to set up automatic backups of WordPress sites:
    http://www.onlinemagnetism.com/blog/protecting-your-wordpress-site-hacking

    Oliver

  3. March 15th, 2012 at 05:09 | #2

    hacked again

    Somehow someone/something was able to remove the ~/dboptimizer.com/.htaccess file.
    When it was gone, the access fell back to ~/.htaccess which was hacked such that 404 errors got redirected.

    Currently changed ~/dboptimizer.com/.htaccess is correct and set to 444 permissions. I got rid of the ~/.htaccess and put an empty ~/.htaccess with 444 permissions in place.

    Disturbing that someone had the rights to remove .htaccess with 664 permissions. Not sure how that works. Worrisome.

    Changed passwords, but I don’t think that’s the issue.
