WordPress Hack Cleanup – A Tale from the Trenches

A client that I had previously done some work for called me the other morning.

He told me how his site had been hacked and his host had suspended his site completely. He had an advert in the paper this weekend and was not happy about paying for customers to go to a suspended site.

As you can imagine it is pretty hard to fix a site that you cannot even connect to. All I had to work from was a WordPress login.

After I talked to his host, they agreed to allow one IP address to connect to the site to work on it. They added mine. One problem, though: the admin page was full of errors.

Image: flickr

Eventually I got the cPanel details and got to work.

The first thing I did was disable all the WordPress plugins with this MySQL script. That then allowed me to log in.

I was immediately redirected to another site though – a result of the hack.

I went back to the site dashboard and immediately updated WordPress; it was running a very old version.

Then I logged in via cPanel and noticed a few files with a modified date of a few days ago. I edited out the hacked pieces of code from them. I then installed Wordfence and Exploit Scanner and tried to do some scans.

Unfortunately Wordfence was not working, because the site was not accessible to Wordfence's servers. Here are some additional steps that I took:

  • Working and checking with cPanel and then using FTP, uploaded new wp-admin and wp-includes folders from a clean install. (You can just replace these entire folders.)
  • The site was now starting to work well, so I updated all the plugins, then re-enabled a couple of necessary ones.
  • Updated all the themes.
  • Checked the uploads folders and found a whole folder full of uploaded PHP files, so removed those.
  • Changed the user passwords within WordPress to new complex passwords.
  • Checked the main folders for any files that looked out of place.
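
Where shell access is available, the uploads check and the modified-date check from the steps above can be scripted. This is an added example, not the commands used in this cleanup; the function names, the 7-day default window and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress tree. Nothing is deleted or changed.
# The 7-day default window and the demo tree below are assumptions for illustration.

# PHP-style files under wp-content/uploads. That folder should hold media only,
# so every hit needs manual review before removal.
find_upload_php() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# PHP files and .htaccess files modified within the last N days (default 7).
find_recent_changes() {
    find "$1" -type f \( -iname '*.php' -o -name '.htaccess' \) \
        -mtime "-${2:-7}" 2>/dev/null | sort
}

# Constructed sample tree: one old core file, one fresh edit, one PHP upload.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2015/03"
    echo '<?php // core' > "$d/wp-includes/version.php"
    touch -t 202001010000 "$d/wp-includes/version.php"   # looks untouched
    echo '<?php // edited' > "$d/index.php"               # modified just now
    echo '<?php // dropped' > "$d/wp-content/uploads/2015/03/img.PHP"
    : > "$d/wp-content/uploads/2015/03/photo.jpg"
    echo "$d"
}

# Print both listings for a given WordPress root.
triage_report() {
    echo "== PHP files in uploads =="
    find_upload_php "$1"
    echo "== PHP/.htaccess modified in last ${2:-7} days =="
    find_recent_changes "$1" "${2:-7}"
}

# Usage: sh triage.sh /path/to/wordpress [days]
if [ -n "${1:-}" ]; then
    triage_report "$1" "${2:-7}"
fi
```

Modification times can be reset by whoever planted the files, so an empty recent-changes list does not prove the tree is clean; comparing wp-admin and wp-includes against a clean install remains the stronger check.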

The site was now in a stable enough state to contact the provider and get them to enable public access again.

Once this was done I was then able to run a full Wordfence scan and deal to a couple of minor issues.

Going forward, the client wanted us to take a more active role with the support of their site, so they are now on our Bronze maintenance plan, which means we take care of all their backups and WordPress updates and they can focus on their business.

Rob StGeorge
Senior SQL Server Database Administrator residing in Auckland, NZ
