Articles Ethical Hacking | Page 3
International Journal of Scientific and Research Publications, Volume 5, Issue 6, June 2015
ISSN 2250-3153
the loss of valuable content. However, once it happens it is usually best not to procrastinate on the cleanup, since a speedy restore will in most cases minimize the damage that was caused.
While almost all sources will recommend that you upgrade your WordPress installation to the latest version, what the majority neglect to tell you is that in most cases simply doing so will not keep the attackers from getting back in, even if there are no known exploits for the latest version. The hackers may have left a back door file hidden in a directory where it would not get overwritten by an upgrade, inserted code into your theme, or simply created an account that they then granted admin privileges to. Any one of those would let them back in, even after you patched what was wrong the first time. Therefore I am providing this step-by-step process for completely cleaning out and restoring a WordPress installation that has been hacked.
a. Back up the site and the database.
Even a hacked copy of your blog still probably contains valuable information and files. You don't want to lose this data if something goes wrong with the cleanup process. In the worst case you can simply restore things to their hacked state and start over.
b. Make a copy of any uploaded files, such as images, that are referenced.
Images generally do not pose a security risk, and ones that you uploaded yourself (as opposed to ones included with a theme, for instance) will be harder to track down and replace after things are fixed. Therefore it is usually a good idea to grab a copy of all the images in your upload folder so as to avoid broken images in posts later. If you have any non-image files that could potentially have been compromised, such as zip files, plug-ins, or PHP scripts that you were offering to people, then it is a good idea to grab fresh copies of those from the original source.
c. Download a fresh version of WP, all of the plug-ins you need, and a clean template.
Using the WordPress automatic upgrade plug-in does make it easier to upgrade every time a new version comes out. However, it only replaces WordPress-specific files and does not delete obsolete ones. It also leaves your current themes and plug-ins in place, as is. This means that if it is used to upgrade a blog that has already been compromised, it can very well leave the attackers a way back in. It is best to start over from scratch as far as the files portion of your installation goes. Note that if you use the Easy WP WordPress Installer script that I wrote, it saves you from having to download, unzip, and then upload all of the core WordPress files, although you will still need to grab fresh copies of the themes and plug-ins that you want to use.
d. Delete all of the files and folders in the WP directory, either through FTP (slower) or through panel's File Manager (faster).
Now that you have fresh copies of all the files you need and have copied all of your uploaded images, completely delete the entire directory structure your blog is in. This is the only sure-fire way to remove every possibly infected file. You can do this through FTP, but because of the way FTP handles folder deletion (i.e. it walks the directory structure, stores each and every file name that needs to be deleted, and then sends a delete command for each one), this can be slow and in some instances get you disconnected for flooding the server with FTP commands. If available, it is much faster to do this through either panel's File Manager or via the command line if you happen to have shell access.
e. Re-upload the fresh copies you just grabbed.
This step should be self-explanatory, but I would like to mention that if your FTP client supports it (I use FileZilla, which does) and your host allows it, then increasing the number of simultaneous connections you use to upload can greatly reduce your overall transfer time, especially on servers or ISPs where latency is more of an issue than bandwidth.
f. Run the database upgrade (point your browser at /wp-admin/upgrade.php).
This will make any necessary changes to your database structure to support the newest version of WordPress.
g. Immediately change your admin password.
If you have more than one admin (meaning any user with editing capabilities) and cannot get the others to change their passwords right then, I would lower their user levels until they can change their passwords as well. If there is anyone in your user list who has editing capabilities and whom you do not recognize, it is probably best to delete them altogether. If changing passwords is something you hate doing, then maybe my new memorable password generator can make that a little less stressful for you.
h. Go through the posts and repair any damage in the posts themselves.
Delete any links or frames that were inserted, and restore any lost content. Google's and Yahoo's caches are often a good source of what used to be there if anything got overwritten. The following query, run against the database, can help you isolate which posts you want to look at:
SELECT * FROM wp_posts WHERE post_content LIKE '%
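As an added example that is not part of the original paper, the following Python script automates two of the checks the procedure above relies on: comparing a live installation against a fresh download to find files that an in-place upgrade would leave behind (the back door files and theme edits described before step a), and scanning post bodies for inserted frames, scripts and hidden links (step h). All file names, paths and post contents in the demo are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Markers of markup commonly inserted into post bodies: frames, scripts and
# hidden links. Rows matching this are the ones to review by hand.
INJECTED = re.compile(r"<iframe\b|<script\b|<object\b|display\s*:\s*none", re.I)

def suspicious_posts(rows):
    """Return the IDs of (ID, post_content) rows that match an injection marker."""
    return [pid for pid, body in rows if INJECTED.search(body or "")]

def _hashes(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(live, fresh, skip=("wp-content/uploads/", "wp-config.php")):
    """Diff a live install against a clean download of the same version.
    Returns (extra, modified): files only the live tree has (where a back door
    survives an in-place upgrade) and files whose contents differ from the clean
    copy (e.g. code inserted into a theme). Uploads and wp-config.php are
    site-specific and are skipped by default.
    """
    live_h, fresh_h = _hashes(live), _hashes(fresh)
    extra = sorted(r for r in live_h if r not in fresh_h and not r.startswith(skip))
    modified = sorted(r for r in live_h if r in fresh_h and live_h[r] != fresh_h[r])
    return extra, modified

def demo():
    """Build a constructed clean tree and a tampered live tree, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh"), Path(tmp, "live")
        for root in (fresh, live):
            (root / "wp-content/themes/x").mkdir(parents=True)
            (root / "wp-includes").mkdir()
            (root / "wp-includes/version.php").write_text("<?php // constructed core file")
            (root / "wp-content/themes/x/functions.php").write_text("<?php // theme")
        # Constructed tampering in the live copy: an edited theme file, a stray
        # file that no release ships, and the site's own (legitimate) config.
        (live / "wp-content/themes/x/functions.php").write_text("<?php // theme\n// inserted")
        (live / "wp-content/themes/x/wp-cache.php").write_text("<?php // not in release")
        (live / "wp-config.php").write_text("<?php // site settings")
        extra, modified = compare_trees(live, fresh)
    posts = [(1, "<p>Hello</p>"),  # constructed wp_posts rows
             (2, '<p>Hi</p><iframe src="http://example.invalid/"></iframe>'),
             (3, '<a style="display:none" href="#">x</a>')]
    return extra, modified, suspicious_posts(posts)
```

In a real cleanup, point compare_trees at the hacked document root and at an unpacked download of the same WordPress version, and feed suspicious_posts the ID and post_content columns exported from wp_posts.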