So your WordPress was hacked… Now what?

Local blogger friend Dr. Beth Snow's site was hit with a PHP injection attack. My blog was hacked using that mechanism last summer, but today I realized that I never wrote down the recipe for cleaning it out. So here goes.

Form of the attack

The attack consists of extra PHP code appended to existing files on the webserver and written into new files placed where visitors' browsers are likely to request them. Its goal is to redirect visitors' browsers to a third-party website that serves malware.

Vector

Most likely the site was hacked by a bot that brute-forced the password of the FTP account. Once in, the bot adds the code to many files in one pass.

How to get rid of it

Step 1: Upgrade your FTP password!

Prevent future attacks by changing your FTP password to a strong one. “Sammy32” is NOT a strong password. “rU#9&Jup” is a strong (though quite short) password. If you need inspiration, there are many free strong password generators online. Keep in mind that plain FTP sends the password unencrypted over the network, so use SFTP or FTPS instead if your webhost offers it.

Step 2: Upgrade the rest of your passwords on that webhost!

Somebody got access to some of your data, and you must assume that they’ve taken full advantage of their access, so change your other passwords too. Including:

  • Database passwords (for a WordPress blog that’s the MySQL password; after changing it, put the new password into wp-config.php, or the blog will stop working)
  • WordPress user accounts passwords
  • Any password protected directories (whether you set them up manually in the .htaccess file or you used your webhost’s control panel tools to do the same)

Step 3: Check all browsable files on your website

The PHP insertion hack targets browsable files such as .php, .htm and .html. Look for an injected <iframe> tag with width and height attributes of 1, i.e. a one-pixel frame that the visitor never sees but whose contents the browser still loads (see the post describing the hack on my website).

Donncha O Caoimh, a respected WordPress community contributor, has created a very handy WordPress exploit scanner plugin that will look through your WordPress installation and database. If you have more content on your website than just the WordPress files (e.g. a Wiki, a static website, a downloads directory, etc.), the WordPress plugin won’t scan those directories. For that situation I recommend using an editor or another tool that can search all files in a directory tree for a particular string.
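As an added example (not code from the original post), here is a small POSIX shell script that does the directory-tree search described above for a site that has more than just the WordPress files. The three markers it searches for are assumptions: the 1×1 iframe described earlier, PHP appended after the closing </html> tag, and the eval(base64_decode(...)) wrapper that such injections commonly use. The tree it scans when run without an argument is a constructed fixture; the file names and the example.invalid URL are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: walk a web root and list the
# browsable files (.php/.htm/.html) that carry the usual markers of this
# injection. The markers are assumptions drawn from the post's description
# (1x1 iframes, code appended after </html>) plus the eval(base64_decode(...))
# wrapper such injections commonly use; tune them to what you actually find.

# A 1x1 iframe: any <iframe ...> whose width or height attribute is exactly 1.
IFRAME_RE="<iframe[^>]*(width|height)=[\"']?1[\"']?[^0-9]"
# Obfuscated PHP payload: eval() fed by a decoder.
EVAL_RE="eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)"

# has_trailing_php FILE: succeed if a <?php tag appears after the closing
# </html> tag, which a normal template never does (a footer that ends with
# '<?php wp_footer(); ?></body></html>' has its PHP *before* the tag).
has_trailing_php() {
    awk '
        index($0, "</html>") { seen = 1; if (index(substr($0, index($0, "</html>")), "<?php")) found = 1; next }
        seen && index($0, "<?php") { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# scan_tree DIR: print the path of every flagged file, one per line, sorted.
# Review each hit by hand; a legitimate file can match too.
scan_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) | sort |
    while IFS= read -r f; do
        if grep -qiE "$IFRAME_RE" "$f" || grep -qE "$EVAL_RE" "$f" || has_trailing_php "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_fixture: build a constructed sample tree (not real site data) and print its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo"
    # Clean theme footer: PHP before </html> must not be flagged.
    printf '<?php wp_footer(); ?>\n</body>\n</html>\n' > "$d/wp-content/themes/demo/footer.php"
    # Clean static page.
    printf '<html><body>hello</body></html>\n' > "$d/about.html"
    # Injected 1x1 iframe in an otherwise normal page (constructed URL).
    printf '<html><body>hi<iframe src="http://example.invalid/x" width=1 height=1></iframe></body></html>\n' > "$d/index.php"
    # PHP appended after the closing tag (constructed payload).
    printf '<html><body>x</body></html>\n<?php include "/tmp/.cache"; ?>\n' > "$d/hacked.html"
    # Not a browsable extension, so it is skipped even though it matches.
    printf '<iframe width=1 height=1></iframe>\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Run with a directory argument to scan a real web root, e.g.
#   sh scan.sh /home/you/public_html
# With no argument, scan the constructed fixture and remove it afterwards.
if [ $# -gt 0 ]; then
    scan_tree "$1"
else
    fixture=$(make_fixture)
    scan_tree "$fixture"
    rm -rf "$fixture"
fi
```

On the fixture this prints hacked.html and index.php and nothing else: the theme footer with PHP before </html> and the .txt file are left alone. Treat the output as a review list rather than a verdict, and widen the extension list if your site serves other executable file types.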

Step 4: What to do if you find the hack code

If the hack code is the only content in the file, delete the file.

If you find the hack in any part of the site that you didn’t create yourself (WordPress core files, theme files, plugins, etc.), delete that directory and re-upload a freshly downloaded replacement. For plugins, the settings are stored in the database and will survive this procedure; for theme directories, first back up the .css files, image files and any other files you have modified yourself.

If the hack code was inserted after the closing </html> tag, just delete the hack code and save the file.
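Replacing directories with fresh downloads is the safe route, but before doing so (and afterwards, to confirm nothing is left) it helps to know exactly which files on the server differ from a pristine copy of the same version, including files that exist only on the server, which no search for a known string can find. This added example, not the post's own code, does that with diff and awk. The pristine/live layout and the file contents are a constructed fixture, and skipping wp-content and wp-config.php is an assumption about what is site-specific; compare each theme and plugin against its own fresh download in the same way.

```shell
#!/bin/sh
# Added example, not part of the original post: compare a live WordPress tree
# against a freshly downloaded copy of the same version and report files that
# were changed or dropped in. It uses only diff and awk; wp-content and
# wp-config.php are skipped because they are site-specific (compare each
# plugin and theme against its own fresh download the same way).

# compare_trees PRISTINE LIVE: print one line per suspicious file:
#   CHANGED <path>  the live file differs from the pristine one
#   EXTRA   <path>  the file exists only in the live tree (dropped-in code)
#   MISSING <path>  the file exists only in the pristine tree
compare_trees() {
    diff -rq -x wp-content -x wp-config.php "$1" "$2" |
    awk -v live="$2" '
        /^Only in / {                       # "Only in DIR: NAME"
            line = substr($0, 9)
            p = index(line, ": ")
            dir = substr(line, 1, p - 1); name = substr(line, p + 2)
            inlive = (dir == live || index(dir, live "/") == 1)
            print (inlive ? "EXTRA   " : "MISSING ") dir "/" name
            next
        }
        /^Files .* differ$/ { print "CHANGED " $4 }   # "Files A and B differ"
    '
    return 0
}

# make_fixture: build a constructed pristine/live pair (not real WordPress
# files) under a temp directory and print that directory.
make_fixture() {
    root=$(mktemp -d)
    for t in pristine live; do
        mkdir -p "$root/$t/wp-includes" "$root/$t/wp-content/themes/demo"
        printf '<?php require "wp-blog-header.php";\n' > "$root/$t/index.php"
        printf '<?php // xml-rpc endpoint\n' > "$root/$t/xmlrpc.php"
        printf '<?php // core library\n' > "$root/$t/wp-includes/functions.php"
        printf '</body></html>\n' > "$root/$t/wp-content/themes/demo/footer.php"
    done
    # Injection appended to a core file in the live tree (constructed URL).
    printf '<iframe src="http://example.invalid/x" width=1 height=1></iframe>\n' >> "$root/live/xmlrpc.php"
    # Dropped-in file that a string search of the known files would never see.
    printf '<?php // constructed dropper\n' > "$root/live/wp-includes/.cache.php"
    # Site-specific files that exist only live and must not be reported.
    printf '<?php define("DB_PASSWORD", "changeme");\n' > "$root/live/wp-config.php"
    printf 'body{}\n' > "$root/live/wp-content/themes/demo/style.css"
    printf '%s\n' "$root"
}

# Run with two directory arguments to compare real trees, e.g.
#   sh compare.sh /tmp/wordpress-2.7-clean /home/you/public_html
# With no arguments, compare the constructed fixture and remove it afterwards.
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
else
    root=$(make_fixture)
    compare_trees "$root/pristine" "$root/live"
    rm -rf "$root"
fi
```

On the fixture the output is two lines: CHANGED for xmlrpc.php and EXTRA for wp-includes/.cache.php. The untouched core files, the excluded wp-config.php and everything under wp-content are silent. Any EXTRA line under a core directory deserves a look before you upload the replacement, because re-uploading a clean copy overwrites changed files but does not remove dropped-in ones.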

10 Comments to “So your WordPress was hacked… Now what?”

  1. Vancouver Lofts 16 April 2009 at 2:08 #

    I think it’s also important to note that you should always have your WordPress installation fully up to date. So many people that run in to issues do so because they are using an aged version of WP, which is no good.

    • Jan Karlsbjerg 16 April 2009 at 11:04 #

      Good point. I’ll also add a note to the post that the WP extension won’t protect areas of your site that are outside the WP directory.

  2. Gwyn Pritchett 19 April 2009 at 13:59 #

    This happened to me a couple of hours ago on a site I’m working on. All the index.php files were edited with iframe code. I’m pretty sure mine was the FTP problem as well, and if you read through http://wordpress.org/support/topic/232657 someone mentions it’s probably not directly related to WP (can happen to any site).

  3. Beth 22 April 2009 at 21:42 #

    Thanks for explaining how to fix all this! I’m only semi-tech savvy, so I was completely confused as to why my blog was behaving so strangely!

    It still freaks me out that someone hacked into my blog, even if it was a bot.

  4. Roger Young 4 June 2009 at 17:52 #

    I just started with a WordPress 2.7 blog, how can I check if it was hacked already, or will that be obvious?

  5. Jan Karlsbjerg 5 June 2009 at 19:38 #

    Roger, it probably won’t be obvious. I recommend that you install Donncha’s WordPress plugin that I link to in the post.

  6. Raul 28 June 2009 at 22:49 #

    I have always found it a bit confusing why someone would desire to hack someone else’s blog?

    Thanks for this post, Jan! We missed you at Meetup of Meetups!

  7. Jan Karlsbjerg 29 June 2009 at 21:11 #

    Raul, I had an important family commitment that evening at Denny’s (not kidding).

  8. David Drucker 19 July 2009 at 15:39 #

    Thanks for this. The hack (or initial point of entry, or so it looked) was of my xmlrpc.php file. It had everything but ‘From Russia with Love’ strewn on it. I downloaded a virgin copy from WordPress and blew the code away, but by that time, it had inserted something else that I couldn’t find. No matter what I did, the SPAM kept appearing. After about 6 hours of troubleshooting, doing DIFF between normal files and what I had, I finally admitted that I was beaten (this was at about 3:30 in the morning). I think that Donncha’s plugin may come in handy in the future, so I won’t have to do all of that scanning manually, but I have to admit that I’m pretty frightened of just how sophisticated this attack seemed to be. The SPAM wasn’t even in my template files or WordPress code. Instead, at the moment WordPress published a blog post, extra, hidden code would grab the SPAM from who-knows-where, and insert it between the head and body of a post, placing it in a div offscreen, and then inserting it at random in my RSS feed. Nasty.

  9. Grace 18 September 2009 at 4:53 #

    Thanks for the advice! With the WordPress exploit scanner plugin I was able to find the problem and solve it asap. Turned out it was a php script saved onto my index.php file from the public_html directory. I became aware of it when Google webmaster suggested “tattoo”-related keywords based on my site content, so I opened up my source code and found all sorts of nasty links. What?!
