Surviving WordPress Compromise (part 2)
Monday, March 5th, 2012

Once you feel comfortable that your WordPress site is back, it is time to locate where the malicious code came from.
If your provider gives you access to the logs, you may be able to determine which file(s) have the malicious code in them. How will you do that? You will see web access to a specific file (or files) deep in your WordPress site (or former WordPress site).
In my situation, the file http://www.jefftangen.com/wordpress/wp-content/themes/{theme_name}/functions.php was infected. I checked one of my backups and did see the added code to the top of the file. The added code had “eval (base64_decode” and the code of the hack after.
While you are looking at your site, you should do a visual inspection of all the files and make sure that all the files out there are yours. Why do I say that? Well, your site had malicious code on it. Correct? What would stop the bad guy from adding their own code to your site and have it run there? Nothing is really stopping them from that. My suggestion is to take the time and verify all the folders/files on your site. If those files/folders are not associated with your site, delete them.
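The two checks described above (finding the `eval (base64_decode` injection in a file, and verifying that every file on the site is really yours) can be done in one pass by comparing the live site against a clean backup. The script below is an added example written for this post, not the author's own tooling: it hashes every file in a backup tree, flags files in the live tree that are new or changed, and greps `.php` files for the `eval(base64_decode(` pattern. The theme name, paths and file contents are constructed sample data; the `PLACEHOLDER` string stands in for the encoded payload, which the post does not reproduce.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Pattern for the injected code described in the post: eval() wrapping
# base64_decode() (or similar decoders), with optional whitespace between tokens.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root (e.g. a clean backup)."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def scan_for_injected_code(root: Path) -> list:
    """Return (relative path, 1-based line number) for every .php line matching SUSPICIOUS."""
    hits = []
    for p in root.rglob("*.php"):
        with open(p, "rb") as f:
            for lineno, line in enumerate(f, start=1):
                if SUSPICIOUS.search(line):
                    hits.append((p.relative_to(root).as_posix(), lineno))
    return sorted(hits)


def diff_against_baseline(live: Path, baseline: dict) -> dict:
    """Compare the live tree with a clean manifest: files added, modified, or missing."""
    current = build_manifest(live)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(set(baseline) - set(current)),
    }


def build_demo() -> tuple:
    """Constructed sample data: a clean backup tree and a live tree with an injected theme file
    and one dropped file that was never part of the site."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    theme = Path("wp-content/themes/example-theme/functions.php")  # hypothetical theme name
    clean_php = b"<?php\nfunction example_theme_setup() {\n    add_theme_support('post-thumbnails');\n}\n"
    for root in (backup, live):
        (root / theme).parent.mkdir(parents=True)
        (root / theme).write_bytes(clean_php)
    # Simulated injection prepended to functions.php, as the post describes
    (live / theme).write_bytes(b"<?php eval (base64_decode('PLACEHOLDER')); ?>\n" + clean_php)
    # Simulated file that does not belong to the site
    extra = live / "wp-content/uploads/cache.php"
    extra.parent.mkdir(parents=True)
    extra.write_bytes(b"<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
    return backup, live


def run_demo() -> dict:
    backup, live = build_demo()
    return {
        "hits": scan_for_injected_code(live),
        "diff": diff_against_baseline(live, build_manifest(backup)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Against a real site, point `build_manifest` at the clean backup and `scan_for_injected_code` and `diff_against_baseline` at the live document root; anything listed under `added` or `modified` that you do not recognise is what the post tells you to inspect and remove. The pattern match alone is only a first filter, since the injected code can be wrapped differently, so the hash comparison against a known-good backup is the check to rely on.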
In retrospect, to mitigate this from happening in the future, make sure that you do not use simple, easy passwords and that your passwords are unique from site to site.