Archive for February, 2012

Surviving WordPress Compromise (part 1)

Sunday, February 26th, 2012

So, your wordpress site has been hacked…

Hidden php file that contains the malicious code.

1. Make a backup of your site including the database.
In your control panel there should be a backup application to make a backup of your entire site. Once the backup is complete, download the created file.
Use ftp to copy your entire site to your local computer.
Use phpmyadmin to make a dump (copy) of the database.

It is better to have to many backups then not enough and lose your data.

2. Make a screen shot of your plugins and themes (optional as you do have the names and files in the backups)

3. Remove all plugins and themes and see if that gets rid of the malicious code.

If that does not remove the malicious code then the site needs to be deleted and re-created.

4. Remove wordpress from your installed applications in your control panel. This will delete permanently the wordpress site.

5. Re-install wordpress in your control panel and make sure that wordpress is up to date.

6. Edit the mysql database dump file and change the name of the database to be the newly created database name.

7. Inside of phpmyadmin, remove all the tables that wordpress created.

8. Import the database dump file. When it is imported, it will create all of the tables that were just deleted.

9. Verify that the site comes up with the correct data and that the malicious code has been removed.

10. Re-install any plug-ins and themes.

11. Copy the uploaded files that was in the original site. Typically these files are under /wordpress/wp-content/uploads