Posts Tagged ‘wordpress’

Surviving WordPress Compromise (part 2)

Monday, March 5th, 2012

Once you feel comfortable that your WordPress site is back, it is time to locate the malicious code and work out how it got there.
If your provider gives you access to the web server logs, you may be able to determine which file(s) contained the malicious code. How? Look for requests made directly to a specific file deep inside your WordPress (or former WordPress) site, typically a PHP file under wp-content/ that a normal visitor would never ask for by URL. WordPress loads theme and plugin files itself, so a request that names one of those files is usually the attacker calling the code they planted or modified.
In my situation, the file http://www.jefftangen.com/wordpress/wp-content/themes/{theme_name}/functions.php was infected. I checked one of my backups and saw the added code at the top of the file. The added code started with “eval(base64_decode” followed by the code of the hack.
While you are looking at your site, do a visual inspection of all the files and make sure that every file out there is yours. Why? Your site had malicious code on it, so nothing stopped the attacker from also dropping files of their own (a backdoor) that keep working after you clean the original infection. Take the time to verify every folder and file on the site, ideally against a fresh download of the same WordPress version and of each plugin and theme you use. If a file or folder is not associated with your site, delete it.
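The three checks above (direct requests to PHP files under wp-content/ in the access log, the "eval(base64_decode" loader at the top of a file, and files that do not belong to the site) can be automated once you have the logs and an FTP copy of the site on your local machine. The script below is an added example written for this page, not the author's own tooling or anything shipped with WordPress. The access log lines, the site tree it builds in a temporary directory, the theme name "mytheme" and the IP addresses are all constructed for the example; the manifest of expected files stands in for the listing you would take from a clean download of the same WordPress version.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of an Apache "combined" access log. The IP addresses,
# timestamps and the theme name "mytheme" are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2012:10:01:12 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2012:10:01:13 +0000] "GET /wordpress/wp-content/themes/mytheme/style.css HTTP/1.1" 200 810 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2012:10:02:40 +0000] "POST /wordpress/wp-content/themes/mytheme/functions.php HTTP/1.1" 200 12 "-" "-"
198.51.100.9 - - [05/Mar/2012:10:02:41 +0000] "GET /wordpress/wp-content/uploads/2012/02/img.php?c=id HTTP/1.1" 200 95 "-" "-"
203.0.113.7 - - [05/Mar/2012:10:03:00 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)


def suspicious_requests(log_text):
    """Return (ip, method, path) for direct requests to PHP files under wp-content/.

    WordPress includes theme and plugin files itself; a visitor never asks for
    them by URL, so a hit on wp-content/.../something.php is worth inspecting.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if "/wp-content/" in path and path.lower().endswith(".php"):
            hits.append((m.group("ip"), m.group("method"), path))
    return hits


# Obfuscated-loader pattern like the one found at the top of functions.php.
EVAL_RE = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
)


def files_with_eval(root):
    """Relative paths of PHP files under root whose contents match EVAL_RE."""
    root = Path(root)
    return [
        p.relative_to(root).as_posix()
        for p in sorted(root.rglob("*.php"))
        if EVAL_RE.search(p.read_text(errors="replace"))
    ]


def php_in_uploads(root):
    """PHP files under wp-content/uploads; that directory should hold media only."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*.php"))


def unexpected_files(root, expected):
    """Files under root that are not in the expected set of relative paths.

    'expected' would normally be the file list of a clean WordPress download
    plus your own plugins, themes and uploads.
    """
    root = Path(root)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    return sorted(present - set(expected))


def build_sample_site():
    """Write a small constructed site tree into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    files = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-content/themes/mytheme/style.css": "body { color: #333; }",
        # Constructed: loader prepended to an otherwise ordinary theme file.
        "wp-content/themes/mytheme/functions.php":
            "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"
            "<?php function mytheme_setup() {} ?>",
        "wp-content/uploads/2012/02/photo.jpg": "not really a jpeg",
        # Constructed: a PHP file that WordPress itself would never put in uploads.
        "wp-content/uploads/2012/02/img.php": "<?php /* placed by attacker */ echo 'x'; ?>",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    manifest = {
        "index.php",
        "wp-content/themes/mytheme/style.css",
        "wp-content/themes/mytheme/functions.php",
        "wp-content/uploads/2012/02/photo.jpg",
    }
    print("suspicious requests:", suspicious_requests(SAMPLE_LOG))
    print("eval loaders:", files_with_eval(site))
    print("php in uploads:", php_in_uploads(site))
    print("not in manifest:", unexpected_files(site, manifest))
```

Run it against the downloaded copy of the real site by pointing the three file functions at that directory and feeding the real access log to suspicious_requests(). The eval pattern is a starting point, not a complete list; a file that is in the manifest can still be modified, which is why the log and the eval scan are used together with the file listing rather than instead of it.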
In retrospect, to keep this from happening again, do not use simple, easy-to-guess passwords, and use a different password for every site. That applies to the hosting control panel, FTP and database accounts as well as the WordPress admin account.

Surviving WordPress Compromise (part 1)

Sunday, February 26th, 2012

So, your WordPress site has been hacked…

Hidden php file that contains the malicious code.

1. Make a backup of your site, including the database.
In your control panel there should be a backup application that backs up the entire site. Once the backup is complete, download the created file.
Use FTP to copy your entire site to your local computer.
Use phpMyAdmin to make a dump (copy) of the database.
Keep in mind that this backup is a copy of the infected site: it is for evidence and for recovering your content, not for restoring files wholesale.

It is better to have too many backups than not enough and lose your data.

2. Make a screenshot of your plugins and themes (optional, as you do have the names and files in the backups).

3. Remove all plugins and themes and see if that gets rid of the malicious code.

If that does not remove the malicious code, the site needs to be deleted and re-created.

4. Remove WordPress from the installed applications in your control panel. This permanently deletes the WordPress site.

5. Re-install WordPress from your control panel and make sure that it is up to date.

6. Edit the MySQL database dump file and change the database name to the newly created database name.

7. In phpMyAdmin, remove all the tables that the fresh WordPress install created.

8. Import the database dump file. The import recreates all of the tables that were just deleted. Remember that the dump came from the compromised site: malicious content can live in the database as well as in files (for example script or iframe tags injected into post content or into widgets in wp_options), so search the dump for that before importing it.

9. Verify that the site comes up with the correct data and that the malicious code is gone.

10. Re-install any plugins and themes, downloading fresh copies rather than restoring them from the backup.

11. Copy back the uploaded files from the original site. Typically these are under /wordpress/wp-content/uploads. Copy only the media files: a PHP file in the uploads directory did not get there through WordPress and should not be copied back.
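Steps 6, 8 and 9 above are the ones where the database dump is handled by hand: the database name has to be changed to match the fresh install, and the dump has to be checked for injected content before it is imported and before the site is declared clean. The script below is an added example for this page, not the author's procedure and not a WordPress or phpMyAdmin tool. The dump fragment, the database names "olddb_wp" and "newdb_wp", and the injected script and iframe tags are all constructed for the example; real exports are larger but use the same CREATE DATABASE, USE and INSERT INTO statements.

```python
import re

# Constructed fragment of a phpMyAdmin/mysqldump export. The database names,
# the injected <script>/<iframe> tags and the option values are made up.
SAMPLE_DUMP = """\
-- phpMyAdmin SQL Dump
CREATE DATABASE IF NOT EXISTS `olddb_wp` DEFAULT CHARACTER SET utf8;
USE `olddb_wp`;

CREATE TABLE `wp_posts` (`ID` bigint(20), `post_content` longtext);
INSERT INTO `wp_posts` VALUES (1, 'Hello world!'),
(2, 'Our trip<script src=\\"http://203.0.113.7/x.js\\"></script>');

CREATE TABLE `wp_options` (`option_name` varchar(64), `option_value` longtext);
INSERT INTO `wp_options` VALUES ('siteurl', 'http://www.jefftangen.com/wordpress'),
('active_plugins', 'a:1:{i:0;s:19:\\"akismet/akismet.php\\";}'),
('widget_text', 'a:1:{i:2;a:1:{s:4:\\"text\\";s:40:\\"<iframe src=\\"http://203.0.113.7/\\"></iframe>\\";}}');
"""

# Matches the statements that name the database: CREATE DATABASE ... `name`
# (mysqldump also writes the /*!32312 IF NOT EXISTS*/ form) and USE `name`.
DB_LINE_RE = re.compile(r"^(CREATE DATABASE\b[^`]*|USE\s+)`([^`]+)`", re.I | re.M)


def rename_database(dump, old_name, new_name):
    """Step 6: point the dump at the database the fresh install created."""
    def sub(m):
        if m.group(2) != old_name:
            return m.group(0)
        return f"{m.group(1)}`{new_name}`"
    return DB_LINE_RE.sub(sub, dump)


INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`", re.I)

# Things an editor does not normally type into a post or a widget. An opening
# <script>/<iframe> tag or a PHP loader inside stored content is worth a look.
INJECT_RE = re.compile(r"<script\b|<iframe\b|eval\s*\(|base64_decode\s*\(", re.I)


def find_injected_content(dump):
    """Steps 8/9: (table, matched token) for every suspicious hit inside an INSERT.

    Multi-row INSERTs span several lines, so the current table is tracked
    until the statement's closing ';'.
    """
    hits = []
    table = None
    for line in dump.splitlines():
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)
        if table is not None:
            for found in INJECT_RE.finditer(line):
                hits.append((table, found.group(0).lower()))
            if line.rstrip().endswith(";"):
                table = None
    return hits


if __name__ == "__main__":
    renamed = rename_database(SAMPLE_DUMP, "olddb_wp", "newdb_wp")
    print(renamed.splitlines()[1])
    print(renamed.splitlines()[2])
    for table, token in find_injected_content(SAMPLE_DUMP):
        print(f"suspicious {token!r} in {table}")
```

A hit in wp_posts means the post itself has to be edited before the site goes back up; a hit in wp_options usually points at a text widget or a theme/plugin setting that stores HTML. Only the opening tags are matched, so each injected block is reported once; the pattern list is deliberately short and should be extended with whatever the access log and the file scan turned up on your own site.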