How To Completely Clean Your Hacked WordPress Installation

Posted on June 24th, 2008 at 10:11 am by Michael VanDeMar under On The Ball-ness, SEO, blogthropology, coding, how-to, web design

WordPress hacker removal spray... use in a well ventilated area. Getting hacked sucks, plain and simple. It can affect your rankings, cause your readership to be exposed to virus and trojan attacks, make you an unwilling promoter to subject material you may not actually endorse, and in many cases cause the loss of valuable content. However, once it happens it is usually best to not procrastinate on the clean up process, since a speedy restore will most times minimize the damage that was caused.

While almost all sources will recommend that you upgrade your WordPress to the latest version, what the majority neglect to tell you is that in most cases simply doing so will not prevent the attackers from getting back in, even if there are no known exploits with the latest version. The hackers may have left a back door file hidden in a directory where it wouldn’t get overwritten with an upgrade, or inserted code into your theme, or simply created an account that they then granted admin privileges to. Any one of those would allow them back in, even after you patched what was wrong the first time. Therefore I am providing this step by step process on how to completely clean out and restore a WordPress installation that has been hacked.

1. Backup the site and the database.

Even a hacked copy of your blog still probably contains valuable information and files. You don’t want to lose this data if something goes wrong with the cleanup process. Worst case scenario you can just restore things back to their hacked state and start over.

2. Make a copy of any uploaded files, such as images, that are referenced.

Images are generally exempt from posing a security risk, and ones that you uploaded yourself (as opposed to ones included with a theme, for instance) will be harder to track down and replace after things are fixed again. Therefore it is usually a good idea to grab a copy of all the images in your upload folder so as to avoid broken images in posts later. If you have any non-image files that could potentially have been compromised, such as zip files, plugins, or php scripts that you were offering people, then it is a good idea to grab fresh copies of those from the original source.

3. Download a fresh version of WP, all of the plugins you need, and a clean template.

Using the WordPress automatic upgrade plugin does make it easier to upgrade every time a new version comes out. However, it only replaces WordPress specific files, and does not delete obsolete ones. It also leaves your current themes and plugins in place, as is. This means that if used to upgrade a blog that has already been compromised, it can very well leave the attackers a way back in. It is best to start over from scratch as far as the files portion of your installation goes. Note that if you use the EasyWP WordPress Installer script that I wrote it saves you from having to download, unzip, and then upload all of the core WordPress files, although you will still need to grab fresh copies of the themes and plugins that you want to use.

4. Delete all of the files and folders in the WP directory, either through FTP (slower) or through cPanel’s File Manager (faster).

Now that you have fresh copies of all the files you need, and copied all of your uploaded images, completely delete the entire directory structure your blog is in. This is the only surefire way to completely remove all possibly infected files. You can do this through FTP, but due to the way that FTP handles folder deletion (ie. it walks the directory structure, stores each and every file name that needs to be deleted, and then sends a delete command for each one), this can be slow and in some instances cause you to get disconnected due to flooding the server with FTP commands. If available it is much faster to do this through either cPanel’s File Manager, or via command line if you happen to have shell access.

5. Re-upload the new fresh copies you just grabbed.

This step should be self explanatory, but I would like to mention that if your FTP client supports it (I use FileZilla, which does) and your host allows it, then increasing the number of simultaneous connections you use to upload can greatly reduce your overall transfer time, especially on servers or ISP’s where latency is more of an issue than bandwidth. In FileZilla this setting is found by going to “Edit -> Settings -> File transfer settings”:

FileZilla settings panel

Also, if not using the EasyWP WordPress Installer script, don’t forget to edit and rename your wp-config.php file (when freshly unzipped this is named wp-config-sample.php).

6. Run the database upgrade (point your browser at /wp-admin/upgrade.php).

This will make any necessary changes to your database structure to support the newest version of WordPress.

7. Immediately change your admin password.

If you have more than one admin (meaning any user with editing capabilities), and cannot get the others to change their passwords right then, I would change their user levels until they can change their passwords as well. If there is anyone in your user list that has editing capabilities, and you do not recognize them, it’s probably best to just delete them altogether. If changing passwords is something you hate doing, then maybe my new memorable password generator can make that a little less stressful for you. :D

8. Go through the posts and repair any damage in the posts themselves.

Delete any links or iframes that were inserted, and restore any lost content. Google and Yahoo’s caches are often a good source of what used to be there if anything got overwritten. The following query run against the database can help you isolate which posts you want to look at:

SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'

If you did not change the default prefix for WordPress tables, than you can copy and paste that directly into a query window and run it, and it should pull up any posts that have been modified to hide content using any of the methods I have come across so far (iframes, noscript tags, and display:none style attributes). To get to a query window in cPanel, you would click on the MySQL® Databases icon, scroll to the bottom of the page, and then click on phpMyAdmin. Once the new window or tab opens, you would click on the database in the left hand side that your blog was in, and then in the right side at the top click on the SQL tab. Then just paste the query into the large text area and hit the Go button.

Note, however, that there may be other types of injected content that I haven’t seen yet, and that a manual inspection looking for the types of patterns that first alerted you to the fact that your blog was hacked is always a good idea.


If you have enjoyed what you read here, please consider subscribing to my feed.

  Follow me on Twitter!

Share and Enjoy:
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google Bookmarks
  • Furl
  • StumbleUpon
  • Technorati
  • Reddit
  • Yahoo! Buzz
  • HackerNews

75 Responses to “How To Completely Clean Your Hacked WordPress Installation”

  1. Altaf Gilani Says:

    Very nice post bro, I hope you could have posted it lill before to help me out of this situation… lol

    Anyhow, I am sure it will be very helpful to some else who is stucked in such situation. Thanks for the useful post

  2. john andrews Says:

    Image files can be used to carry both hidden information and executable code (malware). While I agree the risk is not great, you should be careful about everything you port forward from a hacked installation to a new installation, including images. If you have pre-hack copies, certainly use those instead. Also, the existence of many images you did not put up yourself may be evidence of the intent of the hacker. Your site may have been intended to be used as a distribution point or hub… and you should ask your host to help make sure the new setup is protected against that sort of abuse.

  3. Michael VanDeMar Says:

    Actually, no, you cannot infect someone with a virus or other malware through an image. At worst a hacked blog might have their images defaced or destroyed, but that doesn’t actually pose a danger to the readers.

  4. Yair Bar-On Says:

    Excellent post. Definitely worth my Digg.
    There is one thing I would add to the list – use a vulnerability scanner on a regular basis.
    Spend $50 a month and have someone scan your site every day so you know when is the next time you are vulnerable. I just thought about how much this hack had cost me including downtime when I make no sales, loosing customers and reputation, and the cost of recovery, assuming I have an updated backup…
    It is definately helpful to know how to recover but it is more important to make sure you are not falling again.

  5. FreeSEOResources.com Says:

    Great post! Unfortunately most folks don’t heed the advice to prepare and backup until something happens to them. Just like backing up a hard drive. But once it happens, they realize how important it is and never forget. It’s good to have the peace of mind that you have a plan in place to deal with something like this when it happens. I recommend printing up the post and keeping it as a Standard Operating Procedure for dealing with the possibility of being hacked.
    Sounds like Atlaf just went through the same thing..I’m sure he’ll be prepared if it happens again thanks to your informative post. Keep up the good work! Enjoyable and informative blog on what can sometimes be a boring subject.

  6. Marc Says:

    You might be getting hundreds of “thank you”s by the end of the year with this post. Thanks for laying out everything step by step. I have dozens of people forward this post to :)

  7. john andrews Says:

    @Michael VanDeMar there have been malware vectors abusing images files since 2002, and stegonographic manipulations since before that.

    You misread me – I never said you would get a virus from the image. I said the image can carry malware – payload code, which can be executed if you have any of several existing Windows viruses on your system. Search perrun for an example.

    In this context it was said that you can safely keep your images after you’ve been hacked. My caution was that they may have been modified, so if you have your originals, you are better off resoring them because images are not 100% “safe”. It is not best-practice to retain anything after a hack if you have other options.

  8. The Ultimate Hacker Prevention Guide | SEO Scoop Says:

    [...] been attacked, it’s time for the cleanup process. Smackdown has a comprehensive post about cleaning your hacked WordPress blog, so I’ll just link to it here. Obviously, I hope you never have to use that post, but if you [...]

  9. Hypotheek Says:

    Just say “wush wush go away hacker!” and there they fly away :) No sorry, it is a pain in the ass, you should always have the last version and a managed server that is up to date, for my situation that would be sufficient. good luck! Aislin

  10. Michael VanDeMar Says:

    Actually, Hypotheek, one of the reasons they keep coming out with new versions is because the older ones have security holes in them. Just having the latest version is never a guarantee that it is safe. The most you can say is that having an older version is pretty much a guarantee that you are not safe.

  11. romeo aka ills Says:

    Great info, who knows it might be coming handy one day (hopefully not)

    Another way to prevent security loophole in WP or any other PHP based CMS is to tighten the security at the server level.

  12. fedmich Says:

    Thats great info. I’ll try to run those SQL in my wp sites now and check them.

    Thanks for the tips :)

  13. Kopen op Krediet Says:

    Good info. Does anyone have some great plugin or tool to backup your WP a little faster?

    Thanks, Kopen

  14. Jim in New Jersey Says:

    I have had to deal with four or five wp hacks in the past year, so this post helps alot. Sometimes I dont know where to start.

  15. Skogtrollet » Ukens deilige link: Hvor sikker er bloggen din egentlig? Says:

    [...] Har du allikevel vært så uheldig å få WordPress bloggen din hacket, så fins det råd. Her er en fin gjennomgang av hva du bør gjøre. [...]

  16. Viidar.net » Hjelp! WordPress-databasen min er hacket! Says:

    [...] vil være sikker på at du har fjernet alt som ikke skal være på bloggen din, kan du gå igjennom denne listen. Vil du vite hvordan en hacker jobber, er denne siden litt grei å lese, men dog veldig [...]

  17. Hypotheek Says:

    Great post! i had a lot of hackproblems the past couple of years so this would help me a lot.

  18. Cleaning Up Wordpress iframe Hack | Domain Name News | Domain News | Expired Domains Says:

    [...] LIKE ‘%noscript%’ UNION SELECT * FROM wp_posts WHERE post_content LIKE ‘%display:%’ (Thanks to Smackdown) 8. Download and install Secure plugin and Security scan plugin from [...]

  19. speelgoed Says:

    This is really good to mentione! Most of the times this advice is for many too late. Thank you for sharing. Greetz, Jasper

  20. Wordpress hacked, defaced og inficeret med en grim iframe » Netsans Says:

    [...] Også Smackdown har en glimrende artikel om emnet. [...]

  21. Matt Says:

    Wow, great reference article, worked great right away.

  22. Old WordPress Versions Under Attack « Lorelle on WordPress Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  23. WARNING: WordPress versi lama UNDER ATTACK | Belajar Blog WordPress Says:

    [...] Baca How To Completely Clean Your Hacked WordPress Installation oleh Smackdown [...]

  24. Oude WordPress installaties worden aangevallen : WordPress Dimensie Says:

    [...] SmackDown – How to Completely Clean Your Hacked WordPress Installation [...]

  25. Attacks on old versions of WordPress | Blog Mum | WordPress made easy Says:

    [...] If you've been hit with this already, then copying your posts and comments into a completely clean installation of WordPress seems to be the best way to deal with it. Simply upgrading now will most likely not deal with this (hackers know how WordPress upgrades work, and make the compromised files ones which are not over-written in an upgrade). Smackdown has more advice. [...]

  26. Gamla WordPress-versioner attackeras! | WP-Support Sverige Says:

    [...] innehåller dina inlägg, sidor, kommentarer och förhoppningsvis ingen hackad kod. Artikeln ”How To Completely Clean Your Hacked WordPress Installation” av Smackdown, är en bra artikel om hur du installerar WordPress efter att ha blivit hackad, [...]

  27. 10 day websites » WordPress Under Attack Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  28. spacefem Says:

    I’m going to do all this, thanks.

    But while preparing all this, I at least cleaned my unauthorized admins out of my db with a few queries: http://spacefem.livejournal.com/555475.html

  29. Wordpress Attacke – unbeding updaten! | Webdesign & Online Shops aus MV | Kai Köpke Blog & Portfolio Says:

    [...] Passwörter zu verwenden. Sollte es bereits zu spät sein, könnte dieser Artikel hilfreich sein: How to completely Clean Your Hacked Wordpress Installation Share this on del.icio.usDigg this!Stumble upon something good? Share it on StumbleUponShare this [...]

  30. Hidden Administrator Attack Hitting Outdated WordPress Sites | WPblogger Says:

    [...] my man Michael over at Smackdown has a great post on how to completely clean your WordPress installation if you’ve suffered an attack, however, with this particular attack you need to be sure that [...]

  31. Secure your WordPress Blog. Upgrade Now! | Swank Web Style Blog Says:

    [...] How To Completely Clean Your Hacked WordPress Installation [...]

  32. andy.edmonds.be › links for 2009-09-05 Says:

    [...] How To Completely Clean Your Hacked WordPress Installation | Smackdown! (tags: wordpress security hack restore) This was written by andy. Posted on Sunday, September 6, 2009, at 1:35 am. Filed under Delicious. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback. [...]

  33. Old WordPress Versions (prior to 2.8.4) Under Attack :: HTML Websites, Web Design, Splash Pages, Blog Headers, Wordpress Blogs, Blog Sites Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  34. WordPress is under attack! | PINOYTUTORIAL TECHTORIAL Says:

    [...] the “whole” database since the hack has gone deep into the WordPress DB. You can view, “How To Completely Clean Your Hacked WordPress Installation” by Smackdown for additional tips. It is a good article on how to reinstall WordPress after being [...]

  35. Self-hosted WordPress users need to upgrade to newest version immediately « So You Want To Be A Waiter Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  36. Has your WordPress been hacked? | Paul Maunders | Web log Says:

    [...] http://smackdown.blogsblogsblo.....s-instal... [...]

  37. Protecting Your WordPress Blog From Hackers, Crackers, and Jerks | I Like WordPress! Says:

    [...] start, review Michael VanDeMar’s post on How to Completely Clean Your Hacked WordPress Installation. Much good info [...]

  38. Problème de sécurité sur les anciennes versions de WordPress ! | WordPress Francophone Says:

    [...] Comment nettoyer complètement une installation WordPress contaminée [...]

  39. Franz's Blog > Attacco hacker a Wordpress. Soluzione per risolvere il problema di quel “base64_decode” e alcuni link utili. Says:

    [...] Smackdown [...]

  40. Wordpress angrepet av orm « Litt om web og sånt Says:

    [...] Da bør du ta en backup av alle bilder, videoer etc., så kjøre en eksport av brukerdata i XML-formatet til WordPress. Så innstallere WordPress på nytt. Så importere XML tilbake. Ja, dette var kortversjonen. Før du setter igang så anbefaler jeg deg å lese How To Completely Clean Your Hacked WordPress Installation. [...]

  41. Hypotheekrente vergelijken Says:

    Thanks for this great article. I’ve had to deal with three wordpress-hacks this year, so this post helps me a lot!

  42. Peggie Says:

    I have been hacked and just found out. I know it was my fault as I did not update because of problems my daughter had when she updated, and I felt like things were going fine for me so did not do it.

    I am sorry now, but also confused as to what to do. I am not as young as many of you, and so sometimes things scare me a bit!

    I exported my XML that wordpress makes for you as well as all my images, but now do not know what I should do. I also forget how to install wordpress from the beginning which is what I think I need to do now, wipe out all the old and then put in a new, right?

    Then, is it not safe to just import my old posts? I hate to lose everything, but do I need to start over and let the two or 3 years of posts get dumped?

    UGH, I am upset.

  43. TODAY » is tech Thursday. Says:

    [...] you have been hit, I feel for you. The fixes look aggravating. 2009 10 [...]

  44. Ryan Says:

    Hey

    My site just went down in a way that has never happened before. I was not working on it either plus I had done some major marketing. It was a strange coincidence that I had emailed someone who deals with security, just before it happened and obviously competitors may have done it.

    The site is http://www.csv2post.com now I was not too bothered to be honest its very new, not a lot of traffic but I’m dead certain it was a hack, even hosting thinks it was.

    Anyone good at hacking want to offer a fee to fix the issue or are these hacker plugins around working enough and giving enough security to not bother paying?

    Ryan

  45. doruman Says:

    Thank you Michael for all these useful details. Unfortunately, most of people become wise just after a hacker attack… The main rule remain a constantly backup of your databases.

    By upgrading your blog to the last version – and for the plugins also – it`s a way to keep away the common hackers attacks; but don`t forget, never you can`t be sure, this is the nature of the web and only with an early backup you keep in sure the most of your important dates.

  46. Gary Graye Says:

    I cant thank you enough for helping me rescue several of my wordpress sites that were hacked.

    Once again thanks

  47. September Upgrade Wordpress Due to Security Issues! | The Blogosaurus - PHP, Java, Wordpress, Joomla, Ubuntu Technology Blog Says:

    [...] http://smackdown.blogsblogsblo.....s-instal... http://codex.wordpress.org/FAQ_My_site_was_hacked http://www.journeyetc.com/2009.....-problems/ [...]

  48. Updating WordPress Tips and Tricks | Custom Design and Digital Art Says:

    [...] in a very specific way to avoid updating with the worm’s ‘backdoor’ in tact. “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care [...]

  49. Scott Morton Says:

    I have a photography blog at http://shoots.wedding-photography-melbourne.com.au – I have just recovered from a hack that went deep into the database. I had to export my posts as an xml file from the hacked Wordpress site and import that file into a new, freshly created database… Arrgh. New passwords, redownload of the plugins and template files – absolutely everything new and clean. The call across the board is to stay current with your Wordpress installation and you’ll have less chance of problems.

  50. Brian Thomas Clark | Damn Hackers Says:

    [...] Cleaning: http://smackdown.blogsblogsblo.....s-instal... September 24, 2009 – 10:55 am | By Brian Thomas Clark | Posted in General, Site News | [...]

  51. Lon Says:

    Before switching to 2.8.4, our site was compromised. The @*%$! spammers deployed two files to our system /wp-admin/fotter.php and /wp-admin/inclode.php (note the purposeful misspellings). These were encrypted files that were web-based backdoors. These were causing our theme footer to be overwritten nightly.

  52. Dabbled » Blog Archive » iframe Hack – A Warning for readers and other bloggers Says:

    [...] http://www.spam-whackers.com/b.....rame-hack/ http://smackdown.blogsblogsblo.....s-instal... [...]

  53. Wordpress: quelques notions de base concernant la sécurité | Descary.com Says:

    [...] Lorelle on WordPress: Old WordPress Versions Under Attack Smackdown: How To Completely Clean Your Hacked WordPress Installation Wordpress Blog: How to Keep WordPress [...]

  54. Mr Gray Says:

    Thanks very much for your help.

  55. Kfx Says:

    I found a Virus that links to try-your-destiny.cn that was hiding in the file wp-content\uploads\js.cache\tinymce_f299bb0eff6f5bf98754a5f09bd63ddf.gz !
    (eval(…) was hidden in that zip).

    Deleting all the Wordpress Content didn’t helped, as I kept the wp-config and my upload folder!

    So it is important to make step 2. as described above…

    Best regards
    Kfx

  56. Sorry for the Recent Downtime Says:

    [...] How To Completely Clear Your Hacked WordPress Installation Hardening WordPress Did Your WordPress Site Get Hacked? 20 WordPress Security Plugins (don’t [...]

  57. WordPress 2.8.4 ? ??????! @ Blog.Caspie.Net Says:

    [...] How To Completely Clean Your Hacked WordPress Installation – ??? ?? ???????? WordPress ?? ??????????? ???????? ?? ??????. ????? ?? ???????? ?? ????? ??????. ?????? ?? ????? ????, ????? ?? ?????… [...]

  58. willy Says:

    bad luck for me
    my site hacked
    i can’t open and redirect into another
    and i can’t log in into my cpanel too

  59. How I Found Out My Websites Have Been Hacked | South Gippsland Website Design Says:

    [...] How To Clean Up After A Hacker Attack [...]

  60. Symptoms of a Wordpress Hack @ danforys.com Says:

    [...] you think you’ve been hacked, I’ve spotted a couple of useful guides to dealing with the aftermath. Wordpress, php hack, php, security, [...]

  61. kristine Says:

    Mine was not hacked, but rather, the whole wp blog seems to have a lot of errors in it. Probably plugin incompatibility issues. Some plugins I was using before doesn’t seem to work anymore. And some features of the dashboard doesn’t work either, like it just shows a white, blank space in there, especially if I am installing themes, plugins.

    So I think I’d just clean up my whole root folder, reinstall wordpress and upload my backup database. what do you think? will that solve the issues surrounding plugins, themes etc?

  62. Blogging Tips: How To Secure Wordpress Blogs With Plug-ins Says:

    [...] Note: If your blog has been hacked, you might want to consider having a look at this blog post; How To Completely Clean Your Hacked WordPress Installation. [...]

  63. Michael VanDeMar Says:

    kristine, there is no way of knowing if that would fix it without knowing the errors or simply trying. It can’t hurt.

    The thing is, if you are having incompatibility issues with the plugins, and you just reinstall the same ones, then you will most likely have the same issues. If you’re not hacked, then what you might want to do is simply deactivate all of the plugins first, and then slowly turn them back on, one by one, checking for the errors you are getting each time. That will help you isolate what is causing the problem (assuming that it is in fact related to your plugins). You should also go to Wordpress and check each plugin’s compatibility (ie. which versions they are supposed to work with).

  64. Z. Roonie Says:

    Good info bro to share. Recently, I have just cleaned up my blog folder after backed up my database. All plugin were lost then need to install one by one. It’s so mess. Any plugins management that you can propose? TQ.

  65. Dr Net Says:

    Thank you so much for this post. My sites got hacked and I did not know what to do. I went through all your steps and was able to almost restore my site. The last think I needed to do was update my .htaccess file and when I did that I got back all my posts….WAHHOOOOOOOOOOOOO

    I have worked on one site for 3 years and had close to 600 posts on that site…I thought it was all gone. I literally worked on restoring this site for 12 hours today…and thanks to you and the steps above, I finally did it.

    Thank you again

    Sam

  66. luqmansaad Says:

    Hello,

    I need someone to help me explain this in more details and step by step. I’m completely newbie in this.

    Thanks for your time

  67. Nick Says:

    I will pay someone $250 to perform this as a service for me… Cleaning or getting rid of all of the bad coding and scripts on my blogs.

    It is unfortunate that hackers and virus creators do things like this to intentionally and maliciously destroy other peoples hard worked for content. These individuals are like the scum of the earth. Who sits around all day creating malicious codes and scripts just to mess with people?? It’s people like this that end up seriously HAUNTED at the end of their lives by all of the wrong doing that they have done throughout their life. People that intentionally harm or wrong do others are like satans little lovely beings. Heartless. Soulless. Friendless. Must be a wonderfull world they live in…

    There is a thing called benevolence, which holds the meaning of: possessing that in which an individual truly cares about the health and well being of other people. Not to sound “tree huggerish”. But seriously, come on, get a life and go do something significant rather than sitting in your cave all day and dying a slow, timely death. There is so much more to life than thinking that you are doing something cool by “being a hacker and ILLEGALLY getting into or intentionally destroying other peoples stuff”. Back in the old days you would have had the privilege of getting a bag put over your head with a noose around your neck and getting the stool kicked out from under you. It’s called “eye for eye”.

    My apologies to everyone that reads this that are searching out how to fix your blog. It is obviously meant for the little, no good, no life having, soulless human maggot out there that creates viruses, malicious scripts and hacks other peoples stuff. YOU SUCK BIG MOOSE C#&@!!

    Nick

  68. Jesse Says:

    1, Only use plugin from wordpress.org unless you feel confident about the security of third-party plugins.
    2, Use Secure WordPress plugin.
    3, Remove the wp version from php files of theme. If possible, directly use static javascript file location instead of invoking php function since wp will automatically add the version number at the tail.
    4, Have a nice neighbor on your hosting.

    Just my 2 cents hehe

  69. Adis Says:

    thank yu so much for the article, few days ago all of my sites got hacked. I was lucky it was not xss. Bad part is got a trojan from a hacked advertiser on a very reputable network, when it installed it compromised smart ftp. All index,home and .jv got a malicious script inserted after page code. Took me days to clean up, going one by one. I wish I came across your post earlier :-(

  70. Jeremy Says:

    urrrgh!!!! Looks like we got our blog hit too X(

    This was NOT on the schedule for today, but thanks for the layout of how to handle this hacked WP issue. It should go much smoother with this ;)

  71. Zac Says:

    Fantastic post. The SQL stuff saved me!

  72. Securitate sporita pentru WordPress | Cine Sunt ? Says:

    [...] how to completely clean your hacked wordpress [...]

  73. Good to be back! | John Arroyo Says:

    [...] http://smackdown.blogsblogsblo.....s-instal... [...]

  74. Don’t Think “If” You Will Get Hacked, Or Even “When” – Think In Terms Of “How Often” | Smackdown! Says:

    [...] following “guest post” was a comment left on “How To Completely Clean Your Wordpress Installation” by a gentleman named Daniel J. Dick. He makes some excellent points, and due to it’s [...]

  75. Stray Leftover Hacked Wordpress Database Entry: rzf.php | Smackdown! Says:

    [...] physically or virtually (I get a 404 trying to access it on the web), which makes sense since I did completely wipe and reinstall Wordpress several times last year. I also always check the wp_posts, wp_users, and wp_options (especially the [...]

Leave a Reply