How To Completely Clean Your Hacked WordPress Installation

Posted on June 24th, 2008 at 10:11 am by Michael VanDeMar under blogthropology, coding, how-to, On The Ball-ness, SEO, web design
Update 11/14/2012 – Please note: if you are currently hosting with either HostPapa or Netregistry and you are here because you were hacked then the following tutorial may not be sufficient. Please see this post for more details:Hosting with HostPapa or Netregistry and Hacked? Switch Hosts Now. (hacked by hacker)

WordPress hacker removal spray... use in a well ventilated area. Getting hacked sucks, plain and simple. It can affect your rankings, cause your readership to be exposed to virus and trojan attacks, make you an unwilling promoter to subject material you may not actually endorse, and in many cases cause the loss of valuable content. However, once it happens it is usually best to not procrastinate on the clean up process, since a speedy restore will most times minimize the damage that was caused.

While almost all sources will recommend that you upgrade your WordPress to the latest version, what the majority neglect to tell you is that in most cases simply doing so will not prevent the attackers from getting back in, even if there are no known exploits with the latest version. The hackers may have left a back door file hidden in a directory where it wouldn’t get overwritten with an upgrade, or inserted code into your theme, or simply created an account that they then granted admin privileges to. Any one of those would allow them back in, even after you patched what was wrong the first time. Therefore I am providing this step by step process on how to completely clean out and restore a WordPress installation that has been hacked.

1. Backup the site and the database.

Even a hacked copy of your blog still probably contains valuable information and files. You don’t want to lose this data if something goes wrong with the cleanup process. Worst case scenario you can just restore things back to their hacked state and start over.

2. Make a copy of any uploaded files, such as images, that are referenced.

Images are generally exempt from posing a security risk, and ones that you uploaded yourself (as opposed to ones included with a theme, for instance) will be harder to track down and replace after things are fixed again. Therefore it is usually a good idea to grab a copy of all the images in your upload folder so as to avoid broken images in posts later. If you have any non-image files that could potentially have been compromised, such as zip files, plugins, or php scripts that you were offering people, then it is a good idea to grab fresh copies of those from the original source.

3. Download a fresh version of WP, all of the plugins you need, and a clean template.

Using the WordPress automatic upgrade plugin does make it easier to upgrade every time a new version comes out. However, it only replaces WordPress specific files, and does not delete obsolete ones. It also leaves your current themes and plugins in place, as is. This means that if used to upgrade a blog that has already been compromised, it can very well leave the attackers a way back in. It is best to start over from scratch as far as the files portion of your installation goes. Note that if you use the EasyWP WordPress Installer script that I wrote it saves you from having to download, unzip, and then upload all of the core WordPress files, although you will still need to grab fresh copies of the themes and plugins that you want to use.

4. Delete all of the files and folders in the WP directory, either through FTP (slower) or through cPanel’s File Manager (faster).

Now that you have fresh copies of all the files you need, and copied all of your uploaded images, completely delete the entire directory structure your blog is in. This is the only surefire way to completely remove all possibly infected files. You can do this through FTP, but due to the way that FTP handles folder deletion (ie. it walks the directory structure, stores each and every file name that needs to be deleted, and then sends a delete command for each one), this can be slow and in some instances cause you to get disconnected due to flooding the server with FTP commands. If available it is much faster to do this through either cPanel’s File Manager, or via command line if you happen to have shell access.

5. Re-upload the new fresh copies you just grabbed.

This step should be self explanatory, but I would like to mention that if your FTP client supports it (I use FileZilla, which does) and your host allows it, then increasing the number of simultaneous connections you use to upload can greatly reduce your overall transfer time, especially on servers or ISP’s where latency is more of an issue than bandwidth. In FileZilla this setting is found by going to “Edit -> Settings -> File transfer settings”:

FileZilla settings panel

Also, if not using the EasyWP WordPress Installer script, don’t forget to edit and rename your wp-config.php file (when freshly unzipped this is named wp-config-sample.php).

6. Run the database upgrade (point your browser at /wp-admin/upgrade.php).

This will make any necessary changes to your database structure to support the newest version of WordPress.

7. Immediately change your admin password.

If you have more than one admin (meaning any user with editing capabilities), and cannot get the others to change their passwords right then, I would change their user levels until they can change their passwords as well. If there is anyone in your user list that has editing capabilities, and you do not recognize them, it’s probably best to just delete them altogether. If changing passwords is something you hate doing, then maybe my new memorable password generator can make that a little less stressful for you. :D

8. Go through the posts and repair any damage in the posts themselves.

Delete any links or iframes that were inserted, and restore any lost content. Google and Yahoo’s caches are often a good source of what used to be there if anything got overwritten. The following query run against the database can help you isolate which posts you want to look at:

SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'

If you did not change the default prefix for WordPress tables, than you can copy and paste that directly into a query window and run it, and it should pull up any posts that have been modified to hide content using any of the methods I have come across so far (iframes, noscript tags, and display:none style attributes). To get to a query window in cPanel, you would click on the MySQL® Databases icon, scroll to the bottom of the page, and then click on phpMyAdmin. Once the new window or tab opens, you would click on the database in the left hand side that your blog was in, and then in the right side at the top click on the SQL tab. Then just paste the query into the large text area and hit the Go button.

Note, however, that there may be other types of injected content that I haven’t seen yet, and that a manual inspection looking for the types of patterns that first alerted you to the fact that your blog was hacked is always a good idea.

UPDATE: 9. (still valid in 2014) If you are having issues cleaning the installation yourself

When I wrote this post back in 2008 I intended it to be a do it yourself guide for the non-techie. However, I do realize that some people would still rather a professional programmer perform many of the steps I outlined here. If anyone has had their WordPress installation hacked, and either is uncomfortable attempting to clean it on their own, or has tried to do so with no success, I am available on a case by case basis. Most cleanings can be performed in about one hour, two at the most. The time can vary depending on the size of the blog, the amount of customization to the original theme, and the number of plugins installed. Feel free to contact me here if you feel like you could benefit from my help. Please include the site and any details that you think might be relevant (pro theme, anything you may have tried on your own, etc.) in the contact form.

UPDATE #2: 10. A note on hosting.

This past year (2010) has seen multiple waves of attacks on people’s websites that happened not due to insecurities within the WordPress platform itself, as has historically been the issue, but rather due to vulnerabilities with the actual hosts. Some of the bigger names that were hit include GoDaddy, Rackspace Cloud, MediaTemple, and Network Solutions, for instance. It is very important that you use a host that is not only well versed in security, but one that is stable and has knowledgeable tech support as well.

My personal recommendation for shared hosting is Hostgator. It is where this blog and many other sites of mine are currently hosted. Yes, that is an aff. link, but I would recommend them even if it wasn’t. For a dedicated solution that is both affordable and robust I use The Planet, which is where I host Bad Neighborhood. Both companies are ones that I have been using for years without issues, and that I do recommend to my own clients when they find themselves dissatisfied with their current hosts. If you were hacked, and your WordPress was up to date when it happened, then a change of hosts is something you should consider looking into.

Enjoyed what you read here? Subscribe to my feed.

  You should follow me on Twitter!

Be Sociable, Share!

252 Responses to “How To Completely Clean Your Hacked WordPress Installation”

  1. Altaf Gilani Says:

    Very nice post bro, I hope you could have posted it lill before to help me out of this situation… lol

    Anyhow, I am sure it will be very helpful to some else who is stucked in such situation. Thanks for the useful post

  2. john andrews Says:

    Image files can be used to carry both hidden information and executable code (malware). While I agree the risk is not great, you should be careful about everything you port forward from a hacked installation to a new installation, including images. If you have pre-hack copies, certainly use those instead. Also, the existence of many images you did not put up yourself may be evidence of the intent of the hacker. Your site may have been intended to be used as a distribution point or hub… and you should ask your host to help make sure the new setup is protected against that sort of abuse.

  3. Michael VanDeMar Says:

    Actually, no, you cannot infect someone with a virus or other malware through an image. At worst a hacked blog might have their images defaced or destroyed, but that doesn’t actually pose a danger to the readers.

  4. Yair Bar-On Says:

    Excellent post. Definitely worth my Digg.
    There is one thing I would add to the list – use a vulnerability scanner on a regular basis.
    Spend $50 a month and have someone scan your site every day so you know when is the next time you are vulnerable. I just thought about how much this hack had cost me including downtime when I make no sales, loosing customers and reputation, and the cost of recovery, assuming I have an updated backup…
    It is definately helpful to know how to recover but it is more important to make sure you are not falling again.

  5. FreeSEOResources.com Says:

    Great post! Unfortunately most folks don’t heed the advice to prepare and backup until something happens to them. Just like backing up a hard drive. But once it happens, they realize how important it is and never forget. It’s good to have the peace of mind that you have a plan in place to deal with something like this when it happens. I recommend printing up the post and keeping it as a Standard Operating Procedure for dealing with the possibility of being hacked.
    Sounds like Atlaf just went through the same thing..I’m sure he’ll be prepared if it happens again thanks to your informative post. Keep up the good work! Enjoyable and informative blog on what can sometimes be a boring subject.

  6. Marc Says:

    You might be getting hundreds of “thank you”s by the end of the year with this post. Thanks for laying out everything step by step. I have dozens of people forward this post to :)

  7. john andrews Says:

    @Michael VanDeMar there have been malware vectors abusing images files since 2002, and stegonographic manipulations since before that.

    You misread me – I never said you would get a virus from the image. I said the image can carry malware – payload code, which can be executed if you have any of several existing Windows viruses on your system. Search perrun for an example.

    In this context it was said that you can safely keep your images after you’ve been hacked. My caution was that they may have been modified, so if you have your originals, you are better off resoring them because images are not 100% “safe”. It is not best-practice to retain anything after a hack if you have other options.

  8. The Ultimate Hacker Prevention Guide | SEO Scoop Says:

    [...] been attacked, it’s time for the cleanup process. Smackdown has a comprehensive post about cleaning your hacked WordPress blog, so I’ll just link to it here. Obviously, I hope you never have to use that post, but if you [...]

  9. Hypotheek Says:

    Just say “wush wush go away hacker!” and there they fly away :) No sorry, it is a pain in the ass, you should always have the last version and a managed server that is up to date, for my situation that would be sufficient. good luck! Aislin

  10. Michael VanDeMar Says:

    Actually, Hypotheek, one of the reasons they keep coming out with new versions is because the older ones have security holes in them. Just having the latest version is never a guarantee that it is safe. The most you can say is that having an older version is pretty much a guarantee that you are not safe.

  11. romeo aka ills Says:

    Great info, who knows it might be coming handy one day (hopefully not)

    Another way to prevent security loophole in WP or any other PHP based CMS is to tighten the security at the server level.

  12. fedmich Says:

    Thats great info. I’ll try to run those SQL in my wp sites now and check them.

    Thanks for the tips :)

  13. Kopen op Krediet Says:

    Good info. Does anyone have some great plugin or tool to backup your WP a little faster?

    Thanks, Kopen

  14. Jim in New Jersey Says:

    I have had to deal with four or five wp hacks in the past year, so this post helps alot. Sometimes I dont know where to start.

  15. Skogtrollet » Ukens deilige link: Hvor sikker er bloggen din egentlig? Says:

    [...] Har du allikevel vært så uheldig å få WordPress bloggen din hacket, så fins det råd. Her er en fin gjennomgang av hva du bør gjøre. [...]

  16. Viidar.net » Hjelp! WordPress-databasen min er hacket! Says:

    [...] vil være sikker på at du har fjernet alt som ikke skal være på bloggen din, kan du gå igjennom denne listen. Vil du vite hvordan en hacker jobber, er denne siden litt grei å lese, men dog veldig [...]

  17. Hypotheek Says:

    Great post! i had a lot of hackproblems the past couple of years so this would help me a lot.

  18. Cleaning Up Wordpress iframe Hack | Domain Name News | Domain News | Expired Domains Says:

    [...] LIKE ‘%noscript%’ UNION SELECT * FROM wp_posts WHERE post_content LIKE ‘%display:%’ (Thanks to Smackdown) 8. Download and install Secure plugin and Security scan plugin from [...]

  19. speelgoed Says:

    This is really good to mentione! Most of the times this advice is for many too late. Thank you for sharing. Greetz, Jasper

  20. Wordpress hacked, defaced og inficeret med en grim iframe » Netsans Says:

    [...] Også Smackdown har en glimrende artikel om emnet. [...]

  21. Matt Says:

    Wow, great reference article, worked great right away.

  22. Old WordPress Versions Under Attack « Lorelle on WordPress Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  23. WARNING: WordPress versi lama UNDER ATTACK | Belajar Blog WordPress Says:

    [...] Baca How To Completely Clean Your Hacked WordPress Installation oleh Smackdown [...]

  24. Oude WordPress installaties worden aangevallen : WordPress Dimensie Says:

    [...] SmackDown – How to Completely Clean Your Hacked WordPress Installation [...]

  25. Attacks on old versions of WordPress | Blog Mum | WordPress made easy Says:

    [...] If you've been hit with this already, then copying your posts and comments into a completely clean installation of WordPress seems to be the best way to deal with it. Simply upgrading now will most likely not deal with this (hackers know how WordPress upgrades work, and make the compromised files ones which are not over-written in an upgrade). Smackdown has more advice. [...]

  26. Gamla WordPress-versioner attackeras! | WP-Support Sverige Says:

    [...] innehåller dina inlägg, sidor, kommentarer och förhoppningsvis ingen hackad kod. Artikeln ”How To Completely Clean Your Hacked WordPress Installation” av Smackdown, är en bra artikel om hur du installerar WordPress efter att ha blivit hackad, [...]

  27. 10 day websites » WordPress Under Attack Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  28. spacefem Says:

    I’m going to do all this, thanks.

    But while preparing all this, I at least cleaned my unauthorized admins out of my db with a few queries: http://spacefem.livejournal.com/555475.html

  29. Wordpress Attacke – unbeding updaten! | Webdesign & Online Shops aus MV | Kai Köpke Blog & Portfolio Says:

    [...] Passwörter zu verwenden. Sollte es bereits zu spät sein, könnte dieser Artikel hilfreich sein: How to completely Clean Your Hacked WordPress Installation Share this on del.icio.usDigg this!Stumble upon something good? Share it on StumbleUponShare this [...]

  30. Hidden Administrator Attack Hitting Outdated WordPress Sites | WPblogger Says:

    [...] my man Michael over at Smackdown has a great post on how to completely clean your WordPress installation if you’ve suffered an attack, however, with this particular attack you need to be sure that [...]

  31. Secure your WordPress Blog. Upgrade Now! | Swank Web Style Blog Says:

    [...] How To Completely Clean Your Hacked WordPress Installation [...]

  32. andy.edmonds.be › links for 2009-09-05 Says:

    [...] How To Completely Clean Your Hacked WordPress Installation | Smackdown! (tags: wordpress security hack restore) This was written by andy. Posted on Sunday, September 6, 2009, at 1:35 am. Filed under Delicious. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback. [...]

  33. Old WordPress Versions (prior to 2.8.4) Under Attack :: HTML Websites, Web Design, Splash Pages, Blog Headers, Wordpress Blogs, Blog Sites Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  34. WordPress is under attack! | PINOYTUTORIAL TECHTORIAL Says:

    [...] the “whole” database since the hack has gone deep into the WordPress DB. You can view, “How To Completely Clean Your Hacked WordPress Installation” by Smackdown for additional tips. It is a good article on how to reinstall WordPress after being [...]

  35. Self-hosted WordPress users need to upgrade to newest version immediately « So You Want To Be A Waiter Says:

    [...] “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database. [...]

  36. Has your WordPress been hacked? | Paul Maunders | Web log Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  37. Protecting Your WordPress Blog From Hackers, Crackers, and Jerks | I Like WordPress! Says:

    [...] start, review Michael VanDeMar’s post on How to Completely Clean Your Hacked WordPress Installation. Much good info [...]

  38. Problème de sécurité sur les anciennes versions de WordPress ! | WordPress Francophone Says:

    [...] Comment nettoyer complètement une installation WordPress contaminée [...]

  39. Franz's Blog > Attacco hacker a Wordpress. Soluzione per risolvere il problema di quel “base64_decode” e alcuni link utili. Says:

    [...] Smackdown [...]

  40. Wordpress angrepet av orm « Litt om web og sånt Says:

    [...] Da bør du ta en backup av alle bilder, videoer etc., så kjøre en eksport av brukerdata i XML-formatet til WordPress. Så innstallere WordPress på nytt. Så importere XML tilbake. Ja, dette var kortversjonen. Før du setter igang så anbefaler jeg deg å lese How To Completely Clean Your Hacked WordPress Installation. [...]

  41. Hypotheekrente vergelijken Says:

    Thanks for this great article. I’ve had to deal with three wordpress-hacks this year, so this post helps me a lot!

  42. Peggie Says:

    I have been hacked and just found out. I know it was my fault as I did not update because of problems my daughter had when she updated, and I felt like things were going fine for me so did not do it.

    I am sorry now, but also confused as to what to do. I am not as young as many of you, and so sometimes things scare me a bit!

    I exported my XML that wordpress makes for you as well as all my images, but now do not know what I should do. I also forget how to install wordpress from the beginning which is what I think I need to do now, wipe out all the old and then put in a new, right?

    Then, is it not safe to just import my old posts? I hate to lose everything, but do I need to start over and let the two or 3 years of posts get dumped?

    UGH, I am upset.

  43. TODAY » is tech Thursday. Says:

    [...] you have been hit, I feel for you. The fixes look aggravating. 2009 10 [...]

  44. Ryan Says:

    Hey

    My site just went down in a way that has never happened before. I was not working on it either plus I had done some major marketing. It was a strange coincidence that I had emailed someone who deals with security, just before it happened and obviously competitors may have done it.

    The site is http://www.csv2post.com now I was not too bothered to be honest its very new, not a lot of traffic but I’m dead certain it was a hack, even hosting thinks it was.

    Anyone good at hacking want to offer a fee to fix the issue or are these hacker plugins around working enough and giving enough security to not bother paying?

    Ryan

  45. doruman Says:

    Thank you Michael for all these useful details. Unfortunately, most of people become wise just after a hacker attack… The main rule remain a constantly backup of your databases.

    By upgrading your blog to the last version – and for the plugins also – it`s a way to keep away the common hackers attacks; but don`t forget, never you can`t be sure, this is the nature of the web and only with an early backup you keep in sure the most of your important dates.

  46. Gary Graye Says:

    I cant thank you enough for helping me rescue several of my wordpress sites that were hacked.

    Once again thanks

  47. September Upgrade Wordpress Due to Security Issues! | The Blogosaurus - PHP, Java, Wordpress, Joomla, Ubuntu Technology Blog Says:

    [...] http://smackdown.blogsblogsblo.....ess-instalhttp://codex.wordpress.org/FAQ_My_site_was_hacked http://www.journeyetc.com/2009.....-problems/ [...]

  48. Updating WordPress Tips and Tricks | Custom Design and Digital Art Says:

    [...] in a very specific way to avoid updating with the worm’s ‘backdoor’ in tact. “How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care [...]

  49. Scott Morton Says:

    I have a photography blog at http://shoots.wedding-photography-melbourne.com.au – I have just recovered from a hack that went deep into the database. I had to export my posts as an xml file from the hacked WordPress site and import that file into a new, freshly created database… Arrgh. New passwords, redownload of the plugins and template files – absolutely everything new and clean. The call across the board is to stay current with your WordPress installation and you’ll have less chance of problems.

  50. Brian Thomas Clark | Damn Hackers Says:

    [...] Cleaning: http://smackdown.blogsblogsblo.....ess-instal… September 24, 2009 – 10:55 am | By Brian Thomas Clark | Posted in General, Site News | [...]

  51. Lon Says:

    Before switching to 2.8.4, our site was compromised. The @*%$! spammers deployed two files to our system /wp-admin/fotter.php and /wp-admin/inclode.php (note the purposeful misspellings). These were encrypted files that were web-based backdoors. These were causing our theme footer to be overwritten nightly.

  52. Dabbled » Blog Archive » iframe Hack – A Warning for readers and other bloggers Says:

    [...] http://www.spam-whackers.com/b.....rame-hack/ http://smackdown.blogsblogsblo.....ess-instal… [...]

  53. Wordpress: quelques notions de base concernant la sécurité | Descary.com Says:

    [...] Lorelle on WordPress: Old WordPress Versions Under Attack Smackdown: How To Completely Clean Your Hacked WordPress Installation WordPress Blog: How to Keep WordPress [...]

  54. Mr Gray Says:

    Thanks very much for your help.

  55. Kfx Says:

    I found a Virus that links to try-your-destiny.cn that was hiding in the file wp-content\uploads\js.cache\tinymce_f299bb0eff6f5bf98754a5f09bd63ddf.gz !
    (eval(…) was hidden in that zip).

    Deleting all the WordPress Content didn’t helped, as I kept the wp-config and my upload folder!

    So it is important to make step 2. as described above…

    Best regards
    Kfx

  56. Sorry for the Recent Downtime Says:

    [...] How To Completely Clear Your Hacked WordPress Installation Hardening WordPress Did Your WordPress Site Get Hacked? 20 WordPress Security Plugins (don’t [...]

  57. WordPress 2.8.4 ? ??????! @ Blog.Caspie.Net Says:

    [...] How To Completely Clean Your Hacked WordPress Installation – ??? ?? ???????? WordPress ?? ??????????? ???????? ?? ??????. ????? ?? ???????? ?? ????? ??????. ?????? ?? ????? ????, ????? ?? ?????… [...]

  58. willy Says:

    bad luck for me
    my site hacked
    i can’t open and redirect into another
    and i can’t log in into my cpanel too

  59. How I Found Out My Websites Have Been Hacked | South Gippsland Website Design Says:

    [...] How To Clean Up After A Hacker Attack [...]

  60. Symptoms of a Wordpress Hack @ danforys.com Says:

    [...] you think you’ve been hacked, I’ve spotted a couple of useful guides to dealing with the aftermath. WordPress, php hack, php, security, [...]

  61. kristine Says:

    Mine was not hacked, but rather, the whole wp blog seems to have a lot of errors in it. Probably plugin incompatibility issues. Some plugins I was using before doesn’t seem to work anymore. And some features of the dashboard doesn’t work either, like it just shows a white, blank space in there, especially if I am installing themes, plugins.

    So I think I’d just clean up my whole root folder, reinstall wordpress and upload my backup database. what do you think? will that solve the issues surrounding plugins, themes etc?

  62. Blogging Tips: How To Secure Wordpress Blogs With Plug-ins Says:

    [...] Note: If your blog has been hacked, you might want to consider having a look at this blog post; How To Completely Clean Your Hacked WordPress Installation. [...]

  63. Michael VanDeMar Says:

    kristine, there is no way of knowing if that would fix it without knowing the errors or simply trying. It can’t hurt.

    The thing is, if you are having incompatibility issues with the plugins, and you just reinstall the same ones, then you will most likely have the same issues. If you’re not hacked, then what you might want to do is simply deactivate all of the plugins first, and then slowly turn them back on, one by one, checking for the errors you are getting each time. That will help you isolate what is causing the problem (assuming that it is in fact related to your plugins). You should also go to WordPress and check each plugin’s compatibility (ie. which versions they are supposed to work with).

  64. Z. Roonie Says:

    Good info bro to share. Recently, I have just cleaned up my blog folder after backed up my database. All plugin were lost then need to install one by one. It’s so mess. Any plugins management that you can propose? TQ.

  65. Dr Net Says:

    Thank you so much for this post. My sites got hacked and I did not know what to do. I went through all your steps and was able to almost restore my site. The last think I needed to do was update my .htaccess file and when I did that I got back all my posts….WAHHOOOOOOOOOOOOO

    I have worked on one site for 3 years and had close to 600 posts on that site…I thought it was all gone. I literally worked on restoring this site for 12 hours today…and thanks to you and the steps above, I finally did it.

    Thank you again

    Sam

  66. luqmansaad Says:

    Hello,

    I need someone to help me explain this in more details and step by step. I’m completely newbie in this.

    Thanks for your time

  67. Nick Says:

    I will pay someone $250 to perform this as a service for me… Cleaning or getting rid of all of the bad coding and scripts on my blogs.

    It is unfortunate that hackers and virus creators do things like this to intentionally and maliciously destroy other peoples hard worked for content. These individuals are like the scum of the earth. Who sits around all day creating malicious codes and scripts just to mess with people?? It’s people like this that end up seriously HAUNTED at the end of their lives by all of the wrong doing that they have done throughout their life. People that intentionally harm or wrong do others are like satans little lovely beings. Heartless. Soulless. Friendless. Must be a wonderfull world they live in…

    There is a thing called benevolence, which holds the meaning of: possessing that in which an individual truly cares about the health and well being of other people. Not to sound “tree huggerish”. But seriously, come on, get a life and go do something significant rather than sitting in your cave all day and dying a slow, timely death. There is so much more to life than thinking that you are doing something cool by “being a hacker and ILLEGALLY getting into or intentionally destroying other peoples stuff”. Back in the old days you would have had the privilege of getting a bag put over your head with a noose around your neck and getting the stool kicked out from under you. It’s called “eye for eye”.

    My apologies to everyone that reads this that are searching out how to fix your blog. It is obviously meant for the little, no good, no life having, soulless human maggot out there that creates viruses, malicious scripts and hacks other peoples stuff. YOU SUCK BIG MOOSE C#&@!!

    Nick

  68. Jesse Says:

    1, Only use plugin from wordpress.org unless you feel confident about the security of third-party plugins.
    2, Use Secure WordPress plugin.
    3, Remove the wp version from php files of theme. If possible, directly use static javascript file location instead of invoking php function since wp will automatically add the version number at the tail.
    4, Have a nice neighbor on your hosting.

    Just my 2 cents hehe

  69. Adis Says:

    thank yu so much for the article, few days ago all of my sites got hacked. I was lucky it was not xss. Bad part is got a trojan from a hacked advertiser on a very reputable network, when it installed it compromised smart ftp. All index,home and .jv got a malicious script inserted after page code. Took me days to clean up, going one by one. I wish I came across your post earlier :-(

  70. Jeremy Says:

    urrrgh!!!! Looks like we got our blog hit too X(

    This was NOT on the schedule for today, but thanks for the layout of how to handle this hacked WP issue. It should go much smoother with this ;)

  71. Zac Says:

    Fantastic post. The SQL stuff saved me!

  72. Securitate sporita pentru WordPress | Cine Sunt ? Says:

    [...] how to completely clean your hacked wordpress [...]

  73. Good to be back! | John Arroyo Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  74. Don’t Think “If” You Will Get Hacked, Or Even “When” – Think In Terms Of “How Often” | Smackdown! Says:

    [...] following “guest post” was a comment left on “How To Completely Clean Your WordPress Installation” by a gentleman named Daniel J. Dick. He makes some excellent points, and due to it’s [...]

  75. Stray Leftover Hacked Wordpress Database Entry: rzf.php | Smackdown! Says:

    [...] physically or virtually (I get a 404 trying to access it on the web), which makes sense since I did completely wipe and reinstall WordPress several times last year. I also always check the wp_posts, wp_users, and wp_options (especially the [...]

  76. Hardening WordPress | erictopia.com Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  77. Wordpress Hacked, Recover hacked Wordpress blog and Prevent Wordpress Hacking Says:

    [...] Another good resource that helps you with steps to do when your blog gets hacked. [...]

  78. Spaarhypotheek Says:

    Thank you for this great post. I am going to make some backups today of my wordpress based websites. A friend’s website has been hacked recently. It was very hard for me to get his site online again. Thanks again for your post, it really helped me.

  79. Serene Falcon » The Most Important Truth You Will Ever Know Says:

    [...] Still, however unlikely, the Internal Security Division of Serene Falcon had to look for any evidence of hacking; which was not found: to the easily awestruck ‘hacking’ appears like some rough magic by which the threatening deliver some arcane spell at a site like a videogame wizard easily manipulating all though a mysterious and unnameable exploit which vanishes when suspected. In prosaic real life traces are always left, and for php even the powerful c99madshell needs to have been uploaded via FTP or through allowed uploads for the attacker to work; simply doing a date search for the most recent files will show if any of those was compromised… Should one find evidence in WordPress, there are the options of looking for backdoors and eliminating them or cleaning the install. [...]

  80. ANEW. « looking post Says:

    [...] and alone, in the flaming pits of the Internets. But hopefully you’ll never have to use them. How To Completely Clean Your Hacked WordPress Installation The title doesn’t lie.  It really works. And its easy to follow, if you’re a newb like [...]

  81. Robert Says:

    I am having issues with the header php being modified. A script and a ton of BS links to various sites. I’m fairly familiar with all the steps you describe but I’m really uncomfortable with doing it. I got a lot of data stored and I’m sharing the server with several other people. Any way you can help a fellow blogger out?

  82. Attacco siti wordpress con exploit sconosciuto | nexnova.net Says:

    [...] – http://codex.wordpress.org/FAQ_My_site_was_hacked; – http://smackdown.blogsblogsblo.....ess-instal…; – [...]

  83. How To Secure Wordpress Blogs - Prevent Hacking of Wordpress Blog | JR's Internet Marketing Strategies Says:

    [...] The best and complete step-by-step guide on how to clean a hacked blog [...]

  84. What to do when you got hacked? • Secure Wordpress Says:

    [...] How to clean your hacked install and Removing malware from a WordPress blog which explain in details some steps you might need to [...]

  85. juan Says:

    Hey thank you so much, This post should be on the wordpress official site.thank you again

  86. Arcane Palette Creative Design » Blog Archive » Keeping your website safe :: creative web design Says:

    [...] FAQ: My site was hacked How to completely clean your hacked WordPress installation [...]

  87. jazzsequence :: arcane palette :: Keeping your website safe Says:

    [...] FAQ: My site was hacked How to completely clean your hacked WordPress installation [...]

  88. Trading Says:

    Thanks a lot for this post! Now my wordpress site is online! ;)

  89. Hosting With GoDaddy? Might Want To Rethink That Decision. | Smackdown! Says:

    [...] and infections, mostly for those who might not have the time or technical expertise to follow my hacked WordPress cleaning guide. Therefore when something happens that increases the number of people getting hacked, such as when [...]

  90. Vladimir Says:

    I found a better, faster and easier way to fix your holasionweb issue, just read it here at tintation.com

  91. Michael VanDeMar Says:

    @Vladimir – while scripts like that can speed the process up and do make some things easier, they are very specialized, therefore only catching certain hacks and no variations, and in no way replace prevention.

  92. Google Cloaking Hack Targeting WordPress & How to Fix It | WPblogger Says:

    [...] help fixing it, I would highly recommend talking to  Michael VanDeMar. He’s written a great guide to cleaning up WordPress hacks and offers a cleaning service if you’d rather not do the work yourself.  Contact him here [...]

  93. Mike Says:

    Great info how to quickly get your site backup. I would love to know more info how to prevent it in the first place. Putting up a new site and not fixing what caused the problem will recreate the situation all over again.

  94. My Bloggy Is A-Okay Now – Take That Malware Hackers! | Says:

    [...] If you’ve been affected click here on how to remove the hack [...]

  95. Antoony Says:

    As long as I do blogwalking, I have read a lot about preventing to be hacked by upgrading WP to the latest /newest versions. After reading your article above, I realized that my knowledge is very little. I think by ugrading WP to the latest /newest versions and use the plugins from wordpress.org is enough to prevent to be hacked. Apparently there are still many holes for hackers such as through hidden files in a directory and inserted the code into a theme. I never thought of this before. Thank you for this valuable content.

  96. Fadzuli Says:

    I wish I had found your blog earlier. Gosh took me a week to figure out the Malware problems on my sites. In my case PHP files were re-written.

    I did fresh installations initially however I forgot that the scripts were also written in the plugins. After reloading back the data to my server it end up infected again.

    So to safe guard some of the scripts (not delete them away), I did what you did, backed up everything, deleted all the files even those outside public_html.

    Ran through my antivirus software for the back up data and did a Find & Replace code using Dreamweaver for the malicious scripts.

    And finally when I reinstalled wordpress and the plugins back, it is fine now.

    But it really took a long time.

    Thank you again for the valuable info. Hope my sharing will benefit others too. :)

  97. Wordpress Hacking, Matt Mullenweg, And Some Screwed Up Priorities | Smackdown! Says:

    [...] sites as well, but since often times the way people find me is through the guide I wrote on how to fix WordPress after you’ve been hacked it turns out that’s what they need me to do for them a fair [...]

  98. Ajutor, blogul meu a fost h?cuit! | WP Tuts Says:

    [...] How To Completely Clean Your Hacked WordPress Installation [...]

  99. Rackspace Hacked Clients, Check Your Databases: Wordpress “wp_optimize” Backdoor In wp_options Table | Smackdown! Says:

    [...] easy way to check for these types of suspicious entries in a hacked WordPress database is to run the following MySQL query: 1 SELECT * FROM wp_options WHERE (option_id LIKE [...]

  100. Jamey Stamos Says:

    Had one of my blogs hacked into a few days ago. They didn’t appear to do anything except change the administrator name, email address and password so I thought changing that back would be enough. Didn’t realize that they might do stuff like add files or codes that would allow them back in… Thanks for that information.

    I’ll be doing a thorough cleaning of my blog. Sounds like its going to take me a whole day and cause a lot of headaches, though!

  101. John Luan Says:

    Michael, can you tell us what directory permissions you recommend for a working WordPress install? I.e. I find that people say you should not have any writable directories – but if you do that, image upload doesn’t work, etc.

    In your opinion, what is the best permissions for a WP install?

  102. Daniel Says:

    Ultimate post. These points are really important and thanks for this because I am sure a small mistake will be the main cause of any kind of loss

  103. You Got Rid of the Virus But Did You Stop The Hackers? | Catherine Lawson Says:

    [...] – 30 Ways To Secure Your Blog From Attack Anyone Can Do Old WordPress Versions Under Attack How To Completely Clean Your Hacked WordPress Installation Did Your WordPress Site Get [...]

  104. Step #12 Admit That You Are A Moron! | NESW Sports, Sports Videos Says:

    [...] did a little more research, and came across this blog cleaning post, by Michael VanDeMar (michael-at-endlesspoetry.com). He gave all of the tips on how to clean your [...]

  105. Lisa Says:

    This definately Works. I though everything was gone when my provider turned me off.

  106. Melanie Says:

    Lisa check these guys out for http://www.dotcomcatcher.com they have wordpress hosting or actually get a hosting account and install wordpress from there value application section takes about 5 min.

  107. Thomas Geraets Says:

    Being hacked is a violation – Great solution you post here.

    Thanks
    Thomas Geraets

  108. Adonis Ramich Says:

    oh, we had mysql injection attack, luckily it only edited index,main,home and ,js files. Took three of us 4 days to clean and another two reinspect, wish would have come across your post earlier, :-), thanks though now we know there is better way.

  109. Handy Backup Says:

    Thanks for this great article. I’ve had to deal with three wordpress-hacks this year, so this post helps me a lot!

  110. Web design Brisbane Adriana Says:

    Thanks for the post!! This is just what I was looking for. It happened to me last week. I will try this step by step. It makes me a little nervious, because my Data Base is full and I am afraid of loosing the information…

  111. Pete Radlett Says:

    Getting hacked is a far too common occurence so this is a great article and very timely

  112. True Up | All Fabric, All the Time » Blog Archive » Hacked! Says:

    [...] Forum Thread on the Pharma Hack Understanding and Cleaning the Pharma Hack on WordPress on Sucuri How to Completely Clean a Hacked WordPress Installation Top 5 WordPress Security Tips You Most Likely Don’t [...]

  113. Edwin Boiten Says:

    It’s really a pain in the …. Been hacked several times last week. This joker somehow got access thru ftp because of a trojan and added a few lines of javascript to every index.php file it could find and any javascript file. So each and every template file was infected as was the index.php file in the root.

  114. DonnellDesign Blog Says:

    [...] Howo to clean your hacked WordPress installation [...]

  115. JG Says:

    After I upload the new WP 3.01 and go to the upgrade link to fix the directory access I get this:

    Error establishing a database connection

    This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at localhost. This could mean your host’s database server is down.

    * Are you sure you have the correct username and password?
    * Are you sure that you have typed the correct hostname?
    * Are you sure that the database server is running?

    If you’re unsure what these terms mean you should probably contact your host. If you still need help you can always visit the WordPress Support Forums.

  116. JG Says:

    is there a bad bot trap you’d recommend?

  117. Anna d Tent Says:

    Thank you for the post. At the moment we are starting to use word press, I heard is better for search engine, and easier to use… I dont know about the search engine part, but It is definitively easier than joomla! Only for that reason is worth it, but we need to restore the information (not for hack uses) Thanks God there are people like you that take some time to share these type of information! Other wise I would be in trouble! :)

  118. jalagamkalyan Says:

    I have started my blog with wordpress. very useful post for the beginners like me.
    Thanks once again

  119. Aftermath of a WordPress Hack: It Hurt Says:

    [...] “How to Completely Clean Your WordPress Installation” by Michael VanDeMar on Smackdown! [...]

  120. dini sohbet Says:

    Thanks for the post!! This is just what I was looking for. It happened to me last week.

  121. dinisohbet Says:

    I would love to know more info how to prevent it in the first place

  122. Michael VanDeMar Says:

    @dini – currently staying up to date with WordPress itself and having a stable, knowledgeable host seem to be the best preventative. The problem is that a new exploit might always get included in a future version, or some new way to hack the hosts themselves discovered. There really is no way to know you are 100% safe.

  123. Moruf Surakat Says:

    Thank you so much for this great post. This will save me lots of assle and funds instead of having to look for our=tsourcing options to sort the problem out when it arises. Once again thanks.

  124. Gavin | Marquees Says:

    Nothing worse than a hacked WordPress installation… I remember it happened to Chris Pearson once, he got Viagra Spammed in his site links lol.

    Thanks for the step by step instructions

  125. tatay ash Says:

    My WordPress site was hacked. I only changed the theme and it’s working now…

  126. Michael VanDeMar Says:

    tatay – Often times the part of the hack that causes the symptoms is found either in the theme, or in a combination of code in the theme and entries in the database, and changing the theme can indeed make those symptoms go away. The problem is that in the majority of the cases the hackers will just come back again through back doors that are located elsewhere in your installation, back doors that they inserted into your site when they hacked it the first time. Hopefully this is not the case with your site, but if you do get hacked again then you will want to keep this in mind. Good luck.

  127. tatay ash Says:

    OMG! thanks for the info Michael. Hope the hacker will not come back.

  128. Enriched Says:

    Great info how to quickly get your site backup. I would love to know more info how to prevent it in the first place. Putting up a new site and not fixing what caused the problem will recreate the situation all over again.

  129. Welcome to vSphere-land! » The vLaunchpad - hacked! Says:

    [...] How To Completely Clean Your Hacked WordPress Installation [...]

  130. Securing Wordpress on a shared host » Do Not Exec! Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  131. sTyLo Says:

    Yeah very nice information but it is only basic information. A hacker played with my database. Even if i export all post using export function still i m getting the error in new installation…

  132. Michael VanDeMar Says:

    @stylo – Most times the database is messed with. No clue which “the error” you are referring to though.

  133. ReadnDownload Says:

    Hi, I just got hacked few hours ago. They completely change my main page and when I try to login using my Admin ID, password no longer accepted. I manage to go to my Control Panel and restore my backup. Very lucky it works. At the point of getting hack, I’m using version 2.8 +.

  134. Michael VanDeMar Says:

    Odds are that you got hacked before a few hours ago and you only just now started to show symptoms. Simply restoring from a backup might not be enough, which is what this whole post is about. Either way, even if the backup is clean if you don’t upgrade you will simply get hacked again. WordPress 2.8 is not secure.

  135. Spaarhypotheek Says:

    Personally I think a complete fresh install is the only solution. You’ll never know what files might be infected.

  136. Timothy Says:

    Michael, I was wondering, If your site is hacked and you restore it from a backup. You still don’t fix the exploit the hacker used right? How do I prevent the hacker from using the same method?

    Thanks!

  137. Michael VanDeMar Says:

    @Timothy – well, that’s what this post is about… not restoring from a backup but reinstalling altogether.

  138. A Cold Day in Hell | Christopher Bennett's Weblog Says:

    [...] worth reading through and acting on, as it goes into more depth than this page. You can also read How to clean your hacked install and Removing malware from a WordPress blog which explain in details some steps you might need to [...]

  139. nilantha Says:

    chek my web site

  140. Michael VanDeMar Says:

    You are right, according to Google you are definitely hacked. Your site does not appear to be WordPress, however, so this article really wouldn’t help you much. I am not sure what exactly it was you were hit with, but you should hire a programmer to go clean it up for you.

  141. Aidha Says:

    Hai….my site has been hacked. I already install with new fress wordpress. But why the hacking website still appear on my website?? and another website I had, I already install with new one, but now there is a problem with the wordpress I think. Because the wordpress themes didn’t appear completely. I try to install with another template, unfortunately the template doesn’t look the same. How can this be happen? Please help me…I’m nearly desperate with this one. thanks

  142. How to protect your blog from viruses, backdoor Trojans and other nasty stuff — NevilleHobson.com Says:

    [...] around the web produced lots of helpful posts recounting the experiences of others who have addressed similar issues as mine, all of which were very useful in the actions I took to [...]

  143. Sandy Brisbane Says:

    The people who hack into peoples online businesses and do this sh*t need to get a better hobby.

  144. Orth Otic Says:

    Great info on how to get your site back working quickly. More info how to prevent it in the first place would be appreciated. Putting up a new site would be a major poin in the freckle.

  145. What to do when your wordpress site has been hacked? | FusionPeach Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  146. Reference for reinstalling a clean WP site | Apathetic Moon Says:

    [...] referring to How To Completely Clean Your Hacked WordPress Installation and several articles in the WordPress’s Codex regarding installing, restoring and migrating [...]

  147. Update your Wordpress or get hacked (apparently) | Age and Annie's Ramblings Says:

    [...] I found this rather helpful article on Smackdown entitled “How To Completely Clean Your Hacked WordPress Installation” which is packed full of good stuff to help fix your hacked blog, written in a handy [...]

  148. Travel Blogger Says:

    I got hit last year in the mass Godaddy hack. I have two accounts there, one on a shared server and one on a private IP. The shared one got hacked, which meant I had to do this cleansing process to about a dozen sites :(

  149. Debbie Ashmore Says:

    Arrghh. They got me this weekend. This looks like just the thing I need. A bit beyond me but my friend is going to walk me through it. Thanks for posting it – I appreciate your efforts. Cheers Debs

  150. Daniel King Says:

    I dont wish it to anybody since I have experienced it myself but that was a neglected error. If I was keeping my plugins up to date that would never happen.

  151. hanipah2001 Says:

    nice post,I experienced the same with my blog

  152. picks from the past: alice r. ballard {and an update} | Daily Art Muse Says:

    [...] VanDeMar to the rescue! VanDeMar is the programmer who wrote this very thorough post about how to clean a hacked site. I had been struggling for more than 12 hours trying to fix things [...]

  153. Kate H Says:

    Our company has several sites down right now so reports are flying and i’ve sent this blog to the boss..

  154. Mohammed Says:

    My wp site was hacked first time but I have cleared it and uploaded freshly again it was hacked after a day and have no clue how to recover my site. I am using latest version 3.1 but no security in my site. How can I stop these BS hackers?

  155. Simon Winter Says:

    This post definately saved my ass!!
    I had recovered my blog which was hacked by this filezilla trojan (on my PC).

    Thanks again!!

  156. Jeremy Fox Says:

    Amazing work man, I can’t believe it’s this easy- I was spending weeks trying to test my server for hacked files but that’s a nightmare- this eliminates hours of hell and the feeling of “clean” afterwards is much better htan “I hope it’s clean”

  157. Carla Says:

    Yaeh, Im in the same hot sauce,got hacked ok was cool with it got hacked again. This time it too me sometime to find out that the infection was in the wp-content/themes folder. So now I am ready to reinstall…grrr!!!!

  158. Bleepity Bleep Booop | hummingcrow: one squall voice Says:

    [...] been following guidance from Smackdown on cleaning up the hack. Next up will be Hardening WordPress. But between bouts of this unpleasant [...]

  159. Site hacked by Hackerler Vurur Lamerler Surunur!! What to do | BlueJProjects Websites that Work Says:

    [...] recommended in the wordpress.org FAQ on recovering from being hacked to help you do this: Reading How To Completely Clean Hour Hacked WordPress Installation byMichael [...]

  160. Hackers are the Asses of Evil - Blogging4Jobs HR, Recruiter, Social Media, Job Search Blogging4Jobs Says:

    [...] DIY Solution.  While I’m not a programmer or a coder, here’s a good how to for those do it yourselfers who want to remove the malware, phishing, and close the exploit from Smackdown. [...]

  161. Mady Says:

    Hi Mike -
    I know this post is an old one but want to find out if you could help me with this. I am using RPC protocol to publish posts on to my word press site from a small program that we built. I want to set permalink from my program thru RPC protocol. Is it possible? Can you please guide me in this regard? Thank you -Mady.

  162. Michael VanDeMar Says:

    Mady, honestly I would have to investigate further to see what would be involved. Hit me up through my contact form if you would like to discuss it further.

  163. Juice Says:

    Hi there, and thank you for this post. I was hacked today, and after working with my web host all day, they think only my wordpress password was hacked. I did delete the users and blog posts added by the hackers added to blog, but I am not comfortable just thinking everything will be ok now. I think my best course of action is going to be to completely re-install WordPress all the plug ins and my theme. My question is two-fold:

    1. If I use WP Import after the new reinstall to “import” the files I backed up today, do I risk re-infecting my site? Can the hackers have inserted malicious code there? and

    2. In your step No. 4- delete all files in the WP Directory. Can you be more specific, or clarify “WP directory” for us idiots? Suppose I use the “FTP” method, do I just delete every single file and folder under “mysiteurl.com/”?

  164. Juice Says:

    Oh third question, related to my “No. 2″ above. In terms of deleting the “WP Directory” I asked if every file and folder should be deleted under the folder entitled “mysiteurl.com/”, but that folder is a sub folder of my “root” folder, there are other subfolders in the root (cgi-bin, Stats,etc..) do I delete all of those too?

  165. Michael VanDeMar Says:

    @Juice –

    1) There could be infected code in the database, and I am not certain what all WP import grabs. Usually though with that the biggest concern would be iframes and scripts that were injected into the actual posts. The only entries that would be of concern for re-entry by the hackers would be in wp_options or wp_users.

    2) & 3) I would delete everything that is accessible from the web, or everything under what is known as your “web root”. In most cases this will be a directory named either yourdomain.com, public_html, web, or httpdocs, although there are other possibilities. You should not have to delete anything other than what is under that, unless you have moved the .htaccess, php.ini, or wp-config.php into the root.

    Also, remember, backup *everything* first, and I would make a separate backup of your uploads directory, and then scan that and make sure that only images are inside of it. If so then you should be able to re-upload that to your fresh installation once you are done.

  166. Juice Says:

    Thanks so much Michael. The different directories confuse me, naturally. I have a “webroot” file named mydomain.com, which is a sub folder of the main “directory” (if that is what its called). I was thinking I should delete every folder under the main directory (like the cgi-bin, stats,etc.). Earlier I did back up my uploads folder and looked through, but the files all looked normal to me- I am not sure I would recognize something malicious… I did do a WP import back up last week, maybe I should just reinstall WP and my theme from scratch, and then upload last week’s back up, then I only lose today’s post. Is it possible that the hackers hacked days ago, but their malicious activity only appeared today, for the first time? thanks again, you’re help has been invaluable!

  167. Juice Says:

    Well, I deleted all my site directory files and started from scratch today. After installing WP and Theme from brand new downloads, I imported an old WP back up and an old theme back up. Then I added the /uploads/ file that I had backed up yesterday(post hack). I went about trying to rebuild my site until at 11 PM tonight, for the third day in a row, a new unauthorized WP User appeared in my admin panel. I deleted the user and began the password, secret key changes, while alerting my host once more to the problem. I honestly don’t know what to do anymore. I am lost.

  168. kenneth Says:

    I completely dumped my old wp files folders directory structure, the whole shabbang. How the heck can my fresh wp and plugins install still have malware links (months old) in my wp-includes/feed-rss2.php? according to a well known security host these bad links were pulled up by looking through my sites feed at the source code!

  169. Michael VanDeMar Says:

    Kenneth, I would need to actually go into your site and do a scan and some checks to see what was up. I wish I could be more help but there are just too many things that could be going on to know without looking.

  170. kenneth Says:

    ok, well thanks for the speedy reply! ill be in touch soon

  171. Lix Says:

    4 days ago 3 of my websites were infected with malware. One was picked up by Google and is now flagged for avoidance.

    I have spent hours upon hours fixing this problem, yet every time the .htaccess files are reinfected with redirects to a Russian site of some description.

    - When I cleaned the sites I changed all the passwords for FTP, site admin, and database. I deleted cookie logon function by resetting WP secret keys. I installed Bulletproof Security to protect .htaccess and my wp-config folder. This hasn’t worked, they just bypass it. The hackers also won’t let me resave the file when i delete their hack, instead making me have to download the file and then upload it clean.

    - I thought the hack had come through filezilla. So I stopped cleaning through that and instead started using Go Daddy file manager to clean the reinfected .htaccess flles. But no, reinfection within 7 hours. Go Daddy, as per usual, don’t have a clue what I should even be looking for.

    - I also installed site DB backups but that didn’t make a difference. Neither did the plugin upgrades or WP upgrades I did when the sites were clean, which they were because i scanned them at sucuri.net.

    - I have scanned every line of php for bad code using the advice on forums like this one and blogs, etc. I can’t see anything untoward and just don’t know what to do. As far as I can see this is purely the .htaccess file that is getting attacked. I have even completely deleted the file yet they keep putting a new one in.

    - one thing i find strange is that it only attacked these 3 sites. I have 3 other WordPress sites on the same hosting that it hasn’t affected. I have a feeling it got to my root site first and worked into the others, but then I don’t know how these things work so i am probably wrong. Could there be one file in the root that is triggering all this?

    If you have any clue what i should be looking for I would greatly appreciate any advice. I can’t afford to shed out $100 each for a site clean, hell, the sites are more sentimental than valuable.

    Thank you.

  172. Sites Got Hacked | AnotherMaria.com Says:

    [...] How To Completely Clean Your Hacked WordPress Installation by Michael VanDeMar. Many people found this post useful. I’m not touching my database though, at least not yet [...]

  173. Dave Golden Says:

    Just discovered a site I redesigned has been injected – AVG warning appeared on Thursday, Oct. 13. Need to present site at the end of the month – can someone please contact me at dgolden@nasbp.org for assistance and quote? Site is suretyinfo.org. Thanks.

  174. Housekeeping « the connected world Says:

    [...] this ever happens to your wordpress site, I found that this and this were useful sources of information. Hope you never need them [...]

  175. Mike Says:

    Thanks for the helpful info. Too bad this is a continuing problem.

    Mike

  176. Gustie Says:

    hi michael, i really need your help, i got redirect blog problem. After someone type keyword in google browse n click my blog (wordpress), he will get my blog just a few second. after that, he will redirect to other website, what i’ve to do to solve this problem? i’m really happy if you give me the solution n send to my email: iyan_41@yahoo.com

  177. lajme Says:

    Cleaning a 3 GB space in my host is killing me, and i can not find the source of infection for 3 weeks. Damn. Thank you for the post, now i have few more places to look :)

  178. Tim Lucas Says:

    Just wanna say a big thank you to Michael for rescuing my blog. Excellent service at a fair price too!

  179. What a Mess! | In Shadows Says:

    [...] How to completely clean your hacked WordPress installation was another good one – not as labor intensive, but it brought up things I hadn’t considered, and made me more aware of what I was doing. (It’s always good to be aware of what you’re doing when your digging into code!) [...]

  180. Jordan Redhawk Says:

    Ah, Michael, you’re a lifesaver! Thanks for the handy tip. I was NOT looking forward to editing 103 pages to correct those silly apostrophes!

  181. Michael VanDeMar Says:

    @Jordan, No problem, glad I could help. :)

  182. Cathy B. Says:

    this is very good info however i was wondering if you had any insight on special characters showing up in posts? i have searched high and low, got some instruction on how to delete them from my cpanel with no success. help! if you can. I do not want to delete my whole blog of two years work.

  183. Michael VanDeMar Says:

    Cathy, that is something that I can usually fix, but how I fix it depends on how they got there in the first place and what the underlying cause of the character conversion is, and what, if anything, you did already to attempt to fix them. Feel free to hit me up via my contact form if you need help cleaning them out.

  184. Martina Says:

    Hi everyone,
    I really need help! I have a new website for my business, few days ago I noticed on the footer the line sayin sintax error footer.php line 3. I checked with an antivrus plugin and coming up with virus, so I update wordpress, I change all my passwords and delate all the pages,plugin,post,pictures,everything (i have a backup)
    But still there is that line and the home page layout is messed up.
    What can I do? Do i have to delate something from the cpanel?
    Sorry I am very new to these things!
    Thak you !
    Martina

  185. Tipster Says:

    Hi,

    one of my blogs is infected by Trojan.JS.Iframe.ARU (Engine A)
    Does anyone know if there is a plugin that can helps me to remove or check the wordpress installation ?
    Thanks

  186. Tony Payne Says:

    All my sites got infected with a decode_base64 script in the last 3 weeks and I am trying to save everything. It’s a slow process. This article took me a while to find, but I am hoping the tips will help.

    I tried to manually clean the php files from Filezilla, and like so many others, within hours they were modified again. Now it seems every “<?php" statement has the script added to it, as many as 50 lines of code to update in many files.

    I am hoping to get into my site to export the database as xml, so I can rebuild it on a new host. I do have an SQL export, but not a WP export unfortunately.

    It just proves you can never have enough backups, and in this case ALL my domains on the host caught the same infection.

  187. Michael VanDeMar Says:

    @Tony – regarding all of your sites on the same host, with most shared hosting accounts that let you host multiple sites under one account that is what will happen… one gets hit, they all get hit.

  188. JoeGP Says:

    It’s funny but the site i’m trying to fix is hosted on your recommended host Hostgator.
    So much for that.

  189. shalhevet Says:

    how do u copy your images from your uploaded files (to back up your hacked site), if u can t have access any more to your admin in wordpress?

  190. Michael VanDeMar Says:

    Joe, unfortunately security holes in hosting isn’t the only way that hackers can get in, so even on the best host if there is an old back door or vulnerable script on the site, or if someone with ftp access to the site gets a virus, the sites can still get hacked.

  191. Michael VanDeMar Says:

    @shalhevet – you need to use ftp to access the uploads directory and download them all. Make you you verify there is nothing but images in the folder before re-uploading them to the cleaned site as well.

  192. Back online, after my WordPress blog was hacked Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  193. What to do when your WordPress site is hacked | The Podcast Guy - The Podcast Guy Says:

    [...] Go see WordPress guru Michael VanDeMar (How To Completely Clean Your WordPress Installation) [...]

  194. WordPress Hacked, How to Get Things Back To Normal | ShelleyNewman.Com Says:

    [...] 3-How To Completely Clean Your Hacked WordPress Installation. I had already said a prayer and that didn’t help. Since I was doing this myself, there was only one thing left to do. It was the last resort but there seem to be no other way. The site would have to be taken down. Yes, this means hours of work but there was no other way. Those hackers were quite sneaky when they hacked my WordPress. They were much more knowledgeable in the ways of the code than I. [...]

  195. What to Do When a WordPress Blog Keeps Getting Hacked with Malware « ScottFillmer.com Says:

    [...] How To Completely Clean Your Hacked WordPress Installation [...]

  196. Steve Says:

    Great info thanks! I had an iframe injection virus of some sort – every instance of index.php had an iframe appended.

  197. How To Fix Hacked WordPress Sites - Step by Step | Wordpress Jedi Says:

    [...] to save yourself some time in the process. Of course, you can always go through your database and use commands such as this to find malicious content in it:Scan all your filesThis is the first thing I would do after [...]

  198. Vamsi Says:

    Thanks mate, you helped me fix the blog that’s linked above. Great stuff.

  199. rumah dijual Says:

    how i can clear this harm AS8426 (CLARANET)?
    please help

  200. Hacked by Tariq SQL | Ain't Complicated Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  201. vytas Says:

    So, my site is hacked and redirecting. When I export my wp data to xml I can see the offending hack. At the very end of the xml, is:

    It is the script which is the problem.
    problem is, I cannot figure out how to remove it from the existing site! I could rebuild the site the scratch, which seems like overkill. I would rather just find and remove that one line of code, but I don’t know how to find it in the database, and it doesn’t show up in any greps of the source files, etc.

  202. vytas Says:

    shoot, that didn’t work, the code block I just posted didn’t show….

  203. vytas Says:

    lets try this:

    /item
    /channel
    /rss
    script src=”http://greedc57upelev.rr.nu/nl.php?p=d”
    /script

  204. Michael VanDeMar Says:

    vytas – if that is showing in your xml export then odds are the injection would be in your database, not your files (although there may be a back door injected into your files as well). Try running this inside of a query window in phpmyadmin and see what comes up:

    SELECT * from wp_posts WHERE post_content LIKE ‘%rr.nu%’

    See if that helps narrow it down.

  205. Jason Says:

    Thank you so much for this,working on hack attempts which effect wordpress blogs is very frustrating and now thanks to your amazing post which is really helpful it is now much easier.

  206. Christine Says:

    MICHAEL! IVE been hacked and have no idea how to fix it within my server or anywhere else. I need your help! I read a thread about a guy named lixation that you helped fix the same issue. Please help in any way you can. TY
    christine

  207. Restoring a Pharma Hacked WordPress Site (WP 3.4) | bradford's blawg Says:

    [...] There are lots of how-tos and guides online, but most of them are outdated. The pharma hack has evolved (1,2,3). [...]

  208. What if My Wordpress site hacked « NOSEC – Serving More People Says:

    [...] worth reading through and acting on, as it goes into more depth than this page. You can also read How to clean your hacked install and Removing malware from a WordPress blog which explain in details some steps you might need to [...]

  209. t-p on "how can i clean my website? (hacked)" | Upgrade Wordpress Says:

    [...] http://wordpress.org/support/t.....st-1065779 http://smackdown.blogsblogsblo.....ess-instalhttp://ottopress.com/2009/hack.....backdoors/ tutorial how to fix hacked WP blog: [...]

  210. 8 Essential WordPress Tips Says:

    [...] Cleaning hacked WordPress installation (Blogsblogsblogs.com) Filed Under: SEO Tips [...]

  211. Penelope Glass Says:

    Hi. I was the administrator of a site that got hit by malicious script and has been named as an attack site by Google about 2 months ago. (www.pasmi.org) I copied the pages and posts to my new blog (above) that I am building and when I try to get into the text now it won’t let me open up the edit pages as they are connected to the pasmi site (ie attack site). How can I get access to this text now? I am no longer administrator of http://www.pasmi.org, so I can’t fix that site directly.
    Appreciate your help. Cheers

  212. Michael VanDeMar Says:

    @Penelope – I am unsure, because I can’t tell exactly what you mean when you say that the pages are “connected” to the old site, but my guess is that if you were to use a Search and Replace plugin to change all instances of the old domain to the new one in your blog then you would no longer have those issues.

  213. Laura K Says:

    Hi Michael,

    I am not sure what is happening with mu URL. My database was hacked so after much deliberating I decided on a fresh re-install. However after 2 days of being clear of all WP files, Goolge are still redirecting my url to a malware prevention site. Is it possible that there are still files on my account I can’t find?

    I am at the end of my tether now and I really don’t know what to do!

    Thanks,

    Laura

  214. Michael VanDeMar Says:

    @Laura – it is possible that you missed something, but it is also possible that you caught everything and Google just hasn’t noticed yet. The results in the search engines are not live, and a good portion of your site needs to be re-crawled by Google before thy will remove the malware warning on their own. However, if you sign up for a Google Webmaster Tools account, add and verify your site through there, and then submit a Google Reconsideration Request through that control panel, in most cases Google will check your site within 12 hours and either clear the flag or let you know that you missed something somewhere. If you would like help with all of that it usually only take me about 15 minutes at most to do the whole process, feel free to hit me up via my contact form.

  215. Chibi Says:

    Hi Michael,
    I appreciate your article. My wordpress site was hacked recently and I still haven’t been able to find a solution despite following all the instructions on this page. I started a help thread on wordpress.org with still no solution: http://wordpress.org/support/t.....st-2932557
    I’m not sure what to do! I’ve deleted my entire wordpress site and uploaded a fresh new copy of wordpress, 2012 theme, plugins.. but 2 hours later a “wp-main.php” file pops up in my folder which I cannot remove. If I delete it, it will reappear almost instantly.

    I’m suspecting maybe my database is hacked, but I’m not sure what to do :(
    Hoping you can provide some assistance.

    Thanks for reading

  216. Ramez Says:

    Hi Michael,

    I am looking for an expert to clean my server, a few of my sites are infected. Are you able to help please?

  217. Saurabh @ TechGYD Says:

    Thanks for your detailed tutorial. It really helped me a lot :-)

  218. Vivek Bhatt Says:

    thanks for this great information. i was looking for it since my wordpress dashboard is acting weirdo. i will be reinstalling fresh WordPress script. thanks for providing the right procedure. :)

  219. Olly Says:

    Hi Michael, I contacted you via email yesterday but thought I would post this question on here for others benefit. Having had my website hacked by a malware that deleted all of the files on my server, when I come to: 4. Delete all of the files and folders in the WP directory, either through FTP (slower) or through cPanel’s File Manager (faster). – Should I delete all of the files in the public_html folder?

  220. reduceri haine Says:

    Right now my site is hacked! :( – reseller host on webhosting buzz
    Can anyone help me?

  221. Michael VanDeMar Says:

    @Olly – it depends. If you have more than just WordPress in your public_html then everything needs to be examined one way or another. If you have other scripts, such as Joomla or a forum, then those too might have back doors on them.

  222. Moving Company Says:

    @Michael,

    I am hacked also to Russian porn site! Help! I have reseller hosting with certifiedhosting.com

  223. Warning: WordPress.org Does Not Tell You If You Download An Infected Plugin From Them | Smackdown! Says:

    [...] barn door after the horses got out, and stronger measures may be necessary (up to and including rebuilding the whole installation in some cases). The WordPress plugin repositories are supposed to be a trusted source. Not being [...]

  224. Locking Down WordPress Says:

    [...] How To Completely Clean Your Hacked WordPress Installation [...]

  225. Sandy Allnock Says:

    Oh man. Is there any way you’d be willing to do these steps for a nonprofit that’s been hacked? I’d totally pay you, this sounds like gibberish to a non-savvy person like me….my nonprofit supports deployed troops, so if you’re interested in assisting….I’d give you a huge cyberhug. And the going rate for your time. Please please please…..

  226. Michael VanDeMar Says:

    @Sandy – I emailed you. If you didn’t get it check your spam folder.

  227. sam Says:

    awesome article man ! well written and superb guidelines :D

  228. Umar Rashid Says:

    I tried to manually clean the php files from Filezilla, and like so many others, within hours they were modified again. Does anyone know if there is a plugin that can helps me to remove or check the wordpress installation ?

  229. New WordPress Backdoor Style Discovered – Hackers Think They Are Sneaky | Smackdown! Says:

    [...] This one is a perfect example of why automated scans are often not sufficient when cleaning up a hacked WordPress installation. You can see the full file here: [...]

  230. Emergency Resources for Hacked WorkPress sites | SEO 413 Says:

    [...] How To Completely Clean Your Hacked WordPress Installation [...]

  231. Is WordPress Secure? Says:

    [...] If we take a moment to consider high-profile WordPress security exploits in recent years, every single one has targeted known vulnerabilities that are easily fixed with a simple update. As soon as an update becomes available, the vulnerability essentially ceases to be a WordPress problem and instead becomes an end user responsibility. This reality is underlined by the experience of Michael VanDeMar — a guy who "de-hacks" and secures WordPress installations for a living (in fact, he wrote a popular guide on de-hacking WordPress): [...]

  232. ecoguy Says:

    Please someone help me my website http://www.zombieinfoguide on a blue razor server was hacked by someone in Turkey. Blue razor has no back up because the hack is older then the back up. Blue razor told me that they files were in the server and to find a word press expert to try to get the site back. If anyone can help me please call me at toll free 1-888-578-7324

    Barry

  233. Vicky @ IFSCodeFinder Says:

    Thanks for your detailed tutorial. Helped me recover one of my blog in short time.

  234. Nikhil Says:

    All the tips were spot on. Thanks, cleaning the messed up wordpress is a big task.

  235. Rachel Says:

    Do you know of any companies willing to do this for me? My site seems to be infected as it randomly redirects me to an unknown site but I don’t want to run the risk of doing something wr

  236. Rachel Says:

    Finishing up the above as it was posted prematurely. I don’t want to run the risk of doing something wrong and loose my posts….

  237. Ramdan 2013 Says:

    Many Thanks for your detailed tutorial.. It really helped me a lot for my wp blog.. :)

  238. saurabh Says:

    Brilliant info, thanks. It really helped.

  239. PShan Says:

    Thanks for this wonderful post. It are a life saver! I was panicking when one of my blogs was compromised until I saw your post with detailed instructions.

  240. Moja WordPress stránka bola hacknutá! | CVlite Blog Says:

    [...] http://smackdown.blogsblogsblo.....ess-instal… [...]

  241. Amit Says:

    thanks for the guidelines you provided, it will be very useful for my blog, i was not knowing anything about how to recover it

  242. Roland Says:

    You recommend Hostgator with an affiliate link?

  243. When Hackers Attack | Sherman Smith's Blog Says:

    […] Smackdown looks like a good resource for cleaning a WordPress site. […]

  244. Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked | Elegant Themes Blog Says:

    […] in my themes/plugins folders that looked out of place. Though just to be safe I did end up doing a completely new install. And I began looking for a new […]

  245. My Site Was Hacked: How To Remove Malware From WordPress | The Strategic Blogger Says:

    […] How To Completely Clean Your Hacked Installation […]

  246. isambard | Doing the WordPress (Rebuild) Shuffle Says:

    […] is fine now having completely rebuilt the site.  Following most of these instructions to get it completely replaced within 15 mins.  Or almost completely.  Think I missed downloading […]

  247. Restoring a Pharma Hacked WordPress Site (WP 3.4) | bradford's blog Says:

    […] There are lots of how-tos and guides online, but most of them are outdated. The pharma hack has evolved (1,2,3). […]

  248. Blog Hacked Says:

    […] http://smackdown.blogsblogsblo.....#038;#8230; […]

  249. Build Your Own Website Today Version 5 | Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked Says:

    […] in my themes/plugins folders that looked out of place. Though just to be safe I did end up doing a completely new install. And I began looking for a new […]

  250. Hosting With GoDaddy? Might Want To Rethink That Decision. | Smackdown! | Pharmacy Hack Says:

    […] and infections, mostly for those who might not have the time or technical expertise to follow my hacked WordPress cleaning guide. Therefore when something happens that increases the number of people getting hacked, such as […]

  251. Removing the Hack: Not How But Who | Pharma Hack Says:

    […] how to remove the Pharma Hack from your site I highly recommend you read Michael VanDeMar’s: How To Completely Clean Your Hacked WordPress Installation. In my opinion Michael is the best when it comes to removing hacks from sites. If you can afford […]

  252. Recommended Hack Removal | DLS Consulting Says:

    […] Michael VanDeMar – WordPress […]

Leave a Reply