How To Completely Clean Your Hacked WordPress Installation

Update 08/13/2015 – Please note: The following Do It Yourself guide on how to de-hack your website is designed for people who don’t necessarily know how to read php, but do know how to work their way through installing WordPress, themes, and plugins. It also assumes you know your way around whichever hosting control panel it is that comes with your host. Because malicious code can be very hard to weed out from the legitimate stuff, especially for someone who is not a programmer, this guide recommends that you start over with a completely fresh theme on your site. This means that for many, the customizations that were done to the theme will be lost, or will need to be re-done. For those of you who would prefer not to do that, or who have a complicated or ecommerce site, or one with heavy traffic and you would like to completely minimize the downtime, I do offer professional cleaning services. I can de-hack and secure your site without losing any of the design or functionality, and in most cases there is only a few minutes of downtime near the end of the process. For more information, please fill out my contact form.

WordPress hacker removal spray... use in a well ventilated area. Getting hacked sucks, plain and simple. It can affect your rankings, cause your readership to be exposed to virus and trojan attacks, make you an unwilling promoter to subject material you may not actually endorse, and in many cases cause the loss of valuable content. However, once it happens it is usually best to not procrastinate on the clean up process, since a speedy restore will most times minimize the damage that was caused.

While almost all sources will recommend that you upgrade your WordPress to the latest version, what the majority neglect to tell you is that in most cases simply doing so will not prevent the attackers from getting back in, even if there are no known exploits with the latest version. The hackers may have left a back door file hidden in a directory where it wouldn’t get overwritten with an upgrade, or inserted code into your theme, or simply created an account that they then granted admin privileges to. Any one of those would allow them back in, even after you patched what was wrong the first time. Therefore I am providing this step by step process on how to completely clean out and restore a WordPress installation that has been hacked.

1. Backup the site and the database.

Even a hacked copy of your blog still probably contains valuable information and files. You don’t want to lose this data if something goes wrong with the cleanup process. Worst case scenario you can just restore things back to their hacked state and start over.

2. Make a copy of any uploaded files, such as images, that are referenced.

Images are generally exempt from posing a security risk, and ones that you uploaded yourself (as opposed to ones included with a theme, for instance) will be harder to track down and replace after things are fixed again. Therefore it is usually a good idea to grab a copy of all the images in your upload folder so as to avoid broken images in posts later. If you have any non-image files that could potentially have been compromised, such as zip files, plugins, or php scripts that you were offering people, then it is a good idea to grab fresh copies of those from the original source.

3. Download a fresh version of WP, all of the plugins you need, and a clean template.

Using the WordPress automatic upgrade plugin does make it easier to upgrade every time a new version comes out. However, it only replaces WordPress specific files, and does not delete obsolete ones. It also leaves your current themes and plugins in place, as is. This means that if used to upgrade a blog that has already been compromised, it can very well leave the attackers a way back in. It is best to start over from scratch as far as the files portion of your installation goes. Note that if you use the EasyWP WordPress Installer script that I wrote it saves you from having to download, unzip, and then upload all of the core WordPress files, although you will still need to grab fresh copies of the themes and plugins that you want to use.

4. Delete all of the files and folders in the WP directory, either through FTP (slower) or through cPanel’s File Manager (faster).

Now that you have fresh copies of all the files you need, and copied all of your uploaded images, completely delete the entire directory structure your blog is in. This is the only surefire way to completely remove all possibly infected files. You can do this through FTP, but due to the way that FTP handles folder deletion (ie. it walks the directory structure, stores each and every file name that needs to be deleted, and then sends a delete command for each one), this can be slow and in some instances cause you to get disconnected due to flooding the server with FTP commands. If available it is much faster to do this through either cPanel’s File Manager, or via command line if you happen to have shell access.

5. Re-upload the new fresh copies you just grabbed.

This step should be self explanatory, but I would like to mention that if your FTP client supports it (I use FileZilla, which does) and your host allows it, then increasing the number of simultaneous connections you use to upload can greatly reduce your overall transfer time, especially on servers or ISP’s where latency is more of an issue than bandwidth. In FileZilla this setting is found by going to “Edit -> Settings -> File transfer settings”:

FileZilla settings panel

Also, if not using the EasyWP WordPress Installer script, don’t forget to edit and rename your wp-config.php file (when freshly unzipped this is named wp-config-sample.php).

6. Run the database upgrade (point your browser at /wp-admin/upgrade.php).

This will make any necessary changes to your database structure to support the newest version of WordPress.

7. Immediately change your admin password.

If you have more than one admin (meaning any user with editing capabilities), and cannot get the others to change their passwords right then, I would change their user levels until they can change their passwords as well. If there is anyone in your user list that has editing capabilities, and you do not recognize them, it’s probably best to just delete them altogether. If changing passwords is something you hate doing, then maybe my new memorable password generator can make that a little less stressful for you. 😀

8. Go through the posts and repair any damage in the posts themselves.

Delete any links or iframes that were inserted, and restore any lost content. Google and Yahoo’s caches are often a good source of what used to be there if anything got overwritten. The following query run against the database can help you isolate which posts you want to look at:

SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'

If you did not change the default prefix for WordPress tables, than you can copy and paste that directly into a query window and run it, and it should pull up any posts that have been modified to hide content using any of the methods I have come across so far (iframes, noscript tags, and display:none style attributes). To get to a query window in cPanel, you would click on the MySQL® Databases icon, scroll to the bottom of the page, and then click on phpMyAdmin. Once the new window or tab opens, you would click on the database in the left hand side that your blog was in, and then in the right side at the top click on the SQL tab. Then just paste the query into the large text area and hit the Go button.

Note, however, that there may be other types of injected content that I haven’t seen yet, and that a manual inspection looking for the types of patterns that first alerted you to the fact that your blog was hacked is always a good idea.

UPDATE: 9. (still valid in 2015) If you are having issues cleaning the installation yourself

When I wrote this post back in 2008 I intended it to be a do it yourself guide for the non-techie. However, I do realize that some people would still rather a professional programmer perform many of the steps I outlined here. If anyone has had their WordPress installation hacked, and either is uncomfortable attempting to clean it on their own, or has tried to do so with no success, I am available on a case by case basis. Most cleanings can be performed in about one hour, two at the most. The time can vary depending on the size of the blog, the amount of customization to the original theme, and the number of plugins installed. Feel free to contact me here if you feel like you could benefit from my help. Please include the site and any details that you think might be relevant (pro theme, anything you may have tried on your own, etc.) in the contact form.

UPDATE #2: 10. A note on hosting.

This past year (2010) has seen multiple waves of attacks on people’s websites that happened not due to insecurities within the WordPress platform itself, as has historically been the issue, but rather due to vulnerabilities with the actual hosts. Some of the bigger names that were hit include GoDaddy, Rackspace Cloud, MediaTemple, and Network Solutions, for instance. It is very important that you use a host that is not only well versed in security, but one that is stable and has knowledgeable tech support as well.

Update #3 11/14/2012:

Please note: if you are currently hosting with either HostPapa or Netregistry and you are here because you were hacked then the following tutorial may not be sufficient. Please see this post for more details:Hosting with HostPapa or Netregistry and Hacked? Switch Hosts Now. (hacked by hacker)

My personal recommendation for shared hosting is Hostgator. It is where this blog and many other sites of mine are currently hosted. Yes, that is an aff. link, but I would recommend them even if it wasn’t. For a dedicated solution that is both affordable and robust I use The Planet, which is where I host Bad Neighborhood. Both companies are ones that I have been using for years without issues, and that I do recommend to my own clients when they find themselves dissatisfied with their current hosts. If you were hacked, and your WordPress was up to date when it happened, then a change of hosts is something you should consider looking into.

232 thoughts on “How To Completely Clean Your Hacked WordPress Installation”

  1. Before switching to 2.8.4, our site was compromised. The @*%$! spammers deployed two files to our system /wp-admin/fotter.php and /wp-admin/inclode.php (note the purposeful misspellings). These were encrypted files that were web-based backdoors. These were causing our theme footer to be overwritten nightly.

  2. I found a Virus that links to try-your-destiny.cn that was hiding in the file wp-content\uploads\js.cache\tinymce_f299bb0eff6f5bf98754a5f09bd63ddf.gz !
    (eval(…) was hidden in that zip).

    Deleting all the WordPress Content didn’t helped, as I kept the wp-config and my upload folder!

    So it is important to make step 2. as described above…

    Best regards
    Kfx

  3. Mine was not hacked, but rather, the whole wp blog seems to have a lot of errors in it. Probably plugin incompatibility issues. Some plugins I was using before doesn’t seem to work anymore. And some features of the dashboard doesn’t work either, like it just shows a white, blank space in there, especially if I am installing themes, plugins.

    So I think I’d just clean up my whole root folder, reinstall wordpress and upload my backup database. what do you think? will that solve the issues surrounding plugins, themes etc?

  4. kristine, there is no way of knowing if that would fix it without knowing the errors or simply trying. It can’t hurt.

    The thing is, if you are having incompatibility issues with the plugins, and you just reinstall the same ones, then you will most likely have the same issues. If you’re not hacked, then what you might want to do is simply deactivate all of the plugins first, and then slowly turn them back on, one by one, checking for the errors you are getting each time. That will help you isolate what is causing the problem (assuming that it is in fact related to your plugins). You should also go to WordPress and check each plugin’s compatibility (ie. which versions they are supposed to work with).

  5. Good info bro to share. Recently, I have just cleaned up my blog folder after backed up my database. All plugin were lost then need to install one by one. It’s so mess. Any plugins management that you can propose? TQ.

  6. Thank you so much for this post. My sites got hacked and I did not know what to do. I went through all your steps and was able to almost restore my site. The last think I needed to do was update my .htaccess file and when I did that I got back all my posts….WAHHOOOOOOOOOOOOO

    I have worked on one site for 3 years and had close to 600 posts on that site…I thought it was all gone. I literally worked on restoring this site for 12 hours today…and thanks to you and the steps above, I finally did it.

    Thank you again

    Sam

  7. I will pay someone $250 to perform this as a service for me… Cleaning or getting rid of all of the bad coding and scripts on my blogs.

    It is unfortunate that hackers and virus creators do things like this to intentionally and maliciously destroy other peoples hard worked for content. These individuals are like the scum of the earth. Who sits around all day creating malicious codes and scripts just to mess with people?? It’s people like this that end up seriously HAUNTED at the end of their lives by all of the wrong doing that they have done throughout their life. People that intentionally harm or wrong do others are like satans little lovely beings. Heartless. Soulless. Friendless. Must be a wonderfull world they live in…

    There is a thing called benevolence, which holds the meaning of: possessing that in which an individual truly cares about the health and well being of other people. Not to sound “tree huggerish”. But seriously, come on, get a life and go do something significant rather than sitting in your cave all day and dying a slow, timely death. There is so much more to life than thinking that you are doing something cool by “being a hacker and ILLEGALLY getting into or intentionally destroying other peoples stuff”. Back in the old days you would have had the privilege of getting a bag put over your head with a noose around your neck and getting the stool kicked out from under you. It’s called “eye for eye”.

    My apologies to everyone that reads this that are searching out how to fix your blog. It is obviously meant for the little, no good, no life having, soulless human maggot out there that creates viruses, malicious scripts and hacks other peoples stuff. YOU SUCK BIG MOOSE C#&@!!

    Nick

  8. 1, Only use plugin from wordpress.org unless you feel confident about the security of third-party plugins.
    2, Use Secure WordPress plugin.
    3, Remove the wp version from php files of theme. If possible, directly use static javascript file location instead of invoking php function since wp will automatically add the version number at the tail.
    4, Have a nice neighbor on your hosting.

    Just my 2 cents hehe

  9. thank yu so much for the article, few days ago all of my sites got hacked. I was lucky it was not xss. Bad part is got a trojan from a hacked advertiser on a very reputable network, when it installed it compromised smart ftp. All index,home and .jv got a malicious script inserted after page code. Took me days to clean up, going one by one. I wish I came across your post earlier 🙁

  10. urrrgh!!!! Looks like we got our blog hit too X(

    This was NOT on the schedule for today, but thanks for the layout of how to handle this hacked WP issue. It should go much smoother with this 😉

  11. Thank you for this great post. I am going to make some backups today of my wordpress based websites. A friend’s website has been hacked recently. It was very hard for me to get his site online again. Thanks again for your post, it really helped me.

  12. I am having issues with the header php being modified. A script and a ton of BS links to various sites. I’m fairly familiar with all the steps you describe but I’m really uncomfortable with doing it. I got a lot of data stored and I’m sharing the server with several other people. Any way you can help a fellow blogger out?

  13. @Vladimir – while scripts like that can speed the process up and do make some things easier, they are very specialized, therefore only catching certain hacks and no variations, and in no way replace prevention.

  14. Great info how to quickly get your site backup. I would love to know more info how to prevent it in the first place. Putting up a new site and not fixing what caused the problem will recreate the situation all over again.

  15. As long as I do blogwalking, I have read a lot about preventing to be hacked by upgrading WP to the latest /newest versions. After reading your article above, I realized that my knowledge is very little. I think by ugrading WP to the latest /newest versions and use the plugins from wordpress.org is enough to prevent to be hacked. Apparently there are still many holes for hackers such as through hidden files in a directory and inserted the code into a theme. I never thought of this before. Thank you for this valuable content.

  16. I wish I had found your blog earlier. Gosh took me a week to figure out the Malware problems on my sites. In my case PHP files were re-written.

    I did fresh installations initially however I forgot that the scripts were also written in the plugins. After reloading back the data to my server it end up infected again.

    So to safe guard some of the scripts (not delete them away), I did what you did, backed up everything, deleted all the files even those outside public_html.

    Ran through my antivirus software for the back up data and did a Find & Replace code using Dreamweaver for the malicious scripts.

    And finally when I reinstalled wordpress and the plugins back, it is fine now.

    But it really took a long time.

    Thank you again for the valuable info. Hope my sharing will benefit others too. 🙂

  17. Had one of my blogs hacked into a few days ago. They didn’t appear to do anything except change the administrator name, email address and password so I thought changing that back would be enough. Didn’t realize that they might do stuff like add files or codes that would allow them back in… Thanks for that information.

    I’ll be doing a thorough cleaning of my blog. Sounds like its going to take me a whole day and cause a lot of headaches, though!

Leave a Comment

*