Cleaning up a hacked WordPress site

I was recently tasked with cleaning up a WordPress site that had been hacked and defaced. They had no backups, so restoring from a clean backup was not possible.

Now, as we all know, without a clean backup there is no guarantee of removing everything: hackers like to hide their nefarious wares in strange places, and without scrutinizing every line of code on the site it is nearly impossible to find everything they have modified.

Popular places for hackers to hide files are the ones that survive a WordPress update: wp-content, plugins, themes, and uploads.


Comparing files to find changes

It is possible to search the site for the most recently modified files, and often this turns up files the hacker has created or modified. Bear in mind, though, that hackers can spoof these modification dates to stop their files from being detected and removed easily.

If you do have a clean backup, you can also run a comparison against the files on the site to find any differences. Unless you have made changes since the last backup, these differences will more than likely be files that the hacker has uploaded or modified.

On Linux to compare directories:

diff --brief -r dir1 dir2

To compare files side by side:

diff --side-by-side file1 file2
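To tie the two ideas above together, here is an added example (my own script, not part of the original write-up) that compares a live WordPress tree against a clean copy and also lists recently touched files. The directory layout and file contents are constructed sample data; the one point worth noting is that it checks ctime as well as mtime, because touch can forge a file's modification time but not the inode change time the kernel records.

```shell
#!/bin/sh
# Added example, not from the original post: find files in a live WordPress tree
# that are new or changed relative to a clean copy, and list recently touched files.
# Directory names and file contents below are constructed sample data.

# list_changed LIVE_DIR CLEAN_DIR
# Prints "NEW <path>" for files absent from CLEAN_DIR and "MODIFIED <path>" for
# files whose contents differ. Paths are relative to LIVE_DIR, sorted.
list_changed() {
    live="$1"; clean="$2"
    ( cd "$live" && find . -type f | sed 's|^\./||' ) | sort | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            printf 'NEW %s\n' "$f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# recent_files DIR DAYS
# Lists files whose content (mtime) or inode metadata (ctime) changed within the
# last DAYS days. An attacker can forge mtime with touch, but ctime is set by the
# kernel, so a file with an old mtime and a fresh ctime is worth inspecting.
recent_files() {
    find "$1" -type f \( -mtime "-$2" -o -ctime "-$2" \) | sort
}

# Build a constructed sample: a clean copy, and a live copy with one edited theme
# file and one unexpected file under wp-content/uploads.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/clean/wp-content/themes/demo" "$SAMPLE/clean/wp-content/uploads"
printf '<?php // constructed theme header ?>\n' > "$SAMPLE/clean/wp-content/themes/demo/header.php"
printf '<?php // constructed index ?>\n' > "$SAMPLE/clean/index.php"
cp -R "$SAMPLE/clean" "$SAMPLE/live"
printf '<?php // constructed theme header, with an unexpected change ?>\n' > "$SAMPLE/live/wp-content/themes/demo/header.php"
printf '<?php // constructed unexpected file ?>\n' > "$SAMPLE/live/wp-content/uploads/extra.php"
# Backdate the added file's mtime (as an attacker might) to show that
# recent_files still catches it through its ctime.
touch -d '2010-01-01' "$SAMPLE/live/wp-content/uploads/extra.php" 2>/dev/null \
    || touch -t 201001010000 "$SAMPLE/live/wp-content/uploads/extra.php"

echo "== Differences from the clean copy =="
list_changed "$SAMPLE/live" "$SAMPLE/clean"
echo "== Files touched in the last day (mtime or ctime) =="
recent_files "$SAMPLE/live" 1
```

Run it as-is to see the constructed demo, or call list_changed and recent_files against your real site and backup directories. Anything reported as NEW or MODIFIED under uploads, plugins or themes deserves a manual read before the site goes back online.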


Changing passwords and default admin

After being hacked, it is highly recommended that you change all passwords related to your site: wp-admin, database, mailbox, FTP, SSH, and any other password-protected services running on your server, to try to prevent the attacker from regaining access.

You should also remove the default admin account named “admin” and create a new administrator with a different name. Every hacker knows that the default wp-admin username is “admin”, so with it in place they only have to guess the password if they want to brute-force the login.

As a side note, there are a few plugins that can help protect your login form against brute-force attempts on your password. Login Security Solution and Login Lockdown are two amazing plugins with this ability.

