Viewing 8 replies - 1 through 8 (of 8 total)
  • Hi,

    First of all, you should run at least two anti-spyware scans with two different programs (typically, Spybot S&D and Super Antispyware) on all your systems before you do anything. It is very common for spyware to be the cause of these hacks, since they can lodge in your system and keep track of your FTP activity, web logins, etc.
    Once you are spyware-free, change all your FTP passwords. Only then can you try to regain access to your WP installation. I would recommend editing your user password directly from the Database, but do a database backup before you attempt editing it. The way you do this is by going into your phpMyAdmin (either from cpanel or your hosting panel), selecting the user’s table, locating your admin user, and editing the password key. WordPress passwords are MD5 encoded, which means you will have to encode whatever password you choose. Simply Google “MD5 encoder”, enter your password, and the encoder will provide you with the MD5 encoded string. Copy that string and paste it into your admin user’s password field in the DB.
    Then, you can either follow the same procedure for the remaining users, or simply update all the passwords from the Admin Panel with your admin user. Admin users have the capability of changing other users’ passwords, even other admins’.
    Once your hosting and WP installation are secured, and you can be certain that no other intrusions will occur, download all the files and folders inside your public_HTML folder to your computer through FTP, and make a backup (duplicate) of these files. You can now begin to clean up your files by deleting all files and folders that don’t typically belong in a WP installation. If you are not certain about which folders are normal and which are not, you can compare your files and folders against those of a default WP installation. Make sure you use the same WP version for this comparison.
    You might also want to take a look inside your normal files since some hacks involve the insertion of harmful code in them. It might be faster (and simpler) to replace all WP, plugin, and theme files and folders that you did not make changes to, and only check those to which you did make changes.

    I know it sounds like a lot of work, but if you are not thorough about this, you might leave a door open for future attacks.

    I hope this helps. Good luck!

    Thread Starter MWorld

    (@mworld)

    Thank you all for your help. I’ll spend some time today going over this and trying to sort it out, but appreciate all the wonderful feedback!
    Bernie

    Thread Starter MWorld

    (@mworld)

    Hi guys

    Another part I need filling in please.

    I have now gained access to the Dashboard (by following the steps above). I’ve reset the password and can get into the backend of WP.
    I can get access to all files and editor

    BUT …. when I go to http://www.marketingworld.com.au/blog/ I still get the hacked page. How do I overcome this?

    Thanks again

    Bernie

    you must replace all wordpress core files and wp-admin and wp-includes folder
    download `wp-content` to your computer and scan the files at minimum

    likely the wordpress index.php is compromised but it could be many files – including the theme’s index.php

    you should get fresh copies of all themes and plugins
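
The comparison suggested in the replies above (check the downloaded files against a default installation of the same WP version, then replace what differs) can be scripted. The following is an added example, not part of any reply in this thread; the function names and the sample files it builds are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root):
    """Map each file's path (relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(backup_root, clean_root):
    """Classify files in the downloaded backup against a clean tree."""
    backup, clean = index_tree(backup_root), index_tree(clean_root)
    report = {"modified": [], "extra": [], "missing": []}
    for rel in sorted(backup):
        if rel not in clean:
            report["extra"].append(rel)       # not shipped with this version
        elif backup[rel] != clean[rel]:
            report["modified"].append(rel)    # shipped file whose content changed
    report["missing"] = sorted(set(clean) - set(backup))
    return report

def build_sample(base):
    """Constructed sample data: a tiny 'clean' tree and a tampered 'backup'."""
    clean, backup = Path(base, "clean"), Path(base, "backup")
    files = {"index.php": "<?php require 'wp-blog-header.php';",
             "wp-includes/version.php": "<?php $wp_version = 'X.Y';"}
    for root in (clean, backup):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (backup / "index.php").write_text("<?php /* injected */ echo 'hacked';")
    (backup / "wp-includes/x.php").write_text("<?php /* unknown file */")
    (backup / "wp-includes/version.php").unlink()
    return backup, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_to_clean(*build_sample(tmp)).items():
            print(kind, paths)
```

On a real backup, `wp-config.php` and any themes, plugins or uploads you added yourself will be listed as extra because a fresh download does not contain them; those are the files to review by hand or replace with fresh copies.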

    Thread Starter MWorld

    (@mworld)

    Ok > I’m now at the stage where I HAVE a backup of my old WordPress.
    I have a NEW WordPress going

    I now want to integrate my old file content, tags and theme into the new WordPress. Is there an easy way to do this? Any specific files I should use or folders?

    Thanks again

    Bernie

    Thread Starter MWorld

    (@mworld)

    I THINK there is a problem with the theme
    WP3 1.0 by FlashMint

    Free WordPress Themes WpDaddy.com.
    Activate | Preview | Delete

    All of this theme’s files are located in /themes/wp003.

    Seems when I preview this theme, the hack page comes up

    you should get fresh copies of all themes and plugins

  • The topic ‘Got hacked’ is closed to new replies.