Back up your database FIRST – very very important you do.
Download all the wp files.
On the server, delete those WP files.
Once you have downloaded the wp-content folder, delete it.
Keep wp-config.php
Upload the new WP files and wp-config.php
That will get your blog working – albeit with a default theme.
The most likely files to have been damaged are in /wp-content/themes.
You can examine those for extra code that has been added, or you can trash the whole lot – and get new copies from wherever they came from.
Once you have those, upload and put theme and plugins back together.
It was very probably a rogue script on the server that did this. To protect yourself, no Directory should have permissions greater than 755, and no File greater than 644.
Ask anything you need 🙂
Thread Starter
Sue
(@kadian)
Podz thank you so much – I already backed up the db, I’m waiting for the templates now and will try these fixes once they’re in hand. Thank you!!
Thread Starter
Sue
(@kadian)
This happened again today on a fresh install I just finished. All the directories are at 755 or lower, no files are greater than 644 and it *still* got hacked.
Will removing the install.php file help? Are there any known plugin issues that could be facilitating a hacker?
Any assistance greatly appreciated. You can see the hacked site here (I’ve left the hack up): http://mariaangeline.com/
Sue
Thread Starter
Sue
(@kadian)
Update:
I just heard from my hosting company and they’re saying the problem is that it’s WordPress and a vulnerable script. Help! I am running 10+ wordpress sites and am not minded to change.
Sue
The hacked file is an index.html file. If there is an index.html and an index.php file at the same place, the server may serve the html file first. When I type:
mariaangeline.com/index.php , I got your WP site. When I type:
mariaangeline.com/index.html, I got the hacked page.
I guess the hacker got your FTP password. Change it. Or, do you have a script somewhere that allows uploading or creating files online? Or, maybe the hacker put this script somewhere on your site.
Have you removed the .htaccess file? (there may be a backdoor there).
Is your password a dictionary word or a combination of 2 words that can be found in a dictionary? Invent a long password (10-12 characters) with numbers in it.
Blaming WordPress? How many security alerts with WP? Quite a few, and quickly fixed. This cheap talking is very easy for people who try to hide their ignorance. Maybe you can blame your provider for not securing its servers enough?
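An added example, not part of any post in this thread: a POSIX shell audit for the two checks discussed above (the 755/644 permission ceiling, and an index.html sitting beside index.php), plus a listing of .htaccess files for manual review. The function names, the script name and the site path argument are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for points raised in this thread.
# Usage: sh wp_audit.sh /path/to/site   (script name and path are placeholders)

# Directories more permissive than 755: group- or world-writable.
loose_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
}

# Files more permissive than 644: executable by anyone, or group/world-writable.
loose_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -020 -o -perm -002 \) -print
}

# index.html / index.htm sitting next to an index.php: the server may serve
# the static file first, so a dropped page hides the real site.
shadowed_index() {
    find "$1" -type f \( -name index.html -o -name index.htm \) -print |
    while IFS= read -r f; do
        if [ -f "$(dirname "$f")/index.php" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Every .htaccess under the root, listed so each one can be read by hand.
htaccess_files() {
    find "$1" -type f -name .htaccess -print
}

audit() {
    echo "== directories looser than 755 =="; loose_dirs "$1"
    echo "== files looser than 644 ==";       loose_files "$1"
    echo "== index.html beside index.php =="; shadowed_index "$1"
    echo "== .htaccess files to review ==";   htaccess_files "$1"
}

# Run the full report only when a site path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

An empty section in the report means that check found nothing; it does not show how a file got onto the server.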
Kadian,
Get a new host. I don’t see any evidence wordpress was the vulnerability. And I don’t think they know enough about where the problem is. Unless they can tell you exactly how it happened, and can reproduce it, don’t believe their conclusion. It’s easier to throw blame around than it is to close security holes. I would bet the whole account is compromised now, and possibly the entire server. Wipe it clean and start fresh is my recommendation.