Visited a site I don’t use much today, and got a virus warning as I opened the index in my browser, saying there was an issue with a plugin page (superslider). Went into my Dashboard, opened the plugins page and got several warnings that plugins had been ‘disabled’, but underneath that in the list of installed plugins I got the message “You do not appear to have any plugins available at this time.”
When I looked at the site in an FTP editor all my plugin folders are still there (I deleted the superslider one), but none of them show in the plugins page on dashboard. None of the plugins are working either – pages just say [nggallery1] etc where galleries should show. What’s happened to my plugins, and how can I get them back? I don’t want to just install plugins again because they’ve all been customised to suit my wants, and the gallery obviously has all my pictures in it!
This has happened to me too. I was checking for updates and I saw that all my plugins had disappeared. But when I tried to reinstall one, it said failed because it was already installed. I can’t see them on my plugin page and they are not working so what do I do?
Check your site, you may be hacked.
If it’s not that (and I hope it’s not!) then:
Have you tried:
– switching to the Twenty Eleven theme to rule out any theme-specific problems.
– resetting the plugins folder by FTP or PhpMyAdmin.
– re-uploading the wp-admin and wp-includes folders from a fresh download of WordPress.
Sorry to be the bearer of bad tidings but Jan is right, we’ve been hacked. Badly, too 🙁 . In case you’re a novice like me, I’m going to list the steps I’ve taken to remove the infection. It won’t take you too long, and you’re going to have to do it to get rid of the hack.
Step 1. Download a fresh copy of latest version of WordPress here: http://wordpress.org/download/
Step 2. Log in to your Dashboard and install Exploit Scanner here: http://wordpress.org/extend/plugins/exploit-scanner/
Step 3. Run the scanner, it will confirm you have been hacked by showing you a huge list of files. Near the top of my list was wp-activate.php, which had the content
/*god_mode_on*/eval (base64_decode("ZXZhbC hiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0 phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1 (loads more characters)
Needless to say, your installation should not have anything like that in it – ‘base64_decode’ is a *BAD* sign.
Step 4. Now that you’ve confirmed you’ve had an intrusion, use the fresh copy of WordPress you just downloaded to get rid of it. You *should* start by deactivating plugins, but since your plugins aren’t showing up you can’t do that! Follow this sequence:
Step 4a. Delete the complete wp-includes and wp-admin directories via your FTP client.
Step 4b. Upload the wp-includes and wp-admin directories from your downloaded new version.
Step 4c. DO NOT DELETE your existing wp-content folder, but upload all the files in the wp-content folder from your downloaded fresh copy ‘over the top’ of existing files, allowing them to be overwritten.
Step 4d (optional). Having done this, I looked at my dashboard and ran Exploit Scanner again. Still a long list of files, but far fewer than I had previously. Okay, it’s going well…
Step 4e. Upload the files in the root folder of your download, again allowing the files on the server to be overwritten, these are the files like wp-activate, wp-blog-header, etc.
I’ll continue in another post in a moment, in case there is a limit to how much I can enter in one post!
Okay, you’ve now cleared MOST of the problems, but we’re not done yet.
Step 5. Inspect the remaining files in your root folder. I’m thinking of specifically wp-config.php, but there are others too. Open each of them in your FTP editor and look for the /* god_mode telltale. Any files you find there with that content are going to have to go, so delete those.
Step 6. You just deleted your wp-config, so your site isn’t going to work at all. Good news – WP will recreate it for you. Just load your site in a browser and follow the instructions – get the necessary info from your original setup, or phpMyAdmin etc.
Step 7. Now, log back into your dashboard, and run the Exploit Scanner again. You’ll probably find that all your theme files still show infections. The ‘basic’ themes are there in your freshly downloaded copy of WordPress, but if you’re running a different theme you’ll have to get a fresh copy of that too. Regardless of which theme you are running, there is one more thing you can do (which I unfortunately forgot when I just did mine – oops…). Download and save a copy of your style.css file, THEN delete the theme, and replace it with your fresh copy. Make sure you do it like that – delete the WHOLE theme folder, because our pal the hacker might well have uploaded additional files which wouldn’t be overwritten, and then upload a whole brand new copy of the theme. Then you can open your style.css file and check it for anything odd, and if you don’t find anything then replace the default style file on the server with it.
Step 8. Any OTHER themes that you have on your site but that you’re not actually using will ALSO be infected. Delete and replace those too.
Step 9. Another run of the Exploit Scanner will show you that unfortunately all your plugins are dodgy too – every one of them will have ‘god_mode’ inclusions all over them. You’re going to have to delete all of the folders, so you have no plugins left APART FROM THE EXPLOIT SCANNER. That’s ‘safe’, because you only just downloaded it!
Step 10. Run the Exploit Scanner yet again. Hopefully now you’ll not have any results, or results that are benign.
Now, it’s over to Jan for some help, because although we’re back running again and clean, we have no plugins. Can we just download and install them again Jan, or will WP complain that it thinks we already have them? Anything else we need to check?
Many thanks for pointing me in the right direction – I might well not have noticed I’d been hacked otherwise.
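A local check for the indicator described in the steps above, as an added example that is not part of the original posts and not the Exploit Scanner plugin's code: it scans a downloaded copy of the site for the `god_mode_on` marker and `eval(base64_decode(`, then maps each hit to the cleanup step from this thread. The function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the thread. Whitespace is tolerated because the posted
# sample reads "eval (base64_decode(" with a space after eval.
INDICATORS = {
    "god_mode_marker": re.compile(rb"/\*\s*god_mode_on\s*\*/", re.I),
    "eval_base64_decode": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
}

def classify(rel):
    """Map a site-relative path to the cleanup step in the thread that covers it."""
    parts = rel.split("/")
    if parts[0] in ("wp-admin", "wp-includes"):
        return "core dir: delete and re-upload (Step 4a/4b)"
    if parts[:2] == ["wp-content", "themes"]:
        return "theme: delete folder, upload fresh copy (Steps 7-8)"
    if parts[:2] == ["wp-content", "plugins"]:
        return "plugin: delete folder (Step 9)"
    return "root/other: overwrite or inspect by hand (Steps 4e, 5)"

def scan_tree(root, suffixes=(".php",)):
    """Walk a local copy of the site; return {relative path: (indicators, step)}."""
    root, findings = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            data = path.read_bytes()
            hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
            if hits:
                rel = path.relative_to(root).as_posix()
                findings[rel] = (hits, classify(rel))
    return findings

def build_sample_site(root):
    """Constructed sample tree (not the thread's files): two injected, one clean."""
    root = Path(root)
    (root / "wp-content/plugins/demo").mkdir(parents=True)
    # Constructed payload: the base64 is only a harmless PHP comment.
    call = b'eval (base64_decode("Ly8gaGFybWxlc3M="));'
    (root / "wp-activate.php").write_bytes(b"<?php /*god_mode_on*/" + call + b" ?>\n")
    (root / "wp-content/plugins/demo/demo.php").write_bytes(b"<?php\n" + call + b"\n")
    (root / "wp-config.php").write_bytes(b"<?php\ndefine('DB_NAME', 'example');\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (hits, step) in scan_tree(build_sample_site(tmp)).items():
            print(f"{rel}: {', '.join(hits)} -> {step}")
```

Run it against a copy of the site pulled down over FTP, not the live server; a clean result only means these two indicators are absent, not that no other back door exists.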
Now, it’s over to Jan for some help
No no, you’re doing fine. 😉
That’s quite a read and thanks for participating. I’m on a train so I’ve only skimmed it over. At first blush I’d say Step 0 is make complete backups of your files and database as a safety net but you may have stated that already.
If there is a concern about the plugins (and if you’re hacked there is) then after you have a full backup, delete all of them and get fresh copies from the source. That goes for your themes too.
There are two things left, if what I’ve suggested so far hasn’t been too far off. First up is the database itself – I haven’t checked that, because I don’t know how to.
And then there’s the question of how my hacker got in in the first place?
Thanks for all your help. I am registered with Sucuri who have just cleaned my site. Since I get hacked all the time, I decided a while ago to pay the money and get someone else to clean it each time. Even though I always follow their instructions and change all my passwords each time, I still get hacked again. Any ideas on why this keeps happening?
Either your site is hosted on an insecure server or Sucuri are not cleaning the hacker back doors out of the site. See:
Sucuri say they search for back doors and I guess I have to trust them. My host is Bluehost, which I imagine is secure but something is sure going on. Not sure what to do next. Meanwhile, I will check those links. Thanks, Esmi.
So, having followed the steps above, do I need to worry about the database itself, or is that going to be okay?
No – you should also check your database for anything suspicious.
I was infected with this virus as well, but found a really good guide here: http://marketingsiden.dk/how-to-remove-god_mode_on-wordpress-virus/
- The topic ‘ALL my plugins have disappeared’ is closed to new replies.