Can I use this Guide to clean up a hacked WP?

  • I have some trouble with all these guides about how to clean a corrupted WordPress once it has been infected by a hacker with backdoors and such.

    I have read several guides and found http://ottopress.com/2009/hacked-wordpress-backdoors/ quite helpful, while others were a pain in the butt to understand.

    To make things easy: would the following steps provide me with a CLEAN WP again?

    • !! Back up EVERYTHING, even if that means backing up corrupted files; better to have these corrupted files than to lose everything
    • Tools -> Export -> everything that can be exported into the XML
    • Note all settings / widgets to recreate the blog to its former ‘glory’
    • Download the complete wp-uploads
    • Check all noted information for any suspicious contents
    • Open the downloaded folders in Explorer, delete all files that are NOT jpg (for non-JPG files that were uploaded on purpose, check that they are still the files you had uploaded)
    • Open the downloaded folders in Explorer, check whether the jpg files have a thumbnail; if not, the jpg might be corrupted or not a jpg file to begin with .. remove all corrupted files
    • Open the exported XML file and search for eval, lave, base64_decode and edoced_46esab; once found, take an even closer look to see if there is more hidden
    • Remove everything from Server
    • Download clean WP
    • Create NEW Database
    • Install NEW WP
    • Follow as many steps as possible using the Information provided by the Codex: https://codex.wordpress.org/Hardening_WordPress
    • Install a CLEAN Theme, like Twenty-Xteen
    • Add your noted and checked Settings and Widgets
    • Install Plugins using trusted Sites, or even ONLY from WordPress itself
    • Upload the wp-uploads
    • Import the XML file
    • Check if posts are still working as intended

    From my understanding, by doing this, which looks to me much easier to understand than most guides I have found, the site should be good to go.

    Or did I miss something?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator t-p

    (@t-p)

    Otto’s guide you linked is pretty good. He knows WordPress in and out.

    I’d add a set of steps before this guide, to ensure currently open exploit vectors (how hackers access system) are closed.

    1) Update OS + all software packages.

    If you can’t do this, then you’re running with shared hosting + likely will be hacked again, depending on LAMP versions – Linux Kernel + Apache + SSL libraries + MariaDB/MySQL + PHP.

    If you’re running a hobby site, live with continual hacks.

    If you’re running a money site, move to dedicated hosting where you have control over OS + software package updates.

    2) Run wpscan against your site + see what turns up.

    For example, if a plugin shows up with a known hack with no fix, then add this plugin to your banned plugin list, because if you install a hackable plugin on a clean site, your site will be hacked again.

    3) If you're running a non-core theme, run Theme Check on the theme + if there are exploit vectors add this theme to your banned theme list.

    ThemeForest is the worst. I’ve tested… probably close to 300 themes from TF at this point + only two themes tested were clean. All other tested themes contained some form of exploit vector (backdoor).

    4) Disable the ability to run *.php files via external URL. So http://foo.com/foo.php should fail to execute. Then add exceptions to allow *.php files to be run from localhost, if you use system cron, rather than WP cron… or… if some external service requires running *.php files by URL (shudder), create exceptions to allow running only the required *.php files from the external service's published IP addresses.

    At this point your site’s runtime environment will be secure enough to unhack your site.

    Yes, all these points are quite impressive for checking whether any backdoors are left on the site or not. You can try these steps.

  • The topic ‘Can I use this Guide to clean up a hacked WP?’ is closed to new replies.