I've just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.
Disclaimer : This is not the way to go, but just a way I followed.
Setup : WP 3.3.2. The site had been live, but not updated since March 2012.
Perpetrator : Haxorsistz
Morale : Do remember to update both WP and plugins regularly
The site was defaced on all pages with a death note for the admin (it's a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.
Here's what I did to recover the site:
- Access site by FTP and PHPAdmin
- Backup to separate location
- Check the errorlog
- Search the server for recently changed files
- Update WP (I did it through a one-click installer in cPanel)
- Upload a clean twentyeleven theme
- Sift through the _options table in the database.
- Deface code was in fields blogname and widget_text
- Set new password for DB and change wp-config accordingly
- Set new salt in wp-config according to inline instructions in that file
- Reset the encoding, it had been changed to UTF-7