Clean up of one hacked site (7 posts)

  1. mort3n
    Posted 2 years ago #

    I've just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.

    Disclaimer : This is not the way to go, but just a way I followed.

    Setup : WP 3.3.2. The site had been live, but not updated since March 2012.
    Perpetrator : Haxorsistz
    Moral : Do remember to update both WP and plugins regularly

    The site was defaced on all pages with a death note for the admin (it's a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.

    Here's what I did to recover the site:
    - Access site by FTP and PHPAdmin
    - Backup to separate location
    - Check the errorlog
    - Search the server for recently changed files
    - Update WP (I did it through a one-click installer in cPanel)
    - Upload a clean twentyeleven theme
    - Sift through the _options table in the database.
    - Deface code was in fields blogname and widget_text
    - Set new password for DB and change wp-config accordingly
    - Set new salt in wp-config according to inline instructions in that file
    - Reset the encoding, it had been changed to UTF-7

    Resources :

  2. Viscosity
    Posted 2 years ago #

    To clean up, uninstall and reinstall all of WordPress in order to perform a clean wipe-out of anything which may contain a backdoor left behind.

  3. stabiasport
    Posted 2 years ago #

    Even my website was hacked two days ago by this team and I noticed that I changed the encoding to UTF-7 and changed the name of the title. I changed everything. Now I am sure? What do I need to do to not suffer more attacks?

  4. mort3n
    Posted 2 years ago #

    A fresh install of WP is one way to go. I checked for recent file modifications. After that, as noted above, I updated WP.

    The attack appears to have been an SQL-injection.

    Do also check widget_text in your _options table.

    To prevent it from happening you could use the advice about
    and perhaps install a security plugin such as (just one example)


  5. Viscosity
    Posted 2 years ago #

    There are several things in which you have to look into.

    For the application, a fresh clean-up and reinstall helps to clear up the mess. Reinstall and update all your required plugins, then do a full backup. Using security plugins like BulletProof Security, Wordfence, Timthumb Vulnerability Scanner, Theme Authenticity Checker (TAC), etc. does not guarantee you that your site is not hackable.

    For the network, disable all your FTP and SSH when you are not using them connected to your panel. Use a strong password with a minimum length of 15 characters, containing upper and lower case letters, numbers and special characters, to prevent any dictionary attack on your password.

    The attack appears to have been an SQL-injection.
    What makes you so sure it is an SQL attack? If so, then you're gonna look into your SQL updates and version used.

    It did mention clearly the steps to take to harden your wordpress.

    External Service
    Cloudflare & Incapsula help to reduce your chance of getting hacked even though you are using their free service.

  6. stabiasport
    Posted 2 years ago #

    Thank you.
    Can you provide the exact path? widget_text in your _options table.

  7. mort3n
    Posted 2 years ago #


    In your database you have a table called yourprefix_options. That is the table I refer to.

    In the table there is a field called widget_text. Apart from the blogname field, that is where I found altered content.
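
One way to run the options check described in this thread, as an added example that is not part of the original posts: in a stock WordPress schema `blogname` and `widget_text` are `option_name` values in the options table, and the site encoding is kept in `blog_charset`. The `wp_` prefix, the constructed sample rows and the three markup patterns are assumptions; the query is exercised here against an in-memory SQLite copy of the table.

```python
import re
import sqlite3

# Portable SQL; in phpMyAdmin replace {table} with yourprefix_options.
# The markup patterns are assumed indicators, not strings taken from the thread.
AUDIT_SQL = """
SELECT option_name,
       CASE
         WHEN option_name = 'blog_charset' AND UPPER(option_value) <> 'UTF-8'
           THEN 'charset is not UTF-8'
         WHEN option_name <> 'blog_charset' AND (
                LOWER(option_value) LIKE '%<script%'
             OR LOWER(option_value) LIKE '%<iframe%'
             OR LOWER(option_value) LIKE '%+adw-%')  -- '<' written in UTF-7
           THEN 'markup in option value'
         ELSE 'ok'
       END AS finding
FROM {table}
WHERE option_name IN ('blogname', 'widget_text', 'blog_charset')
ORDER BY option_name
"""

def audit_options(conn, prefix="wp_"):
    """Return {option_name: finding} for the three options reviewed in the thread."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):  # prefix becomes part of the SQL text
        raise ValueError("unexpected table prefix")
    rows = conn.execute(AUDIT_SQL.format(table=prefix + "options"))
    return dict(rows.fetchall())

def build_sample_db():
    """Constructed rows imitating the state described in the thread (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("blogname", "<script>/* constructed deface marker */</script>"),
        ("blog_charset", "UTF-7"),
        ("widget_text", 'a:1:{i:2;a:2:{s:5:"title";s:4:"Info";s:4:"text";s:9:"Open 8-16";}}'),
        ("siteurl", "http://example.invalid"),
    ])
    return conn

if __name__ == "__main__":
    for name, finding in audit_options(build_sample_db()).items():
        print(f"{name:13} {finding}")
```

Any row not reported as `ok` should be compared against a known-good backup before it is overwritten.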


Topic Closed

This topic has been closed to new replies.
