Help! Phishing attack :(

Viewing 12 replies - 1 through 12 (of 12 total)
  • Moderator cubecolour


    1. I doubt it but I don’t use it so I don’t know. I’ve added the BackWPUp tag to this topic, so someone who uses that plugin may chip in with a better answer.

    2. copy the files in & for the db see:

    3. if both the file & database backups are good then yes, but if it hasn’t been tested before we have no way of knowing

    4. Probably the least of your worries at the moment, but it’s not likely to improve it


    Some resources that may help:

    You need to start working your way through these resources:

    Additional Resources:

    Thanks for the info cubecolour. This really is a can of worms 🙁 Seems to be that there’s really not a lot I can do until the host allows me access to the back end so I can get a fresh back-up – IF they will allow it.

    At that stage I go through the process in “FAQ_My_site_was_hacked” right? And try to clean out the code. Which sounds like a total nightmare for a newb.

    If anyone is familiar with BackWPUp, I’d love to know if they have some advice. Specifically, does it make a back-up anywhere other than the failed DropBox attempt? Perhaps into a folder I can access via cPanel (again, IF I’m given access back)?

    So annoyed, thought it was happily backing up every day for the past 2 months.

    If you do not have a backup of your site, request your host for a backup of the site, including database. Most hosting companies do have this facility. Who is your host? Can you post the URL of your site?

    Thanks Krishna. I have still not heard back from the host’s tech dept (getting pretty frustrated at the delay now) but I will request this. URL is

    So I finally heard back from the tech guys at my hosting company. They have made a back-up of the cPanel which I have now downloaded via FTP. Their email reads as follows:

    We have generated a full cPanel account backup and have placed it under the account root folder. Also we have enabled ftp access for the account, you can access the account through ftp and download the backup file. Please note that you would need to extract and clean up this backup, since the backup was generated from the account in its current, compromised, state.

    A reset will be required to unsuspend your account. Please understand you will lose ALL data including any email addresses set up. Please confirm you understand this and wish to proceed and please provide us with the last 4-digits of your credit card we have on file for you. Please also put Yes or No next to each of the following. We will not proceed until you do:

    I understand all website files will be deleted:
    I understand all email messages and addresses will be deleted:
    I understand all addon domains/subdomains will be deleted:
    I understand all databases will be deleted:

    Again, apologies if my questions are dumb, but what now…?

    1. Will the host’s “full cPanel backup” include my database – Krishna said I should make sure I’ve got this?

    2. There’s nothing else my host can/should do right? Should I just answer ‘Yes’ to all their questions and get them to push the button asap?

    3. Is it simple to clean up this compromised back-up? Are there step-by-step instructions on doing this anywhere, that a non tech person could follow?

    4. Do I need to do anything else to preserve all my images/links? I was confused by point 2 on this page you directed me towards:

    5. Anything else I should know or any other advice/instructions?

    Thanks guys!!

    The most important thing is your database. If you can get it you can still rebuild your site. Anyway you should have kept a backup of your database, which you should have done and you failed to do. What else can you do now? The problem is that under the terms and conditions you agreed while you signed up, you agreed to all these conditions. Moreover, keeping a hacked site in the server will infect all other sites there if it is a shared hosting account.

    Anyway, download them and have a look at it. Possibly the database also will be there. In that case, there is nothing much to worry about as it can be disinfected/ cleaned.

    I did try to make back-ups every day but didn’t read the logs – my bad. I do also have a clean back-up from 2 months ago if all else fails.

    Where will I find the database? Is it the files in mysql? I have horde.sql, radsh482_radshot_wp.create and radsh482_radshot_wp.sql

    The database is in the files with .sql extn.

    Great. So could you answer my other q’s?

    What you can do is as follows:
    Make a copy of your sql files and open them using a text editor and see if all the content is there. Then you can set up a local host like WAMP or XAMPP (search and download free) and recreate your site locally and upload. Cleaning the database involves removing unusual characters and codes inserted by hackers.

    Once everything is fine, you can re-upload to your site.

    Looking in my cPanel via FTP, I can see a sub folder within the public_html folder called:

    This is the same name as the page that got the site suspended in the first place (it ended with my domain name).

    Within this folder are several more folders, including one called Credit-card.htm

    Is it possible that deleting this alone would clean the site? Obviously it would be best practice to go through everything with a fine tooth comb, but I thought I should mention this.

    Lastly, how is a newb like me supposed to spot “unusual characters and codes” if they are more carefully hidden in lines of code?!

    It is a little embarrassing, time-consuming, tiring and intimidating. But I think it is something good that happened to you because you can learn a few things that a self-hosted webmaster and site owner must know. It is essential to know because even if you are ready to hire someone, you may not get the right person in time. When you get someone it may be too late and you may lose everything.

    So, don’t you now think it is better to learn the basic things to keep your blog running without trouble?

    Like you describe, anything that does not belong to you and looks suspicious needs to be treated as such. A little bit of searching around this forum will help you learn how to deal with it.
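Added example, not part of any post in this thread: a small Python scanner for the extracted cPanel backup that lists lines in web files and `.sql` dumps worth reviewing by hand before anything is re-uploaded. The indicator list, the function names and the sample dump lines are assumptions chosen for illustration; a hit is a lead for review and a clean result does not prove the backup is clean.

```python
import os
import re

# Indicators often left by injected code (assumed list); hits need manual review.
PATTERNS = {
    "obfuscated-eval": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*(display\s*:\s*none|(width|height)\s*=\s*\\?[\"']?0\b)", re.I),
    "remote-script": re.compile(r"<script[^>]+src\s*=\s*\\?[\"']https?://", re.I),
    "js-unescape": re.compile(r"document\.write\s*\(\s*unescape", re.I),
    "long-base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
SCAN_EXT = (".php", ".htm", ".html", ".js", ".sql")

def scan_text(name, text):
    """Return (name, line_number, label) for each indicator found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((name, lineno, label))
    return hits

def scan_backup(root):
    """Walk an extracted backup directory; scan web files and SQL dumps."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(folder, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if not fn.lower().endswith(SCAN_EXT):
                continue
            # PHP has no business in the uploads folder, whatever it contains.
            if "wp-content/uploads/" in rel and fn.lower().endswith(".php"):
                hits.append((rel, 0, "php-in-uploads"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_text(rel, fh.read()))
    return hits

# Constructed sample: two rows as they might appear in a wp_posts dump.
SAMPLE_SQL = (
    "INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to my blog.</p>');\n"
    "INSERT INTO `wp_posts` VALUES (2,'News','<p>Hi</p><iframe src=\\\"http://example.invalid/x\\\" width=\\\"0\\\" height=\\\"0\\\"></iframe>');\n"
)

if __name__ == "__main__":
    for hit in scan_text("sample.sql", SAMPLE_SQL):
        print(hit)
```

Run `scan_backup()` on the folder where the backup was extracted, on a local machine, and compare anything it flags against the clean backup from before the compromise.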
