Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
The problem is I can’t log in or access the site, so I can’t change the password or keys or see what users are there, and they don’t have any backups of the site.
Right, you’ll need to follow all of the things in the guide, many of which deal with not being able to log in.
After this is all cleaned up, you really should keep some backups too.
http://codex.wordpress.org/WordPress_Backups
I don’t see anything on that link regarding what to do if I can’t log in.
If I’m having trouble reading it and understanding, can you please copy/paste the paragraph that talks about what to do if I can’t log in?
Sure, look for the section under “Find and remove the hack.”
Sorry about that, the document has changed around a bit since I last remember it.
@literalpoet, apart from the WordPress login, there is also a login to the website hosting. Using the hosting login or FTP access you can access the files and database of your website. Someone at your work, possibly the bookkeeper, will have details on the web hosting. Then there is also the name registration; this is separate from the hosting.
So it may be circuitous but there are ways back in.
Hi
If you’re getting a 403 forbidden it could be a couple different things.
1 – Log in via FTP / SFTP and look at your .htaccess. Sometimes attackers like to be funny and block all traffic by denying all traffic. Not very funny to you, but very funny to them.
2 – If that’s not it, check with the host to see if they have your IP blocked – sometimes they shut access to the site if they notice it’s been compromised. Annoying, I know.
Usually, one of those two things will address the problem.
Once you can regain access, you can then follow the steps here to regain access to the box itself: http://codex.wordpress.org/Resetting_Your_Password
Another option is to use something like Adminer or phpMyAdmin via your host control panel.
What you’re facing is known as Defacement. It’s often very simple, but can be very annoying. If you’re lucky, you’ll find the defacement in the index.php file at the root of the install or in the root of your theme files.
If you’re unlucky, they’ve injected into your widgets, etc. Either way, not to worry, it’s easy enough to repair (in most cases).
This should help you regain access and start the process of getting cleaned up.
All the best
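The .htaccess check from step 1 above, as an added example that is not part of any post in this thread: it reads a downloaded .htaccess and reports deny-all rules that apply to the whole site, while ignoring ones scoped to specific files (such as the common wp-config.php protection). The function name, the sample file, and the choice to treat only `<Files>`/`<FilesMatch>` as scoped are assumptions of this example.

```python
import re

# Constructed sample .htaccess: stock WordPress rules, a normal scoped
# protection for wp-config.php, and two site-wide deny rules.
SAMPLE = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
deny from all
"""

# Directives that refuse every client when not limited to particular files.
BLANKET = (
    re.compile(r"^deny\s+from\s+all\b", re.I),       # Apache 2.2 syntax
    re.compile(r"^require\s+all\s+denied\b", re.I),  # Apache 2.4 syntax
)
OPEN = re.compile(r"^<\s*(\w+)")
CLOSE = re.compile(r"^</\s*(\w+)")
SCOPED = {"files", "filesmatch"}  # assumption: these narrow a rule to named files


def find_blanket_denies(text):
    """Return [(line_number, directive)] for deny-all rules outside scoped blocks."""
    findings, stack = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif OPEN.match(line):
            stack.append(OPEN.match(line).group(1).lower())
        elif any(p.match(line) for p in BLANKET) and not SCOPED & set(stack):
            findings.append((number, line))
    return findings


if __name__ == "__main__":
    for number, directive in find_blanket_denies(SAMPLE):
        print(f"line {number}: {directive}")
```
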