Support » Fixing WordPress » Recently Hacked? Quick fix here.

  • bmac


    It seems this is a huge problem, possibly with old / outdated WP sites (automated hack?). I don’t want to give the group more publicity, but their name includes the word ‘Crows’.

    I am not sure of the vulnerability, but I’ve developed a ‘routine’ by fixing so many that I thought I would share.

    With what little expertise I have, it seems to be an old WordPress + character encoding vulnerability that adds encoded javascript to a custom text widget (and removes all your sidebars). Luckily this doesn’t seem very destructive of a hack. Of that I’m thankful for, lol.

    Fix it:

    1) Log in to your admin panel (you should be able to).
    2) Go to Settings -> Reading and change the character encoding to UTF-8 from UTF-7.
    3) Go to Settings and change your page title back to normal
    4) Go to Appearance -> Widgets and delete their text widget

    Get your old text widgets back:

    It seems all old sidebar widgets are deleted in place of their own custom text widget. If your site has some custom text widgets with HTML that you really don’t feel like redoing, do this.

    1) Go to Google and type in your site’s URL.
    2) Hover the > arrow next to the search result and click on the ‘cached version’.
    3) View page source and copy the HTML that goes in your custom text widget, and recreate the custom text widget with the copied HTML.

    From here you should have your website in the same condition it was before you got hacked.

    Backup and update your site:

    After this, I would backup your database (cpanel, phpmyadmin), and zip your entire site, should an update break anything in your current site/theme/plugin files.

    I’m not sure if being up-to-date will prevent you from being hacked again, but its the best prevention you can do.

    Hopefully this can help someone else!

Viewing 3 replies - 1 through 3 (of 3 total)
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Recently Hacked? Quick fix here.’ is closed to new replies.