Title: Site Hacked -Scripts Compromised Last modified: August 21, 2016 --- # Site Hacked -Scripts Compromised * [Ifx](https://wordpress.org/support/users/ifx/) * (@ifx) * [11 years, 10 months ago](https://wordpress.org/support/topic/site-hacked-scripts-compromised/) * I received the following messages from my hosting provider: * _We could see mass mailing from your account and it is disabled now._ * I could see that your script installations are compromised. Please see account scan report below. * I don’t want to post the logs here but, I have the logs and several folders/files from the compromise, if it’s of use to someone who can help prevent this again. * I ended up shutting the entire site down because several plugin folders would not delete or kept reappearing after deletion. * Pls contact me if these logs would be of assistance… Viewing 3 replies - 1 through 3 (of 3 total) * Moderator [t-p](https://wordpress.org/support/users/t-p/) * (@t-p) * [11 years, 10 months ago](https://wordpress.org/support/topic/site-hacked-scripts-compromised/#post-5086920) * You need to start working your way through these resources: * How to clean and fix hacked WP blog: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) [http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/](http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/) [http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/](http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/) [http://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/](http://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/) * Harden your WP installation: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress) * Additional Resources: [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html) * [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/) * (@tvcnet) * [11 years, 10 months ago](https://wordpress.org/support/topic/site-hacked-scripts-compromised/#post-5086927) * Hi Ifx, Sadly, you really don’t have many options, other than to recover the site from a good backup, and then fully lock it down against future hackers. * The damage has already been done, so there is nothing an outside person can do for you, without login access and a few hours of time to fix. * I recommend you first start by asking your host how far back their backups for your site go. Then backup to the oldest one you are comfortable in doing. That may just get you back up and running nicely again. * Then likewise, work to change all of your passwords, hosting company pass, FTP, email accounts and WordPress admin passwords. * Of course, make sure to update everything immediately following the recovery process. * [BenSucuri](https://wordpress.org/support/users/rngdmstr/) * (@rngdmstr) * [11 years, 10 months ago](https://wordpress.org/support/topic/site-hacked-scripts-compromised/#post-5087024) * If you’re able to take a look at a spam e-mail with full headers you can often track down the script/file responsible for it. * PHP has an option to add a custom X-HEADER to the email header part. * It’ll show which script has been responsible for sending the message. * This can be done by adding the following to php.ini: * mail.add_x_header = On * After adding this option you’ll have to wait until a new spam sample is captured and read the message headers looking for something like: * X-PHP-Originating-Script: 33:spammer.php * That will be the culprit. There is likely more than one of those files, so once you track down the one file take a look at the code and see if there are any distinguishing bits that can be used to track down the others. * You can search within the contents of a file by using the ‘grep’ command if you are using an SSH connection. If you have a recent copy of your site locally ( or can download your site via FTP) you can just use a regular desktop search in that folder to see if you can find any other scripts/files that look similar. * But restoring from backup is much easier 🙂 Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Site Hacked -Scripts Compromised’ is closed to new replies. ## Tags * [Compromised](https://wordpress.org/support/topic-tag/compromised/) * [hacked](https://wordpress.org/support/topic-tag/hacked/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 3 replies * 4 participants * Last reply from: [BenSucuri](https://wordpress.org/support/users/rngdmstr/) * Last activity: [11 years, 10 months ago](https://wordpress.org/support/topic/site-hacked-scripts-compromised/#post-5087024) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics