Website repeatedly hacked

  • Resolved cwinkler78


    Hi all. I’m hoping maybe someone can help me out with this. I’ve been banging my head My website has been hacked several times in the past week. Last week, it was taken down by:

    +ADw-/title+AD4-Hacker By Hacker alajman +ACo-// +ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    This week it is:

    +ADw-/title+AD4APA-META http-equiv+AD0AIg-refresh+ACI content+AD0AIg-0+ADs-URL+AD0 style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    They keep inserting a script with document.documentElement.innerHTML = unescape into my WordPress menus. (I have the full code if you need to see it) I have removed the script and gotten the site working again, only to have the problem reappear a few hours later. I have reset all of my passwords, completely deleted and reinstalled WordPress, upgraded my WordPress version, and installed a security plugin (Better WP Security) to close any gaps. But no matter what I do, this latest hack just keeps happening.

    I’m wondering if perhaps it’s something on my host ( If you Google the title they’ve been inserting there seem to be a large number of sites affected.

    Anyone have any experience fixing this? Tips, tricks, advice.. anything would be appreciated.

Viewing 15 replies - 16 through 30 (of 37 total)
  • I can’t be sure it’s a core issue.

    @houlejo: Then please do not make unfounded comments about core security. Your site being hacked is NOT a sign of a core security issue.

    It was a guess because it’s my second WordPress site hacked with this since yesterday.

    Then I would suggest that you did not completely remove all traces of the hack – including hidden backdoors – from your site. You need to start working your way through these resources:

    Additional Resources:

    @esmi : Ok. Thanks for the info.

    Thank you all so much for the help. I wanted to leave an update here in case anyone else has the same problem.

    I have two WordPress sites that I administer and I had made the following changes to one of the sites, but not the other. This morning, the site without the changes was hacked again. The one with the changes was not. I’m going to take that as a sign this fix works. =)

    Here’s how to get your site back online fast.

    Step 1 – Login to your WordPress dashboard as an administrator and go to Appearance -> Widgets. In my case, the two widgets I was using had been moved to the Inactive Widget box and replaced with a Text Widget in the sidebar.

    Step 2 – Open the Text widget and click the Delete link on the bottom left. Once you’ve deleted it, reset your widgets to the way they were prior to the hack.

    Step 3 – Next go to Settings -> Reading. Change your character encoding back to UTF-8. This will fix any lingering issues with your RSS feed and IE.

    Step 4 – Lastly, reset the Site Title & Tagline for your site. The location for this will vary based on your theme. For my site, I selected Appearance -> Themes and then clicked the Customize link for my theme.

    That will fix your site immediately. Clear out your cache and confirm that everything works.

    Now that your site is up and running, you will need to make it more secure so that this problem does not happen again.

    Step 1 – Change your passwords for your hosting service, WordPress, etc.

    Step 2 – Upgrade to the latest version of WordPress.

    Step 3 – If you have a backup of your site, do a restore to a version prior to the attack just for good measure.

    Step 4 – Login to your WordPress dashboard and install the plugin Better WP Security and resolve issues 1-19 on the dashboard. For item 20, you will need to enable/purchase SSL from your hosting provider. NOTE – some of the changes the plugin makes will break links or images on your website. You will need to go back and update all of them, but that is a small price to pay for having your site more secure. The easiest way to fix all of the links at once is to download an export of your blog’s content (Tools -> Export), open it in Notepad and do a find and replace.

    Step 5 – Move your wp-config.php up one level. You can find instructions for doing so on ProBlogger’s Take 5 Minutes to Make WordPress 10 Times More Secure post.

    Step 6 – Change your database password and make a note of it. How to do this will vary by host. For GoDaddy users, click here. For those with cPanel, click here.

    Step 7 – Go to your wp-config.php and open it in your favorite code editor. Update your database password to your newly updated password. Then go to the Secret Keys section and follow the instructions to update your keys.

    You have saved my life – I have the exact same issue through my Webhostingpad site. They “cleaned the site” only to have the same problem happen – same hack, same issues. I will follow these steps and hopefully I can get my site back on track as well!!

    Bummer, well I followed all of these steps and thought I was hack free until today. Same hack, same issues.

    @cwinkler78 – have you had any further problems?

    @cbouchard – I’m still hack free (knock on wood). Sorry the fix didn’t work for you.

    I’m not sure what else to recommend.

    @cwinkler78 – have you had any further problems.

    Thanks – it did supply some really great tips I am going to use on all the other sites I develop. Thanks again!

    @cbouchard, do you still experience these re-hacks?

    @shay – I’ve got a security expert (one of the top ranked ones on Elance) on it, but even he seems stumped. It seems that the problem is that the hacker is injecting the malicious code through photos in the uploads folder – but besides removing this folder I’m not sure what to do.

    Interesting, I wonder if this fix would help then

    At the bottom of the article it explains how to add some code at the bottom of your .htaccess file that prevents malicious PHP code from being inserted using images

    That’s sad to hear. Hopefully you’ve received a full refund from the elance person (who could not figure out the issue).

    A money back guarantee is something WordPress peeps should require of anyone doing security work (since solving the problem or recommending a solution is what you are paying him/her for respectively).

    @cbouchard, after having the exact same problem from the same hacker and getting re-hacked over and over again in the last 36 hours, I followed @cwinkler78’s instructions plus moved wp-config.php higher up in the directory hierarchy. I then changed the WP tables prefix again.
    I also wrote a Nagios script that determines if the site is being hacked by the same hacker so it won’t take long to fix the site if bad things happen.
    All of this was done a few hours ago; I’ll post again if I get re-hacked.

    @shay Thanks for the message. I passed it along to my security guy – do you mind sharing the Nagios script that you used? I am VERY interested in knowing if you get rehacked! Please keep me updated.

    @shay One more question – do you use I am going to switch hosts if this seems to be a problem on their end!

    @cbouchard, I do use… hmm.. makes me wonder.

    To determine if I get re-hacked I’m checking the website’s Title tag using the Perl script below.

    If you have Nagios, run this script like this:
    perl http://your_site_url "The title you are expecting to get"

    Here is the source of the Nagios script:
    use strict;
    use HTTP::Request::Common qw(GET POST);
    use LWP::UserAgent;

    # Arguments: the URL to check and the exact <title> text expected
    my $url = shift;
    my $html_title = shift;
    if (!$url) {
        print "URL is missing";
        exit 3;    # Nagios UNKNOWN
    }
    if (!$html_title) {
        print "html title is missing";
        exit 3;    # Nagios UNKNOWN
    }

    my $ua = LWP::UserAgent->new;
    # Send a random POST parameter with every request
    my $random = int(rand(9*time));
    my $req = POST $url,
        Referer => $url,
        Content => [
            'r' => $random
        ];
    my $answer = $ua->simple_request($req);
    $answer = $answer->as_string;

    # Take the text between <title> and </title>
    my $tmp = (split(/\<title\>/,$answer))[1];
    $tmp = '' unless defined $tmp;    # response had no <title> tag
    $tmp = (split(/\<\/title\>/,$tmp))[0];
    $tmp = '' unless defined $tmp;
    if ($tmp ne $html_title) {
        print "Title is not $html_title!";
        exit 2;    # Nagios CRITICAL
    }
    print "Ok.";
    exit 0;        # Nagios OK
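
A Python variant of the title check above that also covers the character-encoding change mentioned in the earlier fix steps (an added example, not part of any post in this thread). It assumes the injected `+ADw-…` strings are UTF-7 shift sequences, which is how they decode; the function names and the two sample pages are constructed for illustration.

```python
import re

UTF7_TOKEN = re.compile(r"\+[A-Za-z0-9+/]{2,}-")  # '+', base64 run, '-'
TITLE = re.compile(r"<title[^>]*>(.*?)</title\s*>", re.I | re.S)
CHARSET = re.compile(r"charset\s*=\s*[\"']?([\w-]+)", re.I)
MARKUP = set("<>\"'=")

def reveal_utf7(text):
    """Decode every valid UTF-7 shift sequence in text.
    Returns (revealed_text, count of sequences that decode to markup)."""
    count = 0
    def decode(match):
        nonlocal count
        try:
            chars = match.group(0).encode("ascii").decode("utf-7")
        except UnicodeError:
            return match.group(0)        # ordinary text, leave untouched
        if MARKUP & set(chars):
            count += 1
        return chars
    return UTF7_TOKEN.sub(decode, text), count

def check_page(html, content_type, expected_title):
    """Return (nagios_exit_code, message): 0 = OK, 2 = CRITICAL."""
    problems = []
    m = CHARSET.search(content_type) or CHARSET.search(html)
    charset = m.group(1).lower() if m else "unset"
    if charset != "utf-8":
        problems.append(f"charset is {charset}")
    t = TITLE.search(html)
    title = t.group(1).strip() if t else ""
    if title != expected_title:
        problems.append("title changed")
    _, hidden = reveal_utf7(html)
    if hidden:
        problems.append(f"{hidden} UTF-7 sequences decode to markup")
    if problems:
        return 2, "CRITICAL: " + "; ".join(problems)
    return 0, "OK"

# Constructed responses; the injected title is the string quoted in the first post.
INJECTED = ("+ADw-/title+AD4-Hacker By Hacker alajman +ACo-// "
            "+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-")
CLEAN = '<html><head><meta charset="UTF-8"><title>My Blog</title></head></html>'
HACKED = f"<html><head><title>{INJECTED}</title></head></html>"

if __name__ == "__main__":
    print(check_page(CLEAN, "text/html; charset=UTF-8", "My Blog"))
    print(check_page(HACKED, "text/html; charset=UTF-7", "My Blog"))
    print(reveal_utf7(INJECTED)[0])
```

Checking the declared charset as well as the title catches the case where the title has been restored but the encoding setting has not.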
