Another friend got his self-hosted WordPress site hacked into. This also happened to several other bloggers last summer - see my post Don't get hacked! How to prevent WordPress blog hijackings for how they dealt with it.
He wrote this up for the people who were hosting his site, so it's for the technically inclined blogger who knows his or her way around FTP and databases. If that's not you and you find your WordPress blog hacked into, send your hosting company a link to this post.
Bottom line: make sure you are always running the most current version of WordPress. (The most current version as of this posting is 2.9.2.)
Backup
First, back up using the Export function of WP Admin before starting. Also use FTP to back up any custom theme files.
FTP
Make sure you have the most current version of your FTP client. Smart FTP is a good program to use; the current version is 4.0 and it costs around $60.
Fake users and admins
- At the host level, log in to cPanel and change the password. (Make it an easy password to remember, since you'll be changing it again.)
- Log in to wp-admin and change the password. (Make it an easy password to remember, since you'll be changing it again.)
- While changing your password in wp-admin, check for any strange admins that may have registered. There should only be the blog owner and anyone else they have given privileges to. Unauthorized admins and fake users could be named MYSQL and Feedburner. You may also find that you have one or two "hidden" admins. Follow these steps to get rid of them.
Update WordPress and Plugins
- Next, make sure that you are using the most current version of WordPress and all the plugins. Update any as necessary through Smart FTP.
- If you are already up to date, you will still need to overwrite all your files with a fresh download of WordPress and all plugins. Do this in Smart FTP and make sure you OVERWRITE the files.
Odd files
- Now that the files are updated, take a look in Smart FTP for anything unusual. Sort the files by date modified. You will most likely find a strange file or two. Compare the file list to the new versions you just uploaded. You could find odd files like "index.main.php" and other strangely named index and cat pages.
- Double check that the "odd" files are not part of the WordPress download and then delete them.
- Take a look at the .htaccess file in your root. It should only contain the block below, unless you are using a plugin like wp-cache that rewrites it; even so, those plugins should clearly identify their own sections. The code should be:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
You will more than likely find that your .htaccess has been changed. Edit it to match the code above, reupload it and then change its file permissions to 644.
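The "odd files" and .htaccess checks above can be done in one pass by comparing the live site against the fresh download you just fetched. This is an added example, not code from the original write-up or from WordPress; it assumes you have both trees on a local disk (e.g. pulled down with Smart FTP), and the sample trees it builds are constructed.

```python
import hashlib, os, tempfile

# The standard WordPress .htaccess block from the write-up, byte for byte.
WP_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def _digests(root):
    """Relative path -> SHA-256 of content for every file under root."""
    out = {}
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            with open(p, "rb") as fh:
                out[os.path.relpath(p, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare_trees(clean, live):
    """(extra, modified): extra = files the fresh download lacks (check, then delete;
    legitimate site data such as wp-content/uploads lands here too), modified =
    files in both whose bytes differ (overwrite from the fresh copy)."""
    c, l = _digests(clean), _digests(live)
    return (sorted(p for p in l if p not in c),
            sorted(p for p in l if p in c and l[p] != c[p]))

def htaccess_is_clean(root):
    """True only if root/.htaccess holds exactly the standard block (a plugin
    that adds its own labelled section will also fail this, so read the diff)."""
    with open(os.path.join(root, ".htaccess"), "rb") as fh:
        return fh.read().replace(b"\r\n", b"\n").strip() == WP_HTACCESS.encode().strip()

def _write(root, rel, text, mode="w"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(text)

def make_sample():
    """Constructed stand-in for a fresh download and a tampered live site."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, live):
        _write(root, "index.php", "<?php require './wp-blog-header.php';\n")
        _write(root, "wp-includes/version.php", "<?php $wp_version = '2.9.2';\n")
        _write(root, ".htaccess", WP_HTACCESS)
    _write(live, "index.main.php", "<?php // not part of any WordPress release\n")
    _write(live, "wp-includes/version.php", "// appended line\n", "a")
    _write(live, ".htaccess", "# line that is not in the WordPress block\n", "a")
    return clean, live
```

Run compare_trees(fresh_download_dir, live_site_dir) on the real trees; anything in "extra" that is not wp-config.php, your theme or uploads is exactly the kind of file the step above tells you to delete.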
Install plugins
- Install and activate these three plugins:
- WP Security Scan
- WP Firewall Plugin from SEOegghead.com
- WordPress Exploit Scanner
Run plugins
- Run Exploit Scanner. You will find it under the Dashboard link. It probably won't find anything, but do it anyway.
- Run Security. You will find it at the very bottom of your left column. It will probably give you a list of things in red that it finds. You are going to fix those next.
- Run Security-Scanner. This lists all your file permissions that are out of whack. You need to fix these in Smart FTP.
Fix the database
- Click back to Security-Security. These are the things you are going to fix. (WARNING! You NEED to know your way around your database for this. Don't attempt it if you are not completely comfortable. You have to do this to make the WordPress blog as secure as possible, so you may need to get some help if you are unsure what you are doing.)
- Log in to your cPanel and go to "MySQL Databases." Under Current Databases delete the user that is there; there should only be one. Go back. Add a new user with a very strong password. Give that user permission to access that database, with all privileges.
- Now go back to the cPanel home. Navigate to phpMyAdmin. Back up your database. Here's how.
- Follow the steps here to change your wp_ prefix.
- Go to Smart FTP. Edit wp-config.php in your root (public_html unless you have your blog in a folder) with the new password and the new DB prefix. Use the WP link provided to change your secret keys too. Save and reupload.
- Move your newly uploaded wp-config.php one level up. This means that if it is in public_html you drag it all the way up to the IP folder at the top and drop it there. If the blog is in a folder, don't do this.
- Double check that everything is OK. If you are prompted to re-install WordPress, you did something wrong. Don't panic; just repeat steps 16, 17 and 18.
- Now back to the database. Click on Structure, then on _users and Browse. Edit admin. Change admin to your new user name. You will change it in 2 or 3 spots depending on how you had it set up to begin with. You will log in to WP with that name now instead of the default "admin."
- Go to the WordPress admin panel. You will be prompted to log in again with your new user name.
- Click on Security-Security again. The last thing in red you should see is a prompt about putting an .htaccess in the wp-admin folder. If the blog owner consistently accesses the panel from one or two computers with a static IP, then this is a GREAT security step. However, if they use a dynamic IP and/or access their WordPress panel from other computers, don't do this. If they share this blog with someone else, you will need to put their IPs in as well. Here's how.
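The database side of the clean-up, as an added example that is not part of the original write-up or of WordPress: it covers the "fake admins" check from the first section (which users actually hold the administrator role) and the prefix-change and "edit admin" steps above. It uses an in-memory SQLite database as a stand-in for the MySQL one behind phpMyAdmin, so SHOW TABLES and CONCAT become sqlite_master and || here; the table contents and the k7q_ prefix are constructed.

```python
import sqlite3

# Constructed sample of the three WordPress tables the write-up has you edit;
# SQLite stands in for MySQL (assumption), hence sqlite_master and || below.
SAMPLE_SQL = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_nicename TEXT, display_name TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
INSERT INTO wp_users VALUES (1,'admin','admin','admin'), (2,'jo','jo','Jo'), (3,'MYSQL','mysql','MYSQL');
INSERT INTO wp_usermeta VALUES (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'), (1,'wp_user_level','10'),
  (2,'wp_capabilities','a:1:{s:6:"editor";b:1;}'), (2,'wp_user_level','7'),
  (3,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'), (3,'wp_user_level','10');
INSERT INTO wp_options VALUES ('wp_user_roles','a:5:{...}'), ('siteurl','http://blog.example');
"""

def open_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def list_admins(conn, prefix="wp_"):
    """Logins holding the administrator role (PHP-serialised in {prefix}usermeta)."""
    rows = conn.execute(
        f"SELECT u.user_login FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE ?",
        (prefix + "capabilities", '%"administrator";b:1;%')).fetchall()
    return sorted(r[0] for r in rows)

def unexpected_admins(conn, allowed, prefix="wp_"):
    """Admins the owner did not create: the fake admins the write-up warns about."""
    return [a for a in list_admins(conn, prefix) if a not in allowed]

def change_prefix(conn, old, new):
    """Rename {old}* tables and fix the two places the prefix also lives in row data."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for t in tables:
        if t.startswith(old):
            conn.execute(f"ALTER TABLE {t} RENAME TO {new}{t[len(old):]}")
    conn.execute(f"UPDATE {new}usermeta SET meta_key = ? || substr(meta_key, ?) "
                 "WHERE substr(meta_key, 1, ?) = ?", (new, len(old) + 1, len(old), old))
    conn.execute(f"UPDATE {new}options SET option_name = ? WHERE option_name = ?",
                 (new + "user_roles", old + "user_roles"))
    return sorted(r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"))

def rename_admin(conn, new_login, prefix="wp_"):
    """The 'edit admin' step: replace the default login in all three name columns."""
    cur = conn.execute(f"UPDATE {prefix}users SET user_login = ?, user_nicename = ?, display_name = ? "
                       "WHERE user_login = 'admin'", (new_login,) * 3)
    return cur.rowcount
```

If a prefix change misses the usermeta keys or the user_roles option, every login afterwards lands on the "you have no permissions" or re-install page mentioned above, which is why the script renames those rows together with the tables.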
Final steps
- Install the WP-DB-Backup plugin. Have a copy emailed to you and the blog owner at a frequency matching how often they post. (Note: I had to manually create the file on Smart FTP on each blog I installed it on. Make sure after you create the folder and the plugin installs correctly to change the permissions back to 777. Have it emailed to you so that it does not stay on the server with a 777 permission code.)
- Change the wp-admin password and cPanel password to something strong. Write these down!
- Last but not least, re-run both the Security and Exploit plugins. Then log in and out. Check everything. You should be good to go and way more secure than ever.
More help with WordPress security
- WordPress Security: Remove Wordpress Generator Meta Tag from How-to-Blog.tv
- WordPress Security Recap from How-to-Blog.tv
- SecurePress WordPress Plugin from How-to-Blog.tv