I’ve just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.
Disclaimer: This is not the way to go, just a way I followed.
Setup: WP 3.3.2. The site had been live, but not updated since March 2012.
Perpetrator: Haxorsistz
Moral: Do remember to update both WP and plugins regularly.
The site was defaced on all pages with a death note for the admin (it’s a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.
Here’s what I did to recover the site:
– Access the site by FTP and phpMyAdmin
– Backup to separate location
– Check the error log
– Search the server for recently changed files
– Update WP (I did it through a one-click installer in cPanel)
– Upload a clean twentyeleven theme
– Sift through the _options table in the database. The deface code was in the fields blogname and widget_text
– Set new password for DB and change wp-config accordingly
– Set new salt in wp-config according to inline instructions in that file
– Reset the encoding; it had been changed to UTF-7
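The _options review from the list above can be partly automated. The following is an added example, not code from the original post: it flags a blog_charset that is not UTF-8 and markup (plain or UTF-7 encoded) in the text fields. It assumes the table rows have been exported as (option_name, option_value) pairs; the function names, the extra blogdescription check and the sample rows are constructed for illustration.

```python
import re

# Fields the post names as defaced, plus blogdescription (an added assumption).
TEXT_OPTIONS = {"blogname", "blogdescription", "widget_text"}
# Text widgets may legitimately hold HTML, so findings are for manual review.
ACTIVE_MARKUP = re.compile(r"<\s*(script|iframe|meta|style|object|embed)\b", re.I)

# Constructed sample rows, not data from the hacked site.
SAMPLE_ROWS = [
    ("blogname", "Kindergarten +ADw-script+AD4-"),
    ("blogdescription", "Just another WordPress site"),
    ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:25:"<iframe src=//x.invalid/>";}}'),
    ("blog_charset", "UTF-7"),
]


def decode_utf7(value):
    """Return value decoded as UTF-7, or unchanged if it does not decode."""
    try:
        return value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def audit_options(rows, expected_charset="UTF-8"):
    """rows: iterable of (option_name, option_value) from the _options table.
    Returns a list of (option_name, reason) findings."""
    findings = []
    for name, value in rows:
        value = value or ""
        if name == "blog_charset":
            if value.strip().upper() != expected_charset:
                findings.append((name, "charset is %r, expected %s" % (value, expected_charset)))
        elif name in TEXT_OPTIONS:
            if ACTIVE_MARKUP.search(value):
                findings.append((name, "contains active markup"))
            elif ACTIVE_MARKUP.search(decode_utf7(value)):
                findings.append((name, "contains UTF-7 encoded markup"))
    return findings


if __name__ == "__main__":
    for option, reason in audit_options(SAMPLE_ROWS):
        print(option + ": " + reason)
```

The UTF-7 decode matters because, with the charset switched to UTF-7, a value such as `+ADw-script+AD4-` contains no angle brackets when read as plain text.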
A WP Support thread