Clean-up of one hacked site : a view from the trenches

I’ve just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.

Disclaimer : This is not the way to go, but just a way I followed.

Setup : WP 3.3.2. The site had been live, but not updated since March 2012.

Perpetrator : Haxorsistz

Moral : Do remember to update both WP and plugins regularly.

The site was defaced on all pages with a death note for the admin (it’s a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.

Here’s what I did to recover the site:

– Access the site by FTP and phpMyAdmin

– Backup to separate location

– Check the error log

– Search the server for recently changed files

– Update WP (I did it through a one-click installer in cPanel)

– Upload a clean copy of the Twenty Eleven theme

– Sift through the _options table (wp_options by default) in the database.

– The defacement code was in the blogname and widget_text fields

– Set a new password for the DB user and change wp-config.php accordingly

– Set new salts in wp-config.php, following the inline instructions in that file

– Reset the encoding; it had been changed to UTF-7
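As an added example (not part of the original post), here is a small audit over the options that this clean-up found tampered with: it flags HTML markup in blogname / widget_text, flags a blog_charset other than UTF-8, and decodes UTF-7 shift sequences so markup hidden by that encoding becomes visible. SAMPLE_ROWS is constructed sample data, not the actual defaced content.

```python
import re

# Tags that have no business in a site title or text widget.
TAG_RE = re.compile(r"<\s*(script|iframe|object|embed|img|a)\b", re.IGNORECASE)
# The option names this post found defaced.
TEXT_OPTIONS = {"blogname", "blogdescription", "widget_text"}

# Constructed sample of (option_name, option_value) rows, as exported from wp_options.
SAMPLE_ROWS = [
    ("blogname", 'Kindergarten <script src="//example.invalid/x.js"></script>'),
    ("widget_text", "Opening hours: +ADw-iframe+AD4-"),   # "<iframe>" hidden in UTF-7
    ("blog_charset", "UTF-7"),
    ("blogdescription", "Just another site"),
]


def reveal_utf7(value: str) -> str:
    """Decode UTF-7 '+...-' sequences; returns the input unchanged if it is not UTF-7."""
    try:
        return value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def audit_options(rows):
    """Return (option_name, reason) findings for rows that look tampered with."""
    findings = []
    for name, value in rows:
        if name == "blog_charset" and value.upper() != "UTF-8":
            findings.append((name, f"charset is {value!r}, expected 'UTF-8'"))
        if name in TEXT_OPTIONS:
            decoded = reveal_utf7(value)
            if TAG_RE.search(decoded):
                hidden = " (only visible after UTF-7 decoding)" if decoded != value else ""
                findings.append((name, "contains HTML markup" + hidden))
    return findings


if __name__ == "__main__":
    for name, reason in audit_options(SAMPLE_ROWS):
        print(f"{name}: {reason}")
```

Dump the real rows with a SELECT on option_name and option_value and feed them to audit_options; the blog_charset check is there because a UTF-7 charset lets markup that looks like plain ASCII render as tags.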

Resources :

A WP Support thread