Virus / Hacked

 Help, I think I've been hacked/compromised

So you've carefully installed WordPress, you've made it look exactly how you like with a decent theme, you've maybe installed some fancy plugins and you've crafted some fine posts and Pages. In short, you've put a lot of time and effort into your site.

Then, one day, you load up your site in your browser, and find that it's not there, or it redirects to a porn site, or your site is full of adverts for performance-enhancing drugs. What do you do?

Some steps to take

    * Scan your local machine.
          o Sometimes the hacks have been introduced because a hacker has compromised a program on the computers being used to upload files. Give your local machine a full scan.

    * Check with your hosting provider.
          o The hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service, for example.

    * Change your passwords.
          o Change passwords for the blog users, your FTP and MySQL users.

    * Take a backup of what you have left.
          o If your files and database are still there, consider backing them up so that you can investigate them later at leisure, or restore to them if your cleaning attempt fails. Be sure to label them as the hacked site backup, though...

    * Read Donncha O Caoimh's guide on what to do.
          o Donncha wrote a good article on what to do if you suspect a hack. It is well worth reading through and acting on, as it goes into more depth than this page.

    * Read How to clean your hacked install on Smackdown!
          o Again, this goes into detail on the steps you might need to take.

    * Check your .htaccess file for hacks.
          o Hackers can use your .htaccess to redirect to malicious sites from your URL.

    * Consider deleting everything.
          o A sure way to remove hacks that currently exist is to delete all the files from your web space, and clear out your WordPress database. Of course, if you do this, you would need backups to restore to, so ...

    * Consider restoring a backup
          o If you restore a known, clean backup of your WordPress database, and refresh your WordPress, plugin and theme files through FTP, that will ensure all those bits are clean of malicious code. At the very least ...

    * Replace the core WordPress files with ones from a freshly downloaded zip.
          o Replacing all your core files will ensure nothing is left behind in them in a hacked state. Remember to replace plugins and theme files, too.

    * Upgrade!
          o Once you are clean, you should upgrade your WordPress installation to the latest software. Older versions are more prone to hacks than newer versions.

    * Change the passwords again!
          o Remember, you need to change the passwords for your site after making sure your site is clean. So if you only changed them when you discovered the hack, change them again now.

    * Do a post-mortem.
          o Once your site is recovered, check your site logs to see if you can discover how the hack took place. Donncha's article goes into detail on this.

