You never expect it to happen to your website. You think they will not be interested in such a small player like you. Why would anyone want to hack your website? Well, they do. Any website really, and WordPress is the number one target. Just as Windows is the favourite operating system to attack because it is the most widely installed, WordPress is attacked most because it is the largest target. Most of these attacks are automated scans for vulnerable installs, not attacks on you personally.
In this post I will talk about the options for cleaning up or restoring a hacked WordPress website.
Restoring a Full Backup Scenario
If you do have a full backup of the website that is recent enough and known to be clean, by all means use that backup. Clean means it predates the compromise, so check the backup date against the earliest suspicious file or database change you can find before you restore, and update WordPress, themes and plugins straight after restoring, otherwise you restore the same hole along with the site. That is why we always recommend using a backup plugin like BackupBuddy to back up and store copies in a third-party location.
Partial Backup Scenario
If you do have a backup but it is somewhat older, you can keep the theme files after a thorough check and then:
- replace wp-admin,
- replace wp-includes,
- replace the plugin directories with new copies,
- clean up the other wp-content directories, and
- check all the files in the web root.
Admin and Includes
The wp-admin and wp-includes folders are core folders that you never edit, so they can be replaced outright. Preferably do not overwrite them: remove them completely and replace them with fresh copies of the same WordPress version from the WordPress repository. Overwriting leaves in place any file the attacker added under a name that does not exist in the release, and that is exactly where backdoors get dropped.
Web root
The files in the root also tend to match a basic setup, but files like .htaccess and wp-config.php are unique to your site and need to be checked separately by hand: look for rewrite rules you did not write and for code appended to wp-config.php. Files that are not unique, like
- index.php,
- wp-activate.php
- wp-blog-header.php
- wp-comments-post.php
- wp-config-sample.php
- wp-cron.php
need to be replaced with originals from the same WordPress version. It is always good to compare the root of a standard clean setup with yours. Sometimes files look like standard WordPress files but aren't.
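The replacement procedure above, as an added shell example that is not from the original post. It assumes you have downloaded the official release archive for the exact version you run (it unpacks to a top-level wordpress/ directory) and that the paths are illustrative. The first function removes and re-creates wp-admin and wp-includes and copies the release's root files over yours, leaving wp-config.php, .htaccess and wp-content alone; the second lists root files the release does not contain, which is the "looks standard but isn't" check.

```sh
#!/bin/sh
# Added example (not from the original post): replace the WordPress core
# directories and non-unique root files of a site with copies from a clean
# release archive, keeping wp-config.php, .htaccess and wp-content in place.
# Assumptions: the archive is the official wordpress-X.Y.Z.tar.gz for the
# version you run (it unpacks to a top-level "wordpress/" directory) and the
# paths given are illustrative.

# Usage: replace_core /path/to/site /path/to/wordpress-X.Y.Z.tar.gz
replace_core() {
    site=$1
    archive=$2
    work=$(mktemp -d)
    tar -xzf "$archive" -C "$work"
    clean="$work/wordpress"
    if [ ! -d "$clean/wp-admin" ] || [ ! -d "$clean/wp-includes" ]; then
        echo "not a WordPress release archive: $archive" >&2
        rm -rf "$work"
        return 1
    fi

    # Remove, do not overwrite: a file the attacker dropped under a name that
    # does not exist in the release would survive a plain copy-over.
    for d in wp-admin wp-includes; do
        rm -rf "$site/$d"
        cp -R "$clean/$d" "$site/$d"
    done

    # Root files: take every regular file from the release. wp-config.php and
    # .htaccess are not part of the release, so they are left untouched and
    # must be checked by hand.
    for f in "$clean"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$site/$(basename "$f")"
    done
    rm -rf "$work"
}

# Usage: extra_root_files /path/to/site /path/to/wordpress-X.Y.Z.tar.gz
# Prints regular files in the site root that the release does not contain.
# wp-config.php and .htaccess are expected; anything else needs a look.
extra_root_files() {
    site=$1
    archive=$2
    work=$(mktemp -d)
    tar -xzf "$archive" -C "$work"
    for f in "$site"/* "$site"/.[!.]*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ -e "$work/wordpress/$name" ] || echo "$name"
    done
    rm -rf "$work"
}
```

Run extra_root_files first and read the list: a file named like a core file (wp-conf.php, wp-login-old.php) that the release does not ship is a finding, not noise. Plugins are not handled here because each one has to come from its own page on wordpress.org at the version you run.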
Uploads
The uploads folder inside wp-content is one you also want to keep, since it contains all your media. It does have to be checked for contamination though: the web server must be able to write there, which makes it a favourite place to drop a backdoor. The folder should contain media only, so any PHP file found under it is suspect.
Database
If you need to keep the database as well, you may need to clean that up too. Sometimes spammy SEO data is added, for example; sometimes junk is injected into articles or products; and it is worth checking for administrator accounts you did not create. With MySQL Workbench, phpMyAdmin or another tool it is relatively easy to run queries against the posts, options and users tables to find these.
Tools
There are tools you can use to clean up. Some are run by your host, like SpamAssassin; some you can use on your site directly, like Wordfence or iThemes Security, both WordPress plugins. Others are good old-fashioned command line tools.
Plugins
Wordfence is an excellent plugin that will help you dig up contaminated files, but there is never a guarantee it catches everything. So also do some manual work with the commands mentioned later on. iThemes Security does pretty much the same thing and offers some login security options out of the box, for which Wordfence has a separate plugin.
Sucuri and Google Webmaster Tools
Another option is online scanner tools like Sucuri, which will scan your site for you and let you know where potential issues are. Google, Chrome and Firefox will tell you when your site is infected too, but they will not show more details. Once they have located infected pages they will also show warnings to users in the browser, and that will stop most from visiting your page. That is often how you find out, and panic. Sucuri might locate the issue before you get blacklisted and does not report it to anyone, so you have time to clean up.
Google Webmaster Tools will see the same, but can pinpoint the affected pages better. It will tell you whether it is a phishing issue or content injection. See the Google Developers article for more on that.
Search Files for Contaminated Code
As said, you can also use command line tools to check files for contaminated code, that is, code injected with malware or spam. For that we mostly use grep and find:
grep -rnw -e "pattern" directory
(-r recurses into the directory, -n prints line numbers, -w matches whole words only)
grep -nrl "badcode" domain.com --exclude-dir=cache
(-l lists only the matching file names; --exclude-dir takes a directory name, not a path, so every cache directory at any depth is skipped)
find directory -name 'pattern'
Base64 and Hex Code
The code or pattern we tend to look for is base64 or hex code, which is used a lot to obfuscate the code they added, and variations like
- base64_decode
- gzinflate(base64_decode
- eval(gzinflate(base64_decode
- eval(base64_decode
Readymade Grep Commands
Here are some readymade grep commands. Note that the bare "eval" pattern also matches harmless words such as "retrieval", so expect to sift through the result:
grep -lr --include=*.php "eval(base64_decode" /path/to/webroot
grep -lr --include=*.php "eval" .
grep -lr --include=*.php "base64" .
Find Hex Code
The only thing we have not looked for yet is code hidden in hexadecimal escapes. This is sometimes done to double-hide things: base64 inside hex-escaped strings, which PHP decodes when it evaluates a double-quoted string. You can search for that using
find . -type f -name '*.php' -print0 | xargs -0 grep -il x29
x29 is the escape for ")", the closing bracket of the decoded call. The -print0 and -0 pair keeps file names with spaces from being split.
Modified Code Check
It is also useful to check for files that have changed recently. You could use something like
find /home/mywebsite -type f -ctime -7
to list files changed in the last 7 days. This is very handy, as you usually have loads of files that are months old and only a few that changed recently. -ctime looks at the inode change time, which an attacker cannot reset with touch the way the modification time (-mtime) can be, so run the command with both.
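The searches from this section, the hex check and the recent-change check, together with the "no PHP in uploads" check from the Uploads section, as one added shell example that is not from the original post. It goes beyond the text in one place: the indicator list also includes gzuncompress, str_rot13 and strrev, which are used for the same purpose as gzinflate and base64_decode. Assumptions: GNU find, grep and xargs, a standard install layout, and skipping wp-content/cache because caching plugins legitimately write generated PHP there.

```sh
#!/bin/sh
# Added example (not from the original post): three searches over a WordPress
# tree. Assumptions: GNU find/grep/xargs and the path layout of a standard
# install; wp-content/cache is skipped because caching plugins legitimately
# store generated PHP there.

# Indicators from the text (eval, base64_decode, gzinflate, hex escapes) plus
# gzuncompress, str_rot13 and strrev, which are used the same way.
SUSPECT_RE='eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|strrev|\\x[0-9a-fA-F]{2}'

# Usage: scan_obfuscation /path/to/site
# Prints "path:count" for every .php file with at least one matching line,
# files with the most matching lines first. A ':' inside a path would
# confuse the sort; that does not occur in a normal install.
scan_obfuscation() {
    find "$1" -type f -name '*.php' -not -path '*/wp-content/cache/*' -print0 \
        | xargs -0 grep -cHE "$SUSPECT_RE" 2>/dev/null \
        | grep -v ':0$' \
        | sort -t: -k2,2nr
}

# Usage: php_in_uploads /path/to/site
# wp-content/uploads should hold media only. Any PHP there is suspect, and
# names like shell.php.jpg are listed too because some server configurations
# still hand those to the PHP interpreter.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php.*' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        2>/dev/null
}

# Usage: recently_changed /path/to/site DAYS
# Lists files whose content (mtime) or inode (ctime) changed in the last DAYS
# days. An attacker can reset mtime with touch(1); ctime moves to the current
# time whenever the inode changes, so a file with an old mtime but a fresh
# ctime is worth a look.
recently_changed() {
    find "$1" -type f \( -mtime "-$2" -o -ctime "-$2" \) \
        -not -path '*/wp-content/cache/*'
}
```

Every hit still has to be read, for the reasons given under False Positives below: base64_decode in a legitimate plugin and a single hex escape in an internationalised string both match. What the ranking buys you is that an injected file is usually a handful of lines full of indicators, so it floats to the top.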
NB: there is an excellent article on using all these commands by Greg Freeman: How to tell if your PHP site has been compromised.
False Positives
You still need to understand that some plugins or themes, though rarely, legitimately use base64, eval or hex code. So you cannot just search for these indicators and delete everything that matches. Replace with clean copies where you can, and do check what the code actually does when you cannot.
Often the injected code sits at the top of a file, before the clean code, and if you decode it you will see it is a web shell, for example, or a loader that puts spam on your pages. But do take your time. And always back up first.
File and Directory Permissions
It is always good to check that file and directory permissions are in order. Sometimes they never were, and sometimes the hacker adjusted them. Use the following to list directories and files whose permissions deviate:
find /path/to/webroot -type d -not -perm 755 -exec ls -ld {} \;
find /path/to/webroot -type f -not -perm 644 -exec ls -la {} \;
To set them, swap the ls for chmod, e.g. -exec chmod 755 {} \; for directories and -exec chmod 644 {} \; for files.
644 for files and 755 for directories work for the majority of server setups. They make sure that only the owning user (often the web or hosting account) and root can change these files or directories, while everybody else can only read them. Because wp-config.php holds the database password, it is commonly set stricter, e.g. 640 or 600. Sometimes people get stuck making WordPress work and then use 777. This is very bad: it makes the file or directory writable by every user and process on the server, so any other compromised account on a shared host can alter it.
File Comparison
If you do have a decent backup, you can also do a file comparison to see which files have changed and then check the code in detail. This is basically what Wordfence does too, against the WordPress repository. Two commands are often used: diff and md5sum. The former I use the most. Here are two example commands:
diff -qr www/ backups/full-backup-20120124/
(-q only reports which files differ, -r recurses; files that exist on only one side are reported as well, which is how you spot dropped files)
and
md5sum <current-page> <backup-page>
which prints one hash per file for you to compare by eye.
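The same comparison done for a whole tree rather than one file at a time, as an added shell example that is not from the original post. It builds an md5 manifest of the clean backup and reports every file that is changed, missing or extra on the live site, so a dropped backdoor shows up as EXTRA even though diff of any single known file would be silent. Assumptions: GNU coreutils md5sum, find and xargs; wp-content/cache is skipped as before.

```sh
#!/bin/sh
# Added example (not from the original post): compare a live site against a
# known-clean backup using an md5 manifest instead of eyeballing md5sum lines.
# Assumptions: GNU coreutils md5sum/find/xargs and awk; wp-content/cache is
# skipped.

# Usage: build_manifest /path/to/tree > clean.md5
# One line per file: "<md5>  ./relative/path", the format md5sum -c accepts.
build_manifest() {
    ( cd "$1" && find . -type f -not -path './wp-content/cache/*' -print0 \
        | xargs -0r md5sum )
}

# Usage: check_tree clean.md5 /path/to/live
# Prints CHANGED, MISSING or EXTRA followed by the path. Paths are taken from
# column 35 onward (32 hex digits plus two spaces), so spaces in names are fine.
check_tree() {
    manifest=$1
    live=$2
    current=$(mktemp)
    build_manifest "$live" > "$current"
    awk '
        FILENAME == ARGV[1] { clean[substr($0, 35)] = $1; next }
        {
            p = substr($0, 35)
            seen[p] = 1
            if (!(p in clean))        print "EXTRA " p
            else if (clean[p] != $1)  print "CHANGED " p
        }
        END { for (p in clean) if (!(p in seen)) print "MISSING " p }
    ' "$manifest" "$current"
    rm -f "$current"
}
```

Keep the manifest of a known-good state somewhere outside the web root; once the site is clean, rebuilding it and re-running check_tree is a cheap way to notice the next change before a search engine does.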
Conclusion
Well, we have mentioned a lot of tools here. The key is of course to back up and to have a secure host, including an up to date WordPress website. Always remember that just because a website has been launched it doesn't mean you are done. You always have to remain vigilant.