Hacked (pt.3) or how to clean a compromised WordPress site

The word 'hacked' within ones and zeros.
Source: iStock (10623991)

This is the kind of post that I’ve thankfully not needed to post for over nine years. Today one of my WordPress sites got compromised.

It all began with an email this afternoon from AntiVirus, a WordPress plugin that scans your theme templates for malicious code injections. The email read:

The daily antivirus scan of your blog suggests alarm.

I had to laugh at the phrase “suggests alarm”. But after I laughed, I accepted their suggestion and for a few moments felt alarm, before realising that panic was no use and besides, I knew what to do.

Two candidates

I’m still not 100% sure what caused the code injection but I currently suspect two potential sources of infection:

MailPoet

I may have been one of 50,000+ victims of the MailPoet vulnerability that was made public days before I went down with viral meningitis! I had that

As the MailPoet site states:

There was a security issue in all the versions of MailPoet lower to 2.6.8, this security issue was making your site highly vulnerable (blog post).

It can really only have been a plugin vulnerability, as I have to manually unlock FTP access whenever I want to upload anything. So it had to be an ‘inside job’. And I had MailPoet (formerly WYSIJA) installed on that account.

Outdated theme

Alternatively, it may have been a premium theme that I was using that had the Slider Revolution plugin embedded. This was reported to have a critical vulnerability last month.

I thought I had patched it… but perhaps, with my meningitis-muddled head, I didn’t do it properly.

How to clean an infected WordPress site

Whatever it was, it injected a bunch of obfuscated code into the top of all the PHP files on that site. A giveaway was that in the WordPress plugins screen all the plugins were disabled and reporting “the plugin does not have a valid header”.
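The two symptoms described above (code prepended to every PHP file, and plugins suddenly reporting an invalid header) are connected: when WordPress parses a plugin's header it reads only the first 8 KiB of the main plugin file, so anything prepended that pushes the "Plugin Name:" comment past that mark makes the plugin unreadable to WordPress. The following is an added example, written for this post rather than taken from it or from any plugin, that walks a site tree and reports three cheap indicators of that kind of injection: content before the first open tag, an abnormally long first line (the 512-byte threshold is an assumption), and a plugin header that sits beyond the 8 KiB window. The sample site it scans is constructed in a temporary directory.

```python
import os
import tempfile

# WordPress's get_file_data() reads only the first 8 KiB of a file when it looks for the
# "Plugin Name:" header; anything prepended that pushes the header past this mark makes
# the plugins screen report "The plugin does not have a valid header."
HEADER_WINDOW = 8 * 1024
# Heuristic threshold (assumption): hand-written PHP rarely has a first line this long,
# while a prepended obfuscated blob usually does.
LONG_FIRST_LINE = 512


def inspect_php_file(path):
    """Return a dict of symptoms found in one PHP file (empty dict means nothing odd)."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = {}
    tag = data.find(b"<?php")
    if tag == -1:
        findings["no_open_tag"] = True
    elif data[:tag].strip():
        # Non-whitespace content before the first open tag (e.g. injected HTML/JS).
        findings["bytes_before_open_tag"] = tag
    first_line = data.split(b"\n", 1)[0]
    if len(first_line) > LONG_FIRST_LINE:
        findings["long_first_line"] = len(first_line)
    header_pos = data.find(b"Plugin Name:")
    if header_pos >= HEADER_WINDOW:
        # The header exists but WordPress will never see it.
        findings["plugin_header_beyond_8k"] = header_pos
    return findings


def scan_tree(root):
    """Walk a site tree and report every .php file with at least one symptom."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            findings = inspect_php_file(path)
            if findings:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return results


# Constructed sample plugin (not a real plugin).
CLEAN_PLUGIN = b"""<?php
/*
Plugin Name: Constructed Sample Plugin
*/
function constructed_sample_hello() { return 'hello'; }
"""

# Constructed stand-in for an injected blob: one long, opaque line of valid PHP prepended
# to the real file. It does nothing; it only reproduces the shape of the symptom.
INJECTED_PREFIX = b'<?php $constructed_filler = "' + b"A" * 9000 + b'"; ?>\n'


def build_sample_site(root):
    """Create a tiny constructed site: a clean plugin, a plugin with the blob prepended,
    and a non-plugin file with junk in front of its open tag."""
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "clean"))
    os.makedirs(os.path.join(plugins, "injected"))
    with open(os.path.join(plugins, "clean", "clean.php"), "wb") as fh:
        fh.write(CLEAN_PLUGIN)
    with open(os.path.join(plugins, "injected", "injected.php"), "wb") as fh:
        fh.write(INJECTED_PREFIX + CLEAN_PLUGIN)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"constructed junk before the tag\n<?php echo 'hi';\n")


def demo():
    """Build the constructed site in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        print(rel, findings)
```

Run it against a real document root by calling scan_tree("/path/to/site") instead of demo(); a clean install should produce an empty result, and any file it lists is worth opening by hand before deciding whether to keep it.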

If something similar happens to you, then you might find the following steps useful:

  1. Change passwords for:
    1. WordPress admin
    2. FTP
    3. MySQL database
  2. Backup all the files on the site. (That took ages!)
  3. Delete all WordPress core files, including themes and plugins (do not delete user-uploaded content such as images and PDFs).
  4. Download a clean installation of WordPress.
  5. Upload clean WordPress files (except wp-config-sample.php).
  6. Rename wp-config-sample.php to wp-config.php, update with database details and upload.
  7. Upload a clean version of your theme (remove themes that you are not using).
  8. Install and activate required plugins including antivirus and security plugins.
  9. Check other PHP files for compromise, not just WordPress files.

I found this post on the WordPress support site useful: “I am getting hacked evry two weeks? Help please”. There are some useful links listed on how to clean a WordPress installation.

The main lesson for me to learn from this episode is to make sure I never get viral meningitis again when there are two (or more) critical vulnerabilities in the wild!

Oh, yeah, and always keep your WordPress themes and plugins updated… and if in doubt just delete them before they can cause any problems.

Update

Sunday 19 October 2014

It looks like, based on this blog post from Sucuri, “WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability”, that the source of the infection was indeed MailPoet.

Published by

Gareth Saunders

I’m Gareth J M Saunders, 46 years old, 6′ 4″, father of 3 boys (including twins). Latterly, web architect and agile project manager at the University of St Andrews and warden at Agnes Blackadder Hall. Currently on sabbatical. I am a priest in the Scottish Episcopal Church, and I sing with the NYCGB alumni choir.

2 thoughts on “Hacked (pt.3) or how to clean a compromised WordPress site”

  1. Hi Gareth, our club’s WordPress website recently suffered this same problem. I’m very much a novice but will try resurrecting our model engineering club’s website using your technique. How can I be sure that I have deleted all the core WP files, or is it just a matter of going through the freshly downloaded WP and ticking each one off? Do I reinstall the WP files using FTP? Will I be able to reinstall the plugins without errors like this: Fatal error: Cannot redeclare WP_Filesystem_Base::get_base_dir() in /home2/bristolm/public_html/wp-admin/includes/class-wp-filesystem-base.php on line 590? At the moment it all seems pretty scary and I really don’t want to lose the website. Many thanks, Quenton

  2. Hi Quenton, the WordPress Codex is a great resource that contains a guide on how to update WordPress. You can follow this advice too for carrying out clean installs after a hack. Scroll down and look for the “Manual Update” heading.

    I would do this:

    1. Backup all the files via FTP (if you can log in to your hosting account and use the file explorer there you may be able to zip up all the files, which will make the download much quicker).

    2. Backup the database.

    3. Follow the instructions on the Codex:

    a. Deactivate plugins.
    b. Delete the old wp-includes and wp-admin directories on your web host using FTP.
    c. Delete all the loose files in the root, except wp-config and your .htaccess file.
    d. Using FTP upload the new wp-includes and wp-admin directories to your web host, in place of the previously deleted directories.
    e. Upload the individual files from the new wp-content folder to your existing wp-content folder, overwriting existing files. Do NOT delete your existing wp-content folder. Do NOT delete any files or folders in your existing wp-content directory (except for the one being overwritten by new files).
    f. Upload all new loose files from the root directory of the new version to your existing WordPress root directory.

    I hope that helps.
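Both the clean-up list in the post (steps 3 to 9, "check other PHP files for compromise, not just WordPress files") and the Codex manual-update procedure in the reply above depend on answering Quenton's question: how do you know every core file is really clean? The following is an added example, my own code rather than anything from the post, the Codex or WordPress, that answers it by comparing the site tree against a freshly downloaded copy of WordPress, assumed to be the same version as the site. Files present in the download but changed or missing on the site are reported, extra files inside wp-admin/, wp-includes/ or the document root are treated as high-signal, and PHP files under wp-content/uploads (where only media belongs) are flagged separately; everything else that is extra (plugins, themes, wp-config.php, media) is listed for manual review. The two trees it compares are constructed in temporary directories.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin/", "wp-includes/")
ROOT_EXPECTED = ("wp-config.php", ".htaccess")   # root-level files a live site adds legitimately
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")  # PHP-executable extensions to look for under uploads


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hashes[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_of(path)
    return hashes


def compare_site(clean_root, site_root):
    """Compare a site tree against a clean WordPress download of the same version."""
    clean = hash_tree(clean_root)
    site = hash_tree(site_root)
    report = {"modified": [], "missing": [], "extra_core": [], "php_in_uploads": [], "extra_other": []}
    for rel, digest in clean.items():
        if rel not in site:
            report["missing"].append(rel)
        elif site[rel] != digest:
            report["modified"].append(rel)
    for rel in site:
        if rel in clean:
            continue
        in_root = "/" not in rel
        if rel.startswith(CORE_DIRS) or (in_root and rel not in ROOT_EXPECTED):
            report["extra_core"].append(rel)          # nothing should be added here by anyone
        elif rel.startswith("wp-content/uploads/") and rel.lower().endswith(PHP_SUFFIXES):
            report["php_in_uploads"].append(rel)      # uploads should contain media only
        else:
            report["extra_other"].append(rel)         # plugins, themes, config, media: review by hand
    for key in report:
        report[key].sort()
    return report


def write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


# Constructed stand-ins for files in a clean download (contents are not real WordPress code).
CORE_FILES = {
    "index.php": b"<?php require 'wp-blog-header.php';\n",
    "wp-admin/index.php": b"<?php // constructed admin file\n",
    "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
    "wp-content/plugins/hello.php": b"<?php // constructed bundled plugin\n",
}


def demo():
    """Build a constructed clean download and a constructed 'live' site, then compare them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for rel, data in CORE_FILES.items():
            write(clean, rel, data)
            write(site, rel, data)
        # Constructed deviations on the live site:
        write(site, "wp-includes/version.php",
              b"<?php /* constructed prefix */ ?>\n" + CORE_FILES["wp-includes/version.php"])
        os.remove(os.path.join(site, "wp-admin", "index.php"))
        write(site, "wp-includes/constructed-extra.php", b"<?php // not part of the download\n")
        write(site, "wp-config.php", b"<?php // constructed config\n")
        write(site, "wp-content/uploads/2014/10/photo.jpg", b"\xff\xd8constructed")
        write(site, "wp-content/uploads/2014/10/photo.php", b"<?php // should never be here\n")
        write(site, "wp-content/plugins/some-plugin/index.php", b"<?php // constructed third-party plugin\n")
        return compare_site(clean, site)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

For a real site, point compare_site at the unzipped download and at a copy of the site backup taken in step 2, so the comparison runs on a snapshot rather than on the live host; "modified" and "extra_core" entries are the ones the clean reinstall will overwrite or should delete, while "php_in_uploads" identifies files that the "do not delete user-uploaded content" rule must not protect.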
