My WordPress Site Has Been Hacked, How Do I Fix It?

Recently, three of our WordPress websites were hacked – jeremy.com.my, kualalumpurbookfair.com and malaysiafair.com. Hacker message:

It was unfortunate because malaysiafair.com for example has a lot of sponsor ads and content. It is hard to trace the affected files and additional codes injected to the SQL, because the number of files and codes is huge.

So what do you do when something like that happens?

First, don’t panic. Panicking won’t help fix the problem, stay calm and analyze the situation. After some internal discussion, we settled on the following:

1. Contact the hosting provider and request a server restore. Generally, most server providers have a backup copy to prevent data loss in case of device failure.

2. The server restore request may take a few hours. While waiting, we moved quickly to change the CPanel, FTP, Secret API Key and SQL passwords, to prevent the same hacker from revisiting the site and doing more damage.

3. What if the server provider doesn’t have a backup copy? In this case there is no way for us to retrieve the full data, but don’t give up. You can still reduce the extent of loss by visiting Google Cache or using Wayback Machine to recover partial data. Google only stores the cache for a few weeks, so you have to copy the indexing data quickly.

Google Cache

- To check your cache, go to http://webcache.googleusercontent.com/search?q=cache:http://hplan.com/ (replace the hplan.com with your domain or any url).

- You can also use the advance command search “site: sunshine.com.my” (replace the domain with your domain) to retrieve the page index list by Google.

Wayback Machine Cache

- Permanently stores cache data, but it is mostly old data.

- Go to http://web.archive.org/web/*/aeroshield.com.my (replace aeroshield.com.my with your domain)

4. If you must fix problems, first backup the entire site including infection files. Follow this guide:

a) Get familiar with the common WordPress Malware infections, and fix the security tweaks.

b) Backup the entire server including the infected files and SQL, then delete everything. Download the latest version of WordPress, and recover the site part by part.

c) Images and CSS files are the least likely to be infected, so we focus on those folders first, followed by php, htaccess, js, and SQL files because these files execute CMS functions.

d) At file level, we can narrow down the area that needs to be checked by logging into FTP and tracing the latest modified files.

e) At SQL level, we can open the code in text editor to search out the hacked text, e.g. “please wait…” or “feel the power of Pakistan”. We can also try to find the line of code that gets the images. If you can’t detect the text or image path, the hacker most likely injected an iframe e.g <iframe src=”http://www.example.com/” width=”320″ height=”240″></iframe> to call out the message.

f) If your URL keeps redirecting to another page, then chances are something is wrong with htaccess. Find more information on cleaning up an infected website, follow this guide

5. Once everything looks good, you can proceed to the next step of securing your wordpress site through strong passwords, removal of admin user name, and restrictions in htaccess. Next week we will have a tutorial on further improving WordPress security.