- This topic has 0 replies, 1 voice, and was last updated 10 years, 2 months ago by
.
-
I receive emails regularly from folks whose websites were already hacked before getting BPS Pro. They want to know if BPS Pro will automatically clean up a WordPress website that is already hacked. Unfortunately, BPS Pro cannot do that automatically, but you can use the BPS MScan Malware Scanner to help find hacker files or code anywhere under your hosting account and your WordPress database and remove/delete those hacker files or code. Using the manual hosting account hack cleanup steps below is not difficult, but it can be time consuming if you have a lot of websites under your hosting account.
The good news is that once your site is completely clean of all hacker files and code it will never be hacked again if you have BPS Pro installed. BPS Pro has a security feature called AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS), which is much more advanced, automated and superior to all/any malware scanners including MScan. ARQ IDPS is also a file scanner, but ARQ IDPS does not scan for malicious hacker code and instead uses an unbeatable method to protect website files in real-time. ARQ IDPS is a real-time security prevention feature that automatically autorestores files that have been tampered with and quarantines any malicious files that are uploaded to a website.
Manual website hack cleanup/repair steps important notes:
Typically a website/hosting account has been hacked for months to years before a website owner becomes aware that the hosting account is hacked. Typically any/all recent website backups will also contain the hacker’s files and code. If you do not have a good backup of your WordPress website that you know 100% for sure is clean/not infected/does not already contain hacker’s malicious code and/or files in your WordPress backup files then these manual hack cleanup/hack repair steps below will guarantee that your WordPress site/hosting account is 100% clean of all hacker files and code. Most likely your WordPress database does not contain any hacker code or if it does then that hacker code in your database will not work correctly once you remove and replace all hosting account files. So removing and replacing all hosting account files renders any hacker database code ineffective in most cases. Doing the Quick Hack Clean Up steps below is not difficult, but it is a bit time consuming depending on how many websites you have under your hosting account.Quick Hack Clean Up – Est. Clean Up Time: 30 minutes per website
Note: If 1 of your websites is hacked then your entire hosting account is most likely hacked and needs to be cleaned of all hacker code and files.
Note: Run MScan first and set the Automatically Delete /tmp Files option setting to > Delete Tmp Files On. You do not need to use/set any other MScan option settings. You just want to delete all temporary files since hackers sometimes hide hacker files in your hosting account /tmp/ folder. Or you can login to your web host control panel, use the File Manager tool, find your server’s /tmp folder (note: the tmp folder might be named differently. ie temp) and delete all temporary files in the /tmp folder.
Note: If you have the BPS Pro plugin installed do this step first: Go to the BPS Pro > AutoRestore page > Turn AutoRestore Off > click the 4 Delete Backup Files buttons for Root Files, wp-admin Files, wp-includes Files and wp-content Files. A significant number of people get BPS Pro and then discover that their hosting account is already hacked. Been doing this stuff for 10+ years now; in my experience hosting accounts have been hacked for months or years before a website owner becomes aware that their hosting account is hacked.
Note: If you are unable to access the AutoRestore page you can turn Off AutoRestore by going to the WordPress Plugins page > click the Must-Use link at the top of the page > click the BPS Pro MU Tools Turn Off AutoRestore link. Then use FTP or your web host control panel file manager and delete all the folders under the /autorestore/ folder: /wp-content/bps-backup/autorestore/.
1. Change/switch your PHP version in your control panel. When you change your PHP version in cPanel it resets/kills all processes. If you are using PHP 7.4 then switch to 7.0 and then back to 7.4. AnonymousFox hacks attack/hack the server/control panel itself and also your website. Note: See this additional forum topic to check for indicators that the hack is an AnonymousFox hack > https://forum.ait-pro.com/forums/topic/wp-dester-and-wpyii2-hacker-plugins/
2. Take a screenshot of your WordPress Plugins page or make a list of the Plugins that you have installed.
3. Create a new secure FTP password. Example: j5!H*4%bN8#
4. Use FTP and download your Theme folder from your website.
5. Use FTP and download all files in your Root WordPress installation folder (the same folder where the wp-config.php file is).
Note: If you also have files in your hosting account Root folder then download those files too. Example: /public_html/{download all of these files}.6. Delete all files in your Root WordPress installation folder.
Note: If you also have files in your hosting account Root folder then delete all of those files. Example: /public_html/{delete all of these files}.7. Delete these WordPress Core folders: wp-admin and wp-includes.
8. Delete all Theme folders under your WordPress Themes folder: /wp-content/themes/. Check these files: /wp-content/index.php and /wp-content/themes/index.php folder. The only thing you should see in these files is this: // Silence is golden. Delete and replace these files if you find hacker or other code in these files.
Note: Manually deleting your Theme folder will not delete your Theme settings since those settings are saved in your WP Database.9. Delete all Plugin folders under your WordPress Plugins folder: /wp-content/plugins/. Check this file: /wp-content/plugins/index.php. The only thing you should see in this file is this: // Silence is golden. Delete and replace this file if you find hacker or other code in this file.
Note: Manually deleting your Plugin folders will not delete your Plugins settings since those settings are saved in your WP Database.10. Look in all default Hosting Account folders & any personal folders that you have created: cgi, cgi-bin, stats, errordocs, logs, etc. and if you see anything unusual that does not look like it should be there or is obviously a hacker file then make a backup of it on your computer and delete it from your Hosting Account. If you accidentally delete a default Hosting Account file then your Host will be able to restore that for you if there is a problem.
11. Download the WordPress Zip file to your computer and unzip it.
12. Make zip files for the WordPress wp-admin and wp-includes folders by right mouse clicking on each folder and selecting Send to > Compressed (zipped) folder (assuming you have Windows installed). Other computer OS’s will have something similar to this or you can use a zip app like 7-Zip or WinZip to zip the wp-admin and wp-includes folders.
13. Upload the WordPress wp-admin and wp-includes zip files to your website and extract/unzip them using your web host control panel file manager. Note: Unzip/extract the wp-admin and wp-includes folders in the same website folder where the old wp-admin and wp-includes folder were before you deleted them.
14. Upload the WordPress Core root files (index.php, license.txt, readme.html, etc.) to your WordPress installation folder.
15. Upload your WordPress wp-config.php file that you saved to your computer.
Important Note: Open and check your wp-config.php file to make sure there is not any hacker code in it before uploading it to your website.16. Upload a new Theme or a good backup copy of your Theme to your WordPress Themes folder: /wp-content/themes/.
Highly Recommended: Upload a new copy of your Theme instead of a backup copy.17. Login to your website and re-install all of your Plugins.
18. Upload any personal files (Root WordPress installation folder files and Hosting account Root files) that you downloaded to your computer.
Note: Open and check them first to make sure there is not any hacker code in them before uploading them to your website.19. Remove/Delete any Spam Link Injections in your database: Run an MScan scan and choose to scan your DB. If you see any suspicious results then use phpMyAdmin in your web host control panel and check the database Table, Column and Row where the suspicious DB entry was detected by MScan.
Note: If you have the BPS Pro plugin installed go to the BPS Pro > Setup Wizard page > run the Pre-Installation Wizard and the Setup Wizard after doing all the hack clean up steps.
Additional Things you should do or check: Check for any hidden Administrator User Accounts by creating a DB backup of your wp_users database table, unzip the backup and open the .sql file with a code editor to check all the Administrator User Accounts. Or you can use phpMyAdmin to check your DB for hidden Administrator User Accounts. Create a new DB password in your WordPress database using phpMyAdmin and in your wp-config.php file using a code editor. Check the cPanel Cron tool for any malicious cron jobs and delete them. Search your entire hosting account for .ico files. Hackers very commonly use .ico files these days. Check the .ico files code and if they contain hacker code then delete them. Search your WordPress /uploads folder for .php files that contain hacker code and delete them. Note: See this additional forum topic to check for indicators that the hack is an AnonymousFox hack > https://forum.ait-pro.com/forums/topic/wp-dester-and-wpyii2-hacker-plugins/
- You must be logged in to reply to this topic.