WordPress hacked, WordPress hack cleanup, WordPress hack repair


This topic contains 0 replies, has 1 voice, and was last updated by  AITpro Admin 4 years, 5 months ago.


    AITpro Admin

    UPDATE: BPS Pro 13.3+ and BPS free 2.4+ versions have a malware scanner: BPS MScan Malware Scanner.
    You can use the BPS MScan Malware Scanner to detect hacker files or code anywhere under your Hosting Account and your WordPress database.

    We receive emails regularly from folks asking if BPS Pro will automatically clean up a WordPress website that is already hacked.  Unfortunately, BPS Pro cannot do that automatically, but you can use the BPS MScan Malware Scanner to find hacker files or code anywhere under your hosting account and your WordPress database and remove/delete those hacker files or code.

    The good news is that once your site is completely clean of all hacker files and code it will never be hacked again if you have BPS Pro installed.  BPS Pro has a security feature called AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS), which is much more advanced, automated and superior to all/any malware scanners including MScan. ARQ IDPS is also a file scanner, but ARQ IDPS does not scan for malicious hacker code and instead uses an unbeatable method to protect website files in real-time.  ARQ IDPS is a real-time security prevention feature that automatically autorestores files that have been tampered with and quarantines any malicious files that are uploaded to a website.

    Manual website hack cleanup/repair steps
    If you do not have a good backup of your WordPress website that you know 100% for sure is clean (the backup files and/or Database do not already contain a hacker’s malicious code or files), then the manual hack cleanup/repair steps below will guarantee that your WordPress site is 100% clean.  You should of course use the BPS MScan Malware Scanner first, since there is a very good chance that MScan will find all hacker files and code and you will not have to do the manual steps below.  Some of the steps below can now be done using MScan. Example: You can scan your wp-config.php file with MScan instead of checking it manually (the wp-config.php file is scanned by default in all MScan scans with the exception of “Skipped File Scans”).

    Important Note:  Most likely your WordPress database does not contain any hacker code and does not need to be backed up or restored in the steps below.  You should skip any manual database steps below and only do them if the manual file cleanup/repair steps do not completely remove all hacker files and code.

    1.  Put your website in maintenance mode or take it offline by using Directory Password Protection in your Host control panel, or rename your WordPress wp-config.php file (Caution: if you rename your wp-config.php file then WordPress will not load, you will not be able to log in to your WordPress site, and you will have to do all cleanup and backups by using FTP or your web host control panel tools).

    2.  Create a new secure FTP password.  Example:  j5!H*4%bN8#

    3.  Back up your WordPress /uploads folder (download to your computer), which contains all of your uploaded files (image files, etc.), and back up any personal files that you uploaded to your website to other folders.  You do not need to back up WordPress Core files (wp-admin, wp-includes, wp-content) since you will be deleting these folders and files and uploading/installing new folders/files.  If you have a custom or customized Theme then back that up as well (download to your computer).  It is recommended that you upload or install a clean/new/backed up copy of your Theme when you get to the restoring personal folders/files step.  If you have plugins installed that have extensive plugin settings then most likely those plugins will have export/import capability.  Export any plugin settings that you want to save so that you can import them after you have deleted and reinstalled all of your plugins.

    4.  Back up your WordPress Database using BPS DB Backup or phpMyAdmin directly.  To make things simple you want to do a selective backup and only back up Database Tables that contain content that you added to your website, i.e. Post content, Page content, Link content, User content.  Select only these WordPress Database Tables below when you do your WordPress Database backup.  In BPS Pro DB Backup that means check the checkboxes for these Database Tables below.  Note: plugins and themes store their settings in the xx_options table, but hackers also use the xx_options table to store hacker code.  It is recommended that you do not keep/back up the xx_options database table and instead export any plugin settings that you want to keep so that you can import those plugin settings after reinstalling all of your plugins.

    Important Note:  Go to the WordPress Users page and check all Administrator User Accounts.  If you see any Administrator User Accounts that you did not create then delete them before backing up your WordPress Database.


    5.  General Search through Hosting Account Default folders (different Hosts have different default folder names for Hosting Accounts on that particular Host) & personal folders that you have created:

    Look in all default Hosting Account folders & any personal folders that you have created:  cgi, cgi-bin, stats, errordocs, logs, etc. and if you see anything unusual that does not look like it should be there or is obviously a hacker file then make a backup of it on your computer and delete it from your Hosting Account.  If you accidentally delete a default Hosting Account file then your Host will be able to restore that for you if there is a problem later in these steps.

    6.  You should have backups of all personal files and your WordPress content Database Tables at this point so you can now delete all WordPress folders/files and your WordPress Database.  Important Note:  Check your wp-config.php file for any hacker code and delete the hacker code if you are going to use your old wp-config.php file.

    7.  Install a new WordPress website with a new WordPress Database. Important Note:  Check your wp-config.php file for any hacker code and delete the hacker code if you are going to use your old wp-config.php file.

    8.  Upload your backed up WordPress /uploads folder, a new WordPress Theme or reinstall your Theme or use your backed up Theme (if you are sure it is 100% clean).  Note:  before uploading your backed up /uploads folder, look through all the subfolders for anything that looks suspicious.  Typically you should only see image files:  jpg, png, gif, etc.

    9.  Restore your selective WordPress Database backup that should contain ONLY your WordPress content Database Tables using a backup plugin that has restore capability or using phpMyAdmin directly.

    10.  Reinstall all of your WordPress Plugins.

    11.  Back up your new WordPress site’s database and files (only personal files).  It is very important that you make a backup here in case the same hack occurs again.  See Additional Notes below.

    12.  At this point you should be ready to take your website out of maintenance mode and put it back online.

    Additional Notes:  If you have completely cleaned up a hosting account of all hacker files and code and the same hack occurs again, then at this point you will need to find the Point of Entry (POE) for how the site(s)/hosting account is being hacked.  Example POE:  A file upload form in a plugin or theme that contains a coding mistake or vulnerability that can be exploited by hackers to upload hacker files to your website/hosting account.  BPS Pro does not interfere with the normal functionality of other plugins and themes.  If the upload form code is allowing hacker files to be uploaded to the site(s)/hosting account then BPS Pro will not be able to stop that, since that would appear to be the normal functionality of that plugin or theme.  So in this example case the solution would be to fix the coding mistake/vulnerability in the file upload form in that plugin or theme so that hacker files can no longer be uploaded to the site(s)/hosting account.
