WordPress hacked, WordPress hack cleanup, WordPress hack repair


    #12794 AITpro Admin (Keymaster)

    UPDATE: BPS Pro 13.3+ and BPS free 2.4+ versions have a malware scanner > BPS MScan Malware Scanner
    You can use the BPS MScan Malware Scanner to detect hacker files or code anywhere under your Hosting Account and your WordPress database.

    We receive emails regularly from folks asking if BPS Pro will automatically clean up a WordPress website that is already hacked.  Unfortunately, BPS Pro cannot do that automatically, but you can use the BPS MScan Malware Scanner to find hacker files or code anywhere under your hosting account and your WordPress database and remove/delete those hacker files or code.

    The good news is that once your site is completely clean of all hacker files and code it will never be hacked again if you have BPS Pro installed.  BPS Pro has a security feature called AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS), which is much more advanced, automated and superior to all/any malware scanners including MScan. ARQ IDPS is also a file scanner, but ARQ IDPS does not scan for malicious hacker code and instead uses an unbeatable method to protect website files in real-time.  ARQ IDPS is a real-time security prevention feature that automatically autorestores files that have been tampered with and quarantines any malicious files that are uploaded to a website.

    Manual website hack cleanup/repair steps important notes:
    Typically a website/hosting account has been hacked for months to years before a website owner becomes aware that the hosting account is hacked. Typically any/all recent website backups will also contain the hacker’s files and code.  If you do not have a good backup of your WordPress website that you know 100% for sure is clean/not infected/does not already contain hacker’s malicious code and/or files in your WordPress backup files then these manual hack cleanup/hack repair steps below will guarantee that your WordPress site/hosting account is 100% clean of all hacker files and code.  Most likely your WordPress database does not contain any hacker code or if it does then that hacker code in your database will not work correctly once you remove and replace all hosting account files.  So removing and replacing all hosting account files renders any hacker database code ineffective in most cases.  Doing the Quick Hack Clean Up steps below is not difficult, but it is a bit time consuming depending on how many websites you have under your hosting account.

    Quick Hack Clean Up – This works 99% of the time (30 – 60 minutes)

    If you would like to hire me to do your hosting account/website hack cleanup my rate is: $35 base hosting account hack cleanup cost + $15 cost per website. Example: Hosting account/website hack cleanup for 1 site = $50. Hosting account/website hack cleanup for 4 sites = $95. Note: If 1 of your websites is hacked then your entire hosting account is hacked and needs to be cleaned of all hacker code and files.  Contact me via my Contact Form for hosting account/website hack cleanup.

    Note:  Run MScan first and set the Automatically Delete /tmp Files option setting to > Delete Tmp Files On.  You do not need to use/set any other MScan option settings.  You just want to delete all temporary files since hackers sometimes hide hacker files in your hosting account /tmp/ folder.  Or you can login to your web host control panel, use the File Manager tool, find your server’s /tmp folder (note: the tmp folder might be named differently. ie temp) and delete all temporary files in the /tmp folder.

    Note: If you have the BPS Pro plugin installed do this step first: Go to the BPS Pro > AutoRestore page > Turn AutoRestore Off > click the 4 Delete Backup Files buttons for Root Files, wp-admin Files, wp-includes Files and wp-content Files.

    Note: If you are unable to access the AutoRestore page you can turn Off AutoRestore by going to the WordPress Plugins page > click the Must-Use link at the top of the page > click the BPS Pro MU Tools Turn Off AutoRestore link. Then use FTP or your web host control panel file manager and delete all the folders under the /autorestore/ folder: /wp-content/bps-backup/autorestore/.

    1. Take a screenshot of your WordPress Plugins page or make a list of the Plugins that you have installed.

    2.  Create a new secure FTP password.  Example:  j5!H*4%bN8#

    3.  Put your website in maintenance mode or take it offline by using Directory Password Protection in your Host control panel or you can rename your WordPress wp-config.php file (Caution: if you rename your wp-config.php file then WordPress will not load and you will not be able to login to your WordPress site and will have to do all cleanup and backups by using FTP or your web host control panel tools).

    4. Use FTP and download your Theme folder from your website.

    5. Use FTP and download all files in your Root WordPress installation folder (the same folder where the wp-config.php file is).
    Note: If you also have files in your hosting account Root folder then download those files too.  Example: /public_html/{download all of these files}.

    6. Delete all files in your Root WordPress installation folder.
    Note: If you also have files in your hosting account Root folder then delete all of those files. Example: /public_html/{delete all of these files}.

    7. Delete these WordPress Core folders:  wp-admin and wp-includes.

    8. Delete all Theme folders under your WordPress Themes folder:  /wp-content/themes/. Check these files: /wp-content/index.php and /wp-content/themes/index.php. The only thing you should see in these files is this: // Silence is golden. Delete and replace these files if you find hacker or other code in these files.
    Note: Manually deleting your Theme folder will not delete your Theme settings since those settings are saved in your WP Database.

    9. Delete all Plugin folders under your WordPress Plugins folder: /wp-content/plugins/. Check this file: /wp-content/plugins/index.php. The only thing you should see in this file is this: // Silence is golden. Delete and replace this file if you find hacker or other code in this file.
    Note: Manually deleting your Plugin folders will not delete your Plugins settings since those settings are saved in your WP Database.

    10. Look in all default Hosting Account folders & any personal folders that you have created:  cgi, cgi-bin, stats, errordocs, logs, etc. and if you see anything unusual that does not look like it should be there or is obviously a hacker file then make a backup of it on your computer and delete it from your Hosting Account.  If you accidentally delete a default Hosting Account file then your Host will be able to restore that for you if there is a problem.

    11. Download the WordPress Zip file to your computer and unzip it.

    12.  Make zip files for the WordPress wp-admin and wp-includes folders by right mouse clicking on each folder and selecting Send to > Compressed (zipped) folder (assuming you have Windows installed).  Other computer OS’s will have something similar to this or you can use a zip app like 7-Zip or WinZip to zip the wp-admin and wp-includes folders.

    13. Upload the WordPress wp-admin and wp-includes zip files to your website and extract/unzip them using your web host control panel file manager. Note: Unzip/extract the wp-admin and wp-includes folders in the same website folder where the old wp-admin and wp-includes folder were before you deleted them.

    14. Upload the WordPress Core root files (index.php, license.txt, readme.html, etc.) to your WordPress installation folder.

    15. Upload your WordPress wp-config.php file that you saved to your computer.
    Important Note: Open and check your wp-config.php file to make sure there is not any hacker code in it before uploading it to your website.

    16. Upload a new Theme or a good backup copy of your Theme to your WordPress Themes folder: /wp-content/themes/.
    Highly Recommended: Upload a new copy of your Theme instead of a backup copy.

    17. Login to your website and re-install all of your Plugins.

    18. Upload any personal files (Root WordPress installation folder files and Hosting account Root files) that you downloaded to your computer.
    Note: Open and check them first to make sure there is not any hacker code in them before uploading them to your website.

    19. Take your website out of Maintenance Mode if you put it in Maintenance Mode.

    Note: If you have the BPS Pro plugin installed go to the BPS Pro > Setup Wizard page > run the Pre-Installation Wizard and the Setup Wizard.

    Additional Things you should do or check: Check for any hidden Administrator User Accounts by creating a DB backup of your wp_users database table, unzip the backup and open the .sql file with a code editor to check all the Administrator User Accounts. Create a new DB password in your WordPress database using phpMyAdmin and in your wp-config.php file using a code editor.

    Extensive Hack Clean Up – ONLY use these steps if the hack returns after doing the “Quick Hack Clean Up” steps

    Note: If you have the BPS Pro plugin installed do this step first: Go to the BPS Pro > AutoRestore page > Turn AutoRestore Off > click the 4 Delete Backup Files buttons for Root Files, wp-admin Files, wp-includes Files and wp-content Files.

    1.  Put your website in maintenance mode or take it offline by using Directory Password Protection in your Host control panel or you can rename your WordPress wp-config.php file (Caution: if you rename your wp-config.php file then WordPress will not load and you will not be able to login to your WordPress site and will have to do all cleanup and backups by using FTP or your web host control panel tools).

    2.  Create a new secure FTP password.  Example:  j5!H*4%bN8#

    3.  Backup your WordPress /uploads folder (download to your computer), which contains all of your uploaded files (image files, etc.) and backup any personal files that you uploaded to your website to other folders.  You do not need to backup WordPress Core files (wp-admin, wp-includes, wp-content) since you will be deleting these folders and files and uploading/installing new folders/files.  If you have a custom or customized Theme then back that up as well (download to your computer).  It is recommended that you upload or install a clean/new/backed up copy of your Theme when you get to the restoring personal folders/files step.  If you have plugins installed that have extensive plugin settings then most likely those plugins will have export/import capability.  Export any plugin settings that you want to save to import those plugin settings after you have deleted and reinstalled all of your plugins.

    4.  Backup your WordPress Database using BPS DB Backup or phpMyAdmin directly.  To make things simple you want to do a selective backup and only backup Database Tables that contain content that you added to your website:  i.e. Post content, Page content, Link content, User content.  Select only these WordPress Database Tables below when you do your WordPress Database backup.  In BPS Pro DB Backup that means check the checkboxes for these Database Tables below.  Note: plugins and themes store their settings in the xx_options table, but hackers also use the xx_options table to store hacker code.  It is recommended that you do not keep/backup the xx_options database table and instead export any plugin settings that you want to keep so that you can import those plugin settings after reinstalling all of your plugins.

    Important Note:  Go to the WordPress Users page and check all Administrator User Accounts.  If you see any Administrator User Accounts that you did not create then delete them before backing up your WordPress Database.  You should also manually check the WordPress wp_users database table for any hidden WordPress Administrator User Accounts and delete them.  You can use either phpMyAdmin to check the WordPress wp_users database table or you can make a backup of just the wp_users database table using BPS DB Backup and open the extracted DB backup .sql file to check the wp_users database table for any hidden WordPress Administrator User Accounts.

    wp_commentmeta
    wp_comments
    wp_links
    wp_postmeta
    wp_posts
    wp_terms
    wp_term_relationships
    wp_term_taxonomy
    wp_usermeta
    wp_users

    5.  General Search through Hosting Account Default folders (different Hosts have different default folder names for Hosting Accounts on that particular Host) & personal folders that you have created:

    Look in all default Hosting Account folders & any personal folders that you have created:  cgi, cgi-bin, stats, errordocs, logs, etc. and if you see anything unusual that does not look like it should be there or is obviously a hacker file then make a backup of it on your computer and delete it from your Hosting Account.  If you accidentally delete a default Hosting Account file then your Host will be able to restore that for you if there is a problem later in these steps.

    6.  You should have backups of all personal files and your WordPress content Database Tables at this point so you can now delete all WordPress folders/files and your WordPress Database.  Important Note:  Check your wp-config.php file for any hacker code and delete the hacker code if you are going to use your old wp-config.php file.

    7.  Install a new WordPress website with a new WordPress Database. Important Note:  Check your wp-config.php file for any hacker code and delete the hacker code if you are going to use your old wp-config.php file.

    8.  Upload your backed up WordPress /uploads folder, a new WordPress Theme or reinstall your Theme or use your backed up Theme (if you are sure it is 100% clean).  Note:  before uploading your backed up /uploads folder, look through all the subfolders for anything that looks suspicious.  Typically you should only see image files:  jpg, png, gif, etc.

    9.  Restore your selective WordPress Database backup that should contain ONLY your WordPress content Database Tables using a backup plugin that has restore capability or using phpMyAdmin directly.

    10.  Reinstall all of your WordPress Plugins.

    11.  Backup your new WordPress site’s database and files (only personal files).  It is very important that you make a backup here in case the same hack occurs again.  See Additional Notes below.

    12.  At this point you should be ready to take your website out of maintenance mode and put it back online.

    Note: If you have the BPS Pro plugin installed go to the BPS Pro > Setup Wizard page > run the Pre-Installation Wizard and the Setup Wizard.

    Additional Notes:  If you have completely cleaned up a hosting account of all hacker files and code and the same hack occurs again then at this point you will need to find the Point of Entry (PoE) for how the site(s)/hosting account is being hacked.  Example PoE:  A file upload form in a plugin or theme that contains a coding mistake or vulnerability that can be exploited by hackers to upload hacker files to your website/hosting account.  BPS Pro does not interfere with the normal functionality of other plugins and themes.  If the upload form code is allowing hacker files to be uploaded to the site(s)/hosting account then BPS Pro will not be able to stop that since that would appear to be the normal functionality of that plugin or theme.  So in this example case the solution would be to fix the coding mistake/vulnerability in the file upload form in that plugin or theme so that hacker files can no longer be uploaded to the site(s)/hosting account.

    • This topic was modified 1 month, 1 week ago by AITpro Admin.
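Several of the by-hand checks in the post above (the three "// Silence is golden" index.php files in steps 8 and 9, reading wp-config.php and restored personal files for injected code in steps 15 and 18, and looking through /uploads for anything that is not an image in step 8 of the Extensive Hack Clean Up) can be scripted when the hosting account is reachable over SSH. The script below is an added example, not BPS Pro or AITpro code. It assumes a standard WordPress layout (wp-config.php and wp-content/{index.php,themes,plugins,uploads} under one root); the list of indicator patterns in grep_php_indicators is a starting point of common injection constructs, not a list from the post; and the sample site it builds, including every file name and file content in make_sample_site, is constructed so the script runs stand-alone.

```sh
#!/bin/sh
# Added example, not BPS Pro or AITpro code. Scripts the by-hand checks from the
# cleanup steps over a WordPress tree reached via SSH. Assumes the standard
# layout: wp-config.php, wp-content/{index.php,themes,plugins,uploads}.
# Usage on a real site:  sh wp-audit.sh /home/account/public_html

# WordPress ships wp-content/index.php, wp-content/themes/index.php and
# wp-content/plugins/index.php as exactly "<?php" + "// Silence is golden."
# Report each one that is missing or that carries any other line.
check_silence_files() {
    wproot=$1
    for f in wp-content/index.php wp-content/themes/index.php wp-content/plugins/index.php; do
        if [ ! -f "$wproot/$f" ]; then
            printf 'MISSING %s\n' "$f"
            continue
        fi
        extra=$(grep -v -e '^<?php[[:space:]]*$' -e '^[[:space:]]*$' \
                        -e '^// Silence is golden\.[[:space:]]*$' "$wproot/$f" || true)
        if [ -n "$extra" ]; then
            printf 'TAMPERED %s\n' "$f"
        fi
    done
}

# Walk wp-content/uploads. Flag files whose extension is not a plain image type
# and, regardless of name, any file whose first 4 KiB holds a PHP open tag
# (a web shell saved as thumb.gif is still PHP code). Paths are printed
# relative to the WordPress root.
scan_uploads() {
    wproot=$1
    find "$wproot/wp-content/uploads" -type f -print | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#"$wproot"/}
        lower=$(printf '%s' "$f" | tr '[:upper:]' '[:lower:]')
        case $lower in
            *.jpg|*.jpeg|*.png|*.gif|*.webp) ;;   # extend with the types your site really uploads
            *) printf 'SUSPECT_EXT %s\n' "$rel" ;;
        esac
        if head -c 4096 "$f" | grep -a -q -e '<?php' -e '<?='; then
            printf 'PHP_CONTENT %s\n' "$rel"
        fi
    done
}

# Triage a PHP file you intend to keep (wp-config.php, a restored personal file).
# Each hit is a line to read, not proof of compromise by itself. The normal
# "require_once ABSPATH . 'wp-settings.php';" at the end of wp-config.php is
# deliberately not matched; an include/require of a quoted path is.
grep_php_indicators() {
    pat='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\('
    pat="$pat"'|\$_(GET|POST|REQUEST|COOKIE)\[|(include|require)(_once)?[[:space:]]*\(?[[:space:]]*["'\'']'
    grep -n -E "$pat" "$1" || true
}

# Constructed sample site so the script runs stand-alone; every file name and
# content below is made up for the example (hypothetical, not real malware).
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes" "$d/wp-content/plugins" "$d/wp-content/uploads/2023/05"
    printf '<?php\n// Silence is golden.\n' > "$d/wp-content/index.php"
    printf '<?php\n// Silence is golden.\n' > "$d/wp-content/plugins/index.php"
    printf '<?php\n// Silence is golden.\n@eval(base64_decode($_REQUEST["c"]));\n' > "$d/wp-content/themes/index.php"
    printf 'JFIF not really an image\n' > "$d/wp-content/uploads/2023/05/photo.jpg"
    printf '<?php system($_GET["cmd"]);\n' > "$d/wp-content/uploads/2023/05/wp-cache.php"
    printf 'GIF89a <?php eval($_POST["x"]); ?>\n' > "$d/wp-content/uploads/2023/05/thumb.gif"
    printf "<?php\ndefine( 'DB_NAME', 'wp' );\n@include \"/home/site/public_html/wp-content/uploads/.cache.ico\";\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Audit the path given on the command line, or the constructed sample site.
if [ -n "$1" ]; then site=$1; else site=$(make_sample_site); fi
check_silence_files "$site"
scan_uploads "$site"
grep_php_indicators "$site/wp-config.php"
[ -n "$1" ] || rm -rf "$site"
```

On the sample site this reports the tampered themes/index.php, the .php file and the PHP-carrying .gif under uploads, and the injected @include line in wp-config.php, while the clean photo.jpg and the legitimate require_once line produce nothing. A clean report is not a guarantee; the post's procedure of deleting and re-uploading the core files still stands, and the script only shortens the reading you do on the files you keep.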
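The hidden Administrator account check (the "Additional Things" paragraph of the Quick Hack Clean Up and the Important Note before the table list of the Extensive Hack Clean Up) can be run over the exported .sql file from the command line instead of reading it in an editor. The script below is an added example, not BPS Pro or AITpro code. One detail it relies on: the Administrator role is not recorded in wp_users but in wp_usermeta, in each user's "<prefix>capabilities" row, so the export has to contain both tables for the script to name the accounts. It assumes the phpMyAdmin/mysqldump layout of one "(...)," tuple per line and a default wp_ table prefix (a second argument overrides it); the embedded export, including the user names, e-mail addresses and dates, is constructed sample data.

```sh
#!/bin/sh
# Added example, not BPS Pro or AITpro code. Lists every account holding the
# Administrator role in a WordPress .sql export. The role lives in wp_usermeta
# (meta_key "<prefix>capabilities"), so the export must include both wp_users
# and wp_usermeta. Assumes one "(...)," tuple per line and a "wp_" prefix
# unless another is given.  Usage:  sh wp-admins.sh backup.sql [prefix_]

list_admin_accounts() {
    awk -v q="'" -v p="${2:-wp_}" '
        # Remember which table the tuples that follow belong to.
        /^INSERT INTO `/ {
            t = $0; sub(/^INSERT INTO `/, "", t); sub(/`.*/, "", t)
            next
        }
        # wp_users tuple: (ID, login, pass, nicename, email, url, registered, ...)
        t == (p "users") && $0 ~ ("^\\([0-9]+, " q) {
            id = $0; sub(/^\(/, "", id); sub(/,.*/, "", id)
            split($0, f, q ", " q)                 # split between quoted columns
            login = f[1]; sub(/^.*, /, "", login); sub(q, "", login)
            users[id] = login "\t" f[4] "\t" f[6]  # login, email, registered
        }
        # wp_usermeta tuple whose capabilities blob names the administrator role
        t == (p "usermeta") && index($0, q p "capabilities" q) && /administrator/ {
            id = $0; sub(/^\([0-9]+, */, "", id); sub(/,.*/, "", id)
            admins[id] = 1
        }
        END {
            for (id in admins) {
                line = id "\t" ((id in users) ? users[id] : "(no " p "users row)")
                print line
            }
        }' "$1" | sort -n
}

# Constructed export so the script runs stand-alone; every row below is made up.
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES
(1, 'admin', '$P$BxkwQ1c0', 'admin', 'admin@example.com', '', '2019-03-01 10:00:00', '', 0, 'admin'),
(3, 'editor1', '$P$BzR8s2Lq', 'editor1', 'editor@example.com', '', '2020-07-12 09:30:00', '', 0, 'Editor'),
(7, 'wp-system', '$P$Bq7tYw3m', 'wp-system', 'noreply@mail.example', '', '2023-05-18 03:12:44', '', 0, ' ');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES
(12, 1, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'),
(13, 1, 'wp_user_level', '10'),
(31, 3, 'wp_capabilities', 'a:1:{s:6:\"editor\";b:1;}'),
(32, 3, 'wp_user_level', '7'),
(90, 7, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'),
(91, 7, 'wp_user_level', '10');
EOF
    printf '%s\n' "$f"
}

# Use the export given on the command line, or the constructed sample.
if [ -n "$1" ]; then dump=$1; else dump=$(make_sample_dump); fi
list_admin_accounts "$dump" "$2"
[ -n "$1" ] || rm -f "$dump"
```

On the sample export the script prints two lines, the known admin account and a second account (wp-system, registered in the middle of the night with a blank display name) that would be the one to delete before the database backup is taken. The registration date column is there for exactly that reason: an Administrator created long after the site went live, by nobody you know, is the usual sign of a hacker's backdoor account.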