Recovering a Hacked WordPress Blog

07/05/2010  |  Category: Blog, Creative Designs  |  376 views

Did you just find out that your WordPress Business website has been hacked? The hackers have put up their own page and you cannot access any of the hosted files from the CPanel either? The first thing to do – Don’t Panic!

You may be able to restore your website again, and there is a possibility that you may not have lost much (or any) data either. Many hackers break into websites & hosts for fun & rarely do much damage to the data. If yours is one of these cases, you are lucky!

Case Study: Pro Media Blog's business website was hacked by a group of Iranian hackers & the Purgatory Virus team at http://p-vx.co.cc/ & http://persiangig.com at around 2:00 AM EST on the 4th of July.

Restore Hacked WordPress Blogs Step by Step Guide

Nature of the attack: The shared hosting accounts at MM Hosting services were all infected with the hack files & there was no access to the CPanel either. We could not reach MM Hosting’s Helpdesk & we were told that in a similar situation earlier, the MM Hosting Help Desk had told the customers not to call them!

The Lucky Part: Though the CPanel & WordPress Login were hacked (and unavailable to us), the FTP ports still worked!

When we set up Pro Media Blog we had taken some measures so that we could switch hosts at a moment’s notice & we felt this was the right time. Along with the recovery from the attack, we decided to migrate the site onto a better host.

These are not the exact steps we took to restore ProMediaBlog. We were requested to put up a short step-by-step guide to help anyone whose WordPress Blog or Website may have been hacked & needs to be recovered.

Steps to Recover WordPress CMS Blog After Hack or Attack

1. Accessing your files on the server – try accessing your WordPress files, first through the normal WordPress Admin Login pages (/wp-admin/ or /wp-login.php).

If the hackers have blocked this page, try your host’s CPanel. If the hackers have only attacked your website, you may still be able to access the CPanel. On the other hand, if your host is attacked, your CPanel access may be compromised too.

Try accessing the FTP folder. You could be using FileZilla or any other free FTP client. If the hackers have not changed the passwords, you may be able to access the FTP mount with the client.

2. Try to Isolate the Intrusion & the Hack Files

Depending on the extent & nature of the hack, you may be able to isolate the corrupt files & any modifications the hackers have made to your website’s essential files. In this case, the hackers penetrated all directories (& all subdirectories) & replaced the index file with their own.

The most likely places are the main WordPress folders of admin, includes, plugins etc. Look in these folders for files that have changed very recently (sorting on the ‘Last Modified’ column in FileZilla could help). View these files on your local machine for any new lines of code added.

What to Look For?

1. JavaScript that looks unfamiliar

2. PHP code that is compiled or that uses the eval function

3. inclusion of external files using the ‘include’ statement

4. completely unknown files in the directories
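
The four checks above can be run in one pass over the copy you downloaded by FTP. The script below is an added example, not part of the original post: the function names, the regular expressions and the idea of comparing against a freshly downloaded clean WordPress tree are assumptions, and "compiled" PHP is read here as encoded or packed code (base64_decode, gzinflate, str_rot13). The sample files are constructed.

```python
import os, re, tempfile, time
from pathlib import Path

CHECKS = {  # illustrative patterns for the checklist above (assumptions)
    "eval-call": re.compile(rb"\beval\s*\("),
    "encoded-payload": re.compile(rb"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "remote-include": re.compile(rb"\b(include|require)(_once)?\s*\(?\s*['\"](https?|ftp)://", re.I),
    "external-script": re.compile(rb"<script[^>]+src\s*=\s*['\"]?(https?:)?//", re.I),
}
SCAN_EXT = {".php", ".js", ".html", ".htm"}

def scan(site_root, clean_root=None, recent_days=7):
    """Return {relative_path: [reasons]} for files to review by hand."""
    findings = {}
    for path in sorted(Path(site_root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(site_root)
        reasons = []
        if time.time() - path.stat().st_mtime < recent_days * 86400:
            reasons.append("recently-modified")
        if clean_root and not (Path(clean_root) / rel).exists():
            reasons.append("not-in-clean-copy")
        if path.suffix.lower() in SCAN_EXT:
            data = path.read_bytes()
            reasons += [tag for tag, rx in CHECKS.items() if rx.search(data)]
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def demo():
    top, old = Path(tempfile.mkdtemp()), time.time() - 90 * 86400
    files = {  # constructed sample: downloaded "site" tree vs. "clean" copy
        "clean/index.php": b"<?php require('./wp-blog-header.php');",
        "clean/wp-includes/version.php": b"<?php $wp_version = 'x';",
        "site/index.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
        "site/wp-includes/version.php": b"<?php $wp_version = 'x';",
        "site/wp-includes/zz.php": b"<?php include('http://example.invalid/a');",
    }
    for rel, body in files.items():
        path = top / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        if path.name != "index.php":
            os.utime(path, (old, old))  # backdate: not touched recently
    return scan(top / "site", top / "clean")

if __name__ == "__main__":
    print(demo())
```

The "recently-modified" result is only meaningful if your FTP client kept the server's timestamps when downloading. Themes, plugins & uploads will always show as "not-in-clean-copy" because they are not part of a stock WordPress download, so treat that flag as a list to review, not a verdict.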

These are some of the ways to find out the extent of the damage. If your CPanel is hacked, you may not be able to access the database at all.

Since WordPress stores all the information (posts, pages, categories, tags, comments etc etc) in the database, you would not know if your data is still available!

3. Re-Install WordPress

If you are not an expert in handling hacks & intrusions, the best thing for you to do is to re-install the WordPress files completely. Be sure to save the database settings from the wp-config.php file, so that when you have finished installing the files, you can use the same wp-config.php file to connect to your original database.

Once done, run the upgrade.php file. If your WordPress database requires an upgrade, this will do it. If not, nothing will happen & your database will be kept as it was.

4. Log into the WordPress Admin Panel

Unless your website hosting provider is badly hacked, you should now be able to access your own WordPress dashboard. A few things to do immediately:

  1. change your admin / log in password
  2. take a complete dump of your WordPress with the Export tool
  3. take a count of the number of posts, pages, comments & media files
  4. verify if any data is missing (like lost posts or pages)
  5. verify that you can still open & edit your posts & pages

Unless your hosting service provider is completely cured of the hack, database connections may not be available externally. So even though you may be able to edit your posts, you may not be able to view them on your browser like any other user would do. You have to wait for your hosting provider to clean up & restore the Apache systems before you can do that.

In our case with ProMediaBlog, the service provider MM Hosting was completely thrown off. And since they closed their communications with the customers & those affected, we had no idea as to how badly they were impacted or how long it would take them to restore services.

We used that time to migrate the content onto the new provider. Though this sort of attack is rare & could potentially happen to any provider, we were told that it repeated very frequently with MM Hosting. That, and the fact that their support teams were not willing to help any customer, were good reasons to move away from them.

One Response to “Recovering a Hacked WordPress Blog”

  1. laiptu Says:

    Great themes! Gonna test some of them on my wp blog.
