22 Steps to Restore a Hacked WordPress Site

Via: MyTutorialGuru.com


Have you ever had your WordPress site hacked and did you have to pay somebody to restore it? It’s a bit of a mare when your website gets hacked. Most security specialists will charge you a premium to restore your site but they won’t tell you what’s involved. Shhhhh – it’s a secret!

We’re different so I’d like to share our 22-step plan on how to restore a hacked WordPress site so that you can see exactly what we do and how much effort it takes.

I Love It When a Plan Comes Together:

  1. zip up the entire remote site files and download to local
  2. wipe the remote root folder (everything goes)
  3. Change FTP, cPanel, email account and MySQL passwords
  4. unzip the local site and scan for any malware using, say, Norton IS or SpyBot
  5. search all the local site file contents for terms such as preg_replace("/.*/e" and base64_decode
    Note: there are legitimate uses of base64 decoding. What you are looking for is a large number of hex or escape strings,
    e.g. "\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65"
  6. do a Windows search across the local folder for timthumb.php – if found, you need to scrap the plugin and find an alternative – read why timthumb.php is evil!!
  7. check that your .htaccess file hasn’t been compromised and check that there are no other .htaccess files in any other folder (Windows search)
  8. create a new separate root folder and unzip latest wordpress version there
  9. copy your wp-config.php from the old site over to the new folder
  10. change your DB_PASS and your secret keys (leave wp_ table prefix for now)
  11. upload new clean bare WP to remote site
  12. log in to WordPress and immediately change all user passwords – try to use a random password generator like http://www.thebitmill.com/tools/password.html and bump the characters up to 12 or 16
  13. install “WordFence” or “BulletProof Security” firewall plugins
  14. if you don’t want to install a full firewall plugin (whaaat are you nuts? Your site just got hacked!) at the very least install “Limit Login Attempts” plugin and set to 3 attempts
  15. install “WordPress Security Scan” plugin. Remove meta generator tag and rename DB prefix from wp_ to something else
  16. create a new administrator user. Hint: don’t call it Admin, Sys, System, Administrator, Operator, WordPress or anything like that
  17. delete the old administrator users making sure the posts/pages are inherited by the new administrator user created in the previous step
  18. now you have a working and secured core WP installation
  19. reinstall all the plugins from the Admin Dashboard and reactivate them if WP has already had them deactivated. The settings should be already stored in the DB
  20. upload / ftp your theme to the live server and reactivate the theme. Theme settings should be picked up from the DB but I’ve had instances where you have to set up menus again – bad theme!
  21. last to upload / ftp is your wp-content/uploads (and any other non-WP folders in there after checking they are OK and contain only the correct media)
    Note: this is a favourite place for hackers to store their .php or .cgi scripts, sometimes named “cache”
  22. I recommend using xcloner as a backup tool and setting up a cPanel crontab job to perform your backups. Either ftp them to another site or purchase an Amazon S3 storage bin – it’s ultra cheap

Depending on how familiar you are with WordPress and hosting control panels and how many plugins and uploads a site has, this process is very time consuming.  Restoration time depends on how many files make up your website as they all need to get checked.
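The file checks in steps 5, 6, 7 and 21 can be scripted against the unzipped local copy. The Python below is an added example, not part of the original article: it flags the step 5 search terms (generalised to any preg_replace pattern carrying the e modifier), timthumb.php, .htaccess files outside the root, and PHP or CGI content under wp-content/uploads. The function names, the 8-escape threshold, the extension list and the constructed sample tree are assumptions.

```python
import os
import re

# Step 5 terms. Matching any pattern whose modifiers include "e" goes beyond the
# article's literal search term; the 8-escape run length is an assumed threshold.
PATTERNS = {
    "preg_replace_e": re.compile(
        rb"preg_replace\s*\(\s*[\"'](.)(?:\\.|(?!\1)[^\\\n])*\1[a-z]*e[a-z]*[\"']", re.I),
    "base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
    "hex_escape_run": re.compile(rb"(?:\\x[0-9a-f]{2}){8,}", re.I),
}
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl")  # assumed list of script extensions

def scan_site(root):
    """Scan an unzipped local copy; return sorted (relative_path, finding) pairs."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if low == "timthumb.php":                       # step 6
                findings.append((rel, "timthumb"))
            if low == ".htaccess" and "/" in rel:           # step 7: outside the root
                findings.append((rel, "extra_htaccess"))
            if rel.startswith("wp-content/uploads/") and (  # step 21
                    low.endswith(SCRIPT_EXT) or b"<?php" in data):
                findings.append((rel, "script_in_uploads"))
            for label, rx in PATTERNS.items():              # step 5
                if rx.search(data):
                    findings.append((rel, label))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed site tree (inert strings only) for a dry run."""
    sample = {
        "index.php": b"<?php echo preg_replace('/a/i', 'b', $t);",
        ".htaccess": b"# BEGIN WordPress\n",
        "wp-content/themes/x/timthumb.php": b"<?php // thumbnail script",
        "wp-content/themes/x/footer.php": b'<?php $f = "' + rb"\x65\x76\x61\x6c\x20\x28\x20\x67" + b'";',
        "wp-content/themes/x/functions.php": b'<?php preg_replace("/.*/e", "1+1", $t);',
        "wp-content/uploads/2015/cache": b"<?php $s = base64_decode('aGVsbG8=');",
        "wp-content/uploads/2015/.htaccess": b"# constructed stray file\n",
    }
    for rel, data in sample.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
```

Call scan_site on the folder unzipped in step 4 and review each hit by hand; a base64_decode match on its own is not proof of compromise, as the note under step 5 says.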

Has your WordPress site been hacked recently?  Tell us your story.
Via: limecanvas.com

 


Posted on March 29, 2015, in Uncategorized.
