WordPress hackers of malicious software and viruses

This is a howto or a step-by-step post on successfully repairing a hacked site. This guide is meant to walk you through repairing your current problem and preventing it from happening again in the future. Just simply restoring the files is not enough to fix the site. We need to implement stronger security measures to prevent hackers from invading your site again in the future.

Repair

Step 1: Log into your cpanel

If you are using any of the name brand hosting platforms they usually provide an application called cpanel, which allows you to edit your server side information. The Cpanel for Just Host for example can be reached by going to . On the cpanel there is a usually a Stats section on the left that will have the last logged IP address for the person who accessed your cpanel last. Go to and see if the IP address the cpanel gives and the website whatismyip have the same. If they are not this may be the IP address of the hacker, however, don’t jump to conclusions because IP addresses get reset often and it may have been yours previously or your web hosts IP address if they have accessed your cpanel recently. Simply write the IP address the Cpanel gives if it is different and we can use this later.

Step 2: Check log files

All servers should keep log files that show every connection to your site. There are several different types of logging software such as AWStats or Webalizer. Almost all webhosting servers will have what is called Raw Access Logs (name may vary from platform to platform). Go ahead and and download the log file for each of your domains. This can be used later to further track down possibly where the hacker is located.

Step 3: Contact your hosting company

Most webhosts will have courtesy backups available. If you know when your website was hacked ask if there is a backup before that date they can use to restore your site. It is ALWAYS a good idea to have your own backups saved on your local machine in case there is something wrong with the server.

Step 5: Change ALL passwords

// ** MySQL settings - You can get this info from your web host ** ///** The name of the database for WordPress */define('DB_NAME', 'username_wrd2');/** MySQL database username */define('DB_USER', 'username_wrd2');/** MySQL database password */define('DB_PASSWORD', 'new_user_password');/** MySQL hostname */define('DB_HOST', 'localhost');

Third we will want to change all the FTP user passwords. This is done through the FTP Accounts section of the Cpanel. If you have added any ftp users change the passwords for each user. The Special FTP Accounts is set by the cpanel username and password and the password for this changes when the password for the cpanel changes. Special FTP Accounts Next we will want to change the login passwords for your web application. Here are a couple examples of common password resets for the following popular web applications: , , Prestashop. Lastly you will want to change the email passwords for every email account you created. This is done through the cpanel in the Email Accounts section.

Step 6: Make sure your code is up-to-date

Always make sure your code is up-to-date. Here is a list of common scripts and the security advisories for each. Also always be wary of plugins and themes because they are also places of weakness.

Latest Version Info Security Advisories at Secunia.com

Step 7: Examine your code for weak points

Check your code for basic vulnerabilities. Some really common hacks include inserts of small lines of code that are hidden in your scripts. The following is just an example of a single line of hidden code that could be inserted into one of your files.

eval(base64_decode('WW91J3JlIHNpdGUgaGFzIGJlZW4gaGFja2VkIQ=='));

The last thing to check security is to make sure your are secure. You should almost never have a folder that has permissions set to 777. Most folders and files should either be set to 755 or 644.

Step 8: Identify and block the attacker’s IP address

If you have been able to identify the IP address of the hacker you can block that IP address from ever accessing your site in the future. In the folder where your domain is stored is a hidden file called .htaccess. Open this file in any text editor and and add the following lines of code near the top.

order allow,denydeny from 123.45.6.7deny from 012.34.5.allow from all

By saying deny from IP Address you will have successfully blocked that IP of the hacker. Most likely a hacker will have used a proxy or IP address that does not belong to him/her, but this small preventive measure is always a good practice. Also be aware that IP addresses assigned to people can change and in the future the blocked IP address may be assigned to a different person that had nothing to do with hacking your site. The last thing you should do if you are confident you have the right IP address is contact the Internet Service Provider that issued that IP address and report the hack to them. Most of the time the ISP will take action against that IP address because hacking is another person’s site is against their terms of service.

Prevent

Strengthen security on the computer you use to maintain and manage your website If your own personal computer is at risk then so is your website. Certain viruses will keep track of every key that you hit on your computer and this will give the hacker all the information needed to break into your website, bank account, etc. Make sure your computer has good antivirus software installed and up-to-date. Make sure each week you’re computer has all the necessary security updates. Make sure your web browser (e.g. Firefox, Internet Explorer, etc) and all the plugins are up-to-date. Be weary about using open wireless access points. These can be very easy for someone to watch and grab all the internet content you use.