Anatomy of fixing a hacked WordPress website

• ~600 words • 2 minute read

This is a good followup to my piece about why I don't like using WordPress sometimes.

A client of a client had his WordPress site hacked the other day. What follows is a summary of the general chronology involved and steps taken to remedy the situation:

  • Received a 1am email about the site not working. Pretend you're not awake to see it and handle it in the morning. Sigh heavily.
  • Read the forwarded correspondence with the hosting provider, who determined it was *not* their server and must be the theme or a plugin. Grumble a little.
  • Pull up the site for the first time. Note the 500 Internal Server Error. Note that could be a million things.
  • Recognize that the WordPress login URLs are still accessible, meaning the hosting provider's email was likely right. Grumble a little more.
  • Try to log in and see which files have changed recently. Discover the (S)FTP credentials you'd securely saved don't work anymore.
  • Discover not a single password/admin combo (SFTP, cPanel, WordPress, hosting login) you had saved for this account works anymore. Email the person who subcontracted you and wait for a second-hand reply. Specifically explain you don't really need the WordPress login info.
  • Receive the WordPress admin password but not others.
  • Log in anyway. Discover that WordPress hasn't been updated since the site launched a year ago and that the editor is enabled. Recall the user manual you wrote noting the importance of occasional updates and how to do them. Cry a little inside.
  • Use the built-in file editor, which most likely was the source of this problem, to remove the nefarious code from various theme files and the weird file they added. Wonder why that feature ships enabled by default, or at least isn't easily turned off.
  • Seriously — who uses that? I only look at that thing when I'm fixing hacked sites. Grumble.
  • And turning it off isn't even a simple setting like you might expect! You have to add a constant to the wp-config.php file to explicitly state you don't want to use it! I HATE THIS.
  • Notify the person who contracted you that you'll still need the other passwords to properly disable the editor and double-check file permissions to make sure this doesn't happen again, but otherwise the site is functioning again.
  • Check if there is a security plugin of some kind installed, since you know that's the next question this person will probably ask. Realize the Secure WP plugin didn't really do shit for this particular situation. Laugh a little.
  • Wait a couple days. Receive the passwords in a plain-text email. Yay.
  • Log in to cPanel so you can reset the (S)FTP password, update your records and log in to see what files were touched.
  • Disable the WordPress editor.
  • Remove the maliciously added code. Make a note of the clever use of 404.php to upload more malicious files. No two hacks are quite the same; like malicious little snowflakes.
  • Delete unused plugins and themes. Upgrade WordPress to the latest version; hope that 3.8 auto-updating itself will help.
  • Make sure there's nothing weird sitting in the upgrade or uploads folders.
  • Realize the website, with all the custom post types, layouts and other accommodations made to allow WordPress to update the specialized portfolio pages, hasn't been used since the site launched last year. Shrug shoulders depressively.
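
The cleanup steps above (set the wp-config.php constant that disables the editor, list recently changed files, check the uploads folder and file permissions) as an added shell helper that is not part of the original post. `DISALLOW_FILE_EDIT` is WordPress's real constant; the docroot argument, the function names and the 7-day default are this example's own assumptions.

```sh
#!/bin/sh
# Added example: post-cleanup checks for a WordPress docroot passed as $1.
# Function names and paths are assumptions of this example, not WordPress APIs.

# Define DISALLOW_FILE_EDIT above the "stop editing" marker (or the
# wp-settings.php require) so it is set before WordPress loads. Idempotent.
disable_file_editor() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0   # already configured
  awk -v line="define('DISALLOW_FILE_EDIT', true);" '
    !done && (/stop editing/ || /wp-settings\.php/) { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# PHP files changed in the last N days: the first thing to read after a hack.
recently_modified_php() {
  find "$1" -type f -name '*.php' -mtime "-$2"
}

# The uploads folder should hold media only; any PHP there is suspect.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# World-writable files let any local process rewrite site code.
world_writable() {
  find "$1" -type f -perm -002
}

main() {
  root="$1"; days="${2:-7}"
  disable_file_editor "$root"
  echo "== PHP files modified in the last $days days"; recently_modified_php "$root" "$days"
  echo "== PHP files inside uploads";                  php_in_uploads "$root"
  echo "== world-writable files";                      world_writable "$root"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh harden.sh /path/to/docroot [days]`; the listing functions only report, they change nothing.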

It's a little like being Sherlock Holmes, but way less satisfying.