How to Recover from a WordPress Malware-Injection Hack?

You might not know this, but my site have just recovered from a serious WordPress hack that injected a malware to my wordpress installation files. The worse part is that it also infected other sites that I host on the same web hosting that I used.

After hours of research, I found a way to clean my wordpress sites. So if your site was marked as a “harmful site” by Google or if you got an HTTP Error 500 Internal server error in your server’s error log, allow me to help you fix that.

First of all, how do you know your site was hacked and injected with malware? You need to check the source code of some important files in your wordpress to see if you found a “<?php eval” at the beginning of the file. Check these files to begin with:

  • /index.php
  • /wp-config.php
  • /wp-includes/functions.php

If you found the “<?php eval” piece of code at the beginning of the source code of the files above, your site has been successfully injected by malwares. So what’s next? What should I do, you might ask.

Backup Your Website

I know it was probably be too late for you to do this step, it was also in my case. I wish I have a clean backup of my site, which include the MySQL database, wp-content directory, and your wp-config.php file. These are the basic things that you should always backup at least once a month.

Replace ALL of Your WordPress Installation Files

That’s right. You need to replace all of your wordpress files with the new clean-fresh one. Don’t try to clean the infected files. Why? because you don’t know how deep and how much your files have been infected. Plus, it will take so much time to clean the files one by one.

There’s one caveat though. You need to have a clean backup of your WordPress’ MySQL database, wp-content directory, and your wp-config.php file, so that after you re-upload the fresh WordPress installation files, you can replace the wp-content directory and the wp-config.php file with yours.

  • MySQL database (.sql) contains all your posts and wordpress settings. Contrary to what I know previously, WordPress does not keep each of your WordPress postings as a single file. Instead, it will store them as text in your MySQL database. So if you have this file, your blog posts and WordPress settings are safe.
  • Wp-content directory contains all of your plugin, themes, and uploaded files. Remember when I told you WordPress saves blog post as a database entry above? Now…it saves all pictures that are attached to your posts in this directory wp-content/uploads. So if you want to keep all of those precious images in your blogs, you might want to save wp-content/uploads somewhere safe. I would say that this is the most important directory to save from other directories in wp-content/. The wp-content/themes and wp-content/plugins are important, but you can always install them back manually, if necessary. All the settings will stay intact (even without the plugins and themes backup files) since settings are stores in your MySQL database.
    If you modified any of your plugins or themes, your modified files are stores in this directory also.
  • wp-config.php file contains the information to connect between your WordPress files and your MySQL database, such as the database host, username, and password.

What if you don’t have clean backups of the files above? Well…the only way is to copy your current wp-content/ directory and wp-config.php file (the current and infected ones) to your local drive, run a find and replace function using your favorite text editor to find any occurrence of “<?php eval” and delete them. I recommended you to use a text batch editor software like TextCrawler to the the job for you.

….and backup your MySQL database manually.

After all the necessary files in hand, then you can delete all of your files and re-upload WordPress’ new installation files. Once the upload process is done, restore your WordPress database, and replace the wp-content/ directory and the wp-config.php with your backup ones.

You can download the latest wordpress installation file from http://wordpress.org/download/ 

The Result

I’m not saying this whole backup and restore task is gonna be, but if everything went smooth, you will have your WordPress clean and working again!

Tips

  1. Keep your WordPress updated all the time. This includes ALL WordPress installation in your web hosting. I made a mistake to only pay attention my main site, which is this blog and keep it up to date. I missed to check the other installations whether they are up to date or not. I think that’s my biggest mistake in my case.
  2. Install a security plugin on your WordPress. I recommended WP Security to do the job for you.
  3. Install a backup plugin on your WordPress. I recommended Backup Scheduler to do the job for you.
  4. When you backup your files, don’t forget to backup your .htaccess and any WordPress non-default files (images, videos, etc.)

Good luck on your journey. I hope you can have your WordPress site back (clean and sound). Let me know if there’s anything I can help by dropping a comment below.

Leave a Reply

Your email address will not be published. Required fields are marked *