How to rescue a WordPress Hack

This evening, I rescued a client’s WordPress website from a hack that was so bad their host shut it down. I have a checklist that I use now to recover WordPress sites, which I’d like to share with you. Or you can hire me to do it for you as it requires some technical confidence!

You’d save a lot of heartache, if you backed up your database regularly!
The following steps are for when you haven’t and your site is trashed. These should get you back up and running. Take them at your own risk and don’t blame me or sue me – hey, your site was trashed anyway!

Gather your account passwords

You’ll need to be able to access PHPMyAdmin and FTP.
PHPMyAdmin is a tool in most web hosts’ control panels that allows you to work on the MySQL database that drives WordPress.
FTP means File Transfer Protocol – it’s the way that you can make changes to the files on your server using a program like Filezilla.
You’ll need usernames and passwords to get into both.
I’m going to assume you know how to use them – if not hire me!

1) Put WordPress in maintenance mode

If your host hasn’t already taken the site offline, put it into maintenance mode so that nobody can do anything through a WordPress login.
Create a one-line PHP file named .maintenance (like .htaccess, it will be a “hidden” file).
The one line you need is

Upload the file to the root directory of the install – usually the same directory as wp-config.php
That forces WordPress into maintenance mode with the message “Briefly unavailable for scheduled maintenance. Try again in a minute.”

2) Change the database passwords

Delete the database user in your webhost control panel and create a new one with a completely different password.
Download the wp-config.php file and edit it. Most WordPress hacks are through a compromised login, after which the hacker uploads a plugin. Assume they now know your database password.
Adjust the wp-config.php lines

Replacing the hashes with the new username and password combination.

Next scroll down to the Authentication Unique Keys and Salts section.
It will look something like this…

Changing these will force logout of anyone logged in.
The WordPress boys and girls have provided a useful tool to regenerate these at https://api.wordpress.org/secret-key/1.1/salt/. Don’t be lazy and copy the above 😉

Go ahead and change these in wp-config.php.
Have a quick scan through the rest of the file to check nothing weird is in there. You can compare it to wp-config-sample.php to be sure!
Your wp-config.php is now ready – but don’t upload yet.

3) Delete the current WordPress Install

I think it’s safest to upload a complete fresh install, rather than update.
So delete the following directories – wp-admin, wp-includes and all the files in the root except .htaccess. Do not delete wp-content!

4) Note what plugins and theme were active

If your site is down and you can’t remember which plugins and theme were active, follow this step.
Log in to PHPMyAdmin, find your WordPress database, click the wp_options table (you may have a different prefix than wp_) and then the SQL tab.

Use the statement SELECT * FROM wp_options WHERE option_name = 'active_plugins'
Click on edit to see what the value is
It will look something like this

Yikes! That is a serialized array – but I can see PostLikes, akismet, church-admin-csv, church-admin, emergency-password-reset, never-loose-contact-form and signup-before-leaving are the plugin directories of active plugins.

Finding which theme was active is simpler.
The SQL statement
SELECT * FROM gateway_options WHERE option_name = 'current_theme'
(gateway_ is this site’s table prefix – use yours) will show which theme was active!
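The serialized active_plugins value from step 4 can be decoded without PHP. The following is an added example (not code from this post or from the Church Admin plugin): a small Python parser for the PHP serialize() format as it appears in wp_options, returning the active plugin directories plus, as a clean-up check, any directory that is not on your own list of plugins you remember installing. SAMPLE and its “unknown-plugin” entry are constructed, not the post’s real data.

```python
"""Decode WordPress's serialized active_plugins option into plugin directory names
(added example, not from the original post; SAMPLE is constructed, not real data)."""


def _parse(buf, pos):
    """Parse one PHP serialize() value at buf[pos]; return (value, next_pos).
    buf is latin-1 decoded so one character == one byte, matching s:<len>."""
    tag = buf[pos]
    if tag == "i":                                   # i:7;
        end = buf.index(";", pos)
        return int(buf[pos + 2:end]), end + 1
    if tag == "s":                                   # s:<bytelen>:"...";
        colon = buf.index(":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                            # skip  :"
        if buf[start + length:start + length + 2] != '";':
            raise ValueError("string length mismatch at %d" % pos)
        return buf[start:start + length], start + length + 2
    if tag == "a":                                   # a:<count>:{key;value...}
        colon = buf.index(":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos, out = colon + 2, {}                     # skip  :{
        for _ in range(count):
            key, pos = _parse(buf, pos)
            out[key], pos = _parse(buf, pos)
        if buf[pos] != "}":
            raise ValueError("unterminated array at %d" % pos)
        return out, pos + 1
    raise ValueError("unsupported type %r at %d" % (tag, pos))  # b/d/O not needed here


def active_plugins(serialized):
    """Sorted plugin directory names from an active_plugins option value."""
    buf = serialized.encode("utf-8").decode("latin-1")
    value, end = _parse(buf, 0)
    if end != len(buf) or not isinstance(value, dict):
        raise ValueError("not a serialized plugin list")
    paths = [p.encode("latin-1").decode("utf-8") for p in value.values()]
    return sorted({p.split("/", 1)[0] for p in paths})  # akismet/akismet.php -> akismet


def unexpected_plugins(serialized, known):
    """Active plugin directories that are not on your own list of installed plugins."""
    return sorted(set(active_plugins(serialized)) - set(known))


# Constructed sample in the shape of the wp_options value, not the post's real data
SAMPLE = ('a:4:{i:0;s:24:"PostLikes/post-likes.php";i:1;s:19:"akismet/akismet.php";'
          'i:2;s:29:"church-admin/church-admin.php";'
          'i:3;s:33:"unknown-plugin/unknown-plugin.php";}')
```

Paste the option value PHPMyAdmin shows into active_plugins(); unexpected_plugins() then lists anything active in the database that you did not install yourself, which is exactly what to look at first in step 7.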

5) Clean up the users

Go to the wp_users table and delete any unknown users – especially with date stamps around when your site was hacked.
If you still have an “admin” user – change the username away from admin right NOW! That is likely how the hackers got in!

6) Check the Database for hacked posts and comments…

In PHPMyAdmin, click your database name at the top so that all tables are showing, then click “search” and search for “iframe” in all tables.


You can then check the entries that show for anything untoward.

7) Clean the wp-content directory

This is where the hacker will most likely have done damage. You should have the directories plugins, themes, uploads and upgrade there. Some plugins may have added other directories or even files too.
The index.php file in wp-content should just have

Go to the plugins directory – delete everything! You will upload fresh copies later.
Next the themes directory – again delete everything (make sure you have copies of bespoke/child themes stored elsewhere!)
Then go through the uploads directory, by year and month. Delete any .php files – it should contain only images, PDFs and other user-uploaded files.
Delete anything in the wp-content directory that looks suspicious and especially any files ending in .php that don’t look like above.

8) Download fresh copies of plugins and themes

The quickest approach is to download them all as zips, unzip and upload back to wp-content/plugins, so that when you get WordPress going again, they are already in their activated state.

9) Download a fresh copy of WordPress from wordpress.org

Unzip all files and upload

10) Upload your prepared wp-config.php file

11) Finally delete the .maintenance file

Delete the .maintenance file from the root directory and you should be live again

I’m happy to help – get in touch for a quote

Does anyone have any other steps they take to clean hacked wordpress sites?

Video Recording sermons for smaller churches!

Have you noticed that you can easily embed video to sermons in the Church Admin plugin?
We’ve just started doing at The Gateway Church and it is already increasing reach!

It doesn’t need to be expensive

Big churches can afford high-end video cameras and edit suites costing thousands – but did you know you can get great results with your iPhone?! I downloaded James Wedmore’s iPhone buyer’s guide where he claims you can “Transform your iPhone into a $2,000-Quality Camera…for less than $80!” For recording sermons it cost us less than a tenner!

If you want to use an iPhone to record your church’s preaching in HD, then you will need three things…
1) An iPhone (we use an iPhone 4!)
2) A tripod
3) An iPhone tripod adapter
Available for £0.93 from Amazon.co.uk*
And an optional 4th if you want full control yourself!
Topwell® Wireless Camera Bluetooth V3.0 Self-timer Remote Shutter Controller for iPhone £2.54 from Amazon.co.uk*

Video Recording with the iPhone

The iPhone comes with a great camera app built in. Mount your iPhone on the tripod adapter and tripod. Tap the camera icon, slide it over to video and push the red button when you are ready to go. We have our iPhone mounted on the front row of seating and the built-in microphone picks up preaching really well!
You’ll need about 3.5GB spare capacity for a 40min sermon.

Editing

It’s pretty easy to record iPhone video upside down! Don’t despair – there’s a great free Windows 7 app to rotate it back from http://movierotator.com/.

If you buy Movie Pro at £2.99 you can also edit on your phone.

We run our video through Roxio Creator NXT 2 (PC) to tidy up the start and end.

Hosting the video

You have a couple of options here: Vimeo or YouTube. The advantage of YouTube is that it is the world’s second largest search engine after Google, so your hits will increase naturally.

We use YouTube – you’ll need a Google account to upload.

YouTube accounts normally have a 15-minute limit per video, so you will need to increase your limit (which is still free).

Once the limit is lifted, go to www.youtube.com, log in and click “upload”.

You’ll be presented with a fairly familiar looking upload screen.

You’ll need a good broadband connection to upload the videos, which will be a couple of gigabytes in size. What you end up with is church sermon videos every week for less than a tenner!

While it is uploading, fill in title, description and give it some tags.

It’ll take a while to upload and process, so leave the browser open!

You can always edit the title and tags later in the video manager section…


Adding Video to the Church Admin Plugin

Firstly you will need to update your sermon file template with [VIDEO_URL] by editing in the Sermon Mp3 podcasting section and the link “iTunes Compatible RSS Settings”.

Here’s my file template

<div class="ca_podcast_file">
<h3><a href="[FILE_URI]">[FILE_TITLE] </a> </h3>
[VIDEO_URL]
<p>By [SPEAKER_NAME] on [FILE_DATE] as part of the [SERIES_NAME] series. [FILE_PLAYS]<br/>
[FILE_DESCRIPTION] </p>
[TRANSCRIPT]
<p><audio class="sermonmp3" id="[FILE_ID]" src="[FILE_NAME]" preload="none"></audio></p>
<hr/>
</div>

Then you can add video embedding to your sermons very easily…


The plugin will then embed your video nicely on your sermons page…

[church_admin type="podcast" file_id="1"]

Newday 2014 Live album

I’m looking forward to getting the Newday Live 2014 album in a few days’ time. Newday is a youth Bible week for 7,000 held at the Norwich Showground every year.
It’ll have live worship from this year’s event, featuring Simon Brading, Matt Redman, Sam & Becki Cox, Jordan Dillon, Jules Burt, Jorge Mhondera and Sarah Benton.

Tracks include:
Call you Faithful – which we have introduced at our church already!
Anchor
You died for me
Gracious
Mercy
Rebuild
Nothing but the blood
Forever
I worship You
Here I am
Oceans
Why not order on iTunes now!

Urgent Update

Please update your Church Admin plugin to the latest version 0.5968 ASAP.
Previous versions created a plugin database backup in case of problems, with a message asking you to download and then delete it.


Someone kindly pointed out a number of sites where the backup hadn’t been deleted by the user. That means personal data can be downloaded by anyone who knows where the file is.

V0.5968 deletes the file if it exists and then recreates the backup with a very hard to guess filename.
It’s always worth downloading and then deleting the file, so no personal data is accessible.

Hope Team

You may have noticed a “Hope Team” section has been added to the main admin screen.

We have just started a practical helps ministry called “Hope Team” in our church. We’ve added some functionality into the WordPress Church Admin plugin. You can create jobs like babysitting, hospitality, visiting, DIY etc and then add people to the team and select jobs.

At the moment you can just print a pdf and sync it to Mailchimp. Soon I’ll be adding bulk sms and email functionality so you can communicate needs to hope team members.

Hope it helps

Has your WordPress site switched to Alpha updates

There was a problem with some localised builds of WordPress 3.9 – including UK English en_GB – where it switched the site over to beta testing mode and upgraded to an Alpha build of 4.0.

For me it didn’t look different, but for some people it broke plugins.

Here’s how to get back to normal

1) Using your FTP client – download version.php from the wp-includes folder.

2) Then edit the variable $wp_version (line 7) so it reads
$wp_version = '3.9';

3) Upload it back and browse to the updates page
(http://www.YOURDOMAIN/wp-admin/update-core.php?force-check=1)
As of 9th May 2014 9:24 (and probably a few hours before) it will tell you 3.9.1 is available in your language. Update and you will be back to normal.

The WordPress peeps have fixed the bug in some of the localised versions.

If that’s beyond you – get in touch I can help!

Address List Changes for v0.5943

I’ve made a few improvements for the Address List section of the plugin over the last few weeks.

Firstly display is valid HTML5 with microdata – it looks the same, just works better!

There’s now an edit link next to each entry.

If a site user is logged in and they click their edit entry icon, they will be able to edit their household.

For that to work, admins need to make sure that directory households have a site wordpress username and password setup by the plugin – that can be done from the Display Household page and by editing each member of a household.

Household Maps

We bumped through our Google Static Maps courtesy limit, so I have added a requirement for an API key if you want to use the little maps.
You can sign up for an API key here, then just add api_key=# to the shortcode or you will get the ugly dummy image!

American English

Version 0.5941 of the Church Admin plugin will contain an American English translation of the plugin – so Rota becomes Schedule! If there are any other ways you’d like the Queen’s English mangled, please do let me know, old chaps!

If you use UK English – make sure define('WPLANG','en_GB'); is set in your wp-config.php file.
If US English – make sure define('WPLANG','en_US'); is set in your wp-config.php file.

Blended Families

Here are the latest improvements (v0.5935) to the Church Admin plugin for Church websites using WordPress…

  • I’ve finally updated it to display blended families better.
  • There’s now a first name next to a mobile number or email address, where a household needs that clarity!
  • All phone numbers are clickable for dialling on smartphones and tablets (for the geeky “tel:” works that magic – bit like “mailto:” for email addresses.)
  • The rota pdf is now formatted in columns month to view