So your WordPress site has been hacked


Aaaaaagh!

Last night we were hacked by Turkish Jihadis who replaced our index.php, disabled Akismet and one other plugin. What do you do when that happens?

Change your host password and FTP password immediately.

Let the host know what has happened and ask them to investigate how it happened.

We have a plugin called Simple Login Log and from that I could see that I had apparently logged in from Turkey – but I live in the UK, so my password had been cracked.

Check the access log on your host’s cPanel. On ours we could see that someone whose IP was Turkish had been using the plugin editor around that time – so that’s why Akismet was bust.
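Reading the raw access log by eye is slow, so here is a small added script (not part of the original post) that does the same check: it parses Apache/LiteSpeed “combined” log lines as cPanel exports them, keeps only login POSTs and hits on the admin pages that edit or (de)activate code, and groups them by client IP. The log lines below are constructed sample data using documentation IP ranges; the endpoint list and the 30-minute default window are my own choices. If you pass the modification time of the replaced index.php (your FTP client shows it), only requests near that time are kept.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache/LiteSpeed "combined" log format, as downloaded from cPanel's Raw Access Logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Admin pages that edit or (de)activate code or add users. A request to one of
# these from an IP you do not recognise is the signal the post describes.
SENSITIVE_ADMIN_PAGES = {
    "plugin-editor.php", "theme-editor.php", "plugins.php",
    "plugin-install.php", "update.php", "user-new.php", "users.php",
}

# Constructed sample log (documentation IP ranges), not a real server's log.
SAMPLE_LOG = [
    '198.51.100.20 - - [14/Mar/2013:01:58:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2013:02:13:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2013:02:14:02 +0000] "GET /wp-admin/plugins.php?action=deactivate&plugin=akismet%2Fakismet.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2013:02:14:30 +0000] "GET /wp-admin/plugin-editor.php?file=akismet%2Fakismet.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2013:02:15:30 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [14/Mar/2013:09:01:12 +0000] "GET /about/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [14/Mar/2013:09:02:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 9900 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "time": ts,
        "method": m.group("method"),
        "path": urlsplit(m.group("path")).path,  # drop the query string
        "status": int(m.group("status")),
    }


def is_sensitive(ev: dict) -> bool:
    """True for login attempts and for admin pages that change code or users."""
    path = ev["path"]
    if ev["method"] == "POST" and path.endswith("/wp-login.php"):
        return True
    return "/wp-admin/" in path and path.rsplit("/", 1)[-1] in SENSITIVE_ADMIN_PAGES


def admin_activity_by_ip(lines, around: str | None = None, minutes: int = 30):
    """Group sensitive requests by client IP.

    `around` is an ISO-8601 timestamp with offset (e.g. the index.php modification
    time from your FTP client); when given, only requests within +/- `minutes` of it
    are kept. Returns {ip: [(iso_time, method, path), ...]}.
    """
    centre = datetime.fromisoformat(around) if around else None
    by_ip: dict[str, list[tuple[str, str, str]]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_sensitive(ev):
            continue
        if centre is not None and abs(ev["time"] - centre) > timedelta(minutes=minutes):
            continue
        by_ip.setdefault(ev["ip"], []).append(
            (ev["time"].isoformat(), ev["method"], ev["path"])
        )
    return by_ip


if __name__ == "__main__":
    for ip, events in admin_activity_by_ip(SAMPLE_LOG).items():
        print(ip)
        for when, method, path in events:
            print("  %s %s %s" % (when, method, path))
```

Run it over the downloaded log with the real modification time and the output is the short list of IPs worth blocking in cPanel and comparing against your own login records. A plain GET of wp-login.php (just loading the form) and ordinary admin pages such as edit.php are deliberately not flagged, which keeps the list short.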

Urgent action is needed.

1) Change the SALTs in wp-config.php – that will force all currently logged-in users to be logged out!
The SALT section looks a bit like this, with gobbledegook instead of ###:

define('AUTH_KEY',         '###');
define('SECURE_AUTH_KEY',  '###');
define('LOGGED_IN_KEY',    '###');
define('NONCE_KEY',        '###');
define('AUTH_SALT',        '###');
define('SECURE_AUTH_SALT', '###');
define('LOGGED_IN_SALT',   '###');
define('NONCE_SALT',       '###');

The WordPress team have provided a tool to generate a new set here. Don’t copy the one above! Update your wp-config.php and get it uploaded asap.
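If you would rather not paste eight lines by hand, here is an added script (mine, not from the post or from WordPress) that rewrites the eight define() lines in a wp-config.php with fresh 64-character values from the operating system’s CSPRNG, leaves every other line alone, and refuses to continue if any of the eight is missing. The sample config below is constructed; the character set is my own choice and deliberately excludes quotes and backslashes so the values are always valid inside a single-quoted PHP string.

```python
from __future__ import annotations

import re
import secrets
import shutil
import string

# The eight constants WordPress reads from wp-config.php for cookies and nonces.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Safe inside a single-quoted PHP string: no quote characters, no backslash.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

# Matches define('AUTH_KEY', '...'); with either quote style and any spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>%s)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
    % "|".join(WP_KEYS)
)

# Constructed sample wp-config.php fragment with the placeholder values from the post.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         '###');
define('SECURE_AUTH_KEY',  '###');
define('LOGGED_IN_KEY',    '###');
define('NONCE_KEY',        '###');
define('AUTH_SALT',        '###');
define('SECURE_AUTH_SALT', '###');
define('LOGGED_IN_SALT',   '###');
define('NONCE_SALT',       '###');
$table_prefix = 'wp_';
"""


def new_key(length: int = 64) -> str:
    """Fresh random key from the CSPRNG, 64 characters like the WordPress generator."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def rotate_salts(config_text: str) -> tuple[str, dict[str, str]]:
    """Replace the value of each of the eight defines; return (new text, name -> value).

    Only the quoted value is swapped, so alignment and quote style are preserved.
    Raises ValueError if any key is absent, rather than silently rotating a subset.
    """
    replaced: dict[str, str] = {}

    def repl(m: re.Match) -> str:
        fresh = new_key()
        replaced[m.group("name")] = fresh
        start = m.start("value") - m.start()
        end = m.end("value") - m.start()
        whole = m.group(0)
        return whole[:start] + fresh + whole[end:]

    new_text = _DEFINE_RE.sub(repl, config_text)
    missing = set(WP_KEYS) - set(replaced)
    if missing:
        raise ValueError("wp-config.php lacks defines for: " + ", ".join(sorted(missing)))
    return new_text, replaced


def rotate_file(path: str) -> dict[str, str]:
    """Rotate the salts in a real wp-config.php, keeping a .bak copy first."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_text, replaced = rotate_salts(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return replaced


if __name__ == "__main__":
    text, keys = rotate_salts(SAMPLE_CONFIG)
    print(text)
```

Upload the rewritten file and every existing login cookie stops validating, which is the “force everyone off” effect step 1 is after. The .bak copy is there so you can roll back if you uploaded the wrong file; delete it once you are happy, since it holds the old values.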

2) Next you need to force all passwords to be reset to new WordPress-generated ones – so all users have a new password (of course they can change them quickly back though). I couldn’t find an emergency password reset plugin, so I wrote one called emergency-password-reset – just upload it, activate it and, if you are the administrator, you can reset all the passwords in the Users section on the left-hand menu. Do step 1 first though to force all users off!

3) You can block IPs in your host’s cPanel – if you have analytics that shows the IPs of users when the hack happened (the exact time will be available in your FTP program), then you can block ’em! They will just try from another IP, but now you are more secure again.

4) I reinstalled all plugins as they had been fiddling. Some hackers try to add some code to insecure plugins (particularly ones using old versions of TimThumb for image management) – so the safest bet is to delete them and re-add them.

5) If your username is “admin”, change it – either in phpMyAdmin, or create another administrator user and then delete the old “admin” one!


ABOUT THE AUTHOR - ANDY MOYLE

Andy Moyle is a church leader and web developer. His biggest project is the Church Admin WordPress plugin and app. He also runs, mainly so he can eat pizza.