So your WordPress site has been hacked

Aaaaaagh!

Last night we were hacked by Turkish jihadis who replaced our index.php, disabled Akismet and one other plugin. What do you do when that happens?

Change your host password and FTP password immediately.

Let the host know what has happened and ask them to investigate how it happened.

We have a plugin called Simple Login Log and from that I could see that I had apparently logged in from Turkey – but I live in the UK, so my password had been cracked.

Check the access log in your host’s cPanel. On ours we could see that someone with a Turkish IP had been using the plugin editor around that time – so that’s why Akismet was bust.
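The check described above can be scripted rather than done by eye. The following is an added example, not code from the original post: it parses Apache/cPanel combined-format access-log lines (the sample lines are constructed, using documentation IP ranges), picks out every request to WordPress’s built-in plugin and theme editors, groups them by client IP, and flags any IP that is not on a list of addresses the site’s owners normally use. Everything in it (`LOG_RE`, `EDITOR_PATHS`, `editor_activity`, `suspicious_ips`) is this example’s own naming.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format as exported by cPanel:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# WordPress's built-in file editors; a POST here rewrites plugin/theme PHP on disk.
EDITOR_PATHS = ("/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php")

# Constructed sample log (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:23:41:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:23:41:09 +0000] "GET /wp-admin/plugin-editor.php?file=akismet/akismet.php&plugin=akismet/akismet.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:23:42:30 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "http://example.com/wp-admin/plugin-editor.php" "Mozilla/5.0"
198.51.100.4 - - [13/Mar/2013:08:15:44 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],      # path without the query string
        "query": m.group("path").partition("?")[2],    # query string, "" if none
        "status": int(m.group("status")),
    }


def editor_activity(log_text):
    """Map each client IP to its requests against the plugin/theme editor, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in EDITOR_PATHS:
            hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"], rec["query"]))
    return dict(hits)


def suspicious_ips(log_text, allowed_ips):
    """IPs that used the editors and are not among the addresses the site owners use."""
    return {ip for ip in editor_activity(log_text) if ip not in allowed_ips}


if __name__ == "__main__":
    for ip, reqs in editor_activity(SAMPLE_LOG).items():
        for when, method, path, query in reqs:
            print(f"{ip} {when.isoformat()} {method} {path} {query}")
```

Run it against the real log with `editor_activity(open("access_log").read())`; the timestamps it returns are what you line up against the modification times your FTP client shows for index.php. A GET followed by a POST to plugin-editor.php from the same address is the pattern of someone opening a plugin file and saving changes. If nobody legitimately edits code through the dashboard, WordPress lets you switch the editors off altogether with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes this route regardless of who holds an administrator password.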

Urgent action is needed.

1) Change the SALTs in wp-config.php – that will force all currently logged-in users to be logged out!
The SALT section looks a bit like this, with gobbledegook instead of ###:

The WordPress boys have provided a tool to generate a new one here. Don’t copy the one above! Update your wp-config.php and get it uploaded ASAP.

2) Next you need to force all passwords to be reset to new WordPress-generated ones – so all users have a new password (of course they can quickly change them back, though). I couldn’t find an emergency password reset plugin, so I wrote one called emergency-password-reset – just upload it, activate it and, if you are the administrator, you can reset all the passwords in the Users section on the left-hand menu. Do step 1 first though, to force all users off!

3) You can block IPs in your host’s cPanel – if you have analytics that show the IPs of users at the time the hack happened (the exact time will be available in your FTP program), then you can block ’em! They will just try from another IP, but now you are more secure again.

4) I reinstalled all plugins as they had been fiddled with. Some hackers try to add code to insecure plugins (particularly ones using old versions of TimThumb for image management) – so the safest bet is to delete them and re-add them.

5) If your username is “admin”, change it – either in phpMyAdmin, or create another user and then delete the “admin” one!
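Step 1 above, as an added example rather than the author’s own method: instead of pasting output from the WordPress generator (the tool linked above is the one at https://api.wordpress.org/secret-key/1.1/salt/), this script creates eight fresh 64-character secrets locally from the operating system’s CSPRNG and swaps them into the `define()` lines of wp-config.php, leaving every other setting untouched. The `SAMPLE_WP_CONFIG` text is a constructed stand-in for the SALT section, with `###` where the real values sit; `rotate_salts`, `salt_values` and `rotate_file` are this example’s names. It assumes the eight constants are single-quoted PHP strings without escaped quotes, which is how WordPress ships them.

```python
import re
import secrets
import string
import sys

# The eight wp-config.php constants WordPress uses to sign its login and nonce cookies.
# Changing any of them invalidates every existing session cookie, which is why step 1
# logs everyone out, attacker included.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters for new secrets: no quote or backslash, so the PHP single-quoted literal stays valid.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"

# Constructed stand-in for the salt section of wp-config.php (### marks the secret values).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         '###');
define('SECURE_AUTH_KEY',  '###');
define('LOGGED_IN_KEY',    '###');
define('NONCE_KEY',        '###');
define('AUTH_SALT',        '###');
define('SECURE_AUTH_SALT', '###');
define('LOGGED_IN_SALT',   '###');
define('NONCE_SALT',       '###');
$table_prefix = 'wp_';
"""

# Matches define('NAME', 'value'); with any amount of alignment whitespace.
DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>[^']*)'\s*\);")


def new_secret(length=64):
    """A fresh secret drawn from the OS CSPRNG (same length WordPress's generator uses)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salt_values(config_text):
    """Current value of each salt define() present in the config text."""
    return {m.group("key"): m.group("val")
            for m in DEFINE_RE.finditer(config_text) if m.group("key") in SALT_KEYS}


def rotate_salts(config_text, secret_factory=new_secret):
    """Return (new_text, replaced_keys); every salt define() gets a new value, nothing else changes."""
    replaced = []

    def _sub(m):
        key = m.group("key")
        if key not in SALT_KEYS:
            return m.group(0)          # DB_NAME and friends are left exactly as they were
        replaced.append(key)
        return f"define('{key}', '{secret_factory()}');"

    return DEFINE_RE.sub(_sub, config_text), replaced


def rotate_file(path):
    """Rewrite a wp-config.php in place; refuse to write if not all eight salts were found."""
    with open(path, encoding="utf-8") as f:
        old = f.read()
    new, keys = rotate_salts(old)
    if len(keys) != len(SALT_KEYS):
        raise SystemExit(f"expected {len(SALT_KEYS)} salt defines, found {len(keys)}: {keys}")
    with open(path, "w", encoding="utf-8") as f:
        f.write(new)
    return keys


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("rotated:", ", ".join(rotate_file(sys.argv[1])))
    else:
        print(rotate_salts(SAMPLE_WP_CONFIG)[0])
```

Run `python rotate_salts.py /path/to/wp-config.php` on a local copy and upload the result; with no argument it prints the rotated sample so you can see the shape of the output. The refusal in `rotate_file` matters: a wp-config.php that has lost or renamed one of the eight constants would otherwise be half-rotated, and WordPress falls back to a database-stored value for any missing constant, so the old cookie signing material would survive.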


2 Comments on “So your WordPress site has been hacked”

  • Bulk Wordpress Password Reset | The Moyles March 26th, 2013 10:36 pm

    […] Sometimes it is a good idea to reset all the passwords for your WordPress website and email the users to let them know their new password. Especially when you have been hacked – if you have been hacked, read about what to do […]

  • Jeff Hebert January 3rd, 2014 3:27 pm

    Thank you very much for both the post and the plugin. I’ve used both to respond to a hack that happened yesterday and they were extremely helpful.