Cleaning A Hacked WordPress Site

Geek Girl Tech Con - San Diego 2015

Created for Geek Girl Tech Con - San Diego 2015

https://helf.us/ggsd2015

Have You Been Hacked?

Is your site really slow?

Do you get errors all over the place?

Are you using a lot of resources?

Do you have strange users?

Is your site defaced?

Hacks are Serious Business

ISIS Defacement

Cleaning WordPress Is Easy

WordPress Is Just Files (and a DB)

What You'll Need

  • A File Transfer App (SFTP ONLY!)
  • Access to your server
  • Access to your database
  • Access to all your plugins and theme's source

Step One

Backup Your Files

$ cp -r public_html public_html_backup

Cyberduck's download

Step Two

Backup Your Database

$ mysqldump -u DB_USER -p[DB_PASSWORD] [DB_NAME] > filename.sql

$ wp db export

Example of your password and user ID

Step Three

Make an Inventory

  • What plugins?
  • What theme(s)?
  • What else?
  • Are they all updated?
  • Are they safe?

Step Four

Delete (Almost) Everything

DO NOT DELETE THESE!

  • wp-config.php
  • .htaccess
  • wp-content/uploads/
  • wp-content/blogs.dir/

Step Five

Check What's Left

$a51a0e6bb0e53a=str_rot13('tmhapbzcerff')
$a51a0e6bb0e5e4=str_rot13(strrev('rqbprq_46rfno'));
eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/')));
eval(gzinflate(base64_decode('dVRtb6NGE.....')));
					

Step Five (B)

Command Line Is Our Friend

$ find ./wp-content/uploads/ -name "*.php"
$ find . -name ".htaccess"

$ grep -R --include=*.php "[0-9A-Za-z]\{30,\}" * |
  grep "[a-zA-Z][0-9]" | grep "[0-9][a-zA-Z]"
				

Step Six

Reinstall It Clean

  • https://wordpress.org/latest.zip
  • wp core download --force
  • wp plugin install [slug, url, zip]

Step Six (B)

Clean The Theme

  • wp theme install [slug, url, zip]

Step Seven

What About The Database?

wp-options -> class_generic_support
wp-options -> widget_generic_support
wp-options -> wp_check_hash
wp-options -> rss_7988287cd8f4f531c6b94fbdbc4e1caf
wp-options -> rss_d77ee8bfba87fa91cd91469a5ba5abea
wp-options -> rss_552afe0001e673901a9f2caebdd3141d
					

Step Eight

So What Happened?

$ grep -R --exclude=*.{png,jpg,gif,jpeg,sql,ttf}
  "[0-9A-Za-z]\{30,\}" * | grep "[a-zA-Z][0-9]"
  | grep "[0-9][a-zA-Z]"

Step Nine

An Ounce of Prevention

No software is bug free. It's how you respond to these bugs that makes you good. Trust the people who update quickly & explain what's wrong.

Resources - Software

Resources - Command Line

THE END

Mika "Ipstenu" Epstein

DreamHost WordPress & DreamPress Guru

My tech blog: https://halfelf.org

These slides: https://helf.us/ggsd2015