How to clean up a hacked WordPress site

One of our clients’ WordPress sites got hacked. The client can’t access the site, not even the admin dashboard at the back-end, because the site is always redirected to a phishing site: http://www.indoforextrading.com/. If you run into exactly the same problem, here is how I fixed it.

FTP to the hacked site and check the file structure. It is clear which files (marked with a red rectangle in the screenshot) are suspicious.

[Screenshot: indoforextrading-redirect-hacking]

  • First of all, the site is not up to date. Readme.txt and license.txt show the installation date, which is “Sep 23, 2013”. The site has not been updated since then.
  • There is no index.htm in a WordPress installation. This file is fake and should be checked.
  • .htaccess and index.php have been tampered with: they carry the same modification date as index.htm, and both file sizes are wrong.

It is easier to understand why the redirect happens after checking these three files. Here is code from the hacked files.

# From hacked .htaccess
RewriteOptions inherit

RewriteEngine on
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^(.*)$ "http\:\/\/www\.indoforextrading\.com\/$1" [R=301,L]

----------
// From hacked index.php


----------
// From the fake index.htm
<meta http-equiv="refresh" content="0; url=http://www.indoforextrading.com/">

Clearly, the hack does nothing else; it is just very determined to redirect your site’s traffic to the phishing site.
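The three checks above (a file that does not belong in a stock install, a core file whose content has changed, and redirect payloads in .htaccess and index.* files) can be automated by comparing the suspect install against a clean copy of the same WordPress version. The script below is an added example, not code from the post; it builds a constructed miniature "clean" and "hacked" tree in temporary directories (not a real WordPress install), and the redirect patterns are assumptions derived from the snippets shown above. Files that only exist on a live site (.htaccess, wp-config.php) are not reported as unexpected but are still scanned.

```python
"""Compare a suspect WordPress root with a clean copy of the same version.

Reports: files present only on the site (e.g. a fake index.htm), core files
whose SHA-256 differs from the clean copy (e.g. a tampered index.php), and
redirect indicators inside .htaccess / index.* files.
"""
import hashlib
import os
import re
import tempfile

# Constructed indicator patterns, based on the hacked snippets in the post.
REDIRECT_PATTERNS = [
    re.compile(r'RewriteRule\s+\S+\s+"?https?\\?:', re.I),      # rewrite to an absolute URL
    re.compile(r'<meta\s+http-equiv=["\']refresh["\']', re.I),  # HTML meta refresh
    re.compile(r'header\s*\(\s*["\']Location:', re.I),          # PHP header() redirect
    re.compile(r'window\.location\s*=|location\.href\s*=', re.I),  # JavaScript redirect
]

# Files expected on a live site but absent from a fresh download.
SITE_ONLY_OK = ('.htaccess', 'wp-config.php')


def sha256(path):
    with open(path, 'rb') as f:
        return hashlib.sha256(f.read()).hexdigest()


def walk_files(root):
    """Relative paths of every regular file below root."""
    out = set()
    for dirpath, _, names in os.walk(root):
        for n in names:
            out.add(os.path.relpath(os.path.join(dirpath, n), root))
    return out


def redirect_indicators(path):
    """Names of the patterns that fire on the file's contents."""
    with open(path, 'r', errors='replace') as f:
        text = f.read()
    return [p.pattern for p in REDIRECT_PATTERNS if p.search(text)]


def compare_trees(clean_root, site_root):
    clean, site = walk_files(clean_root), walk_files(site_root)
    findings = {'unexpected': [], 'modified': [], 'redirects': {}}
    for rel in sorted(site - clean):
        if rel not in SITE_ONLY_OK:
            findings['unexpected'].append(rel)
    for rel in sorted(site & clean):
        if sha256(os.path.join(site_root, rel)) != sha256(os.path.join(clean_root, rel)):
            findings['modified'].append(rel)
    for rel in sorted(site):
        base = os.path.basename(rel)
        if base == '.htaccess' or base.startswith('index.'):
            hits = redirect_indicators(os.path.join(site_root, rel))
            if hits:
                findings['redirects'][rel] = hits
    return findings


def build_demo():
    """Constructed sample trees: a tiny 'clean' install and a 'hacked' copy
    carrying the three artefacts from the post. Not a real WordPress tree."""
    clean = tempfile.mkdtemp(prefix='wp-clean-')
    site = tempfile.mkdtemp(prefix='wp-site-')
    core = {
        'index.php': "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n",
        'license.txt': 'GPLv2 text\n',
        os.path.join('wp-admin', 'index.php'): "<?php /* admin */\n",
    }
    for root in (clean, site):
        for rel, body in core.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w') as f:
                f.write(body)
    # Hacked copy: fake index.htm (as shown in the post), a tampered index.php
    # (the post does not show its contents; a PHP redirect is appended here only
    # so the sample differs), and the rewriting .htaccess from the post.
    with open(os.path.join(site, 'index.htm'), 'w') as f:
        f.write('<meta http-equiv="refresh" content="0; url=http://www.indoforextrading.com/">\n')
    with open(os.path.join(site, 'index.php'), 'a') as f:
        f.write("header('Location: http://www.indoforextrading.com/');\n")
    with open(os.path.join(site, '.htaccess'), 'w') as f:
        f.write('RewriteEngine on\nRewriteCond %{HTTP_HOST} ^.*$\n'
                'RewriteRule ^(.*)$ "http\\:\\/\\/www\\.indoforextrading\\.com\\/$1" [R=301,L]\n')
    return clean, site


if __name__ == '__main__':
    clean_dir, site_dir = build_demo()
    for key, value in compare_trees(clean_dir, site_dir).items():
        print(key, value)
```

On a real site, point `compare_trees` at an unpacked download of the exact version shown in readme/license and at a local copy of the site fetched over FTP; wp-content holds themes, plugins and uploads that are not in the download, so expect it to show up as "unexpected" and diff it against a known-good backup instead.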

Fixing this hack is simple:

  • DELETE index.htm
  • Replace index.php with a clean matching version of installed WordPress.
  • Replace .htaccess with the correct content, or regenerate one from the dashboard (re-saving the permalink structure generates a correct .htaccess file for you).

After these steps, your site should be back to normal. You should then:

  • Update WordPress to the latest version. Or
  • If WordPress is already the latest version, reinstall it (this step makes sure your WordPress core is clean).
  • Update all plugins to latest version.
  • If any plugins on the site have been abandoned by their developers, consider replacing them sooner rather than later.
  • BACKUP your site.

2 thoughts

  1. It’s also worth mentioning that some hackers will not modify their files, but instead alter your database. I’ve worked with people who have had entries in their database changed to redirect to different URLs. For instance, one person had the post_title of every entry in their posts table changed to a redirect so almost any page load would cause the site to redirect. Another had an entry in their options table that was the actual HTML code that displayed, so rather than sticking it in a file like index.php, they put it in the database. This made finding the problem harder because you don’t expect that as much as a file hack.

  2. Great point! Thank you for the comment.

    That’s something I personally haven’t met during my daily maintenance job on clients’ sites. But I know it is no doubt hard to deal with in that case.

    It was also when I realized the possibility of “database hacking” that I changed all the database backup schedules to daily, even twice a day on some sites.
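The database-side variant described in the first comment (a redirect planted in post_title, or raw HTML stored in the options table) can be checked with a query pass over wp_posts and wp_options. The script below is an added example, not code from the post or its commenters; it runs against a constructed in-memory SQLite copy of the two tables (column names follow the real WordPress schema, the rows are made up), and the site host name is an assumed parameter.

```python
"""Scan wp_posts and wp_options for redirect payloads.

A post title should never contain markup, and option values such as
'siteurl' / 'home' should never point at another host; active HTML
(script, iframe, meta refresh) stored in an option is likewise suspect.
"""
import re
import sqlite3
from urllib.parse import urlparse

TAG_IN_TITLE = re.compile(r'<\s*(script|meta|iframe|a)\b', re.I)
ACTIVE_HTML = re.compile(r'<\s*(script|iframe)\b|http-equiv=["\']refresh', re.I)
URL = re.compile(r'https?://[^\s"\'<>]+', re.I)


def external_hosts(text, site_host):
    """Host names in text that are not the site's own host."""
    hosts = {urlparse(u).hostname for u in URL.findall(text)}
    return sorted(h for h in hosts if h and h != site_host)


def scan_database(conn, site_host):
    """Return (table, key, column, reason) tuples worth a manual look."""
    findings = []
    for post_id, title, content in conn.execute(
            'SELECT ID, post_title, post_content FROM wp_posts'):
        if TAG_IN_TITLE.search(title):
            findings.append(('wp_posts', post_id, 'post_title', 'html in title'))
        if ACTIVE_HTML.search(content):
            findings.append(('wp_posts', post_id, 'post_content', 'script/iframe/meta refresh'))
    for name, value in conn.execute(
            'SELECT option_name, option_value FROM wp_options'):
        if ACTIVE_HTML.search(value):
            findings.append(('wp_options', name, 'option_value', 'script/iframe/meta refresh'))
        if name in ('siteurl', 'home'):
            ext = external_hosts(value, site_host)
            if ext:
                findings.append(('wp_options', name, 'option_value',
                                 'points off-site: ' + ','.join(ext)))
    return findings


def build_demo_db():
    """Constructed sample database mirroring the two cases from the comment."""
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    ''')
    conn.executemany('INSERT INTO wp_posts VALUES (?, ?, ?)', [
        (1, 'Hello world!', '<p>Welcome to WordPress.</p>'),
        (2, 'About us <script>window.location="http://www.indoforextrading.com/"</script>',
         '<p>Our team.</p>'),
    ])
    conn.executemany('INSERT INTO wp_options VALUES (?, ?)', [
        ('siteurl', 'https://example.org'),
        ('home', 'http://www.indoforextrading.com/'),
        ('widget_text',
         '<meta http-equiv="refresh" content="0; url=http://www.indoforextrading.com/">'),
    ])
    return conn


if __name__ == '__main__':
    for row in scan_database(build_demo_db(), 'example.org'):
        print(row)
```

Against a live MySQL database the same two SELECT statements work unchanged (swap sqlite3 for a MySQL client and the real table prefix). Treat the output as a review list rather than proof: legitimate posts do embed iframes, so post_content hits need a human look, whereas markup in post_title or an off-site 'home' URL is almost never legitimate.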
