How to clean (reinstall) a WordPress site after being hacked

  1. Make a new folder to hold the old site, normally named something like ‘domain-infected-date’.
  2. Move the entire WordPress install (dotfiles such as .htaccess included) into the newly created folder.
  3. This folder must not be reachable from the web, so change its permissions to 750 (000 if you are doing this as root) and move it out of the document root into the home directory. Keep it rather than deleting it: file timestamps and the dropped files are what you will need later to work out how the attacker got in, and until you know that, a fresh install can be re-infected the same way.
    Example: from /home/user/public_html/domain-infected-date to /home/user/domain-infected-date
  4. After ensuring no files are left over from the previous install, extract a fresh copy of WordPress in its place so that every core file is known clean. You can use File Manager in cPanel to upload the latest version (https://wordpress.org/latest.zip), right click and extract it, or, if you are using SSH, run the following in the folder where WordPress should live. Fetch over HTTPS with certificate checking left on: a download you cannot verify is exactly the kind of file you are trying to get rid of. The releases page on wordpress.org also publishes MD5/SHA1 checksums for each zip if you want to compare before extracting.
    # wget https://wordpress.org/latest.zip ; unzip latest.zip ; mv wordpress/* . ; rm -rf wordpress latest.zip

    Make sure to chown the files to the cPanel user (if you are logged in as root) when using the command shown above.

  5. Copy the database details from the old wp-config.php into the new wp-config-sample.php. Copy only these lines, by hand; do not reuse the old file itself, as it is a favourite place for an attacker to append a loader.
    These 4 lines are what you want to copy and replace:

    define('DB_NAME', 'db_example');
    define('DB_USER', 'user_example');
    define('DB_PASSWORD', 'example-p@ssw0rd');
    define('DB_HOST', 'localhost');

    plus, if the old site used anything other than the default, the table prefix line ($table_prefix = 'wp_';), without which the new install will not find its tables. While you are in the file, replace the placeholder AUTH_KEY/SALT values with fresh ones from https://api.wordpress.org/secret-key/1.1/salt/ so that any login cookies the attacker holds stop working, and change the database password in cPanel, since anyone who read the old wp-config.php has the current one.

    then rename wp-config-sample.php to wp-config.php

  6. The only thing to copy across directly from the old install is the uploads folder, but before doing so make sure nothing executable is lurking in it: there should be no PHP scripts at all within uploads, and no .htaccess or .user.ini file either, as those can switch PHP handling back on for that directory. The best method is SSH; if you do not have access or are not comfortable with it, ask your host to do it for you.
    Example command to use (the extra patterns catch .phtml, .php5/.php7 and .phar, which PHP handlers commonly execute as well):

    # find /home/user/domain-infected-date/wp-content/uploads/ -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' -o -name '.htaccess' -o -name '.user.ini' \)

    If it returns anything, you can view the contents to see if it is legitimate, but nine times out of ten it will be malicious. If there are many, the same find command can remove them all:

    # find /home/user/domain-infected-date/wp-content/uploads/ -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' -o -name '.htaccess' -o -name '.user.ini' \) -delete

    Bear in mind that a renamed shell (an "image.jpg" whose contents start with a PHP open tag) will not show up by extension; a search of the file contents for the open tag is the only way to find those.

    Once you have ensured no PHP is lurking, move /home/user/domain-infected-date/wp-content/uploads into the new install at /home/user/public_html/wp-content/

  7. Next, download a fresh copy of your theme from its official source (wordpress.org or the theme vendor) and extract it into /home/user/public_html/wp-content/themes/
    To limit the risk of future issues with other themes, it is best to remove all other themes except the one you are using.
  8. Last but not least, the plugins. This is normally the most difficult part, depending on how many plugins you have, how many are paid-for plugins, and whether any old ones are no longer in development and have to be replaced.
    You can either reinstall each plugin from the WP admin backend or, if you have a lot of plugins, use SSH to speed things up. If you do not have SSH access, gather the direct download links for each plugin and give them to your host so they can do the following for you over SSH. Paid-for plugins must come from the vendor's own download area, never from a "nulled" copy found elsewhere, which is a common way of hand-installing a backdoor.
    In the plugins folder: /home/user/public_html/wp-content/plugins
    create a plugins.txt file

    # nano plugins.txt

    Browse to https://wordpress.org/plugins/, search and copy down the direct download link for each plugin. Quick time saver, on the actual plugin page, if you are using Chrome, right click the download link and hit E on your keyboard. This will copy the URL to your clipboard, then simply copy and paste it into the plugins.txt
    Example of plugins.txt:
    https://downloads.wordpress.org/plugin/wp-publication-archive.3.0.1.zip
    https://downloads.wordpress.org/plugin/mailchimp.1.4.2.zip
    https://downloads.wordpress.org/plugin/recent-posts-widget-plus.1.1.zip
    https://downloads.wordpress.org/plugin/search-and-replace.zip
    https://downloads.wordpress.org/plugin/simple-links.3.0.3.zip
    https://downloads.wordpress.org/plugin/visual-form-builder.2.8.1.zip
    https://downloads.wordpress.org/plugin/wp-maintenance-mode.2.0.3.zip
    https://downloads.wordpress.org/plugin/google-analytics-for-wordpress.5.2.8.zip
    https://downloads.wordpress.org/plugin/google-document-embedder.zip
    https://downloads.wordpress.org/plugin/google-sitemap-plugin.2.9.5.zip
    Once all the URLs are in there, save it. Prefer the current version of each plugin: the versionless form of the link (for example https://downloads.wordpress.org/plugin/search-and-replace.zip) serves the latest release, whereas a link pinned to an old version may reinstall the very hole that was exploited. The following downloads all the plugins in the list:

    # wget -i plugins.txt

    This will extract all the plugins and remove the .zip files

    # for i in *.zip ; do unzip -q "$i" ; done && rm -f *.zip

    If you are logged in as root, make sure to chown all files to the cPanel user.
    *** Quick note about plugins: on a plugin's page, for example https://wordpress.org/plugins/shortcodes-in-sidebar-widgets/, WordPress.org warns if the plugin has not been updated in over two years. If so, it is best to scrap the plugin altogether; an unmaintained plugin will not receive security fixes.
    “This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”


That should just about wrap things up. You now have a brand new, fully up to date WP install, all updated plugins, a clean theme and clean uploads. Now change the admin username and passwords, and treat every other credential the attacker may have read as burned too: the database password in wp-config.php and the cPanel and FTP passwords. Check the Users screen (or the users table) for administrator accounts you did not create and remove them; the database was not reinstalled, so injected posts, options or users survive a rebuild of the files. Finally, work out how the attacker got in, typically an outdated plugin or theme or a stolen password, because a clean install behind the same hole will simply be re-infected. To prevent brute force attacks it is always recommended to password protect your WordPress admin login script. There is a write up on this found here: https://www.bigscoots.com/portal/knowledgebase/article/5/password-protect-wordpress-using-cpanel-and–htaccess/
