What To Do When Your WordPress Blog Got Hacked

It’s been two years i’ve been blogging with WordPress. And all the knowledges and articles i wrote in this blog comes from many sources and experiences. And in 2 years blogging, i got 2 hacked attack and survive. And now if pay attention to my access log, there are still some attempt to inject the malicious code to my site. You can read my article: Someone Trying To Inject IvanKristianto.com.

I’m not saying that my blog is secure and bullet proof. But i have done everything i could do, trying to secure my blog. And i’m not an expert in security. But i want to share my experience when my blog got hacked. And wish that you can fix it and rise again.

From my experience what they have done is inject the malicious code that can control your website. At first they trying to find the vulnerability hole in your blog, then inject the shell code. Usually they are using c99 shell code, that act like a control panel (cPanel). So they can have directory access and database access, and i think that’s a whole website including all the website under subdomain or addon domain. They can control everything.

In my case, they successfully inject their malicious code from my addon domain, which is not secure enough. And they take control my main website. What they have done is not stealing anything, but they make a web content forgery which make mirrors site of Australian Bank, and spam the link. It’s a nightmare. I found out 2 hours after the intruders successfully inject my website.

So what i have done after my blog got hacked? Here is the tips:

  1. Block all access to your blog, and subdomain too if exists. And exclude your IP address. So only you have the access to your site. Other than you, redirect them to 503 or under maintenance.
  2. Really pay attention to your access_log from your cPanel or apache. (wish that they don’t delete the access log)
  3. Change all your password immediately!
  4. From the access_log you can find out where is the shell file. Last time they change my labels.rdf file. So i would suggest you to overwrite all the wordpress files with the official files.
  5. Purge all cache files and delete cache folders. And create a new fresh one.
  6. Download all the wp-content folder and open it one by one, see if any malicious file. Usually your upload and plugin folder. Or backup whole your website and download it to your computer, and scan it.
  7. Update all your plugin and wordpress core if not up to date.
  8. Record all the ips which access the malicious shell file, and block them with firewall or .htaccess. You don’t need such visitors from that ips.
  9. If you think your blog is clean, then upload everything up. And release the block from .htaccess. And keep continue pay attention with your access_log every 1-2 hours in 7 days. If something is going wrong, block it again and scan again. Until you feel it safe.
  10. Ask your hosting provider support to help you out. Or pay an security expert that you know.
  11. Upgrade your knowledge about security, so you know a little bit and know what to do when you got attacked.

So once again, i’m not a security expert. But what i have done is just for survive from the hack attempt. And i want to share with you my experience that may help you someday or someone which come to this article because they having such trouble.

Comments

  1. Reginald says:

    Same thing happened to my wordpress blog–first they injected some code in the header which i found and easily removed. Then it happened again, but I couldn't find any malicious code in the template files. Luckily I backed up the whole site, but right now it is still messed up and redirecting people to some spammy ad sites. I think I will just take the whole site down and reinstall wordpress….and maybe move to a new host

  2. I pretty much knew about the majority of of this, but nevertheless, I still think it is informative. Great work!

  3. Salem90 says:

    I got some one trying to access to labels.rdf file from my main site i test the address and give me Error is that that labels.rdf not there or it safe

Give me your feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.