Recover from compromised wordpress site issue

From Notes_Wiki

Home > CentOS > CentOS 6.x > Web based tools or applications > Wordpress configuration > Recover from compromised wordpress site issue

As with any compromised Linux server, the recommended approach is not to clean the server but to set up a fresh one, carrying over only data (not configuration) from the old one. If circumstances nevertheless require the same server to be fixed (or at least an attempt to be made), the following steps might work:

  1. The first step is to take a complete backup (files and database) and keep it safe. Treat this as the GOLD-backup.
  2. If possible, host the site in a new VM / container from the backup and perform the cleanup there. This is faster, and in case of mistakes you can restore from the GOLD-backup whenever necessary.
  3. Log in as admin and update WordPress to the latest version.
  4. Using the admin login, delete all unwanted plugins and also deactivate any plugins that can be deactivated for a short time. If the GOLD-backup is present, deletion can be done with considerable freedom, as in the worst case a plugin can always be restored from the backup.
  5. Even after the automated update, update WordPress again using the manual steps described at Upgrade wordpress installation. The automated update is tried first so that the various database updates happen automatically.
  6. During the manual update, plugins in wp-content/plugins can also be deleted using appropriate judgement. If the GOLD-backup is present, deletion can again be done with considerable freedom, as in the worst case a plugin can always be restored from the backup.
  7. Update all WordPress plugins, themes, etc. after upgrading WordPress.
  8. The above process only cleans the wp-includes and wp-admin folders. wp-content cannot be deleted or cleaned so easily, so manually go through each php file in wp-content using
    find . -iname '*.php' -exec head -v -n 3 '{}' +
    For every file whose opening lines are obfuscated code, remove that injected block, from its <?php to the matching ?>. Note that the attacker will have created new files or infected existing files in almost all locations, including folders meant for js, css, plugins, etc.
    It is possible to come across large files containing nothing but obfuscated code. Such files can be deleted.
    Be prepared to clean hundreds of files manually. This process will take a long time.
  9. Specifically in wp-content/uploads you can delete all php files, if there is no reason for people to upload php files to your site:
    find . -iname '*.php' -delete
    Do this only from within the wp-content/uploads folder, and only if there is no reasonable expectation of users uploading php files to your site.
  10. Take a backup of the site (all files and database) after cleaning. If the cleaning was done on an alternate VM / server, use this backup to delete/restore files on the infected production server. If the GOLD-backup is intact, you do not need to worry about deleting things on production.
  11. Usually you learn of the infection when the site is blacklisted by Google, spamhaus.org, etc. Visit these sites again and request de-listing. It is possible that some pages were not cleaned properly, in which case the site can get blacklisted again. In such cases the compromised file / URL is very often shown. Use this information to clean the site again and request de-listing once more.
  12. You can also try scanning the site and changing its various SALTS and KEYS using security plugins such as https://wordpress.org/plugins/sucuri-scanner/
  13. Also consider installing plugins that improve security, such as https://wordpress.org/plugins/wp-limit-login-attempts/
    For plugin installation refer to the article Installing a new wordpress plugin
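The following script is an added example, not part of the original wiki page, showing shell helpers for three of the steps above: the file part of the GOLD-backup (step 1), a first-pass triage of wp-content for obfuscated php files that mirrors the "head -n 3" check (step 8), and a dry-run list followed by deletion of php files under wp-content/uploads (step 9). The function names, the 800-character long-line heuristic and the regular expression of decoder/eval calls are my own choices; the wp-content tree built by make_fixture is constructed sample data, and on a real site you would point the functions at the actual wp-content directory.

```shell
#!/bin/sh
# Added example (not from the original wiki page): helpers for step 1 (GOLD-backup
# of files), step 8 (triage of wp-content for obfuscated PHP) and step 9 (dropping
# PHP files from wp-content/uploads). make_fixture builds constructed sample data.

# Step 1: file part of the GOLD-backup as a timestamp-free tarball. The database
# part would be "mysqldump --single-transaction DBNAME > db.sql"; it needs
# credentials and a running server, so it is left out of this offline example.
gold_backup() {
    src=$1; dest=$2
    tar -czf "$dest" -C "$(dirname "$src")" "$(basename "$src")"
}

# Step 8: decoder/eval chains typical of injected droppers. A hit is a lead for
# manual review of the file's head (the wiki's head -n 3 check), not proof.
SUSPICIOUS_RE='eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|create_function'

# Print each .php file under $1 whose first three lines either match
# SUSPICIOUS_RE or contain a single line longer than 800 characters
# (injected code is usually one long minified line).
scan_suspicious_php() {
    find "$1" -type f -iname '*.php' | while IFS= read -r f; do
        if head -n 3 "$f" | grep -qE "$SUSPICIOUS_RE" \
           || head -n 3 "$f" | awk 'length($0) > 800 { hit = 1 } END { exit !hit }'; then
            printf '%s\n' "$f"
        fi
    done
}

# Step 9: list first (dry run); delete only after reviewing that list.
list_upload_php()   { find "$1/uploads" -type f -iname '*.php'; }
delete_upload_php() { find "$1/uploads" -type f -iname '*.php' -delete; }

# Constructed wp-content tree: two clean files, one eval/base64 sample hidden in
# a theme js folder, one long-line file in a plugin, one PHP file in uploads.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/plugins/akismet" "$d/plugins/hello" "$d/themes/twentyten/js" "$d/uploads/2019/05"
    printf '<?php\n/* Plugin Name: Akismet */\nfunction akismet_init() {}\n' > "$d/plugins/akismet/akismet.php"
    printf '<?php\n/* Theme functions */\nadd_action("init", "theme_setup");\n' > "$d/themes/twentyten/functions.php"
    printf '<?php\neval(base64_decode($payload)); /* constructed sample, inert text */\n' > "$d/themes/twentyten/js/wp-cache.php"
    { printf '<?php\n'; awk 'BEGIN { for (i = 0; i < 900; i++) printf "x"; print "" }'; } > "$d/plugins/hello/long.php"
    printf '<?php\n/* constructed sample */\n' > "$d/uploads/2019/05/shell.php"
    printf '%s\n' "$d"
}

# Stand-alone run: build the fixture, back it up, scan, then clean uploads.
WP_CONTENT=$(make_fixture)
gold_backup "$WP_CONTENT" "$WP_CONTENT.gold.tar.gz"
echo "suspicious (review by hand):"; scan_suspicious_php "$WP_CONTENT"
echo "php files in uploads (dry run):"; list_upload_php "$WP_CONTENT"
delete_upload_php "$WP_CONTENT"
rm -rf "$WP_CONTENT" "$WP_CONTENT.gold.tar.gz"
```

On the sample tree the scan reports the theme js file and the long-line plugin file and stays silent on the two clean files; the uploads sweep lists one file and then removes it. The scan only looks at the first three lines, exactly as the manual check in step 8 does, so a file infected further down is still missed and step 8's file-by-file review remains necessary.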

