Welcome to Rise Forums

Join our fantastic community to connect with like-minded website owners, WordPress users, and online entrepreneurs.

Dealing With A 'compromised' Site?

Discussion in 'WordPress Questions & Support' started by Joe F, Jan 27, 2017.

Thread Status:
Not open for further replies.
  1. I'm looking after a WordPress website that has been taken offline by the host.

    First, there was a problem with it so they renamed the plugin directory and the site seemed to be OK.

    Then something else happened, which they haven't specified, and they appear to have taken the whole site offline.

    They send me a list of suspicious files to check - about 57 PHP files - but I wouldn't know what to look for when checking that many PHP files (mostly from plugins).

    I can access the files on the server via FTP and possible through the cPanel.

    What's the best way to package up the site, move it somewhere else, and then install some plugins and try and fix the problem? Or is there a better approach?

    I can't login to the WordPress Dashboard as the site appears to be offline.

  2. There are a number of things you can try.

    Firstly, take a backup of the full website including all core files, the database, .htaccess etc.

    Next, I would delete the .htaccess file from the root of the domain. If this isn't configured properly you can get a lot of problems. There's a good chance a plugin has been messing with it.

    You could also reupload the core WordPress files.

    If that doesn't resolve the situation, delete the live theme and deactivate all plugins. You should hopefully be able to connect using a default WordPress theme. If it works with the default theme then reupload the old theme and activate it. If the website is still working, reactivate the plugins one by one.

    There may be some other files that aren't part of the core causing problems.

    If that is indeed the case, I would upload WordPress to a new directory and then start from there.

    For example, say the website is at www.domain.com.

    Upload the latest version of WordPress to www.domain.com/test/.

    Edit the wp-config file so that it accesses the same database as before (you may have to temporarily disable the main website whilst you do this so you are sure you avoid any conflicts). You should be able to connect correctly as all you are using are core WordPress files. If you can't, then perhaps this has something to do with the database.

    I suspect that if you upload a new version of WordPress to another directory and then connect to the live website, everything will be ok. You can then upload the theme and see if it works. Then onto the plugins etc.
  3. Ok, first things first - when it comes to security, never assume that because a location is hidden means it's secure. At best it buys you time before the attacker comes back. Rather, act as if any potential hackers know everything about how your website is set up. Can you hack into your own site? If yes, patch it up.

    Secondly, this would seem to indicate the problem is a security vulnerability with one of the installed plugins (and, just because the plugin is temporarily disabled doesn't mean there's an exploit that can't be used). So, you can start by going through all the installed plugins (enabled or otherwise), and make sure they are all up to date.

    Another thing worth checking out is arachni. It scans your website and looks for vulnerabilities. Since you still have FTP access, you can download the site files to a local server (whether it's a Virtual Machine or even XAMPP), and do a scan. It will spit out every vulnerability it can find (and at what URL it was found), this should help to further clean things up.

    Finally, depending on the value of the compromised site, you'll want to hire someone to do a line-by-line audit. If you have access to detailed server logs, this will greatly help as they can go through it looking for any anomalies. Yes, this will cost a good amount of money, but you can either pay now or 6 months down the line when the site is attacked again.
  4. Thanks guys, I will have to have a proper look at this.

    I can't access the WP Dashboard - only via FTP or cPanel. I should take a backup via cPanel and move it to another host and then try and see if I can access the WP Dashboard and run some plugins.
  5. @Joe F first thing to do, remove all files and directories, just keep wp-config.php (but take a look into it, change salts, compare with default wp-config.php from brand new download) and wp-content folder.

    In wp-content, remove all that can be replaced (plugins, themes if they were not modified, cache).

    Now comes the hard part, you have to go through uploads folder, one by one, search for .php files and any other weird files other than images (BUT there can be malicious code inside png file too).

    Last step is to get it back together with brand new WP core files and upload online again.
    Then harden the website, update it often. Also change any logs on server and try to find how the site was compromised.
Thread Status:
Not open for further replies.

Share This Page