Posted on Jun 22 2010 by Alistair Barnett in Tutorials WordPress
If you’re reading this, I can empathize. It’s really a downer when you’ve realized that your database has been compromised, but hopefully we can get things working right again.
1. Harden the security in WordPress
Read all of the information at http://codex.wordpress.org/Hardening_WordPress and implement as many of the precautions as you can for your site. For instance, if you are using shared hosting, make sure that the permissions for wp-config.php are 750 and not 604 (as explained in the “File permissions” section).
2. Change your database password
This is very important as the hacker may have gotten access to your database due to a simple password. The best one to use is a combination of letters, numbers, and symbols. To change it, refer to your host’s help documentation or give their support team a call (if they have that as an option).
3. Modify database to delete passwords for all users
Using the interface that your host uses to real the MySQL database (usually phpMyAdmin), navigate to your database and click ‘Browse’. You should immediately see the user(s) on the site along with the hacker’s information. What you need to do is this:
a) Copy the shown user_email value, which is likely the hacker’s email address
b) Click the “Edit” link for the affected row(s)
c) DELETE the user_pass field entry
d) CHANGE the user_email field entry to be your own
e) Click ‘Go’ to save changes
4. Log in to WP Admin
As you normally would do:
a) Access your site’s WP Admin interface by going to http://www.mysite.com/wp-admin/
b) If you get a message that a database upgrade is required, before doing anything confirm with your host that they support the latest version of PHP then click ‘Upgrade WordPress Database’
c) Click ‘Continue’ when that’s done
d) Click “Lost your password?”
e) Enter your username or email then click ‘Get New Password’
f) Check your email for the message from “WordPress” ([email protected]) with a link to follow to reset your password
g) Check your email again for your password then copy it
h) Log in with your new password and change it if you’d like (click “Yes, take me to my profile page”) or not (click “No thanks, do not remind me again”)
5. Does everything look OK?
Click around to check your posts, pages, categories, tags, etc. Edit or delete anything that doesn’t look right.
6. Switch to one of the default themes
a) Go to Appearance -> Themes and click “Activate” for one of the default WordPress themes
- WordPress Classic 1.5 by Dave Shea
- WordPress Default 1.6 by Michael Heilemann
- Twenty Ten 1.0 by the WordPress team
b) If your site content appears normal after doing the above, you’ll need to fix your theme files (hopefully you have a backup!)
7. Replace any files modified recently
Most likely only the main file, index.php, has been modified. Go ahead and replace it with the one you made from your backup. If you don’t have this, ask for the theme files again from the designer (or download them again if it’s a free theme) and replace just index.php within the theme folder, /wp-content/themes/theme-name/ (NOT where all core WordPress files are).
8. Activate your main theme again
a) Go to Appearance -> Themes and click “Activate” for the theme that you were using before your site was hacked
b) Refresh your site’s home page and hope for the best!
9. To hopefully make it so this doesn’t happen again:
a) Consider getting a new domain name or changing the content of your site. You may have inadvertently used some word that describes someone from another country that can be used against you. This actually happened to my brother’s WordPress site even with the “I would like to block search engines, but allow normal visitors” option under Settings -> Privacy. He will be using a different domain name from now on and will make sure that it has only “safe” words.
b) Read on to see PART III: Plugins to Make Your Life Easier