How I fixed my hacked WordPress blog

Published by Richard Hare on

For most people the threat of hacking is simply a threat. It’s a risk anyone with a website lives with, but until it happens, most of us give it little thought.

So I was surprised to notice on my way to bed last night that the front page of my blog had been replaced with this screen which reads “Hacked by Amin Safi”:

How could this have happened? Had my passwords been discovered through a brute force attack? Would the blog I’d recently migrated have to be recreated from scratch? Was my entire material wealth currently being sucked from my grasp by some enormous virtual vacuum cleaner?

When I’d calmed down, I set about finding out how to repair the damage and prevent it happening again. Naturally there is a lot of information available on-line.

First, it’s not an uncommon experience: this cyber crime site lists a number of similar violations. And there are no teams of pale, dark-eyed teenagers. It’s mostly done by code which exploits vulnerabilities in WordPress, WordPress plugins and WordPress themes.

The damage was relatively minor: I couldn’t log in to WordPress, so first I had to go in via cPanel and reset the user passwords. This allowed me to enter the dashboard and select the default WordPress theme, which restored my blog to functionality, if not to its former glory.

How did that happen?

The following day I returned to understand more fully how my blog had been compromised.

I deleted the hacked index.php file, then reinstalled the theme I had been using, Stripe, which I had found on the web.

I then installed Antivirus and scanned the theme. Antivirus pointed out that the footer was encoded in Base64, and on decoding the characters in the footer I found some code which displays an advertisement for acne medication.

I also installed Exploit Scanner, but there doesn’t seem to be anything else to worry about, so having removed the dubious code and replaced the Base64 encoded section with regular, the theme is up and running again.
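The check described above, as an added example that is not part of the original post and is not the code of either plugin: it walks a theme's PHP files, flags long quoted Base64 strings, and decodes them so the hidden content can be read before the theme is activated. The sample theme, the `ads.example` link and the function names are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Quoted runs of the Base64 alphabet long enough to hide markup or code.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
# PHP calls that commonly unpack or run encoded strings.
DECODER_CALL = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")


def scan_theme(theme_dir):
    """Return one finding per long Base64 literal in the theme's PHP files."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in B64_LITERAL.finditer(line):
                try:
                    raw = base64.b64decode(match.group(2), validate=True)
                except (binascii.Error, ValueError):
                    continue  # not valid Base64, e.g. a long identifier
                findings.append({
                    "file": path.name,
                    "line": lineno,
                    "calls": sorted(set(DECODER_CALL.findall(line))),
                    "decoded": raw.decode("utf-8", errors="replace"),
                })
    return findings


def build_sample_theme(root):
    """Constructed sample: a clean header and a footer hiding an ad link."""
    hidden = '<a href="http://ads.example/">Sponsored link</a>'
    blob = base64.b64encode(hidden.encode()).decode()
    Path(root, "header.php").write_text("<?php wp_head(); ?>\n")
    Path(root, "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        f"<?php echo base64_decode('{blob}'); ?>\n"
    )
    return hidden


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_theme(tmp)
        for f in scan_theme(tmp):
            print(f"{f['file']}:{f['line']} {f['calls']} -> {f['decoded']}")
```

Run against a downloaded theme's directory before installing it, `scan_theme` lists each file and line to inspect; an empty result only means no long Base64 literal was found, not that the theme is clean.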

The following pages all helped me:


3 Comments

Jesse Luna · August 8, 2011 at 2:29 pm

Thanks, this really helped. In my case, it wasn’t related to the theme because I developed it. Looks like an FTP hack.
-Jesse

Andy from Workshopshed · September 8, 2011 at 12:44 pm

Did you find out how it had been hacked? Did you keep the site/WordPress up to date?

Richard Hare · October 24, 2011 at 10:10 pm

Not sure Andy – had two more in the last week, will stick with the default theme for a bit, I think…
