How I fixed my hacked Wordpress blog

Published by Richard Hare on

For most people the threat of hacking is simply a threat. It’s a risk anyone with a website lives with, but until it happens, most of us give it little thought.

So I was surprised to notice on my way to bed last night that the front page of my blog had been replaced with this screen which reads “Hacked by Amin Safi”:

How could this have happened? Had my passwords been discovered through a brute force attack? Would the blog I’d recently migrated have to be recreated from scratch? Was my entire material wealth currently being sucked from my grasp by some enormous virtual vacuum cleaner?

When I’d calmed down, I set about finding out how to repair the damage and prevent it happening again. Naturally there is a lot of information available on-line.

First, it’s not an uncommon experience: this cyber crime site lists a number of similar violations. And there are no teams of pale, dark-eyed teenagers. It’s mostly done by code which exploits vulnerabilities in WordPress, WordPress plugins and WordPress themes.

The damage was relatively minor: I couldn’t log in to WordPress, so first I had to go in via CPanel and reset the user passwords. This allowed me to enter the dashboard and select the default WordPress theme, which restored my blog to functionality, if not to its former glory.

How did that happen?

The following day I returned to understand more fully how my blog had been compromised.

I deleted the hacked index.php file, then reinstalled the theme I had been using, Stripe, which I had found on the web.

I then installed Antivirus and scanned the theme. Antivirus pointed out the footer was encoded in Base64 and decoding the characters in the footer, I found some code which displays an advertisement for acne medication.

I also installed Exploit Scanner, but there doesn’t seem to be anything else to worry about, so having removed the dubious code and replaced the Base64 encoded section with regular, the theme is up and running again.

The following pages all helped me:

Categories: Uncategorized
Tags:

3 Comments

Jesse Luna · August 8, 2011 at 2:29 pm

Thanks, this really helped. In my case, it wasn’t related to the theme because I developed it. Looks like an FTP hack.
-Jesse

Andy from Workshopshed · September 8, 2011 at 12:44 pm

Did you find out how it had been hacked? Did you keep the site/wordpress upto date?

Richard Hare · October 24, 2011 at 10:10 pm

Not sure Andy – had two more in the last week, will stick with the default theme for a bit, I think…

Comments are closed.

Related Posts

Uncategorized

Another leap forward for Morley Memorial School’s website

Thanks to fellow parent and graphic designer Andy Linney, Morley Memorial Primary School’s website has a handsome new header incorporating the school’s emblem. Existing versions of the emblem scaled poorly, so Andy redrew it some Read more…

Uncategorized

Morley update 2: more snow

One week on from last week’s snowfall and we get an even bigger deluge – and even more traffic to the Morley website. Last week the snow quadrupled visitor numbers, as parents checked the site Read more…

Uncategorized

Morley update: snow news

One week on from the new Morley school website update and “disaster” strikes: snow! From 6am, concerned parents were checking the site – nearly 40% on mobile devices, compared with only 15% throughout 2012. By Read more…

%d bloggers like this: