Fixing Compromised WordPress installations


I work on an IT helpdesk but also do a bit of "sys admin", and most of the time I get compromised WordPress installations due to either an outdated core installation, outdated plugins or outdated themes. Whenever this happens I always go through the same steps, and then there are a couple of things you can do after it's been fixed in order to keep your website protected.

  1. I start by taking note of the theme and plugins in use and removing everything from the website root folder, with the exception of the uploads folder inside wp-content and the wp-config.php file. This is because the uploads folder contains all the media used on the website and wp-config.php holds the database configuration details. Check wp-config.php for encoded PHP code added to the top, as malware can also be injected there. It is also worth checking the uploads folder for PHP files and reading what they do (check the file contents): in most cases encoded code points to malware, unless you're using paid scripts.

  2. I will then reset the passwords for the database and the WordPress users/admins. If you used the same password elsewhere, reset it in those other places as well.

    Note: I would suggest using something like KeePass, Bitwarden or LastPass, setting a unique master password for it, and using random passwords for everything else.

  3. For this third step you have two options: use WP-CLI from the terminal, or manually download the WordPress core files.

WP-CLI

Go into the terminal, change into the website root folder (where the wp-config.php file is located) and run the following command:

    wp core download --force

If you're running this as root you will need to add --allow-root and then correct the file ownership afterwards.

You could also verify checksums and reinstall plugins and themes via this method, but I prefer to remove everything and have them installed in a clean environment.

To install themes or plugins, just run the following:

    wp plugin install plugin-name
    wp theme install theme-name

Manually

Once the zip file from WordPress has been uploaded to the DocumentRoot folder, extract it and the website should come back up. To install the plugins and theme, sign in to the administrator dashboard and install them from there.
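The steps above, written out as shell helpers. This is an added example, not a script from the original post: it assumes a POSIX shell with find and grep, and only the reinstall function needs WP-CLI (the WP variable lets you substitute a dry-run command such as echo). The sample site built by make_sample_docroot is constructed for illustration; the "encoded" line it writes is a placeholder that decodes to nothing, not real malware.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for triaging and
# rebuilding a compromised WordPress docroot, following the steps above.

# Step 1: record the installed plugins and themes so they can be reinstalled clean.
list_extensions() {
    docroot="$1"
    for kind in plugins themes; do
        for d in "$docroot/wp-content/$kind"/*/; do
            [ -d "$d" ] && printf '%s %s\n' "$kind" "$(basename "$d")"
        done
    done
}

# Step 1: list every .php file under wp-content/uploads; a clean site normally has none.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Step 1: count lines carrying the usual markers of packed/encoded PHP
# (eval, base64_decode, gzinflate, str_rot13, hex escapes). A non-zero count
# in wp-config.php or in an uploaded file is worth a manual look.
suspicious_line_count() {
    grep -c -E 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|\\x[0-9a-fA-F]{2}' "$1" 2>/dev/null || true
}

# Step 1: wipe the docroot, keeping only wp-config.php and wp-content/uploads.
wipe_docroot() {
    docroot="$1"
    find "$docroot" -mindepth 1 -maxdepth 1 ! -name wp-config.php ! -name wp-content -exec rm -rf {} +
    find "$docroot/wp-content" -mindepth 1 -maxdepth 1 ! -name uploads -exec rm -rf {} +
}

# Step 3: reinstall core, plugins and themes with WP-CLI. Adds --allow-root
# when running as root, as the post notes; fix ownership afterwards.
reinstall_core_and_extensions() {
    docroot="$1"; plugins="$2"; themes="$3"
    flags=""
    [ "$(id -u)" -eq 0 ] && flags="--allow-root"
    ${WP:-wp} core download --force --path="$docroot" $flags
    for p in $plugins; do ${WP:-wp} plugin install "$p" --path="$docroot" $flags; done
    for t in $themes; do ${WP:-wp} theme install "$t" --path="$docroot" $flags; done
}

# Constructed sample docroot so the helpers can be tried offline.
make_sample_docroot() {
    root="$1"
    mkdir -p "$root/wp-includes" "$root/wp-admin" \
             "$root/wp-content/plugins/sample-plugin" \
             "$root/wp-content/themes/sample-theme" \
             "$root/wp-content/uploads/2021/05"
    # Constructed: an encoded-looking line injected at the top of wp-config.php.
    printf '<?php eval(base64_decode("AAAA")); ?>\n<?php define("DB_NAME", "wp"); ?>\n' > "$root/wp-config.php"
    printf 'not really an image\n' > "$root/wp-content/uploads/2021/05/photo.jpg"
    printf '<?php echo "constructed stray file"; ?>\n' > "$root/wp-content/uploads/2021/05/stray.php"
    printf '<?php echo "core"; ?>\n' > "$root/wp-includes/version.php"
}
```

Run list_extensions and find_php_in_uploads first and keep their output; wipe_docroot is destructive, so take a backup of the docroot before calling it, and reset the database and WordPress passwords (step 2) before reinstalling.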

Notes

There has been a recent occurrence on cPanel servers where one WordPress installation would get compromised through the WP installation; the hacker would then have access to .contactinfo under the .cpanel folder, which is the file holding the email address used for password resets. By editing this file, the hacker could get the cPanel server to send them an email with a new password, escalating their access from the website directory to hosting access.

In order to prevent this, we've disabled password reset on all of our cPanel servers.

To prevent your website from being compromised, keep your core files, plugins and themes up to date. Pay close attention to when a plugin was last worked on: a plugin can be on its latest version but one released 5 or 6 years ago, and those are usually the targeted ones. The same applies to themes.