Hacked WordPress site overview

If you suspect that your website has been hacked, the best thing to do is to reinstall any software application (such as WordPress or Joomla). The steps below apply primarily to reinstalling WordPress, since that is the most commonly used (and therefore the most commonly hacked) software, but the general steps hold true for many CMS installs.

A note on Base64

Base64 is usually bad. And yet there are legit use cases.

Running grep -R "base64_" /home/user/example.com/ should only give you these results for core WordPress:

./wp-admin/includes/class-wp-importer.php:	$headers['Authorization'] = 'Basic ' . base64_encode( "$username:$password" );
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode("\0".$username."\0".$password) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($username) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($password) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn,"AUTH NTLM " . base64_encode($msg1) . $this->CRLF);
./wp-includes/class-smtp.php:        		$challange = base64_decode($challange);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($msg3) . $this->CRLF);
./wp-includes/ID3/module.audio.ogg.php:		$flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));
./wp-includes/ID3/module.audio.ogg.php:		$data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);
./wp-includes/class-IXR.php:                	$value = base64_decode($this->_currentTagContents);
./wp-includes/class-IXR.php:        		return '<base64>'.base64_encode($this->data).'</base64>';
./wp-includes/class-feed.php:			$data = base64_decode( $data );
./wp-includes/class-phpmailer.php:        	$encoded = chunk_split(base64_encode($str), 76, $this->LE);
./wp-includes/class-phpmailer.php:        	$encoded = base64_encode($str);
./wp-includes/class-phpmailer.php:        	$chunk = base64_encode($chunk);
./wp-includes/class-phpmailer.php:      	return base64_encode($signature);
./wp-includes/class-phpmailer.php:    		$DKIMb64  = base64_encode(pack("H*", sha1($body))) ; // Base64 of packed binary SHA-1 hash of body
./wp-includes/SimplePie/Sanitize.php:		$data = base64_decode($data);
./wp-includes/SimplePie/File.php:		$out .= "Authorization: Basic " . base64_encode("$url_parts[user]:$url_parts[pass]") . "\r\n";
./wp-includes/class-http.php:			return 'Proxy-Authorization: Basic ' . base64_encode( $this->authentication() );
./wp-includes/class-wp-atom-server.php:		explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
./wp-includes/class-wp-atom-server.php:		explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
./wp-includes/class-snoopy.php:			$headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
./wp-includes/class-snoopy.php:			$headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
./wp-includes/class-snoopy.php:			$headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);

That said, you will see it in plugins and (sadly) themes. Are these safe? It's difficult to say since there are thousands of plugins in the WordPress.org database alone. The best thing to do is delete the plugins and reinstall them. Same goes for themes.

Splitting up your website users

Splitting up your user accounts is also a good idea to isolate your sites. By assigning one domain per user, you ensure that if that user gets hacked, only that site is compromised. Also you make sure that if that site is hacked, it can't infect the others.

DreamHost has One User Per Domain Policy which means each domain can only have one user assigned to it. View the article for further details on how to create a different user on your domain.

One more scan

Look 'one folder up' for an index.php and wp-config.php file. Sometimes if you install WordPress in subdirectory such as example.com/wp/ you'll run it out of example.com. When that happens, you'll have those two files in the example.com directory, and from time to time they get missed when you clean up.

Look for funny named files: Any file named ljkdhsf92328kjhsdfsdf or mai1.php (that's mai-one, not mail) is probably suspect. Delete them.

If you are still getting unwanted pop up ads from your site, please request a security scan by submitting a ticket. You can do so on the (Panel > 'Support' > 'Contact Support') page.

See also

Internal links

External links