Hacked WordPress site overview

Overview

If you suspect that your website has been hacked, the best thing to do is to reinstall any software application (such as WordPress or Joomla). The steps below apply primarily to reinstalling WordPress, since that is the most commonly used (and therefore the most commonly hacked) software, but the general steps hold true for many CMS installs.

If you're not comfortable fixing your WordPress site on your own, you can request DreamHost's Hacked Site Repair (a professional malware removal service). DreamHost experts will access your account and make the necessary repairs to get you back online quickly. See the Terms of Service page for more information.

A note on Base64

Base64-encoded strings are a common sign of obfuscated malicious code, but there are legitimate uses as well. On a clean WordPress core install, running the following command should only return results like the ones listed below. Replace username with your Shell user and example.com with your website.

[server]$ grep -R "base64_" /home/username/example.com/
    
./wp-admin/includes/class-wp-importer.php:	$headers['Authorization'] = 'Basic ' . base64_encode( "$username:$password" );
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode("\0".$username."\0".$password) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($username) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($password) . $this->CRLF);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn,"AUTH NTLM " . base64_encode($msg1) . $this->CRLF);
./wp-includes/class-smtp.php:        		$challenge = base64_decode($challenge);
./wp-includes/class-smtp.php:        		fputs($this->smtp_conn, base64_encode($msg3) . $this->CRLF);
./wp-includes/ID3/module.audio.ogg.php:		$flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));
./wp-includes/ID3/module.audio.ogg.php:		$data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);
./wp-includes/class-IXR.php:                	$value = base64_decode($this->_currentTagContents);
./wp-includes/class-IXR.php:        		return '<base64>'.base64_encode($this->data).'</base64>';
./wp-includes/class-feed.php:			$data = base64_decode( $data );
./wp-includes/class-phpmailer.php:        	$encoded = chunk_split(base64_encode($str), 76, $this->LE);
./wp-includes/class-phpmailer.php:        	$encoded = base64_encode($str);
./wp-includes/class-phpmailer.php:        	$chunk = base64_encode($chunk);
./wp-includes/class-phpmailer.php:      	return base64_encode($signature);
./wp-includes/class-phpmailer.php:    		$DKIMb64  = base64_encode(pack("H*", sha1($body))) ; // Base64 of packed binary SHA-1 hash of body
./wp-includes/SimplePie/Sanitize.php:		$data = base64_decode($data);
./wp-includes/SimplePie/File.php:		$out .= "Authorization: Basic " . base64_encode("$url_parts[user]:$url_parts[pass]") . "\r\n";
./wp-includes/class-http.php:			return 'Proxy-Authorization: Basic ' . base64_encode( $this->authentication() );
./wp-includes/class-wp-atom-server.php:		explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
./wp-includes/class-wp-atom-server.php:		explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
./wp-includes/class-snoopy.php:			$headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
./wp-includes/class-snoopy.php:			$headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
./wp-includes/class-snoopy.php:			$headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);

That said, you will also see base64 in plugins and (sadly) themes. Whether those uses are safe is difficult to say, since there are thousands of plugins in the WordPress.org database alone. The safest course is to delete the plugins and reinstall fresh copies. The same goes for themes.
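As an added example (not a DreamHost script and not part of the original article), the shell snippet below narrows the grep from above: it sets aside base64_ call sites inside wp-admin/ and wp-includes/, which the core listing accounts for, and reports only those elsewhere, plus the eval(base64_decode(...)) pattern that injected PHP typically leaves behind. The install path and the sample files are constructed for the demonstration; point the functions at your own docroot.

```shell
#!/bin/sh
# Added example, not DreamHost's own tooling: triage base64_ hits by
# separating WordPress core (wp-admin/, wp-includes/) from everything else.
# Usage: sh base64-triage.sh /home/username/example.com   (path is an assumption)

# Print every base64_ call site outside wp-admin/ and wp-includes/.
find_noncore_base64() {
    root="$1"
    # -r recurse, -n show line numbers, -I skip binary files
    grep -rnI "base64_" "$root" 2>/dev/null \
        | grep -vE '/(wp-admin|wp-includes)/' || true
}

# Higher-priority subset: base64_decode fed straight into eval(), whitespace
# between the tokens allowed. Legitimate code has little reason to do this.
find_eval_base64() {
    root="$1"
    grep -rnIE 'eval[[:space:]]*\([[:space:]]*base64_decode' "$root" 2>/dev/null || true
}

# Decode a suspect literal so you can read what it does before deleting it
# (base64 -d on Linux; older macOS releases use base64 -D).
show_decoded() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Demonstration on a constructed tree: one core hit (skipped) and one plugin
# hit using eval(base64_decode(...)) (reported).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-includes" "$tmp/wp-content/plugins/some-plugin"
    printf '%s\n' '$data = base64_decode( $data );' > "$tmp/wp-includes/class-feed.php"
    # "ZWNobyAnaGVsbG8nOw==" is the base64 of "echo 'hello';" (constructed sample)
    printf '%s\n' "<?php eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));" \
        > "$tmp/wp-content/plugins/some-plugin/footer.php"
    echo "== non-core base64_ uses =="
    find_noncore_base64 "$tmp"
    echo "== eval(base64_decode(...)) =="
    find_eval_base64 "$tmp"
    echo "== decoded sample literal =="
    show_decoded 'ZWNobyAnaGVsbG8nOw=='
    echo
    rm -rf "$tmp"
}

if [ -n "${1:-}" ]; then
    find_noncore_base64 "$1"
    find_eval_base64 "$1"
else
    demo
fi
```

Anything find_eval_base64 reports deserves attention first; the wider find_noncore_base64 list is expected to include legitimate plugin and theme code, so compare each hit against a fresh copy of that plugin or theme rather than deleting on sight.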

Splitting up your website users

Splitting your sites across separate user accounts is also a good way to isolate them. By assigning one domain per user, you ensure that if that user's account is compromised, only that one site is affected, and a hacked site cannot infect the others.

DreamHost has a One User Per Domain policy, which means each domain can only have one user assigned to it. See that article for details on how to create a separate user for your domain.

One more scan

Look 'one folder up' for an index.php and wp-config.php file. If you install WordPress in a subdirectory such as example.com/wp/ but serve it from example.com, those two files end up in the example.com directory, and they are easy to miss when cleaning up.

Look for oddly named files: any file named something like ljkdhsf92328kjhsdfsdf or mai1.php (that's mai-one, not mail) is suspect. Delete them.
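The two checks above, written out as an added shell example (not DreamHost's tooling and not part of the original article): one lists index.php and wp-config.php left in the directory above a subdirectory install, the other flags file names that look random or match the mai1.php trick. The "random name" rule (16 or more lowercase letters and digits, no extension) is an assumed heuristic based on the examples in the text; the paths are placeholders.

```shell
#!/bin/sh
# Added example, not DreamHost's own tooling.
# Usage: sh one-more-scan.sh /home/username/example.com/wp   (path is an assumption)

# Report index.php / wp-config.php sitting one folder up from the WordPress
# directory (e.g. in example.com/ when WordPress lives in example.com/wp/).
find_parent_leftovers() {
    wp_dir="$1"
    parent=$(dirname "$wp_dir")
    for f in index.php wp-config.php; do
        [ -f "$parent/$f" ] && echo "$parent/$f"
    done
    return 0
}

# Heuristic for oddly named files (assumption, tune for your site):
#  - mai1.php (digit one, not the letter l)
#  - names with no extension made only of lowercase letters and digits,
#    at least 16 characters long and containing both letters and digits
find_suspect_names() {
    root="$1"
    find "$root" -type f | while IFS= read -r path; do
        name=${path##*/}
        case "$name" in
            mai1.php) echo "$path" ;;
            *.*) ;;   # has an extension: leave it to the other checks
            *)
                if printf '%s' "$name" | grep -qE '^[a-z0-9]{16,}$' \
                   && printf '%s' "$name" | grep -q '[0-9]' \
                   && printf '%s' "$name" | grep -q '[a-z]'; then
                    echo "$path"
                fi ;;
        esac
    done
    return 0
}

# Demonstration on a constructed tree mirroring the example.com/wp/ layout.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/example.com/wp/wp-content"
    touch "$tmp/example.com/index.php" "$tmp/example.com/wp-config.php"
    touch "$tmp/example.com/wp/index.php" \
          "$tmp/example.com/wp/wp-content/ljkdhsf92328kjhsdfsdf" \
          "$tmp/example.com/wp/wp-content/mai1.php" \
          "$tmp/example.com/wp/wp-content/style.css"
    echo "== leftovers one folder up =="
    find_parent_leftovers "$tmp/example.com/wp"
    echo "== suspect file names =="
    find_suspect_names "$tmp/example.com/wp"
    rm -rf "$tmp"
}

if [ -n "${1:-}" ]; then
    find_parent_leftovers "$1"
    find_suspect_names "$1"
else
    demo
fi
```

Review each reported path before deleting: a parent-directory index.php is expected when the subdirectory install is deliberately served from the parent, so compare its contents against a clean WordPress copy rather than removing it blindly.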

If you are still seeing unwanted pop-up ads on your site, request a security scan by submitting a ticket on the Contact Support page.
