Upstart Web

Officecorp - David Hadley

Repair Compromised WordPress Web Site

Freelancer project to recover a potential hacked website.

overview

On inspection I found the website to be compromised not just via WordPress but via cPanel. I removed the immediate threats, brought the website back online and ensured images load.

Below I go through the entire project with screenshots and notes that I took during the investigation.

Step #1

After jumping into cPanel I immediately noticed a lot of bogus folders like the one below.

The folder name plus jumbled PHP file is a plain giveaway.
Step #2

A common tactic hackers use is hiding malicious files deep within directories. In this case the file was located 16 folders deep.

There were a number of cases like this.
Step #3

After removing the bogus directories, I inspected the default WordPress files. Some files such as this index.php contained malicious code. You can compare the hacked vs clean version below.

Step #4

I started to remove malicious code, whilst checking the front-end of the website. This is an error I received after removing the index.php code.

A WordPress error indicating back-end problems.
Step #5

I continued looking for files that aren't part of a standard WordPress install. This file was one of them.

Hackers obfuscate code (often by encoding or encrypting it) to bypass automated malware scanners.
Step #6

I saw a single error in the error log that pointed me towards cPanel's cron job feature. A cron job is a scheduled task. Upon inspection I found a malicious action.

There are only a few ways to set up a cron job within cPanel, so its presence points to someone having had cPanel access. I recommend changing your cPanel and web hosting passwords.
Step #7

This type of dynamic code execution based on cookies is associated with malicious activities.

This code is NOT default WordPress code.
Step #8

After seeing many files and folders containing malicious code I decided it was best to replace entire folders.

Replacing the entire /wp-admin/ folder with a fresh copy can be done without losing your website data.
Step #9

I also determined that it was best to replace the entirety of the wp-includes folder.

Replacing the entire /wp-includes/ folder with a fresh copy can be done without losing your website data.
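The file-level work in Steps 3, 5, 8 and 9 (spotting a tampered index.php, finding files that are not part of standard WordPress, and deciding which folders to replace wholesale) can be scripted against the official WordPress core checksums. The script below is an added example, not part of the original write-up or the client's site; it assumes the real api.wordpress.org checksums endpoint and treats everything under wp-content as site-specific rather than core.

```python
import hashlib
import json
import os
import sys
import urllib.request

# Real endpoint; reply shape is {"checksums": {"index.php": "<md5>", ...}}.
CHECKSUM_API = "https://api.wordpress.org/core/checksums/1.0/?version={v}&locale={l}"
# wp-content (themes, plugins, uploads) is site-specific, so it is excluded.
SITE_DIR = "wp-content"

def fetch_checksums(version, locale="en_US"):
    """Download the md5 map for one release (the only network call)."""
    with urllib.request.urlopen(CHECKSUM_API.format(v=version, l=locale), timeout=30) as r:
        return json.load(r)["checksums"]

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, checksums):
    """Return sorted (modified, missing, extra) relative paths: a core file whose
    hash differs (e.g. index.php with injected code), a core file absent from disk,
    and a file outside wp-content that no release ships (e.g. a buried dropper)."""
    modified, missing, extra = [], [], []
    for rel, expected in checksums.items():
        if rel.startswith(SITE_DIR + "/"):
            continue
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != expected:
            modified.append(rel)
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir + "/"
        if rel_dir == "":
            dirnames[:] = [d for d in dirnames if d != SITE_DIR]  # prune wp-content
        extra += [rel_dir + n for n in filenames if rel_dir + n not in checksums]
    return sorted(modified), sorted(missing), sorted(extra)

if __name__ == "__main__":  # usage: python wpverify.py /path/to/site <wp-version>
    results = verify_tree(sys.argv[1], fetch_checksums(sys.argv[2]))
    for label, items in zip(("MODIFIED", "MISSING", "EXTRA"), results):
        for path in items:
            print(label, path)
```

Anything listed as MODIFIED or EXTRA under wp-admin or wp-includes is exactly what replacing those folders with a fresh copy removes; wp-content still needs a manual review because its contents are legitimately unique to the site.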
Step #10

After completing these steps the website became accessible again.

Front-end is back up and running!
Step #11

I then checked the WordPress Dashboard and could see that the plugins were also now accessible.

Plugins are back, albeit requiring updates.
Step #12

Inspecting the images I could see that they were being loaded from a third-party domain.

From experience this is due to a web hosting migration error where not all URLs are replaced.
Step #13

Using Elementor's built-in URL replacer I changed the domain.

This is a feature within Elementor, which is your page builder plugin.
Step #14

The URL replacer didn't work because the content had been copied and pasted into Elementor with its previous formatting still attached. A big no-no.

The website hasn't been built correctly to Elementor standards.
Step #15

I then ran the search and replace directly on the database.

Hundreds of cells updated.
Step #16

Images are now loading fine.

That fixed the problem!
results

Basic actionable recommendations for your website:

  • Change your WordPress Dashboard credentials.
  • Change your cPanel login credentials.
  • Change your web hosting login credentials.
  • Change login credentials for email accounts associated with your web hosting and WordPress accounts.
  • Ensure your WordPress core files, plugins and themes are kept up to date.
Advanced actionable recommendations for your website:

  • Join my WordPress Care Package so that this never happens again. My WordPress Care Package puts me in complete control of your website from security, maintenance, updates, edits, additions and more. It’s like having the absolute best developer on retainer for less than 1/10th of the cost.
faq

Answering some questions you may have:

What caused this?
It is quite tricky to narrow down as there are a lot of moving parts. It could be from an outdated plugin, theme or core WordPress file. It could be a leaked password that hackers used to access your WordPress or cPanel account. The fact that a cron job was set up indicates to me that they had access to your web hosting / cPanel.
Will this happen again?

Unless proper precautions are taken this will most likely happen again. You need to ensure you follow at minimum my basic actionable recommendations. Websites have a lot of moving parts, and if they're not maintained and kept up to date they will be taken advantage of by malicious users. When your customers are actively visiting your website you need to be proactive instead of reactive, especially if they're being redirected to scam websites.