Verifying that I have fully removed a WordPress hack?

My for-fun WordPress blog at http://fakeplasticrock.com (running WordPress 3.1.1) got hacked — it was showing an <iframe> on every page like so:

<iframe src="https://evilsite.com/go/1"></iframe>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 

I did the following:

  1. Upgraded to 3.1.3 via the built-in WordPress upgrade system
  2. Installed the Exploit Scanner (lots of critical warnings on unusual files) and AntiVirus (this showed all green and clean, so I uninstalled and removed it after running)
  3. Changed MySQL password.
  4. Changed all WordPress user passwords.
  5. Connected via FTP and downloaded the whole filesystem (not large, this is a WordPress-only Linux shared host)
  6. Diffed the filesystem against an official ZIP of WordPress 3.1.3 and removed or overwrote anything that did not match.

I am quite sure that

  • all the files on disk are official WordPress 3.1.3 files
  • there are no “extra” files on disk other than my one /theme, the Exploit Scanner plugin (which I just downloaded), the /uploads folder, and a tiny handful of other expected files. My other plugin, wp-recaptcha, matches the current official downloaded version.
  • I also checked the .htaccess file and nothing looks wrong there

[Screenshot: WordPress 3.1.3 file compare in Beyond Compare]

I did not touch the database, but I am struggling to think how anything in the database could be malicious without special PHP code to make it work?

My WordPress blog appears OK and hack-free now (I think), but is there anything else I should check?
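As an added example (not code from the question or any answer on this page), the following Python script does the same file-by-file comparison against an extracted official release that the question describes, and, for the database concern raised above, scans a SQL dump of wp_posts/wp_options for iframe/script tags whose src points off-site. The allowlist of expected extra paths, the theme directory name and the sample dump are constructed assumptions.

```python
import hashlib
import re
from pathlib import Path

# Paths that legitimately differ from the official release archive (assumed layout:
# the site's one theme, the uploads folder and wp-config.php). Adjust per site.
EXPECTED_EXTRA = ("wp-config.php", "wp-content/uploads/", "wp-content/themes/my-theme/")

# iframe/script tags whose src points at a host; group 2 is the host part.
SRC_RE = re.compile(r"<(iframe|script)\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^\"'/\s>]+)", re.I)

def sha256_tree(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(site, official, expected_extra=EXPECTED_EXTRA):
    """Compare path->hash maps: flag modified, missing, unexpected and expected-extra files."""
    report = {"modified": [], "missing": [], "extra": [], "expected": []}
    for path, digest in official.items():
        if path not in site:
            report["missing"].append(path)
        elif site[path] != digest:
            report["modified"].append(path)
    for path in site:
        if path not in official:
            # str.startswith accepts a tuple of prefixes
            report["expected" if path.startswith(expected_extra) else "extra"].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}

def offsite_src_hosts(text, own_hosts):
    """Hosts referenced by iframe/script src in text (e.g. a wp_posts/wp_options dump),
    excluding the site's own hostnames."""
    found = {m.group(2).lower() for m in SRC_RE.finditer(text)}
    return sorted(found - {h.lower() for h in own_hosts})

if __name__ == "__main__":
    # Constructed stand-in for a SQL dump of wp_posts / wp_options.
    dump = ("INSERT INTO wp_posts VALUES (1, '<p>hello</p><iframe src=\"https://evilsite.com/go/1\">"
            "</iframe>'); INSERT INTO wp_options VALUES ('x', "
            "'<script src=\"//fakeplasticrock.com/wp-includes/js/jquery.js\"></script>');")
    print("off-site src hosts:", offsite_src_hosts(dump, ["fakeplasticrock.com"]))
    # Real use: audit(sha256_tree("site-download"), sha256_tree("wordpress-3.1.3/wordpress"))
```

Anything listed under "modified" or "extra" is worth opening by hand; a clean report on disk plus an empty off-site host list from the dump covers both places the injected iframe could have been stored.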

Have you identified the exploit vector? If not, you may be leaving yourself open to future exploit.

Other things to consider:

  1. Change WordPress admin user passwords – done
  2. Change Hosting account user password
  3. Change FTP passwords
  4. Change MySQL db user password – done
  5. Change the db table prefix
  6. Update your wp-config nonces/salt
  7. Check your directory/file permissions
  8. Block directory-browsing access, via .htaccess
  9. Go through everything in the Hardening WordPress Codex entry
  10. Go through everything in the FAQ My Site Was Hacked Codex entry
