My for-fun WordPress blog at http://fakeplasticrock.com (running WordPress 3.1.1) got hacked — it was showing an
<iframe> on every page like so:
<iframe src="https://evilsite.com/go/1"></iframe> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
I did the following:
- Upgraded to 3.1.3 via the built-in WordPress upgrade system
- Installed the Exploit Scanner (lots of critical warnings on unusual files) and AntiVirus (this showed all green and clean, so I uninstalled and removed it after running)
- Changed MySQL password.
- Changed all WordPress user passwords.
- Connected via FTP and downloaded the whole filesystem (not large, this is a WordPress-only Linux shared host)
- Diffed the filesystem against an official ZIP of WordPress 3.1.3 and removed or overwrote anything that did not match.
I am quite sure that
- all the files on disk are official WordPress 3.1.3 files
- there are no “extra” files on disk other than my one /theme, the Exploit Scanner plugin (which I just downloaded), the /uploads folder, and a tiny handful of other expected files. My other plugin, wp-recaptcha, matches the current official downloaded version.
- I also checked the .htaccess file and nothing looks wrong there
I did not touch the database, but I am struggling to think how anything in the database could be malicious without special PHP code to make it work?
My WordPress blog appears OK and hack-free now (I think), but is there anything else I should check?
Have you identified the exploit vector? If not, you may be leaving yourself open to a future exploit.
Other things to consider:
- Change WordPress admin user passwords – done
- Change Hosting account user password
- Change FTP passwords
- Change MySQL db user password – done
- Change the db table prefix
- Update your wp-config nonces/salt
- Check your directory/file permissions
- Block directory-browsing access, via
- Go through everything in the Hardening WordPress Codex entry
- Go through everything in the FAQ My Site Was Hacked Codex entry
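The file-side items in this list (diff against the official release, file permissions, rotated salts, and a sweep for injected payload strings), as an added example that is not part of the answer above and not code shipped by WordPress. It is a POSIX shell script that takes an unpacked official release directory and the FTP download of the site; the function names are this example's own, and the fixture it builds when run without arguments (a fake official tree, a fake site tree with one modified core file, a PHP file under uploads, placeholder salts, and a one-line SQL dump carrying the iframe from the question) is constructed for the demonstration. The payload grep is worth pointing at a mysqldump as well, because wp_posts.post_content and wp_options.option_value can carry the same iframe with no PHP on disk at all.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Given a clean
# official WordPress release unpacked locally and the site tree pulled down
# over FTP, these checks cover: modified or extra files, PHP dropped into
# wp-content/uploads, world-writable paths, placeholder salts in wp-config.php,
# and known payload strings (run that one over a mysqldump too).
# Function names are this example's own. Needs only POSIX find/cmp/grep.

# Site files whose content differs from the official release (MODIFIED) or
# that the release does not ship at all (EXTRA). Expected extras on a real
# site: wp-config.php, .htaccess, your theme, plugins and uploads; anything
# else is a candidate backdoor.
wp_integrity_diff() {
    official="$1"; site="$2"
    ( cd "$site" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$official/$f" ]; then
            echo "EXTRA    $f"
        elif ! cmp -s "$official/$f" "$site/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Uploads should hold media only; any PHP there is a dropped shell.
wp_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \) 2>/dev/null | sort
}

# World-writable files or directories let any other tenant of a shared host
# (or a hijacked process) write into the site. Target: 644 files, 755 dirs.
wp_world_writable() {
    find "$1" ! -type l -perm -002 | sort
}

# Count salt constants in wp-config.php still set to the install placeholder.
# Non-zero means the nonces/salts were never rotated.
wp_placeholder_salts() {
    grep -c 'put your unique phrase here' "$1/wp-config.php" 2>/dev/null || true
}

# Files containing strings typical of injected payloads. Also point this at a
# mysqldump: post content, options and widget text can carry the same
# <iframe> without any PHP on disk.
wp_grep_payloads() {
    grep -rlE '<iframe[^>]+src=|eval\(base64_decode|eval\(gzinflate|eval\(\$_(POST|GET|REQUEST)' "$1" 2>/dev/null | sort
}

# Build a small constructed fixture (official tree, site tree, SQL dump) so
# the checks can be exercised offline. Prints the temp directory.
wp_build_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/official/wp-includes" "$tmp/site/wp-includes" \
             "$tmp/site/wp-content/uploads/2011/05"
    printf '<?php\n// official\n' > "$tmp/official/index.php"
    cp "$tmp/official/index.php" "$tmp/site/index.php"
    printf '<?php\n// clean\n' > "$tmp/official/wp-includes/functions.php"
    printf '<?php\n// clean\neval(base64_decode("aGk="));\n' > "$tmp/site/wp-includes/functions.php"
    printf '<?php eval($_POST["c"]);\n' > "$tmp/site/wp-content/uploads/2011/05/image.php"
    printf "define('AUTH_KEY', 'put your unique phrase here');\ndefine('SECURE_AUTH_KEY', 'put your unique phrase here');\n" \
        > "$tmp/site/wp-config.php"
    printf "INSERT INTO wp_posts VALUES ('<iframe src=\"https://evilsite.com/go/1\"></iframe>');\n" > "$tmp/dump.sql"
    chmod -R u=rwX,go=rX "$tmp/site"
    chmod 666 "$tmp/site/wp-content/uploads/2011/05/image.php"
    echo "$tmp"
}

# Usage: sh wp_check.sh <official_dir> <site_dir> [dump.sql]
# With no arguments it runs against the constructed fixture.
main() {
    if [ $# -ge 2 ]; then
        official="$1"; site="$2"; dump="${3:-}"
    else
        root=$(wp_build_fixture); official="$root/official"; site="$root/site"; dump="$root/dump.sql"
    fi
    echo "== integrity diff";  wp_integrity_diff "$official" "$site"
    echo "== php in uploads";  wp_php_in_uploads "$site"
    echo "== world-writable";  wp_world_writable "$site"
    echo "== placeholder salts: $(wp_placeholder_salts "$site")"
    echo "== payload strings"; wp_grep_payloads "$site"
    if [ -n "$dump" ]; then wp_grep_payloads "$dump"; fi
}

main "$@"
```

Run it as `sh wp_check.sh ./wordpress-3.1.3 ./site-ftp-download ./site.sql`; anything reported as MODIFIED in core, any PHP under uploads, any world-writable path, a non-zero placeholder-salt count, or a payload hit in the dump each points at work the checklist above still needs.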