WordPress hacked. Why? What to do now?
Here’s comment I made on LinkedIn WordPress Experts group:
1. Those backdoor scripts works in two ways mostly:
a) it’s a backdoor shell so hacker gets access to many services inside your hosting server (all files, easy to brute force passwords for ssh / ftp / mysql, etc)
b) it’s a dedicated backdoor that sits in WP core / other PHP file or in database (like this onehttp://smackdown.blogsblogsblogs.com/images/sql-injection-wp-optimize.txt) and does some ugly stuff inside your website (for example allows google to index “viagra”-style pages, just hit in google.com site:yoursite.com and see what pages are indexed, quite often after hack you will see that many extra subpages are indexed)
2. How to fix?
a) remove site -> change all passwords or hosting -> install LATEST WordPress and keep it updated (hacker can easily use many tools, such wpscan to detect MOST weaknesses of your WP site in ONE CLICK). Unfortunately this requires removing all content.
b) to keep content you could:
* temporary close the site
* change all passwords (ftp, ssh, mysql, admin)
* download original core and all plugins and themes and meld all files to find any changes
* search database for any bad scripts, code, links (be careful, code might be serialized, base64 encoded, etc.)
* this is unfortunately timeconsuming and not cheap but you will keep your content
Cleaning hacked site is very important because hacker may use your site for phishing, steal an identity, send spam to others, use your hosting as a part of botnet, and many more.
If your site was hacked and you need help, please contact me.