My WordPress Was Hacked, What To Do?

wordpress hacker.jpgHacking was an all time menace to all website and blog owners. I myself was not cautious enough and always thought that hackers only target websites that are popular. But anyone can be a victim, it can be you, me, your friends, brothers or sisters. Just last week I was one of the target of those hackers and spammers. It started last month, when my blog’s traffic is slowly dropping. I didn’t know that my forum was already spammed with porn and gambling advertisements. I discovered it only on the last week of April 2009 when I checked my forum. The spam post was dated from April 1 up to April 29. So what I did is I cleaned it up by deleting those posts. I had a hard time deleting them from the admin panel because the forum software does not have a feature for deleting by batch. But later on I remember that I can delete it in the MySQL database admin panel. I was not an expert nor formally educated in programming or handling MYSQL database but through trial and error I found ways to learn even the basic stuffs. So I deleted those malicious posts in the MYSQL panel. This is the forum I’m taking about >> and I’m using an SMF (Simple Machine Forum). To prevent spamming in the future, I upgraded it to version 1.1.8 and installed an akismet plugin (yes, not only WordPress have an akismet).

But the problem on spamming doesn’t stop there. I have to clean the Google index of spam because my blog is at stake. Not only will you loose traffic if those spam were not removed, your entire blog might be removed by the search engine. To solve it, I have to remove the entire forum from Google search since the forum don’t have much visitors anyway and does not have a lot of legitimate post, mostly spam posts. To remove those spam in the Google search, I have to make a robots.txt file. It is important to make that first so when I submit those URL for removal in the Remove URL option in the Google Webmasters Tools, it will be deleted and not denied. After all those cleaning up and troubleshooting, I still wonder why after a few days my blog isn’t recovering and worst, my traffic nosedived. I was clueless on what is happening. So the only option I have in mind it to check the Google search index to see what pages of my blog are indexed. Like what I did before when I was having a problem on my forum, I did a site search by using this command “site:” and typing it on the Google search box. On page 19 I saw a lot of  spam post from my blog. I can’t believe my eyes on those posts indexed by Google.  The hacker managed to create spammy multiple pages with a single URL with an additional query strings at the end ( see sample below). When you click those link from the Google search, you will be directed to another site, an anti-virus site. Imagine that was my URL and it has spammy title and descriptions and when you click on those link you will be redirected to another page! really scary!


Just looking at that page, you will think that you have no control of it because it’s hard to find out where is it coming from. I tried to ask and post in the Webmasters World Forum and read some blogs about ways to solve these problems. Some of the tips I’ve learned are upgrading my Wordpres to the latest version, upgrading all the plugins, browsing the files in your webhost server to check for some malicious files and browsing the MySQL tables. But I can’t still pin point where the hacker have done the damage. I was thinking that the hacker might have injected some code in the MySQL database but it’s hard to search for it in the database. Unlike an operating system like Windows XP, there is a software that can catch the virus. One advice I read on solving these problem that I thought might work is by upgrading my WordPress software. But the problem is it’s already upgraded and if I will use the admin panel to upgrade or reinstall  it, it’s not possible so I have to do it manually to reinstall it.

So there it goes, I started the re installation process by deleting the wp-admin and wp-includes folder using my favorite FTP program. Guess what I’ve discovered, the files I’m deleting on the server hosting have almost 4,ooo+ files where as the original, the one I downloaded from the WordPress download site only have 540 files.  And when I browse and compared the files between the webhosting server and on my local PC folder, I discovered that there are almost 3,900+ files located on this folder  wp-include>js>tinymce>plugins>inlinepopups>skins>clearlooks2>img (see below).

Comparison of files from Webhosting and Local PC Harddrive


Files from the webhosting


Files on My Local PC Hard Drive

After deleting those two folders, wp-admin and wp-includes and uploading the fresh copy to the server I tested it immediately to see if the bogus URL will redirect to another site. It worked! no more redirection. The only problem I have to solve after this is how to remove those URL in the Google index. Again, the same thing I did when I tried to remove my forum from the search index. But this time I just edited the robot.txt file and include those malicious URL the file to disallow the robots to index it and for the Remove URL in the Webmaster’s Tools feature to work. Before I forget, you have to change all your passwords before doing these stuffs just in case you encounter this problem too. Change the wordpress admin password, FTP password, your hosting account password and the MySQL database password so no one can access your files and for not wasting your efforts. And the most important, back-up all your files and MySQL database as often as you can. Just in case the damage was severe, you can always upload it.

I was thankful that the only purpose of the hacker who hacked my blog is to promote other websites and not those kinds that delights in destroying other peoples websites. How about you, maybe suddenly you are loosing your traffic, you might check and investigate your blogs too.

“Every problem has a solution. If it does not have a solution, then it’s not a problem” 🙂

Update: Again I’ve discovered something that the hacker did that might cause to trigger the spam page generation. Because those code will not be there if there are no purposes. Look at the source code of your blog and check the <body> html tag.  You might see something suspicious just tight after that html tag.  Most of this blogs pages indexed by Google still have those suspicious code but when I checked the current blog post, it’s not there already. It might have been removed after reinstalling my WordPress.