Removing hacked WordPress files


The other day someone kindly told me that this blog had been “hacked”. Actually what had happened was that someone had managed to inject PHP code into the WordPress theme files, the WordPress blog files and all the plugin files.

What was particularly interesting was that it only showed up if you hadn’t visited the site before, making it harder to spot. In the header of each PHP file there was a PHP eval of a base64-encoded string which contained this redirect code.

If you have a similar problem, you need to either grep for each file containing base64-encoded PHP, or replace the main WordPress blog, re-upload the theme and reinstall all the plugins. If you want an easy fix, sorry; next time consider using Fabric/Puppet/Chef and having a backup version of the site that you can deploy at the drop of a hat.
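As an added example (not code from the original post), here is one way to do the "grep each file" step: a scanner that walks a WordPress tree and reports every PHP file containing an `eval(base64_decode(...))` call, with the line number and encoded length. The function names, the 40-character minimum and the sample tree are assumptions made for illustration, and the payload is a constructed harmless placeholder.

```python
import base64
import re
import sys
from pathlib import Path

# Constructed, harmless stand-in for the injected string (not a real payload).
SAMPLE_PAYLOAD = base64.b64encode(
    b"// constructed placeholder, not the real redirect code //").decode()

# eval(base64_decode("...")): any case, optional whitespace, either quote style.
# The 40-character minimum is an assumed threshold to skip short, benign strings.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})", re.I)

def scan_file(path):
    """Return [(line_number, encoded_length), ...] for suspicious calls in one file."""
    data = Path(path).read_bytes()
    return [(data.count(b"\n", 0, m.start()) + 1, len(m.group(1)))
            for m in INJECT_RE.finditer(data)]

def scan_tree(root):
    """Walk every .php file under root; map relative path -> hits for flagged files."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            hits = scan_file(path)
        except OSError:
            continue  # unreadable file: skip it and keep scanning
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_tree(root):
    """Write a small constructed WordPress-like tree: two injected files, two clean."""
    files = {
        "index.php": "<?php\n// Silence is golden.\n",
        "wp-includes/util.php": "<?php\n$x = base64_decode($stored);\n",
        "wp-content/themes/demo/header.php":
            f"<?php eval(base64_decode('{SAMPLE_PAYLOAD}')); ?>\n<?php wp_head(); ?>\n",
        "wp-content/plugins/demo/demo.php":
            f"<?php\n/* Plugin Name: Demo */\neval ( BASE64_DECODE ( \"{SAMPLE_PAYLOAD}\" ) );\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress
    for rel, hits in scan_tree(sys.argv[1]).items():
        print(rel, hits)
```

A plain `base64_decode()` call without `eval` is deliberately not flagged, since legitimate plugins use it; flagged files still need to be reviewed or replaced from a known-good copy.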

Suffice to say that I am only using WordPress really because it’s been making my life easier and I can concentrate more on Python, JavaScript, GoLang and Erlang efforts for work and the fun stuff, but I am seriously thinking about jumping platform. Also it doesn’t help that the host of this blog is quite slow these days.
