Reinstall WordPress after a hack
In this article we'll discuss the steps you'd want to take after a WordPress site has been hacked, to get your site back up and running quickly. In most cases when a WordPress site is hacked, it is because you are not running the latest secure version of WordPress, or one of the plugins that you have installed is outdated and has been used by a hacker to exploit the site.
A lot of the time a hacker will inject malicious code in your PHP scripts that can make it very hard to clean up manually after the injections took place. In some cases this might require our system administration department to quarantine your entire WordPress site outside of your [/public_html] directory, so that we can ensure further hacks aren't taking place and further damage isn't done to your WordPress database.
If you happen to have read our previous article on how to clean up a code injection attack, the steps mentioned in that article might allow you to clean up any injections that have taken place to get your site back online.
In the steps below we'll walk through an example site PrimaryDomain.com that has been maliciously injected to the point where it's not going to be easy to remove all the malicious code and ensure we've caught all of it. So in this case we're simply going to reinstall WordPress and then link up the new install with our old database.
- First you'll want to download the latest version of WordPress to your local computer.
- Extract the files in the .zip archive you downloaded to a local folder.
- Using FTP, upload all of the folders and files contained within the wordpress directory to your public_html directory. Or if your domain was an addon domain and its document root was in a sub-directory make sure you're uploading it there. You can do this by hitting Ctrl-A in your FTP client when you're in the left-hand pane to select all the files, then simply drag them onto the server.
- Once the files are done uploading, navigate to the quarantine directory on the server side, right-click on wp-config.php and choose View/Edit. Your FTP application should prompt you for what application you'd like to open the file with, you can just use a text editor such as Notepad. Then finally copy down the database information from the define('DB_...) sections.
- At this point if you try to simply access the site you'll get a WordPress error about no wp-config.php file.
- Back in your FTP client, navigate to your public_html directory and you should see a file called wp-config-sample.php, right-click on this file and choose View/Edit, open the file in Notepad then fill in your database name, database user, and database user password.
Then hit Ctrl-S to save the file, in a few seconds your FTP client should prompt you if you'd like to save this back to the server, click Yes. You can also place a check beside Finish editing and delete local file if your FTP client gives you that option.
- Now in your FTP client right-click on wp-config-sample.php choose Rename, and then name the file just wp-config.php.
- Now in this case if we try to go to our site again it's an all blank page, the reason for this is because our site used a custom theme, and those theme files are still quarantined. So next in your FTP client navigate to the /quarantine/wp-content/themes directory, and drag over the pinboard directory (or whichever theme you used) to your local computer.
- Now navigate on the server side to the /public_html/wp-content/themes directory, and then drag the pinboard directory from the local computer to the server.
- You should now be able to hopefully pull up your website again free of any malicious hacks.
Depending on the complexity of your WordPress site, you might want to also go in and reinstall any plugins that you had setup to get your site fully functional again. These steps above should at least get you to the point where you can start logging back into your WordPress administration panel again, and get your site back online for your visitors.
We value your feedback!
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
new! - Enter your name and email address above and we will post your feedback in the comments on this page!
2013-05-07 11:23 am
You should always check the theme for fake pages as well....
Don't ever just copy it from the quarantined installation to your new fresh installation.
Just drag it on to your local computer, do a full and extended virus sweep first (with avg and maybe spybot too).
Then download the original theme and compare the two theme-folders with each other (with winmerge).
If all oke, you can put your theme back :) If not oke, put the new downloaded theme back.
P.s. I am talking from personal experience here. They put a file in my theme in this directory (guess what it looked like a online bank's login page):
2013-05-07 1:25 pm
Hello rduinmayer, and thanks for your comment and sharing your experience.
I've gone ahead and updated step #8 above to suggest to others that might also read this article that they should scan their theme's folders for signs of a virus or malware, or preferably download a fresh copy of their theme.
Thanks again for your comment!
2013-09-14 11:08 pm
sir, i want to install security in my site www.learningall.com, if i edit .htaccess file, my site is not working please check whats problem and where i add .htaccess coding in my .htaccess.
2013-09-16 11:32 am
When adding your the lines to your .htaccess file according the below article, be sure that you are adding these in addition to what you already have there. Removing the existing lines that Wordpress requires for permalinks will cause 404 errors.
Lock down WordPress admin login with .htaccess