I recently helped a client recover his hacked WordPress blog. Normally, when a WordPress site is hacked, the hacker either modifies the core system files or injects malicious code into the theme files. A quick fix is usually as simple as opening the file manager, finding the injected code, and doing a global find and replace through the terminal.
This time, though, it was the database that was fubared. Every single post had content injected into it. All 903 of them. I’ve actually never run into this before, so I figured it was worth at least a post since the fix was so easy.
How to Fix Hacked WordPress Database
The first thing you need to do is go to phpMyAdmin and locate your database. If you have multiple databases, you can locate the hacked one by checking your
Select the database table and go to the SQL tab. Enter the following command:
UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT', '');
This finds each instance of the injected code and replaces it with a blank string. If I wanted to replace it with something about liking pie, I would do this:
UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT', 'MAN DO I LIKE PIE');
This was a very simple yet interesting hack and to my surprise, it worked really well. So I get finished, shoot off a little bill, and start thinking (dangerous). I think I’m going to start injecting my own strange characters on all my auto blogs. Down the road, you can use this same method to insert or replace anything into your posts and pages (links, ads, code, you name it…)
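A more cautious way to run the REPLACE() cleanup described above, as an added example that is not part of the original post: it counts the affected rows, saves their original content, runs the same update, and verifies the result. It assumes MySQL or MariaDB and the default `wp_` table prefix; the backup table name `wp_posts_pre_cleanup` is hypothetical.

```sql
-- Added example, not from the original post. Assumes MySQL/MariaDB and the
-- default `wp_` prefix. 'A COPY AND PASTE OF THE INJECTED TEXT' is the page's
-- placeholder: paste the exact injected string, doubling any single quote ('').

-- 1. Count the rows that carry the injected text (the post above had 903).
SELECT COUNT(*) AS affected_rows
FROM `wp_posts`
WHERE INSTR(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT') > 0;

-- 2. List a few of them to confirm the match hits the rows you expect
--    (published posts, pages, revisions) before changing anything.
SELECT ID, post_type, post_status, post_title
FROM `wp_posts`
WHERE INSTR(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT') > 0
LIMIT 10;

-- 3. Save the original content of every affected row.
--    `wp_posts_pre_cleanup` is a hypothetical backup table name.
CREATE TABLE `wp_posts_pre_cleanup` AS
SELECT ID, post_content
FROM `wp_posts`
WHERE INSTR(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT') > 0;

-- 4. Run the page's cleanup, limited to the affected rows.
UPDATE `wp_posts`
SET post_content = REPLACE(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT', '')
WHERE INSTR(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT') > 0;

-- 5. Verify. This should return 0. REPLACE() matches case-sensitively while
--    INSTR() follows the column collation (usually case-insensitive), so a
--    non-zero count here means the injection also exists in another letter case.
SELECT COUNT(*) AS still_infected
FROM `wp_posts`
WHERE INSTR(post_content, 'A COPY AND PASTE OF THE INJECTED TEXT') > 0;

-- 6. Undo, if the cleanup damaged legitimate content:
-- UPDATE `wp_posts` p
-- JOIN `wp_posts_pre_cleanup` b ON p.ID = b.ID
-- SET p.post_content = b.post_content;
```

Drop the backup table once the posts have been checked on the live site, since it still contains the injected content.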
How to Fix Hacked WordPress Files
Sometimes, a hacker will choose to attack your website’s files instead. In fact, this is the easiest method to penetrate any website. Just grab a premium theme, inject some backdoor in the header file, upload it to a nulled directory, then sit back and wait.
The use of nulled themes and plugins is the number one reason for hacked WordPress sites. A nulled script will usually contain malicious code meant to add some vulnerability to your site. So installing it on your server basically means you inject the malware yourself.
Usually, the malware contains executable PHP code that sits in your website’s directory waiting for commands from the hacker. The code can either mess with your theme or extend to “eat” the whole website. When this happens, you will need to do a thorough cleanup to remove any trace of the code. If all goes well, you should be able to recover the website to its original state.
Remove the corrupt theme
If you are sure your theme was the source of the hack, the first move would obviously be to uninstall and delete it. This cripples the source of the hack and allows you to close loopholes so you can do some internal ‘cleansing’.
Re-install core WordPress files
Most WordPress hacks corrupt your WordPress core files, which effectively makes your website inaccessible. Rather than going through each file trying to find the affected items (it’s very likely you will never get anywhere with this method), you can simply replace all WordPress core files with a new installation.
To ensure you don’t lose your website’s data, highlight everything in your root directory except the wp-content folder and the wp-config.php file. Then hit delete. The wp-content folder contains your actual website files, while the wp-config.php file holds the settings that connect the site to your database. So deleting these 2 items would be rather silly.
Now head over to the official WordPress website and download fresh files. In the downloaded zip file, delete the wp-content folder and zip the remaining files. Upload this new zip file to your root directory and extract… Voila!