TCS 002: Hackers gonna hack

Here is a story about dealing with a website that has been hacked. I got an email from a digital agency I work with: one of their websites had been hacked. This podcast walks through the process I followed to find and remove the hack, in relatively simple terms.

This is what the website looked like

cPanel access

You will need the cPanel login details for the web hosting account your website sits on to follow these steps. Usually you can reach cPanel by adding /cpanel to your website address, e.g. mywebsite.com/cpanel (if your host has not set up that shortcut, cPanel also answers on https://mywebsite.com:2083), then log in with the username and password they sent you when you set up the hosting account.

Replace wp-admin and wp-includes (NOT wp-content)

Go to wordpress.org and download the latest version of WordPress.

Before touching anything, take a full backup of the site files and the database from cPanel so you can compare against it or roll back. Then replace the wp-admin and wp-includes folders on your website with the fresh copies. This is done by unzipping the WordPress file you downloaded from wordpress.org, then zipping just the wp-admin folder and the wp-includes folder into a new zip file. Upload that via the cPanel File Manager to your website and extract it so that it replaces the existing wp-admin and wp-includes folders only. This step only gives you clean core files: anything in wp-content, wp-config.php or the site root is untouched and still has to be checked.

**Warning** DO NOT REPLACE the wp-content folder. That is where all of your images, theme and plugin files live, and you need to leave it alone for now.
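The same core swap done over SSH (or the cPanel Terminal) instead of the File Manager, as an added example that is not code from the original post. Its one addition to the steps above is a diff against the clean copy before overwriting, so you get a list of exactly which core files were changed or added. It assumes the site root is passed as the first argument (e.g. ~/public_html), that curl, unzip and sha1sum are available, and it uses the SHA-1 file wordpress.org publishes next to latest.zip.

```shell
#!/bin/sh
# Added example, not code from the original post: the wp-admin / wp-includes
# swap done over SSH, with a diff against the clean copy first so you can see
# exactly which core files the attacker changed or added before you overwrite
# them. Assumes the site root is passed as the first argument (e.g. ~/public_html).
WP_ZIP_URL="https://wordpress.org/latest.zip"   # wordpress.org publishes latest.zip.sha1 next to it

# Download the current release into $1 and check its SHA-1 before trusting it.
fetch_clean_wordpress() {
  ( cd "$1" || exit 1
    curl -fsSLo latest.zip "$WP_ZIP_URL"
    expected="$(curl -fsSL "$WP_ZIP_URL.sha1")"
    actual="$(sha1sum latest.zip | cut -d' ' -f1)"
    [ "$expected" = "$actual" ] || { echo "checksum mismatch, not using this download" >&2; exit 1; }
    unzip -q latest.zip )          # unpacks to $1/wordpress
}

# Print diff -rq's report: files that differ from the clean copy, and files that
# exist only on the site. Extra .php files in wp-includes are the classic sign.
compare_to_clean() {
  clean="$1"; site="$2"; dir="$3"
  diff -rq "$clean/$dir" "$site/$dir" || true    # diff exits 1 when there are differences
}

# Swap one core folder for the clean copy. Refuses anything but the two core
# folders so wp-content (themes, plugins, uploads) can never be wiped by mistake.
replace_core_dir() {
  clean="$1"; site="$2"; dir="$3"
  case "$dir" in
    wp-admin|wp-includes) ;;
    *) echo "refusing to replace $dir" >&2; return 1 ;;
  esac
  rm -rf "$site/$dir" && cp -R "$clean/$dir" "$site/$dir"
}

# Usage: sh replace-core.sh /home/user/public_html   (take a backup first)
if [ "$#" -eq 1 ]; then
  SITE="$1"; WORK="$(mktemp -d)"
  fetch_clean_wordpress "$WORK"
  for d in wp-admin wp-includes; do
    echo "== $d: differences from the clean copy =="
    compare_to_clean "$WORK/wordpress" "$SITE" "$d"
    replace_core_dir "$WORK/wordpress" "$SITE" "$d"
  done
fi
```

Keep the diff output: the "Only in" lines name files the attacker dropped into core, and those names are worth searching for under wp-content as well.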

Turn on debugging mode

Edit the wp-config.php file and change the debug setting (the WP_DEBUG line) to true. This is done by right-clicking the file in the cPanel File Manager and selecting Edit. Remember to save, or the setting won't actually change. Debug mode prints PHP errors on the pages your visitors see, so turn it back off once you have finished.

Start renaming folders one by one and change them back between tests

Now check the website. If it still shows the hacked content, try changing the name of the wp-content folder to something else, e.g. offline-wp-content.

If the hacking message isn't there anymore, you are on the right track: whatever is producing it lives under wp-content.

Now rename it back to what it was.

Rename the next level of folders under wp-content one by one, changing each back to its correct name before trying the next. Every rename takes the site down for visitors while you test, so work quickly or do this at a quiet time.

I tried plugins and wp-uploads with no change. Then I renamed the themes folder and voila, it changed to a white screen. I was getting close now.
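The rename-and-retest loop from the steps above, written out as an added example that is not code from the original post, for running over SSH (or the cPanel Terminal) rather than clicking through the File Manager. It assumes SITE_URL is the front page and MARKER is a string that appears only on the defaced page (both hypothetical values here). A blank white screen or a PHP fatal error also makes the marker disappear, which is exactly the signal the author saw when the themes folder was hidden.

```shell
#!/bin/sh
# Added example, not code from the original post: the rename-and-retest loop
# from the steps above, run over SSH (or the cPanel Terminal) instead of the
# File Manager. Assumptions: SITE_URL is the front page, MARKER is a string
# that appears only on the defaced page (e.g. a word from the hacker's message).
SITE_URL="${SITE_URL:-https://mywebsite.com}"
MARKER="${MARKER:-hacked by}"

# Return 0 while the live page still shows the defacement. A blank page or a
# PHP fatal error (the white screen the post describes) makes this return 1 too,
# which is the signal we want: the folder we just hid contained the hacked file.
page_is_hacked() {
  curl -fsS -L "$SITE_URL" 2>/dev/null | grep -qi -- "$MARKER"
}

# Hide each child folder of $1 in turn, retest, and restore it before moving on.
# Prints the name of the first folder whose removal makes the marker disappear.
find_hacked_dir() {
  parent="$1"
  for d in "$parent"/*/; do
    d="${d%/}"
    [ -d "$d" ] || continue
    name="$(basename "$d")"
    mv "$d" "$parent/offline-$name"
    if page_is_hacked; then still_hacked=1; else still_hacked=0; fi
    mv "$parent/offline-$name" "$d"        # always put it back, even on a hit
    if [ "$still_hacked" -eq 0 ]; then
      echo "$name"
      return 0
    fi
  done
  echo "no single folder under $parent removes the marker" >&2
  return 1
}

# Usage: first confirm wp-content is the culprit (rename it by hand as the post
# describes, or run this on the site root), then narrow it down:
#   SITE_URL=https://mywebsite.com MARKER='hacked by' sh find-hacked-dir.sh ~/public_html/wp-content
if [ "$#" -eq 1 ]; then
  find_hacked_dir "$1"
fi
```

Once it names a folder, run it again on that folder (e.g. wp-content/themes) to narrow down to the individual theme, then read the debug message for the file name.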

Gotcha, hacked file found

I then saw a debugging message saying that a file called class-mega-menu.php was missing, or something like that. When I opened that file to view it, there was the actual little daemon figure and the hacking code.

I was now able to go and get the original theme files, replace the file in question, and it all came back to life.

Username and password not working

One more issue remained: my login had been compromised via the hacking file. I now had to get my username and password sorted out via the cPanel -> phpMyAdmin area.

To fix that you need to go into phpMyAdmin and find the database used for your website. If the hosting account has more than one database, the right name is on the DB_NAME line of wp-config.php.

Then click on wp_users (the prefix may be different if $table_prefix in wp-config.php is not wp_), which shows you the users that have access to your website. It was there I could see my username had been changed.

How to change the username and password from phpMyAdmin

Click Edit on the row for the username in question, change the username back to yours, type the new password into the user_pass field and select MD5 from the Function dropdown for that field, or it won't work. WordPress normally stores a stronger hash of its own, but it recognises a plain 32-character MD5 hash and re-hashes the password with its own scheme the first time you log in, which is why this works. Use a long, new password, and while you are in wp_users, reset or remove any account in the list you don't recognise.

Once you save by pressing Go and confirming the change, your username and password should work again.
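The phpMyAdmin steps above expressed as SQL, as an added example that is not code from the original post, for when you have SSH and the mysql client on the host. It reads the database name, credentials and table prefix out of wp-config.php rather than guessing them, lists every account so you can spot ones you don't recognise, and builds the same UPDATE that phpMyAdmin runs when you edit the row and pick MD5. The login names and password in the usage line are illustrative, and it assumes DB_HOST is a plain hostname.

```shell
#!/bin/sh
# Added example, not code from the original post: the phpMyAdmin steps as SQL,
# driven by the values in wp-config.php. Assumes shell access to the webroot,
# the mysql client, and that DB_HOST is a plain hostname; names are illustrative.

# Pull a define('NAME', 'value') out of wp-config.php (single- or double-quoted).
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Pull $table_prefix = 'wp_'; out of wp-config.php (falls back to wp_).
wp_table_prefix() {
  p="$(sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)"
  printf '%s' "${p:-wp_}"
}

# Double any single quote so a value cannot break out of the SQL string literal.
sql_escape() { printf '%s' "$1" | sed "s/'/''/g"; }

# Every account that can log in: look for logins you do not recognise, not just yours.
list_users_sql() {
  printf 'SELECT ID, user_login, user_email, user_registered FROM %susers;\n' "$1"
}

# What phpMyAdmin runs when you edit the row and choose MD5 as the function.
# WordPress recognises the 32-character MD5 hash and re-hashes the password with
# its own scheme the first time you log in.
reset_user_sql() {
  prefix="$1"; current_login="$2"; new_login="$3"; new_password="$4"
  printf "UPDATE %susers SET user_login = '%s', user_pass = MD5('%s') WHERE user_login = '%s';\n" \
    "$prefix" "$(sql_escape "$new_login")" "$(sql_escape "$new_password")" "$(sql_escape "$current_login")"
}

# Run a statement against the site's database with the credentials from wp-config.php.
run_sql() {
  cfg="$1"; sql="$2"
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysql \
    --host="$(wp_config_value "$cfg" DB_HOST)" \
    --user="$(wp_config_value "$cfg" DB_USER)" \
    "$(wp_config_value "$cfg" DB_NAME)" -e "$sql"
}

# Usage: sh fix-login.sh ~/public_html/wp-config.php hackedname mylogin 'N3w-l0ng-passphrase'
if [ "$#" -eq 4 ]; then
  cfg="$1"; prefix="$(wp_table_prefix "$cfg")"
  run_sql "$cfg" "$(list_users_sql "$prefix")"
  run_sql "$cfg" "$(reset_user_sql "$prefix" "$2" "$3" "$4")"
fi
```

If WP-CLI is installed on the host, `wp user update <login> --user_pass=...` does the password part without touching the database by hand; the listing query is still worth running to catch accounts you did not create.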

So all done.

Intro music by : www.bensound.com
