WordPress is constantly being updated, but a WordPress site can become infected with malware by bypassing the WordPress security itself. Here are some tips on how we typically disinfect a site.

– Change all ftp user passwords. For a Dreamhost account this is easily done through the Dreamhost control panel (Users -> Manage Users). For other hosting companies there is usually a control panel for controlling the back end users to your site; users that have access to the file system portion of your WordPress site. Make this password complex. One World Labs recommends a 22 character password length using a mix of uppercase, lowercase, numbers and punctuation. I used to think this was ridiculous overkill. Now, after five of my sites were hacked, I do this regularly.

– Change your WordPress database password. For Dreamhost users this is done through Goodies -> MySQL Databases, click on the user that is used to log into your database and change the password.

– Update the wp-config.php file to change permissions on the file. I have found 640 works well (Owner – Read and Write, Group – Read, Others – Nothing).

– Update the wp-config.php file to reflect the new database password.

– Change all WordPress administrator user passwords. This is easily done using the WordPress admin screen by clicking on Users in the left hand menu.

– Backup your WordPress site. We use a plugin called BackWPUp (http://wordpress.org/extend/plugins/backwpup/) which you can install from within the WordPress admin screen (Plugins -> Add New). BackWPUp has the advantage of backing up both the file system and the database and it can also send a copy of the backup off-site. Any plugin that backs up both the file system and the database will do. TIP: When you setup a backup job specify a backup directory where backups will be saved to and then remember to *exclude* backup of that directory.

– Many WordPress sites run on an Apache web server. Apache makes use of a number of different access methods for securing a site, but on a shared host (like Dreamhost, Hostmonster, Gatorhost, Bluehost, Media Temple, etc) you are limited to what you can do with Apache. The key method that you can use is to create an Apache directive file called a .htaccess file. A .htaccess file contains commands for Apache to use on how to manage your site. Check for .htaccess files in your site and look for suspicious entries. An .htaccess file can be used to tell the web server to perform various functions that are bad for your site, including page redirection (the user clicks on a link for a page in your site and the redirection sends the user to an outside site). Since an .htaccess file is a hidden file it may not show up in file system listings. You may have to set your ftp client software to show hidden files, or be certain to include hidden files when searching the file system using a secure shell connection. There may be *multiple* .htaccess files hidden in the WordPress file system, especially in the folders that contain the current WordPress theme files. You are looking for code that points users to URLs outside of your site. When in doubt, you can comment out any entries instead of deleting them, or make a copy of the file first (call it “.htaccess.suspect” or something obvious) before making changes.

On linux WordPress hosts I search for .htaccess files using the command line: find ./ -name “.htaccess” -print

Here is an example of a good .htaccess file to use in the root of your site:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

When you are done editing your .htaccess file(s) and have uploaded them to your site set the file permissions on them to be 740.

Give a plugin called Exploit Scanner a try. Load it through the WordPress Dashboard (Appearances -> Plugins).

– Download all site files and use Textpad or Notepad++ to do a find on “base64” references with long suspicious strings. There are valid uses of the base64 encoding command so do not remove anything that looks like it belongs in the normal flow of php program code. Usually malicious base64 strings are inserted at the very beginning or very end of a page (hackers are typically lazy and it is easy to prepend or append a file). We use programs like Textpad (http://www.textpad.com/) and Notepad++ (http://notepad-plus-plus.org/) because they are free and can perform search and replace through multiple files at a time. My favorite editor for uses like this is a commercial editor called UltraEdit (http://www.ultraedit.com/) because it runs on different platforms (Windows, Mac, Linux). Once the files have been cleaned they can be uploaded back to the site, overwriting the infected files.

– Look for suspicious pages or files. We usually download a copy of the version of WordPress in use and do a directory/folder comparison with what is currently installed on the site. On a Windows computer you can use Winmerge or the Windiff utility that comes on the Windows CD/DVD. Look for extra files (in the root folder of the site especially) that end in “.php” and examine them.

In hacked sites, I often find a large number of files in the uploads folder, especially ones that end in .php. The uploads directory, and sub-directories, are used to contain media such as images, .PDF files, audio files, video files. Typically, unless you are a programmer, you will not have .php files in this area other than an index.php file.

Once your site has been disinfrected consider installing a security plugin such as WebsiteDefender WordPress Security or 6Scan Security to help you with identifying areas that could be made more secure. WebsiteDefender has a free scanning service that you can use for your site that will help to keep your site up to date and safe and 6Scan has a low, one-time fee for weekly scanning.

We will update this page as we find more tools and methods for WordPress disinfection. The best tool is prevention and the best prevention is to use very good passwords.

Disinfecting WordPress
Tagged on: