WordPress Hack Becoming More Common – Symptoms and Solution


We’ve been dealing with an uptick in hacked WordPress websites lately, and they all appear to have the same symptoms. If you’ve seen these symptoms, you have probably been hacked too, unfortunately.

Luckily, we will outline not only how this particular hack works but also the steps you can take to resolve it.

But fair warning: most of these steps should only be taken by somebody who really knows what they are doing. If that’s not you, consider hiring us or another WordPress development company to help you.

WordPress Hack Symptoms

The first thing you might notice is that you can’t log into your website, as if your password has changed. Or perhaps you went to view your website, and there was nothing but a strange field asking for a password, even on the front-end.

If you’ve reached that point, the hack has probably had at least several days to sink its claws in.

I believe this to be an entirely automated hack, and it has roughly 4 stages. Once access is granted, a few things happen. Stage 1 is completed within the first day or two:

  • Admin users will have their passwords changed
  • Two new admins will be added, with usernames “wp-blog” and “wp-user” and email addresses “wp-blog@gmail.com” and “wp-user@gmail.com”. I’m sure these aren’t real email addresses but they indicate that you’ve definitely been hacked.
  • A few misc. PHP files will show up in the site root and throughout the 3 primary WordPress directories, wp-admin, wp-includes, and wp-content. These files have names that seem plausible, like “wp-admin.php”. (WordPress core has no file by that name; the real admin code lives in the wp-admin directory, so a wp-admin.php in the root is a red flag on its own.)

During this time, the site will be logged into from IP addresses almost exclusively in Europe; mostly Russia, Ukraine, and Bulgaria, in my experience. If you have a security plugin like WordFence, it will log these logins for you.

After 3 or 4 days, the hack really starts to take over. This is stage 2. You’ll see the following things:

  • Three new plugins, each with a random hexadecimal folder name like “6b08217d67c2e1be53a551e7” in the plugins folder, all listed in the WordPress backend as “WordPress Uploader”, version 1.3.3.7, by an author called “ph03n1x69”. (The screenshot shows three identical “WordPress Uploader” entries on the Plugins screen.)
  • Additional misc. PHP files throughout the site root and the three main directories

Stage 3 happens after 4 or 5 days. Note that both the front-end of your site and the backend will still look fine, so you might not notice anything is happening. In stage 3, you’ll see the following:

  • The addition of even more plugins, often including ones named “WP Core Secure,” “Fix,” and “wpcs.” These contain malicious code and will soon greatly ramp up the infection.
  • A large increase in the number of malicious PHP files. You’ll see up to about 10 in the WP root, 5-10 in the wp-content folder, and dozens more throughout the WordPress core files, mixed into the uploads folder, and within plugin files. WordPress itself never writes PHP into wp-content/uploads, so any .php file under that folder is suspect on its own.

One annoying thing about this hack is that it tends to change the “modified” date on its files, so you can’t just sort all the files by newest and delete those. Some may claim they are years old, even on new WordPress installations.
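The backdated “modified” date is the file’s mtime, which any process that owns the file can rewrite. The inode change time (ctime) is set by the kernel on every content or metadata change and cannot be set from userspace, so it survives the trick. The script below is an added example, not code from the post; it builds a small constructed site tree, backdates the planted files the way the hack does, and shows that triage by ctime still finds them while a “sort by newest” view does not. File names such as wp-admin.php and uploads/2023/01/cache.php are constructed for the demonstration.

```python
"""Added example (not part of the original post): triage PHP files by inode
change time instead of the forgeable "modified" date.

The sample site tree is constructed. Timestamps behave as described on
Linux/macOS; on Windows st_ctime means creation time instead.
"""
import os
import tempfile
import time

PLANTED = ("wp-admin.php", "wp-content/uploads/2023/01/cache.php")  # constructed names


def build_sample_site() -> str:
    """Create a tiny fake site with two planted files whose mtime is backdated."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "index.php": "<?php /* legitimate core file */",
        "wp-admin.php": "<?php /* planted: plausible-looking name in the root */",
        "wp-content/uploads/2023/01/cache.php": "<?php /* planted: PHP inside uploads */",
        "wp-content/uploads/2023/01/photo.jpg": "not really an image",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    # What the hack does: make its files claim to be years old (mtime only).
    backdated = time.mktime((2019, 3, 4, 12, 0, 0, 0, 0, -1))
    for rel in PLANTED:
        os.utime(os.path.join(root, rel), (backdated, backdated))
    return root


def php_files(root: str):
    """Yield every *.php path under root, relative to root, with '/' separators."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                yield rel.replace(os.sep, "/")


def recent_by_mtime(root: str, days: int) -> list:
    """What 'sort by newest' in a file manager shows: trivially fooled."""
    cutoff = time.time() - days * 86400
    return sorted(p for p in php_files(root)
                  if os.stat(os.path.join(root, p)).st_mtime >= cutoff)


def recent_by_ctime(root: str, days: int) -> list:
    """Files whose inode changed recently, regardless of the claimed mtime."""
    cutoff = time.time() - days * 86400
    return sorted(p for p in php_files(root)
                  if os.stat(os.path.join(root, p)).st_ctime >= cutoff)


def mtime_backdated(root: str, days: int) -> list:
    """ctime recent but mtime old: the signature of a touch'ed file."""
    return sorted(set(recent_by_ctime(root, days)) - set(recent_by_mtime(root, days)))


def php_under_uploads(root: str) -> list:
    """WordPress never writes PHP into wp-content/uploads, so any hit is suspect."""
    return sorted(p for p in php_files(root) if p.startswith("wp-content/uploads/"))


if __name__ == "__main__":
    site = build_sample_site()
    print("by mtime   :", recent_by_mtime(site, 7))
    print("by ctime   :", recent_by_ctime(site, 7))
    print("backdated  :", mtime_backdated(site, 7))
    print("php/uploads:", php_under_uploads(site))
```

On a real server the shell equivalent is `find /path/to/site -name '*.php' -ctime -7`. Two caveats: ctime also changes on chmod/chown, and a full restore or a migration to a new server resets ctime on every file, so a flood of hits right after such an event is expected rather than alarming.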

Once stage 3 has completed, it becomes more difficult to remove the hack because it is so deeply ingrained in the website.

Stage 4 is the final stage, or at least the last one I’ve seen. I haven’t left it alone long enough to see if it goes further or to really see what it does. But this stage is obvious, because the entire front-end of your site will be reduced to a simple password field.

If you have a good Uptime Monitor (like the one included with our website hosting), it would alert you to a problem at this point.

More than likely, the purpose of this hack is to gain access to sites and servers and use them as part of a botnet or to spread spam, but it’s hard to say for certain.

Regardless, you’ll want to eliminate the hack as quickly as possible and make your site secure.

How did I get hacked?

For this particular hack, in most instances that we’ve seen, the attackers actually obtained an administrator password from somewhere outside the website. So maybe your PC got hacked and you had your passwords saved there, or your browser was compromised and they were saved in the browser.

However, attackers could just as easily get the same access by exploiting a vulnerable plugin, which is why it’s so important to run updates at least monthly.

How to Remove the WordPress Hack

I have personally removed hacks from hundreds of websites over the years, and have also removed this specific hack a couple dozen times already. I have developed a process that is quite effective at removing the hack if followed carefully.

First things first: I strongly recommend you run a full backup of all your site files and the database before attempting this. I also recommend not trying it if you have no idea what you’re doing. Hire a professional if there’s anything you’re not sure about. If you can’t afford to lose your site, don’t mess around with things you don’t understand.

With that being said, let’s begin.

Option 1: Restore from a Backup

If you have some idea when the hack began, you have a backup from before then, and nothing has changed on the site since then that you can’t afford to lose, you should simply restore from a backup.

This is by far the easiest and most complete way to go about things. It’s basically just the one step.

Often, your host handles backups for you and can run the restore on your behalf. If they don’t offer to do it for you, they should at least be able to tell you how to do it yourself.

Make sure you restore both the site files and the database.

While this is the best option if you meet the requirements, you will want to make sure you take a couple additional steps to wrap things up after the restore:

  1. Reset all admin passwords
  2. Reset your database password (and update the one in wp-config.php to the new one so your site doesn’t break)
  3. Update all your plugins, themes, and WordPress itself to the newest versions

These things will help prevent you from getting hacked again. As a cheap extra precaution, also regenerate the keys and salts in wp-config.php; that invalidates every existing login cookie on the site at once. Once you’ve done that, it couldn’t hurt to run a new backup just in case something happens again.

Option 2: Manually Remove the Hack

This option is more involved but may be your only choice. Depending on how long the hack has been going on, this could be tricky and you may need to repeat some steps.

But if you do it right, it should do the trick.

Here are the steps you’ll want to follow.

  1. Reset all the admin passwords. If you can’t get in the backend to do this, you’ll have to come back to it. You might be able to follow our guide to creating an admin user via FTP to gain access.
  2. Download a fresh copy of WordPress and upload it to the site root via FTP or an online file manager. If you’re savvy, you could download WordPress, extract it locally, remove /wp-content/, zip it up again, and upload that instead. This saves you the trouble of having to delete the bundled Hello Dolly and Akismet plugins and a default theme you may not want.
  3. Delete the /wp-admin/ and /wp-includes/ folders using an online file manager. You could use FTP for this, too, but it will take a lot longer.
  4. Delete all WordPress files in the root, other than the WordPress zip file you just uploaded, wp-config.php, .htaccess, and robots.txt. Make sure you’ve backed up everything before doing this, since you won’t be able to restore them otherwise. In most cases, all the root files will be WordPress files, so you can delete everything except those four, but in your own case you may store other things there as well.
  5. Extract the WordPress zip file, restoring /wp-admin/ and /wp-includes/. This can usually be done with an online file manager at your hosting. Otherwise, you could also use SSH. If you have neither, you’ll have to extract them locally and manually upload them via FTP. But again, it will take probably 100x as long.
  6. Try logging into the website. If you are having problems, make sure you back up the .htaccess file, and then delete the server copy and try again. If it’s still not working and you’re getting PHP errors, you may have to rename your plugins or themes folder to prevent them. This is advanced troubleshooting and not covered here. If you don’t know what you’re doing, consult with an expert.
  7. Once logged-in, install the WordFence plugin and initiate a scan. The default settings should be adequate.
  8. View “Users” and click to view only administrators. Delete the users “wp-blog” and “wp-user”. You may also have a third unknown user with a random-letter name, username, and email address. Delete that, too.
  9. If you weren’t able to perform step #1 until now, go ahead and reset all admin passwords.
  10. Review the list of plugins in both the backend and using FTP. Delete suspicious ones, including the ones mentioned earlier: usually three plugins with random hexadecimal names like “6b08217d67c2e1be53a551e7”, “WP Core Secure”, “WordPress Uploader”, “Fix”, and “wpcs”. You could sort the plugin folders by “newest” in the modified column, however this doesn’t always help. Sometimes the hack alters the “modified” date, or other times you may find that every plugin has been modified today.
  11. Review the WordFence scan results, once completed. More than likely, it will find a dozen or two malicious files. You should delete those, but only if you’ve backed up your site first.
  12. Reset the database password as well as all admin passwords if you still haven’t done that yet.
  13. If you had to delete the .htaccess file, review the original. If there are any important directives in there, make sure to add them back in. If not, you can always just recreate it by going to Settings -> Permalinks and clicking “save”.
  14. Update all plugins, themes, and WordPress to their newest version.
  15. Clear the cache within WordPress, if you happen to have a caching plugin or caching is included with your host.
  16. Run a final WordFence scan. Hopefully this time it will come up clean!
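Steps 2 to 5 replace wp-admin/, wp-includes/ and the root files with a fresh copy. The script below is an added example (not the post’s own code) that does the comparison without replacing anything, so it can be run before the reinstall to see what was touched and afterwards to confirm the reinstall took. It reports core files whose hash differs from a known-good manifest, files the manifest lists that are missing, and files in the core areas that the manifest does not know about (the wp-admin.php in the root, for instance). The manifest shape {"relative/path": "md5hex"} is what the WordPress checksums API (https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US) returns under its "checksums" key and what `wp core verify-checksums` consumes; because this example must run offline, the manifest is built from a constructed clean tree instead, and every file name and body below is constructed rather than real core content.

```python
"""Added example (not the post's own code): check the core areas of a
WordPress tree against a known-good checksum manifest and list what is
modified, missing, or should not be there.

All file names and contents here are constructed stand-ins; on a real site
the manifest would come from the core checksums API for the exact version.
"""
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")
# Root files the post says to keep; they are site-specific and never in the manifest.
ROOT_ALLOWLIST = {"wp-config.php", ".htaccess", "robots.txt"}

CLEAN_FILES = {  # constructed stand-in for a core release
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php /* loads WordPress */\n",
    "wp-admin/index.php": "<?php /* dashboard */\n",
    "wp-includes/version.php": "<?php $wp_version = '6.4.3';\n",
}


def write_tree(files: dict) -> str:
    """Materialise a {relative path: content} mapping under a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="wp-core-")
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def md5_of(path: str) -> str:
    """MD5 is what the core checksums API publishes, so that is what we compare."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def in_core_scope(rel: str) -> bool:
    """Root-level files plus everything under wp-admin/ and wp-includes/.
    wp-content/ is deliberately out of scope: plugins and themes need their own
    checksums (wp plugin verify-checksums) and uploads should hold no PHP at all."""
    top = rel.split("/", 1)[0]
    return "/" not in rel or top in CORE_DIRS


def core_files(root: str):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if in_core_scope(rel):
                yield rel


def build_manifest(root: str) -> dict:
    """Stand-in for fetching the checksums API: hash a known-clean tree."""
    return {rel: md5_of(os.path.join(root, rel)) for rel in core_files(root)}


def verify_core(root: str, manifest: dict):
    """Return (modified, missing, unexpected) relative paths, each sorted."""
    modified, missing = [], []
    for rel, want in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != want:
            modified.append(rel)
    unexpected = [rel for rel in core_files(root)
                  if rel not in manifest and rel not in ROOT_ALLOWLIST]
    return sorted(modified), sorted(missing), sorted(unexpected)


def infect(root: str) -> None:
    """Constructed stand-in for stages 1-3: a plausibly named file in the root,
    an extra file inside wp-includes, a rogue plugin folder, and a core file edited."""
    extras = {
        "wp-config.php": "<?php define('DB_NAME', 'example');\n",  # legitimate, allow-listed
        "wp-admin.php": "<?php /* planted */\n",
        "wp-includes/wp-admin.php": "<?php /* planted */\n",
        "wp-content/plugins/6b08217d67c2e1be53a551e7/plugin.php": "<?php /* rogue plugin */\n",
    }
    for rel, body in extras.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    with open(os.path.join(root, "wp-includes/version.php"), "a") as fh:
        fh.write("/* appended by the attacker */\n")


if __name__ == "__main__":
    manifest = build_manifest(write_tree(CLEAN_FILES))
    site = write_tree(CLEAN_FILES)
    infect(site)
    modified, missing, unexpected = verify_core(site, manifest)
    print("modified  :", modified)
    print("missing   :", missing)
    print("unexpected:", unexpected)
```

Note what the check does not cover: the rogue plugin under wp-content/plugins is reported by nothing here, because core checksums only describe core. That is why step 10 (reviewing the plugin list by hand) and the WordFence scan in steps 7 and 11 remain necessary even when the core comparison comes back clean.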

And there you have it! It seems like a lot, but in most cases it can be done within an hour. We got it down to maybe 5-10 minutes for most of our clients.

Remember to always keep things up-to-date, use quality hosting, and also utilize a quality security plugin. These things will all help prevent future hacks.

If you’d like someone to simply handle all of these things for you, please use the contact form below to find out more about our ongoing WordPress services.

About Brian Johnson

Brian Johnson is a website developer and designer living in Minneapolis, Minnesota with a passion for code and WordPress. He spends his days building WordPress websites for small businesses, developing new code with the online community, and living life.
