Follow these steps to restore a WordPress website that has been compromised. They let you restore the site without spending anything.
- Compress the entire remote site from cPanel and download the archive to your local machine
- Delete everything in the ‘public_html’ folder
- Change the FTP, cPanel, email account and MySQL passwords
- Unzip the local copy and scan it for malicious scripts; the antivirus program installed on your computer can do this easily
- To search for malicious scripts, download a text search tool (e.g. TextCrawler) and search the contents of all the local site files for terms such as preg_replace("/.*/e" and base64_decode
Note: there are legitimate uses of base64 decoding. What you are looking for is a large number of hex or escape strings, i.e. "\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65"
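The same search, done over the unpacked local copy with a small script instead of a text search tool. This is an added example and not part of the original write-up; the three sample files it writes are constructed, and it only reports lines for a human to look at, since (as the note says) base64_decode has legitimate uses.

```python
# Added example (not from the original write-up): scan an unpacked local copy of the
# site for the search terms listed above. Hits are candidates for manual review, not
# proof of compromise, since base64_decode() has legitimate uses.
import os
import re
import tempfile

PATTERNS = {
    # preg_replace() with the /e modifier evaluates the replacement string as PHP code
    "preg_replace_e": re.compile(
        r"""preg_replace\s*\(\s*['"]/(?:[^/\\]|\\.)*/[a-zA-Z]*e[a-zA-Z]*['"]"""),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    # eight or more consecutive \xHH escapes, the kind of string the note describes
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
# file types worth reading; .htaccess is matched by name since it has no extension
SCAN_EXTENSIONS = {".php", ".phtml", ".inc", ".cgi", ".pl", ".js"}


def scan_text(text):
    """Return (pattern_name, line_number, snippet) for every hit in one file's contents."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits.append((name, lineno, m.group(0)[:60]))
    return hits


def scan_tree(root):
    """Walk the unpacked site copy; return {relative_path: hits} for files with findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            ext = os.path.splitext(fname)[1].lower()
            if ext not in SCAN_EXTENSIONS and fname != ".htaccess":
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample files standing in for the unzipped site (not real site contents)
SAMPLE_FILES = {
    # the obfuscated string quoted in the note, planted under uploads/cache
    "wp-content/uploads/cache/x.php":
        '<?php\n$s = "\\x65\\x76\\x61\\x6c\\x20\\x28\\x20\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65";\n',
    # both search terms, one per line, in a harmless form
    "wp-content/plugins/demo/demo.php":
        "<?php\n$a = preg_replace(\"/.*/e\", \"strtoupper('x')\", \"abc\");\n"
        '$b = base64_decode("aGVsbG8=");\n',
    # an ordinary theme file that should produce no hits
    "wp-content/themes/demo/functions.php":
        "<?php\nadd_action('init', function () { return 'ok'; });\n",
}


def demo():
    """Write the constructed files to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    # point scan_tree() at the real unzipped folder instead of demo() for actual use
    for rel_path, hits in sorted(demo().items()):
        for name, lineno, snippet in hits:
            print("%s:%d  %s  %s" % (rel_path, lineno, name, snippet))
```

Run it against the unzipped folder by calling scan_tree() with that path; every reported line should be opened and judged by hand, and anything you cannot explain is a reason to replace the file from a known-good copy rather than to clean it in place.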
- Check that your .htaccess file hasn’t been compromised, and check that there are no other .htaccess files in any other folder (use Windows search)
- Install the latest WordPress in the public_html folder
- Copy your wp-config.php from the old site over to the new folder
- Change your DB_PASS and your secret keys
- Log in to WordPress and immediately change all user passwords – use a random password generator like http://www.thebitmill.com/tools/password.html and bump the length up to 12 or 16 characters
- Install the “BulletProof Security” firewall plugin
- Install the “Limit Login Attempts” plugin and set it to 3 attempts
- Create a new administrator user. Hint: don’t call it Admin, Sys, System, Administrator, Operator, WordPress or anything like that
- Delete the old administrator users, making sure their posts/pages are inherited by the new administrator user created in the previous step
- Now you have a working and secured core WP installation
- Reinstall all the plugins from the Admin Dashboard and reactivate them if WP has deactivated them. The settings should already be stored in the DB
- Upload / ftp your theme to the live server and re-activate the theme.
- Last to upload / ftp is your wp-content/uploads (and any other non-WP folders in there, after checking they are OK and contain only the correct media)
Note: this is a favourite place for hackers to store their .php or .cgi scripts, sometimes named “cache”
- Install the “Anti-Malware” plugin. Update its database and run a full scan
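Changing DB_PASS and the secret keys in wp-config.php, and generating the 12- or 16-character random passwords mentioned above, can be done with a script rather than by hand. This is an added example and not part of the original write-up: the sample wp-config.php is constructed, and the character set used for the new values is an assumption chosen so that every value sits safely inside a single-quoted PHP string.

```python
# Added example (not from the original write-up): regenerate the eight secret keys in
# wp-config.php, set a new DB_PASSWORD, and produce random passwords for user accounts.
import getpass
import re
import secrets
import string
import sys

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Assumed alphabet: letters, digits and punctuation that is safe inside a
# single-quoted PHP string (no quote, backslash or dollar sign)
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{};:,.<>?/|~"


def random_value(length):
    """Random string from ALPHABET using the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_password(length=16):
    """A random password for a WordPress user or the DB user; 12 or 16 as advised."""
    return random_value(length)


def _replace_define(text, key, value):
    """Rewrite the single-quoted define('KEY', '...'); statement for one key."""
    if any(c in value for c in "'\\"):
        raise ValueError("value for %s would break a single-quoted PHP string" % key)
    rx = re.compile(r"define\(\s*'%s'\s*,\s*'[^']*'\s*\);" % re.escape(key))
    new_text, count = rx.subn(lambda m: "define('%s', '%s');" % (key, value), text, count=1)
    if count == 0:
        raise ValueError("no define() for %s found in wp-config.php" % key)
    return new_text


def rotate_secrets(config_text, db_password):
    """Return (new wp-config text, dict of the new key values).

    db_password must already have been set on the MySQL user via cPanel; the 64-char
    key length matches what WordPress's own salt generator produces."""
    values = {key: random_value(64) for key in SALT_KEYS}
    text = _replace_define(config_text, "DB_PASSWORD", db_password)
    for key, value in values.items():
        text = _replace_define(text, key, value)
    return text, values


# Constructed wp-config.php fragment in the layout of wp-config-sample.php
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'old-password' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # usage: python rotate_wp_secrets.py /path/to/wp-config.php
        # (the new DB password is prompted for so it never lands in shell history)
        db_password = getpass.getpass("New DB password (already set in MySQL): ")
        with open(sys.argv[1], encoding="utf-8") as fh:
            rotated, _ = rotate_secrets(fh.read(), db_password)
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(rotated)
    else:
        rotated, _ = rotate_secrets(SAMPLE_CONFIG, new_password())
        print(rotated)
```

Rotating the eight keys invalidates every existing login cookie, which is exactly what you want after a compromise: anyone holding a session from the old site is logged out along with you.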
- Use a backup plugin to back up your WordPress site
- Scan your website online with http://sitecheck.sucuri.net/