How to Fix a Hacked Website – Hacked by r00t3xpl0i7
Coming back to one of my WordPress blogs at the weekend I had a nasty surprise. The website was showing the page below indicating that the site had been hacked.
To try and see how this could have happened, I attempted to log into the wordpress admin account by going to the URL: www dot mydomain dot com/wp-admin/. What was really surprising was that I could not log in as admin even though the correct WordPress login page was still visible in the wp-admin subfolder.
Fortunately, I was able to log in to the cPanel for the site through the hosting company’s main website and using the File Manager in cPanel, I began to look for any suspicious files or changes. As I was unable to log in to the WordPress site, I knew I also had to check the passwords in the WordPress MySQL database.
To correct the password, I opened up the WordPress MySQL database using PHPMyAdmin and looked at the admin password and email address in the wp_users table. I found that the email address wasn’t mine – it had been changed. I edited the email address back to mine using PHPMyAdmin and cleared the password field:
I then went back to the WordPress login page on my site (www dot mydomain dot com/wp-admin/) and clicked the Forgot password link and followed the instructions to set a new password. To be on the safe side I set a very strong password. Having done that I could then login OK to the WordPress control panel.
However at this point, the website was still showing the hacked page. Going back to File Manager in cPanel and looking through the PHP files, I found that the index.php of the WordPress theme (in the wp-content/themes/theme name/ folder had a very recent modified date. Opening up the index.php for viewing showed that the file had been overwritten and now contained PHP to show the hacked page. Unhacking the site was then easy – I logged into the WordPress control panel and switched themes – the site was then back fully functioning. To be on the safe side, I deleted the hacked theme in the WordPress control panel. At this point I’m assuming the hack was due to a weakness in the PHP for the WordPress theme as the password was pretty obscure. However, I’ll be monitoring the WordPress blog to see if the site goes down again.