
blog defaced for 40 minutes

Posted at 21:56 on Sun, 14th March 2010 in wordpress.

Some notes on how I recovered from a WordPress defacement.

This wasn't anyone's fault but my own (as I left WordPress unpatched for a few months), but the other week I found the blog had been replaced with the message 'F### the Israeli's' and 'you suck admin', etc. etc.

When the defacing occurred, for whatever reason (thankfully) WordPress sent me an email to say the admin user's email address had changed. This was about 30-40 minutes before I got into work, so as soon as I got to work I was able to disable the site quickly and add a temporary message.

Anyway, I thought I'd post what I did to recover the blog without losing any data. If you're doing this yourself, please note that this will definitely not fix all defacements; this is just a log of what I did to get things working again. You'll also need your FTP username and password, and access to your MySQL server (i.e. via phpMyAdmin or direct MySQL access):

  1. The first thing to do is disable the site while you perform the fixes, so rename your public_html folder to something else (so it can't be accessed from the web and re-defaced). In this example we'll call it 'public_html_stuffed'.
  2. Next, take a look in your uploads folder (public_html_stuffed/wp-content/uploads/) to see if there's anything that was recently added to the site and looks suspicious. I found something called l_php.jpg, which turned out to be some very cryptic PHP code when opened in an editor.
  3. Now take a look in your theme folder (public_html_stuffed/wp-content/themes/alexs-blog) to see if anything there has also recently changed. I found that the index.php file here contained all the markup you would see when visiting the defaced site. I just purged the whole folder to be on the safe side (we'll fix this later).
  4. Next, download a copy of the latest WordPress release from wordpress.org, unzip it and overwrite all the files in your public_html_stuffed folder with the new ones. This both upgrades you to a patched version and purges any system files that may have been altered by the crackers.
  5. Now for the database changes: go to the wp_users table and edit user 1 (the admin user). Make sure this user's email address is your own, and if it's been changed, set it back. Also set the password field to empty (don't worry, this won't let anyone log in with an empty password, and we'll fix it in a minute anyway).
  6. While we're in the database, remove any new posts that look like they relate to the defacement. In my case there was one post that mentioned the odd filename (l_php.jpg) I found in the uploads folder, so I simply deleted that row.
  7. It should be safe now to make the site web-accessible again, so rename public_html_stuffed back to public_html.
  8. Access the site's admin login page and click the recover password link. Follow the instructions for resetting the admin user's password.
  9. Once in your admin area, reset the theme, or download a new theme and activate it (if you deleted the old one entirely). You'll also want to make sure all your plugins are updated too! To be on the safe side I also re-ran the WordPress update via the update section of the admin area.
  10. Clear your browser cache, and then you should be done.
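Steps 2 and 3 above are done by eye: open the uploads and theme folders and look for files that were added or changed recently, or that claim to be images but are really PHP (the l_php.jpg trick). The script below is an added example, not code from the post, that automates that triage over a wp-content tree. It assumes the standard wp-content/uploads and wp-content/themes layout, and builds its own constructed sample tree (a benign placeholder file standing in for l_php.jpg, no real payload) so it can be run offline; point `triage()` at a real wp-content copy to use it for real.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Added example (not the blog's own code): triages a WordPress wp-content tree the
# way steps 2 and 3 do by hand. It flags (a) uploads whose extension says "image"
# but whose bytes start with the wrong magic or contain a PHP open tag, and (b)
# any file under wp-content modified within the last N days.

PHP_TAG = re.compile(rb"<\?(php|=)")  # PHP open tags: <?php or <?=
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico", ".svg"}
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG", ".gif": b"GIF8",
}


def looks_like_disguised_php(path: Path) -> bool:
    """True when an 'image' file has the wrong magic bytes or carries a PHP tag."""
    ext = path.suffix.lower()
    if ext not in IMAGE_EXTS:
        return False
    data = path.read_bytes()
    magic = IMAGE_MAGIC.get(ext)
    wrong_magic = magic is not None and not data.startswith(magic)
    return wrong_magic or PHP_TAG.search(data) is not None


def scan_uploads(uploads_dir: Path) -> list[str]:
    """Relative paths (POSIX style) of uploads that are PHP dressed up as images."""
    return sorted(
        p.relative_to(uploads_dir).as_posix()
        for p in uploads_dir.rglob("*")
        if p.is_file() and looks_like_disguised_php(p)
    )


def modified_since(root: Path, cutoff: float) -> list[str]:
    """Relative paths of files under root whose mtime is newer than cutoff (epoch seconds)."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > cutoff
    )


def triage(wp_content: Path, days: int = 7) -> dict:
    """Run both checks over a wp-content directory and return the findings."""
    cutoff = time.time() - days * 86400
    return {
        "disguised_php": scan_uploads(wp_content / "uploads"),
        "recently_modified": modified_since(wp_content, cutoff),
    }


def build_sample_site() -> Path:
    """Constructed wp-content tree mirroring the post's findings (hypothetical data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    uploads = root / "uploads" / "2010" / "03"
    theme = root / "themes" / "alexs-blog"
    uploads.mkdir(parents=True)
    theme.mkdir(parents=True)
    old = time.time() - 90 * 86400  # untouched for three months
    # A legitimate JPEG (real magic bytes) that has not been touched in months.
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 32)
    os.utime(uploads / "photo.jpg", (old, old))
    # The l_php.jpg lookalike: an "image" that is really PHP. Benign placeholder body.
    (uploads / "l_php.jpg").write_bytes(b"<?php /* constructed placeholder, not a payload */ ?>")
    # Theme: stylesheet untouched, index.php rewritten by the defacement.
    (theme / "style.css").write_text("/* theme stylesheet */")
    os.utime(theme / "style.css", (old, old))
    (theme / "index.php").write_text("<?php /* replaced by the defacement */ ?>")
    return root


if __name__ == "__main__":
    report = triage(build_sample_site())
    print("disguised PHP in uploads:", report["disguised_php"])
    print("changed in the last week:", report["recently_modified"])
```

The magic-byte check catches files renamed to an image extension even when the PHP tag is obfuscated, and the mtime check surfaces the rewritten theme index.php; both only narrow the list for you to inspect, so still open anything flagged in an editor as the post does.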

In the process of fixing my blog I've also changed my theme. Did anyone notice? Probably not! :)

Just an FYI: the WordPress version I was using when this all happened was 2.8.5, so it was only 4 versions (6 months) since I had last updated.