• A few hours ago on 14 Nov 2012 I could not log in to my WordPress admin which did not recognise either the name or password – not sure which was not recognised. My site https://www.secretfocus.co.uk no longer appears by my usual direct route or via Google.

    Only a blank page with ‘hacked by hacker’ appears.

    I am using the WordPress forum to look for solution but would appreciate any advice or suggestions – maybe you have seen this before.

    Contacted my host for advice but snails never travel fast!

Viewing 15 replies - 31 through 45 (of 47 total)
  • Thread Starter secretfocus

    (@secretfocus)

    The good news is that I have uploaded wp-admin & wp-includes into my cpanel file manager.

    I have also deleted Contact Form 7 plugin to remove one area of potential back door hacking – I spent a lot of time working on this immediately before the hack and will re-install it again later.

    My next task is to re-install my theme (Sixhours) but once again how to do this is a problem as there seems to be no delete facility unless I substitute a different theme and then re-install it.

    Would this work?

    Just delete the theme from wp-content/themes and re-upload the new copy.

    Thread Starter secretfocus

    (@secretfocus)

    Done that and the hacked by hacker line in header.php has gone.
    However, my website still does not display properly and still has the white page saying hacked by hacker on it.

    Is it likely that HostPapa need to know about the repair?

    You replaced the index.php file in the public_html directory as well, correct? Can you see what the last_modified date is on that file?

    @secretfocus: You also need to delete all files in the root WordPress folder except your wp-config.php and your .htaccess files and re-upload fresh copies.

    Next – download your wp-config.php and make a note of your database access details. Use the wp-config-sample.php file to create a new wp-config.php file and upload this new file to the root WordPress folder.

    Examine your .htaccess file for anything unusual. A basic WordPress .htaccess file only contains:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Is it likely that HostPapa need to know about the repair?

    From what I have read today, it sounds like their poor server configuration may have been responsible for the spread of the hack across so many sites. In your shoes, I’d be looking for another hosting company.

    Thread Starter secretfocus

    (@secretfocus)

    @mvandemar. The phot version used by HostPapa is Version information: 3.4.11.1, latest stable version: 3.5.3.

    I have now replaced index.php in public.html but still no page display. I have contacted HP to inform them of the repair.

    By coincidence I had started looking for a new host and HostGator seemed to have what I need. I think this incident will bring that forward!

    @esmi. Your post about deleting root files has confused me. Had a long look through cpanel file manager (public.html) and cannot see anything like .htaccess files. In addition, the files etc. that are in there are licenses, read me, sitemap.xml, text/html and what I assume are important php files.

    There is another folder for access logs at the same level to public.html but this is completely empty. Can you advise me further on this?

    Had a long look through cpanel file manager (public.html) and cannot see anything like .htaccess files.

    Don’t worry about it. If you were not using a custom permalink structure, you may not have ever had an .htaccess file.

    In addition, the files etc. that are in there are licenses, read me, sitemap.xml, text/html and what I assume are important php files.

    Delete the sitemap.xml file. You can re-create this at a later stage. General rule of thumb – if you can manage without a file, delete it after a hack and create a new copy.

    The only .html file should be the readme.html file. You can delete and re-upload this. Ditto the license.txt file. All of the .php files can be deleted and re-uploaded except for the wp-config.php file as I mentioned above.

    There is another folder for access logs at the same level to public.html but this is completely empty. Can you advise me further on this?

    Leave it alone. It’s almost certainly nothing to do with WordPress.

    Thread Starter secretfocus

    (@secretfocus)

    OK – thanks for all the help. I guess I just wait for HostPapa to do their stuff now!

    Thread Starter secretfocus

    (@secretfocus)

    @esmi. Replacing the php files and I see that there are no replacements for some = feed, pass, rdf, register, rss, rss2.

    Do I leave the existing files or delete them?

    Where are these files? Did you install WordPress a while ago? Generally speaking, if the file is not present in your fresh download of WordPress, it should be deleted.

    Thread Starter secretfocus

    (@secretfocus)

    They are all December 2010 or 2011 and in public.html

    Delete them.
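The rule given in the replies above (anything not present in a fresh WordPress download gets deleted, everything else gets replaced) can be checked mechanically. This is an added example, not code from any poster in the thread; it assumes you have unpacked a fresh download of the same WordPress version into a second folder, and it leaves wp-content out of the comparison because that folder holds your own themes, plugins and uploads.

```python
import hashlib
import os
import sys

# Files the advice above says to keep and review by hand, not replace.
KEEP = {"wp-config.php", ".htaccess"}
# Top-level folders not compared against the core download (assumption).
SKIP_DIRS = {"wp-content"}


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root):
    """Map relative path -> SHA-256 for every file under root."""
    found = {}
    for folder, dirs, files in os.walk(root):
        if folder == root:
            dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_of(full)
    return found


def compare_to_fresh(site_root, fresh_root):
    """Return (extra, modified) file lists relative to the fresh download."""
    site = list_files(site_root)
    fresh = list_files(fresh_root)
    extra = sorted(p for p in site if p not in fresh and p not in KEEP)
    modified = sorted(p for p in site if p in fresh and site[p] != fresh[p])
    return extra, modified


if __name__ == "__main__":
    # Usage: python compare.py <downloaded copy of the site> <fresh WordPress>
    extra, modified = compare_to_fresh(sys.argv[1], sys.argv[2])
    for path in extra:
        print("not in fresh download:", path)
    for path in modified:
        print("differs from fresh download:", path)
```

Run it against a copy of the site downloaded to your own machine rather than on the compromised server.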

    Another place to look is in your current theme directory. There is a header php file that has likely been hacked as well. That’s what happened to me – even after I replaced all the old files with new ones, I still saw the message. Once I replaced the theme header file from a backup, it was restored.

    Hit me on a Hostpapa site, too.

    As a footnote, for another package and a different attack, one suggestion posted on their forum was to add the following to your php.ini file:

    allow_url_fopen=Off
    allow_url_include=Off
    disable_functions=popen,passthru,escapeshellarg,escapeshellcmd,exec,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system,blob,pfsockopen,stream_get_transports,stream_set_blocking

    If you could discover the IP of the attacker, you could use the deny command in .htaccess like this (just IP samples):

    order allow,deny
    deny from 174.143.11.
    deny from 91.123.195.
    deny from 99.251.104
    allow from all

    Check your logs for recent visitors – the log should show what files were accessed and the IP. If it happened a few days ago, unless you archive your logs, you won’t see anything more than a day or so old. You can download the logs, then add a .txt extension to open them.
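A sketch of the log check suggested in the post above, as an added example that is not part of the original thread. It assumes the downloaded log is in Apache "combined" format; the sample lines are constructed and use documentation-range IP addresses, and the list of expected POST targets is a heuristic to adjust for your own site.

```python
import re
from collections import defaultdict

# Apache "combined" log line (assumed format of the downloaded raw log).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# POST targets a normal WordPress site receives; anything else is worth a look.
EXPECTED_POST = ("/wp-login.php", "/wp-comments-post.php", "/wp-cron.php",
                 "/xmlrpc.php", "/wp-admin/")

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """
203.0.113.7 - - [13/Nov/2012:22:14:05 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Nov/2012:23:01:44 +0000] "POST /wp-content/themes/sixhours/header.php HTTP/1.1" 200 312 "-" "-"
198.51.100.23 - - [13/Nov/2012:23:02:10 +0000] "POST /index.php?x=1 HTTP/1.1" 200 18 "-" "-"
203.0.113.7 - - [14/Nov/2012:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [14/Nov/2012:09:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""


def suspicious_posts(log_text):
    """Group POSTs to unexpected .php files by client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path.endswith(".php") and not path.startswith(EXPECTED_POST):
            hits[m["ip"]].append((m["when"], path, m["status"]))
    return dict(hits)


def deny_lines(hits):
    """Candidate .htaccess lines in the syntax shown in the post above."""
    return ["deny from " + ip for ip in sorted(hits)]


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG)
    for ip, requests in found.items():
        for when, path, status in requests:
            print(ip, when, path, status)
    print("\n".join(deny_lines(found)))
```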

  • The topic ‘Hacked by hacker’ is closed to new replies.