How to Fix a Hacked WordPress Blog with Kdiff3
I normally don't write about technology on my blog, but a lot of WordPress blogs are getting hacked at the moment, so I've made a quick tutorial on how to fix the problem.
Download and install a copy of Kdiff3 for Windows, Linux, or Mac.
Download Your Live Site
Use an FTP program to download your entire WordPress website onto your hard drive.
Get a Clean Copy of WordPress
Log in to your WordPress website and look for your WordPress version number on your dashboard. In the image below, the dashboard shows version 3.2.1:
Then, download a clean copy of WordPress that is the exact same version number as your live website. A list of all WordPress versions can be found here.
Extract the clean version of WordPress on your hard drive like this:
Put Your Two WordPress Folders Next to Each Other
Put your two WordPress folders next to each other. One is a clean installation, and one is the hacked site:
When you start the Kdiff program, you should see a box like this:
In the close-up below, "A" and "B" are the two things that you want to compare. You can either compare individual files, or entire directories (a.k.a. "folders"). In this case, we're going to compare two directories: a set of clean WordPress files, and your hacked site:
Click the "Dir.." button next to "A" and choose the folder on your hard drive where the clean WordPress files are:
Then click the "Dir.." button next to "B" and choose the folder on your hard drive where your hacked site is.
Kdiff should look something like this:
When you click "OK", Kdiff will scan all the files in both folders and compare them:
Interpreting the Results
The colored columns show what is different between the clean WordPress installation and the hacked version:
Black means that a file doesn't exist in that version. In the image above, you can see that files like 123.php and error_log appear in column "B", but not in column "A" (black).
Red means that something is different between the two versions. Expand the directories by clicking on the plus signs next to them:
If you see weird files in your hacked WP site that are not in the core, double-click on the filename to examine the contents of the file. Search Google for the filename, or for some of the code that the file contains.
Running Diff on Plugins and Themes
Unfortunately, this diff must also be done for each plugin and theme, not just the WordPress core. It can be time consuming, but it's probably the only way to be sure that you've deleted all the hacked files from the server.
If you have a lot of uploaded content, you may want to run a diff between your current uploads folder and an older, backed-up version of your uploads folder. That way you can find any hidden backdoor files that might have been placed there.
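As an added example (not from the original post, and not part of Kdiff3), here is a small Python script that does the same directory comparison from the command line: it hashes every file under a clean WordPress copy and under your downloaded live site, then lists files that exist only in the live copy (Kdiff3's black entries), only in the clean copy, or whose contents differ (red). The file names and contents created by build_demo_trees are constructed sample data; point compare_trees at your own two folders to use it for real.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_dir, live_dir):
    """Classify files the way Kdiff3's columns do: missing on one side, or differing."""
    clean, live = tree_hashes(clean_dir), tree_hashes(live_dir)
    both = clean.keys() & live.keys()
    return {
        "only_in_live": sorted(live.keys() - clean.keys()),   # black in column A: review these
        "only_in_clean": sorted(clean.keys() - live.keys()),  # black in column B: missing core files
        "modified": sorted(p for p in both if clean[p] != live[p]),  # red: contents differ
    }

def build_demo_trees():
    """Constructed sample data: a tiny 'clean' core and a 'live' copy with one added
    file, one stray log file and one edited core file, mirroring the screenshot above."""
    base = Path(tempfile.mkdtemp())
    files = {"index.php": "<?php require 'wp-blog-header.php';\n",
             "wp-includes/version.php": "<?php $wp_version = '3.2.1';\n"}
    for side in ("clean", "live"):
        for rel, body in files.items():
            path = base / side / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    live = base / "live"
    (live / "123.php").write_text("<?php /* constructed: not part of core */\n")
    (live / "error_log").write_text("PHP Warning: constructed sample log line\n")
    with open(live / "index.php", "a") as f:
        f.write("// constructed modification appended to a core file\n")
    return base / "clean", live

if __name__ == "__main__":
    clean, live = build_demo_trees()
    for kind, paths in compare_trees(clean, live).items():
        print(kind, paths)
```

Anything under "modified" should be compared against the clean file before you decide whether it is a legitimate local change or an injected one.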
Fixing the Site
First, backup your site and database. :)
Once you have identified the names of the new hacked files, you can delete them on the server. Don't delete essential files; only delete ones that don't appear in the clean WordPress folder, your plugins folder, or your themes folder. If you're not sure which files are your own custom files and which are the hacked files, don't delete anything, but have a PHP-savvy person help you out. Or leave a comment below. :)
Then upgrade WordPress so that all the core files are overwritten.
If you have any questions, please leave a comment below.