
How to Fix a Hacked WordPress Blog with Kdiff3


Posted on 24 August 2011

I normally don't write about technology on my blog, but a lot of WordPress blogs are getting hacked at the moment, so I've made a quick tutorial on how to fix the problem.

Get Kdiff3

Download and install a copy of Kdiff3 for Windows, Linux, or Mac.

Download Your Live Site

Use an FTP program to download your entire WordPress website onto your hard drive.

Get a Clean Copy of WordPress

Log in to your WordPress website and look for your WordPress version number on your dashboard. In the image below, the dashboard shows version 3.2.1:

[Image: WordPress version number]

Then, download a clean copy of WordPress that is the exact same version number as your live website. A list of all WordPress versions can be found here.

Extract the clean version of WordPress on your hard drive like this:

[Image: New copy of WordPress]

Put Your Two WordPress Folders Next to Each Other

Put your two WordPress folders next to each other. One is a clean installation, and one is the hacked site:

[Image: two-directories-1.png]

Running Kdiff

When you start the Kdiff3 program, you should see a box like this:

[Image: kdiff3 1]

In the close-up below, "A" and "B" are the two things that you want to compare. You can compare either individual files or entire directories (a.k.a. "folders"). In this case, we're going to compare two directories: a set of clean WordPress files, and your hacked site:

[Image: kdiff3 2]

Click the "Dir.." button next to "A" and choose the folder on your hard drive where the clean WordPress files are:

[Image: kdiff3 3]

Then click the "Dir.." button next to "B" and choose the folder on your hard drive where your hacked site is.

[Image: two-directories.png]

Kdiff3 should look something like this:

[Image: folders-a-and-b.png]

When you click "OK", Kdiff3 will scan all the files in both folders and compare them:

[Image: diff-summary.png]

Interpreting the Results

The colored columns show what is different between the clean WordPress installation and the hacked version:

[Image: diff_0.png]

Black means that a file doesn't exist in that version. In the image above, you can see that files like 123.php and error_log appear in column "B" but not in column "A", which is shown in black. Files that exist only on the live site and not in the clean download are the first place to look.

Red means that a file exists in both versions but its contents differ. Expand the directories by clicking on the plus signs next to them:

[Image: wp-directories.png]

If you see unfamiliar files in your hacked WP site that are not in the clean core, double-click on the filename to examine the contents of the file. Search Google for the filename, or for some of the code that the file contains.

Running Diff on Plugins and Themes

Unfortunately, this comparison must also be done for each plugin and theme, not just the WordPress core. For each one, download the same version you have installed from its official source, just as you did for the core, and compare it against the copy on your site. It can be time consuming, but it's probably the only way to be sure that you've found all the hacked files on the server.

If you have a lot of uploaded content, you may want to run a diff between your current uploads folder and an older, known-good backup of your uploads folder. That way you can find any hidden backdoor files that might have been placed there.
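The directory comparison that Kdiff3 does in the screenshots above can also be scripted, which helps when you have to repeat it for the core, every plugin and theme, and the uploads folder. The following is an added example written for this post; it is not Kdiff3's code or part of the original article. It hashes every file in a clean tree ("A") and a live tree ("B") and sorts the results into the same buckets the post describes: files only in the clean copy, files only on the live site (Kdiff3's black column), and files present in both but with different contents (the red column). The EXPECTED_SITE_ONLY list is an assumption that a real site legitimately adds wp-config.php, .htaccess and an uploads folder on top of a clean download; the build_demo function creates two small constructed trees so the script runs offline.

```python
"""Directory comparison in the spirit of Kdiff3's directory mode.

Added example, not part of the original post or of Kdiff3 itself.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Paths a real site is expected to add on top of a clean WordPress download.
# They are reported separately so that legitimate site files are not mixed in
# with files that an attacker dropped onto the server. (Assumed list; extend
# it for your own custom themes, plugins and uploads.)
EXPECTED_SITE_ONLY = ("wp-config.php", ".htaccess", "wp-content/uploads/")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (as a POSIX relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = sha256_of(full)
    return digests


def is_expected(rel: str) -> bool:
    """True if rel is a site-specific file we expect to be absent from a clean copy."""
    return any(rel == p or (p.endswith("/") and rel.startswith(p))
               for p in EXPECTED_SITE_ONLY)


def compare_trees(clean_dir, live_dir) -> dict:
    """Compare A (clean) with B (live); every bucket is a sorted list of paths."""
    a = hash_tree(Path(clean_dir))
    b = hash_tree(Path(live_dir))
    only_in_b = set(b) - set(a)
    return {
        "only_in_clean": sorted(set(a) - set(b)),          # missing on the live site
        "only_in_live": sorted(p for p in only_in_b if not is_expected(p)),  # black column
        "expected_site_files": sorted(p for p in only_in_b if is_expected(p)),
        "modified": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),   # red column
    }


def report(result: dict) -> str:
    """Render the buckets as plain text, one path per line."""
    lines = []
    for bucket, paths in result.items():
        lines.append(f"{bucket}:")
        lines.extend(f"  {p}" for p in paths) if paths else lines.append("  (none)")
    return "\n".join(lines)


def build_demo() -> tuple:
    """Create two small constructed trees mirroring the post's screenshots."""
    base = Path(tempfile.mkdtemp(prefix="wpdiff_"))
    clean, live = base / "wordpress-clean", base / "site-live"
    shared = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-load.php": "<?php // constructed stand-in for the loader\n",
        "wp-content/plugins/hello.php": "<?php // constructed stand-in for Hello Dolly\n",
    }
    for rel, body in shared.items():
        for root in (clean, live):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Live-only files: one legitimate site file and two unexplained additions,
    # named after the files the post's screenshot shows in column "B".
    (live / "wp-config.php").write_text("<?php // constructed site config\n")
    (live / "123.php").write_text("<?php // constructed stand-in for an unknown file\n")
    (live / "error_log").write_text("constructed sample log line\n")
    # A core file whose contents were changed on the live site (Kdiff3 shows it red).
    (live / "index.php").write_text("<?php require 'wp-blog-header.php'; // altered\n")
    return str(clean), str(live)


if __name__ == "__main__":
    print(report(compare_trees(*build_demo())))
```

Point compare_trees at your real "wordpress-clean" and downloaded site folders to get the same three lists Kdiff3 shows; anything in only_in_live or modified is what to open and inspect, while expected_site_files holds the files you would not expect a clean download to contain anyway.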

Fixing the Site

First, back up your site and database. :)

Once you have identified the names of the new hacked files, you can delete them on the server. Delete only files that don't appear in the clean WordPress folder, your plugins folder, or your themes folder; don't delete essential files. If you're not sure which files are your own custom files and which are the hacked files, don't delete anything, but have a PHP-savvy person help you out. Or leave a comment below. :)

Then upgrade WordPress so that all the core files are overwritten. This replaces any core file that the comparison showed in red with a clean copy.

If you have any questions, please leave a comment below.

HELP!! my WordPress blog got hacked by some idiots. ;'(


Sorry to hear that. It looks like you might be able to fix it by uploading your original index.php file.
