Hacked Wordpress website /Homepage redirect

I am very sorry about the length of the post, please bear with me as I am going to try and list everything I've done so far.

I am dealing with a hacked WordPress site which had been left without updates for quite a while now and the passwords were weak.. Also, no backups. The website uses Enfold Theme.

So here goes!

  • I've deleted most of the plugins. Among the ones that remain are Fastest cache, which was there, plus a few security plugins which I've installed. There are a few others that are important for the front-end; I deleted them but had things disappearing, so ended up putting them back.
  • Updated all remaining outdated plugins and installed latest WordPress version.
  • Deleted one of the two admins and changed the other admin to subscriber with a 16-digit secure password. I am the only one with admin access right now and no-one has been able to log in apart from me for the past 2 days.
  • Changed salts.
  • Installed Wordfence and scanned the website. Website also had WP Security installed. I also have installed Anti Malware and Exploit scanner.
  • created a backup of the website.
  • Scanned the website with several external scanners. The website seems ok, but there are some spam posts which I'll get to shortly.
  • I uploaded a php file to the web root to check for base64_decode | edoced_46esab | preg_replace | HTTP_REFERER | HTTP_USER_AGENT. All these mostly get false positives. I also checked with the hosting company who performed their own tests and they said the same.

The website has been hacked for quite a while now (about a year!) by more than one person.

They guessed both the admin passwords and they created a lot of spammy posts with fake links. I found some plugins installed, that allowed admin users to access and change the site's files directly and another plugin that allowed anyone to write PHP code directly...I deleted all these plugins of course and most of the spammy posts, at least the ones that are visible through the admin panel.

Now to the problem.

Even though I deleted the spammy posts they keep on appearing in the site's homepage. The real homepage has a permalink of www.mywebsite.com/home.

I checked its root and it gives me /themes/enfold/template-builder.php, whereas the spammy homepage gives me /themes/enfold/index.php.

I have tried to find the Wordpress settings for the static homepage but it is not there..

I've also tried to change this setting from Enfold's settings. The Enfold has a setting to select pages for your homepage, but the website's pages are posts, so Enfold doesn't find anything to show me.

The Wordpress Settings --> Reading doesn't give me any options to choose from. I've also tried to see if there are options in the Customise area and there aren't any either.

So I accessed the database and found all these posts. There are 18 Homepages in there, most of them revisions.

One of them has post_status set to publish and the others are post_status set to inherit. Now the published one links to www.example.com/?page_id=2, its menu_order is 0 and post_parent is 0.

My questions are:

  • What is the safest way of deleting these posts from the database?
  • Can I retrieve some other posts from the database which are not visible in admin panel?
  • Should I set the Homepage I want by setting its link to www.example.com/?page_id=2, its status to publish and menu_order to 0, or maybe should I redirect using PHP and if yes, how?

I failed to mention that .htaccess and wp-config seem fine with no redirects or rewrites (hosting company double-checked).

Also, I am not sure if this metaboxhidden_page has something to do with the redirect

//add_action('avia_backend_theme_activation', 'avia_show_menu_description');
function avia_show_menu_description()
{
    global $current_user;
    get_currentuserinfo();
    $old_meta_data = $meta_data = get_user_meta($current_user-ID, 'metaboxhidden_page', true);

    if(is_array($meta_data)  isset($meta_data[0]))
    {
        $key = array_search('postexcerpt', $meta_data);

        if($key !== false)
        {
            unset($meta_data[$key]);
            update_user_meta( $current_user-ID, 'metaboxhidden_page', $meta_data, $old_meta_data );
        }
    }
    else
    {
            update_user_meta( $current_user-ID, 'metaboxhidden_page', array('postcustom', 'commentstatusdiv', 'commentsdiv', 'slugdiv', 'authordiv', 'revisionsdiv') );
    }
}

Topic hacked mysql php Wordpress

Category Web

1
answered at

It's a waste of time to be working on a WordPress site or any web files that have been compromised.

The proper way to handle a WordPress website is to always make a backup of the database, setup a new install of WP on a fresh new server, migrate the database over and start over.

Professionals like myself don't even bother with trying to clean up a compromised site, why would you?

Also, if you are using a VPS, which you should be unless you are using AWS, you need to hire someone to either do what I am about to share or teach you to do what I am about to share.

You need to learn proper file permissions on a Linux VPS going forward. If you are working in the world of WordPress site development, you should have this by your side: https://wordpress.org/support/article/hardening-wordpress/

  • You need to secure SSH using SSH Key Authentication
  • Setup and configure the server firewall
  • Harden and Optimize Apache web server
  • Optimize MySQL
  • Optimize and Harden PHP
  • Conduct or hire someone for basic server administration
  • Have that person you hired teach you basic WordPress security checklist

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.