You hoped you’d never get here. Your WordPress blog was hacked, and all the easy quick clean up methods didn’t work.
It looks like you have to trash the database and start again. Gulp.
If you have some technical skills, you can get through this without the help of a developer. Here are the steps I take when rebuilding a blog from scratch.
Before I begin, I want to say that this other post is a great resource if you cannot even access your dashboard. It gives instructions for getting into your database through your host provider.
However, if that is the case, you may want to call in the big guns anyway!
It is possible that you have a backup from before the infection that you can use, but with malware it’s difficult to pinpoint exactly where the infection is located. Like cancer, if you miss one line of rogue code, you could end up in the same spot again. That said, if you really don’t want to rebuild, you can try downloading your entire directory onto your computer and run anti-virus software to try to pinpoint the infection. But at that point, you are really doing a web developer’s job, and you need experience to successfully get rid of all the malicious code.
So who is this tutorial for? People with malware infections that can still access their dashboard. This tutorial will save ALL your content, pages, posts, comments, and images, but will require you to rebuild your design (on some level) and create a new database.
You’ll need a few tools. Before you start, download two different programs: Avast Anti-virus software and Filezilla. One is an FTP program that helps you easily and quickly transfer files, and one will scan your files for infections.
1. Log into your WP account. Using a screenshot capture option, take pictures of any style settings, widget options, etc. You’ll have to rebuild all that and it’s easier if you have something to help you remember.
2. Copy any custom html codes and stick them in a text edit file where you can easily grab them again. If you have a lot of css styling, copy the codes and save them in separate text edit files.
3. Go to Tools and Export, and then export all your content.
4. Open your Avast Anti-virus software and run a custom scan on the xml file you just downloaded. Make sure it’s clean.
5. Take some screenshots of the outside of your blog to remember the look.
6. Now open your Filezilla application. You’ll need to connect to your host via FTP to grab your uploads folders. These folders contain all the images and attachments you used for the life of the blog. In order to connect to the FTP, you’ll need to login to your host account and find the proper credentials. If you’ve never set up an FTP account, your host provider can help you. You’ll need a username, password, the domain name or IP address, and a port number (usually 21).
7. Once you have those credentials, connect your filezilla to your host server. You’ll see the files on the left and right. The ones on the right are the files on your server. The ones on the left are the files on your local computer.
8. To find the uploads folder on your server, you want to look in Wp-content/uploads. There will be a file folder for each year of your blog. Right click on each YEAR folder and choose download (that way, all the subfolders will automatically come along with it). These files will download onto your hard drive (and it could take quite a while if you have a lot of images). Make sure you choose where on your hard drive you want it. You select this by highlighting the correct folder on the left.
9. Once they are on your computer, run those folders through an Avast scan to make sure they are clean and not infected with malware.
By this step, you should have codes copied, screenshots, your exported content, and your uploads folders all on your hard drive.
Now it’s time to do the dirty deed– deleting your site.
10. Login to your host provider and locate the file manager. Go to your Application installs and find your WordPress database. Find the option that says uninstall application. Close your eyes, take a swig of whiskey, and hit uninstall.
11. Once it’s done, go into your file manager and get rid of any excess files that were left behind (and there are usually a fair amount). If you are afraid to delete them, just create a new folder and stick them all in there.
12. Now you are at square one again. You have your domain name and hosting package, but nothing else.
14. When you are satisfied with the look and feel of your blog, go to tools and import, and grab the xml file you downloaded in step 3. When it asks you what user to attribute it to, just use the admin one you created during the WordPress install.
15. Do not click download and install image imports (since it won’t work).
16. By this point, your blog should be back up and running, with the exception of the images. All your pages, posts, and comments should be back with big broken link boxes where the images should be.
17. Open your Filezilla again and log into your server. You’ll want to go to the WP-Content, Uploads folder again (on the right). You’ll see files with the years listed on them. Rename or delete those files (since you will be uploading your own).
18. On the left side of the filezilla screen, find the uploads folders (2012, 2013, etc.). Click and drag them into the uploads folder on the server. Now wait (maybe for a while).
19. Once the files have finished transferring, go to the outside of your blog. You should see that all the broken image links are back! If they aren’t, it could be because you installed it into the wrong directory. With WordPress, images are stored by year. Here’s the path wp-content/uploads/2013/02/img. There are folders for each year, and then subfolders for each month, and then the images are tucked inside. Double check you have them in the right spot.
20. Open a new tab and go to Sucuri.net. Type in your URL and run a scan. It should come back verified clean. Just remember, if you’d used that scan during the infection, Sucuri might pull up a cached result page showing your site is still infected (when it isn’t). Just to be sure, hit the re-scan button at the bottom and it will pull a fresh page.
Phew. You did it! You rebuilt your site from scratch after a malware attack. Now to make sure this doesn’t happen again, you’ll need to remember several things about WordPress vulnerabilities.
1. Make a STRONG password.
2. Do not install plugins that aren’t absolutely necessary for the functionality of your site.
3. Keep everything up to date as quickly as possible.
4. Use a site monitoring service to keep watch over your website/s.
Sometimes malware doesn’t require a full do-over. In many cases, getting rid of plugins or a theme, plus reinstalling the WordPress software through the dashboard is enough. Consult with a website developer to determine if you really need to start over. There are also sites (like Sucuri) which will clean out infections that are simple to find. However, you will have to pay for these services. Sometimes, infections are so bad, starting over is the only (and best) option.