Site-Recovery

There is life after destruction of your hard work.

If you arrived here directly, you would have missed the two MUST DO’s at the top of the list of “to-do’s”:

  1. Run a full system scan on your machine using a competent AV. You need to start with a clean “board”. The system recommended here is Bitdefender Total Security.
  2. Then, run a malware detector on your machine. The suggestion is the Malwarebytes free scanner.
    These will ensure your machine is clean.

OK, next is to review any backups, but don’t rush in just yet. Make a note of the dates of your more recent backups.

A note to your ISP explaining that your site has been hacked will most likely get an offer of assistance, and at the very least will alert the hosting provider that there is a potential threat on their server.

Now take a look at your wp-admin – if you are locked out, don’t worry, there is a fix – see CPANEL, below.

In your WP dashboard, first check whether you need to update the WordPress installation – if so, just do it NOW.
Then take a look at your posts listing. Most likely the rat has changed your first post to display their message of how immature they are. Delete this. Do a search of the list of posts for “hacked” or similar – if there, to the fire it goes.
Check also “Settings/General” and change back the blog title and tagline. Also, check “Settings/Reading” and make sure the Front Page displays are as you want – i.e. either posts or a static page such as a home page (if you have one).

Now the messy stuff.

Open Plugins and update all your plugins. Chances are some of your plugins have vulnerabilities too, so take a few minutes and check out the article by Wordfence – it can be a gamechanger.

It is OK to remove plugins you don’t currently use. The fewer plugins just sitting, the better, IMHO.

Check your Themes – bet there are a few you don’t use – we suggest you remove the unused ones, and update all others needing such treatment.

Now, assuming you have control of your web dashboard, check into Plugins and hit “install new”. On the WP plugins listing type wordfence in the search box, read the description and if you are happy with that, click the “install” button. All going well, you will then see the “install” button change to “activate” – click it!

A word about Wordfence – you can either get the folks at Wordfence to repair your site for a fee including a year subscription to their Premier wordfence, or do the hard stuff yourself. As a multiple site owner, the financial math came down to DIY, and hence this article.  Support for DIY (Community) is very good via the wordpress.org forum.

Now find the Wordfence name in the LHS column of your dashboard, and click on the Wordfence dashboard. At the top there will be a message to do the settings for installation; click and follow through. Along this path you will confirm the system your website is on (if not sure, check with your ISP, but the auto-detect has worked well for me), BUT before you confirm that, copy and paste to notepad the short bit of code in the box just below the system set-up info box. You will need that code if the setup does not manage to write to your cpanel. The code would go in .user.ini in the root of your site.

Assuming all is installed and no warnings, click the wordfence firewall link and activate.

options selected include

Now back to wordfence directory and click Options.  Take a look at the list (we suggest you don’t select the “High Sensitivity scan”).  You will build this as your experience grows. Scanning for plugins and themes will warn you if there are issues here.

OK, time for a Scan – wordfence/scan, and check the result. List at bottom for your attention.  When all repaired/removed, run the scan again, to be sure.

Hackers often try to gain access via comments, inserting code within your site. The best defense for this is WP-Spamshield. Go to “install plugin” and use the search box to find WP-Spamshield. Install and activate, as we did for wordfence. Open WP-Spamshield and check the settings.

Given you have access to your website dashboard, following these suggestions will help a lot to protect your hard work, but there is more to be done. Now we really get “down and dirty” – cpanel!

 

CPANEL

The first time I went into cpanel the words “abandon hope all ye that enter here” sprang to mind, but fortunately, Dante’s Inferno did not happen.

If you could not access your blog dashboard, then begin here!

If you do not have your codes to enter cpanel, ask your ISP – remember how we let him/her know we had a problem.  Now the courtesy will be repaid with (hopefully) a prompt response and perhaps an offer of assistance. You will need the cpanel user name and password to open cpanel.

OK, we are inside the website system: take a run over the site root folder and file listings but change nothing! The only exception is if you find a file “xxx.htm” or such: note the date of it and its size (often 4.75mb), then delete it to destruction! If it exists, then it will be elsewhere in your files, so now click on Public_html and see your website files.
First, look at your files/folders and see if there is either an expected range of dates and file sizes, or, for a first look, files all the same size.

A common file size the hackers use is around 4.75k. If you have it, then check through all your files and it will have replaced the lot – now about that backup …..
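
One way to do that first look on a copy of the site downloaded to your machine, as an added example that is not part of the original article: it groups files by size, confirms with SHA-256 which same-size files are byte-for-byte identical, and lists files changed on or after a date you give. The function names and the threshold of five files are assumptions.

```python
import hashlib
import os
import sys
from collections import defaultdict
from datetime import datetime

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage(root, since, min_cluster=5):
    """Return (clones, recent): clones maps (size, sha256) to paths whose content is
    identical under min_cluster or more names; recent lists paths modified on or after since."""
    by_size, recent = defaultdict(list), []
    cutoff = since.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue                      # unreadable file: skip it
            if st.st_size:                    # ignore empty files
                by_size[st.st_size].append(path)
            if st.st_mtime >= cutoff:
                recent.append(path)
    clones = defaultdict(list)
    for size, paths in by_size.items():
        if len(paths) >= min_cluster:         # same size: now compare content
            for path in paths:
                clones[(size, sha256_of(path))].append(path)
    clones = {k: sorted(v) for k, v in clones.items() if len(v) >= min_cluster}
    return clones, sorted(recent)

if __name__ == "__main__":
    # Usage: python triage.py <local copy of public_html> <YYYY-MM-DD>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    since = datetime.strptime(sys.argv[2] if len(sys.argv) > 2 else "2000-01-01", "%Y-%m-%d")
    clones, recent = triage(root, since)
    for (size, digest), paths in clones.items():
        print(f"{len(paths)} identical files of {size} bytes (sha256 {digest[:12]})")
    print(f"{len(recent)} files modified on or after {since:%Y-%m-%d}")
```

A large group of identical files under different names matches the overwritten-site pattern described above; the date list helps you pick a backup made before the earliest change.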

At this point, prayer is not enough if the only backup you have is dated after the date of the hacked files.  If you have a backup date prior to this invasion, then either ask your ISP to clear the site and install the backup, or clear it yourself – all affected folders and files. Delete to destruction – do not keep in trash “just in case”.

Only exception will be an unaffected .htaccess file and wp-config.php (but my guess would be they have wrecked them also).

If .htaccess and wp-config.php are damaged, delete. Templates for rebuilding can be found here, or use the copies you did download as part of maintenance and protection – you did, didn’t you?
In the meantime use notepad and make a temporary .htaccess file containing just this: (copy and paste)

<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>

Notepad will only accept a file name of htaccess, so once you have uploaded the file to cpanel (use the cpanel upload link) change the name to .htaccess.
This denies all web requests to the folder, which prevents the latest exploit of capturing websites when they are most vulnerable – at the beginning of installation.

Now, either have your ISP restore or install (as the case may warrant) your WP site, or use an ftp program such as Filezilla (Filezilla Client) to upload the unzipped wordpress.

OK, so we now have all your wordpress files back, on-site – well, almost all.

Remember the .htaccess and wp-config.php files?  If you have them as backup copies, great, filezilla them to your site.
Let filezilla replace that abbreviated .htaccess file with your good one.
You should be good to go, then. Remember to save your htaccess file in a safe place.

If you need to rebuild your .htaccess and wp-config.php files, follow these steps.

  1. .htaccess file – copy the file content from the templates and paste into notepad, add the extra lines to preface the general content, to force https.
    – Remember to change “www.example.com” to your domain name.
  2. Save your new file on your machine as htaccess – notepad does not like a new file name of .htaccess.
  3. Now upload to your site under public_html, or the directory where you are replacing the damaged site.
  4. At the work site, change the name of the existing .htaccess to xhtaccess (or such), then rename your new file to .htaccess – done!  Delete your old file.

wp-config.php will require a bit more work, so let’s start.
Going to your unzipped wordpress folder, open wp-config-sample.php in notepad. You will get this:

<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don’t have to use the web site, you can
* copy this file to “wp-config.php” and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Yep, for first-timers – time to panic! No, truly, all we need do is be methodical and follow instructions, here – a backup copy really is a good idea, huh!
We will be using processes within cpanel, so just follow the directions, and all will be well.
If you have your webhost on-side, then host can provide you the fill-in values, or might even do it for you.  For the rest of us, it’s off to the coal-face.

Section: 1
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

Go to cpanel > phpmyadmin and look at the databases listed in the left column.
Only one – great. Make a note of the name and enter it into wp-config, between the single-quote marks.
More than one? If you don’t know what’s what, open a database listing – a drop-down menu appears.
Select a listing such as ‘options’ or ‘site’ and see if it refers to your site – got it – enter the database name into your wp-config.php file in notepad.

Section: 2
/** MySQL database username */
define('DB_USER', 'username_here');

If you know the username used, put it between the single-quote marks.

No idea? Back to cpanel, open a fresh tab for Mysqldatabases (right click, open new tab), then look at the top end of the page.

The first column has a listing of databases. You would have identified your database in section 1, above.
2 columns across, you have “privileged users”. Click on the user associated with your database. You now have the permissions page. Make sure the “all privileges” box is ticked.
Click the “make changes” box at the bottom, then back arrow to the database page again.
Scroll down to the bottom of the database page where you will find your user name. Click the “change password key” and use a computer-generated password code.
Important – copy and paste this code to a secure location, then click the “use password” box.
At this point you will be signed out of wordpress, if you had it running, but now all we need do is insert our new password into our wp-config.php file, in the DB_PASSWORD line that follows the DB_USER line of “section 2”.

The next section we need to work on is

Section: 3

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

Go back to phpmyadmin and look at the left-hand column index of tables for your database.

The common garden variety of prefix is wp_ but it can be anything that was created at first install, so make a note of what it is, then copy it into “$table_prefix =” if you need to.

Section: 4

Above the line define('WP_DEBUG', false); insert the following:

define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');

Change example.com to your domain. These values then take precedence over the site address stored in the database, which will prevent hackers from redirecting your site by changing it there, should they manage to crash your party again.

Then insert the following line to complement the https instruction in .htaccess

define('FORCE_SSL_ADMIN', true);

Save your new wp-config.php in the folder you have for your website on your machine. Save as wp-config.php
This will be your backup copy so you don’t need to do this work again.
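
Before uploading, the rebuilt file can be checked for the mistakes this procedure invites. The following is an added example, not part of the original article or of WordPress: it flags curly quotes pasted from a web page, sample values left in place, keys and salts that are missing or repeated, and missing https settings. The function name and the constructed SAMPLE text are assumptions.

```python
import re
import sys

CURLY = "\u2018\u2019\u201c\u201d"           # typographic quotes PHP cannot parse
PLACEHOLDERS = ("database_name_here", "username_here", "password_here",
                "put your unique phrase here", "example.com")
KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(\w+))\s*\)")
# Constructed sample: a line pasted from a web page, its quotes turned curly.
SAMPLE = "define(\u2018DB_NAME\u2019, \u2018database_name_here\u2019);\n$table_prefix = 'wp_';\n"

def check_wp_config(text):
    """Return a list of problems found in the text of a rebuilt wp-config.php."""
    problems, values = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        code = line.strip()
        if code.startswith(("*", "/*", "//")):
            continue                          # comment lines may contain anything
        if any(ch in code for ch in CURLY):
            problems.append(f"line {n}: curly quote in code")
        m = DEFINE.search(code)
        if m:
            values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    for name, value in values.items():
        if any(p in value for p in PLACEHOLDERS):
            problems.append(f"{name}: placeholder value left in place")
    salts = [values.get(k) for k in KEYS]
    if None in salts or len(set(salts)) != len(KEYS):
        problems.append("keys and salts: need eight defined, all different")
    for name in ("WP_HOME", "WP_SITEURL"):
        if not values.get(name, "").startswith("https://"):
            problems.append(f"{name}: missing or not https")
    if values.get("FORCE_SSL_ADMIN") != "true":
        problems.append("FORCE_SSL_ADMIN: not set to true")
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    if not m or not re.fullmatch(r"[A-Za-z0-9_]+", m.group(1)):
        problems.append("$table_prefix: missing or not letters, numbers, underscores")
    return problems

if __name__ == "__main__":
    # Usage: python check_wp_config.py wp-config.php (no argument checks SAMPLE)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(check_wp_config(text)) or "no problems found")
```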

Using filezilla, upload to your site location where you have installed wordpress.

Last things (or first, as you wish).

  • Check the users table in phpmyadmin.
    We suggest you change the password, especially if you have to change the “user” back to your name.
    Use a pass-phrase you are able to remember (write it down), then when all is finished, click on “user_pass”, scroll down to MD5, and select.
    Now hit the GO button, bottom right. This will store your password as an MD5 hash rather than as plain text. You can change the password in WordPress, once you are up and running.
  • Authentication Unique Keys and Salts. You will have seen this section. You can replace the “define” sections here with new keys from
    https://api.wordpress.org/secret-key/1.1/salt/

 

Well done, but don’t sit back, just yet.

You have a raw new site and we need to apply security plugins – see next post – securing your site.
