Wordpress index files hacked - how to remove hackers message

[rosetrees]

I just answered a thread about this - but it's disappeared. I'm not sure why, so if this is also inappropriate I'll understand if it gets deleted.

The poster was asking how to replace corrupt index.php files in Wordpress.

This is (approximately cos I'm writing it again) the answer I'd just posted before the thread disappeared.

If your Wordpress site is hacked and replaced by a hackers message, it is likely that it is the index.php files that have been changed.

This is what I did when it happened to me.

1) Do a fresh installation of Wordpress in a new directory. This will contain a set of working index.php files (and at one level an index-extra.php file)

2) Use your ftp software to connect to this new installation and download the fresh index.php files to your computer. Rename them as you go so you know where they came from.

3) Now use your ftp software to connect to the hacked site. You will need to do a bit of exploring in both step 2) and this step to find all the files.

4) You should be able to tell which index files have been hacked from their dates.

5) Use your ftp software to upload the appropriate, fresh index file from your computer. Delete the hacked file and then rename the one you uploaded back to index.php

That should, I hope (!!!) cure the problem. If you still see a hacking message, it is likely that you missed an index file somewhere.

Hope this helps someone.

Carol

[markshields]

I certainly hope it does not happen to my blog

[Istvan Horvath]

I don't really see the need for a second installation.

When you download and unzip the WP package on your computer - you have all the files, including the index files, in unaltered, clean version. Use those to replace the corrupted files.

In most of the cases the hacked file is the root index which is in your public_html (or whatever the root is on your server: www, htdocs etc.).

If that's all what the hackers did, i.e. modifying your root index file - you were lucky!
Usually, it is more than that: a malicious script in the uploads directory, a MySQL injection, a new "admin" among the users... depending on what kind of security whole did the hackers use.

[rosetrees]

@ pension guy. I install via fantastico - I don't have the original, unzipped version of WP on my computer

[Istvan Horvath]

Quote:

Originally Posted by rosetrees

@ pension guy. I install via fantastico - I don't have the original, unzipped version of WP on my computer

Ah, since I never do that (use Fantastico) I alwasy forget about that "option". I like to be in control.
Still, if you are going to download/upload the files via FTP... wouldn't be simpler to get the WP package on your machine and upload the clean files?
Just wondering why to have an overloaded database with ten WP installs just to change some files? (Because even if you delete the subdirectory where you installed WP, the database tables are still there.)

[rosetrees]

I'm sure you're right - but when my sites were attacked I probably wasn't thinking long term. I was trying not to panic and find a simple, short term fix! This was the answer I came up with in the heat of the moment - and hey, it worked and saved me a fortune as I might have had to turn to drink to drown my sorrows if it had failed.

I don't think I was panicking that much that I installed 10 times. Just once - but I take your point about leaving a redundant database on my server.