My Wordpress site has been HACKED-should I start from scratch?

30 replies
My clickbank page is also sending commissions to another clickbank affiliate.

Should I just clear everything and start again?
  • Profile picture of the author rosetrees
    It might be the quickest way. Start by exporting the database - so you have the content. Uninstall WP - use your ftp software to ensure there is nothing left. Reinstall and import your database. See if that fixes it.
  • Profile picture of the author steve39
    Yes, it might be the quickest way. Just make sure you restore a backup you made before your trouble started if possible - or if the blog is new, maybe cut and save your posts and reinstall a fresh copy.
    • Profile picture of the author rosetrees
      lol Steve 39 - we must be psychic!!
      • Profile picture of the author steve39
        Beat me by a few seconds
  • Profile picture of the author Steve36
    Thanks for your time.

    "restore a backup you made"

    As far as I'm aware, I don't have a back up.

    I think the only way to do it is to delete everything and start again. (I have the articles but that's it.)

    Should I delete EVERYTHING using my ftp program? (just checking)

    Well it took me ages to get this far...but I think I can get it back within a couple of days.


    Oh..unless my host (httpme-advised by coach) can restore my site?

    I have cpanel if that would help the situation in any way?

    Thank you

    Steve
    • Profile picture of the author steve39
      I usually delete and restore something like this completely on my reseller account (delete the entire domain and reinstall) just to make sure. If you don't have a reseller account, maybe your host can do this for you. Alternatively, you might be able to get them to restore the site back to before things went bad - depending on how long ago that was and how long your host keeps their backups.
      • Profile picture of the author Steve36
        Originally Posted by steve39

        I usually delete and restore something like this completely on my reseller account (delete the entire domain and reinstall) just to make sure. If you don't have a reseller account, maybe your host can do this for you. Alternatively, you might be able to get them to restore the site back to before things went bad - depending on how long ago that was and how long your host keeps their backups.

        Httpme are currently looking into it.

        I told clickbank 36 hours ago and still haven't heard anything...I emailed httpme and got a reply within 10 min. Their customer service rocks!

        Fingers crossed! I don't know how long my site has been hacked for. And I don't know what caused it either...:confused:

        Thanks for your help

        Steve
  • Profile picture of the author Abledragon
    Sorry to hear that - that's a real bummer.

    Certainly deleting and re-installing will fix the problem and if you have all your posts on your PC you can re-publish those. Sometimes hackers get into the database so if you don't know when it was hacked re-publishing your posts would be safer.

    Remember to ask Google to re-crawl and re-index your site once you're all set up. Depending on their crawl schedule they may have crawled your hacked site and scrubbed it from their indexes. You can do that through Google Webmaster's Tools.

    Also, once you're up and running again this article may help to prevent a repetition:

    http://www.wealthydragon.com/blog/20...ten-left-open/

    Cheers,

    Martin.
  • Profile picture of the author TheRichJerksNet
    Do as the above suggest and once you're done get your blog secured... 100,000's of blogs are hacked each and every year because people do not take the time to secure them. Wordpress is not going to secure it for you, you must secure your own future and business...

    James
  • Profile picture of the author Steve36
    My host restored my site from the 23 October, all was fine and my affiliate ID was on the clickbank order page. I went to sleep, woke up and checked. My site has been hacked again!!!

    I added a picture last night, is it possible that someone used the picture somehow?

    I changed my wordpress dashboard password but didn't have time to make any other changes to secure the site.

    It seems strange that it was fine last night (restored from Oct 23) yet this morning it has been hacked again.

    Can someone please enlighten me?

    Thank you

    Steve
  • Profile picture of the author Mattkau
    send me the ftp details and i will fix it for you it doesn't have much to do with the wordpress password. i would actually change the ftp password, and restore the site, i can do this manually for you (free as i have been doing a few of these lately at work). but yeh definitely, change password, correct 'hacked' files (it is usually a one liner ... something like base64_encode), change password again ... also some viruses can actually store themselves within the database, and execute that way ... so they are hard to clean ...
    • Profile picture of the author Steve36
      Thank you! I am in a desperate situation. PM sent.

      Thanks again,

      Steve


      Originally Posted by Mattkau

      send me the ftp details and i will fix it for you it doesn't have much to do with the wordpress password. i would actually change the ftp password, and restore the site, i can do this manually for you (free as i have been doing a few of these lately at work). but yeh definitely, change password, correct 'hacked' files (it is usually a one liner ... something like base64_encode), change password again ... also some viruses can actually store themselves within the database, and execute that way ... so they are hard to clean ...
    • Profile picture of the author Steve36
      Originally Posted by Mattkau

      send me the ftp details and i will fix it for you it doesn't have much to do with the wordpress password. i would actually change the ftp password, and restore the site, i can do this manually for you (free as i have been doing a few of these lately at work). but yeh definitely, change password, correct 'hacked' files (it is usually a one liner ... something like base64_encode), change password again ... also some viruses can actually store themselves within the database, and execute that way ... so they are hard to clean ...

      Awaiting reply...
      • Profile picture of the author mavensophie
        if you just move your database: the hacking is in the database... so it is worthless. My blogs were hacked too on hostgator, and I spent some time removing the hack.

        one way to find all the places where there is a hack is in the database by searching... if the actual files were hacked, (one type of iframe hack) then I would find the files that are newer than the last update (wordpress files don't change when you change stuff on your blog) and fix them. If you pm me, I'll take a look for you through teamviewer a free software. that is what I use to help my students. I am a half techie half marketer gal...
  • Profile picture of the author ShaneRQR
    I had something similar with one of my blogs. Something was injecting "eval(lotsofgobbledygookhere)" into my .php files.

    Turns out, it was an exploit known as the "gifimg" exploit.
    I hired a guy on elance to clear everything up for 50 bucks.

    Once you have everything back up and running, make sure you use the BackupDB plugin and WP backup to regularly backup all your relevant files.
  • Profile picture of the author John Romaine
    Before you do ANYTHING you need to diagnose the problem. When you say hacked, what exactly are the symptoms/error messages???
  • Profile picture of the author John Romaine
    Again, unless you correctly diagnose the problem you're only guessing -- in which case you're wasting your time.

    Correctly diagnose the problem THEN fix it.
  • You'd better clean up your local machine. If there is a sniffer, anything you do will be pointless because ftp isn't encrypted. They'll get your password as soon as you change it.

    I'm curious about the Clickbank problem. How did you find out? Was there a different affiliate ID on the order form?
  • Profile picture of the author Steve36
    Thanks to everyone offering their time.

    I have no idea how to isolate the problem.

    I have tried clamxav (free) to check for computer (mac) viruses but found nothing (I can't afford to buy one)
    I have had my host restore my site from a restore point on the 23 October. But it's infected again.

    I noticed the problem when I cleared my cookies and clicked on 'buy now' on my affiliate sales page...at the bottom I saw another affiliate id. It's still there despite 3 emails to clickbank.

    I have used exploit (for wordpress) which located the 'hacking code.'

    I have accepted mattkau's offer for help, (above post) but haven't heard anything from him since his post. I have given him my ftp details.:confused:


    Since I restored my account, the only thing I have done is added a .jpg picture to my site. (just saying in case it matters)


    Here is where I first found the problem: Why is SOMEONE ELSE'S affiliate id on my clickbank page?!!!

    I don't know what to do...
  • Profile picture of the author John Romaine
    As already pointed out, in fact it's been covered numerous times in various threads, if you are FTP'ing to the host, then it's highly likely that your local machine is infected. But again you need to be more specific as to what error messages or symptoms you are experiencing.

    Exactly what do you mean by "hacking code" ???

    If it's an IFRAME injection you need to read this...

    http://www.warriorforum.com/main-int...tml#post999335
    • Profile picture of the author Steve36
      Thanks for your time ramone,

      The only obvious error is the clickbank sales page that has someone else's affiliate name at the bottom.

      I have used exploit for wordpress to scan for a virus etc.
      This is the code it pointed out as possibly malicious.
      These are excerpts of the code it found.
      (I have removed a letter from each piece of code - it would not let me post)


      <div id="extra_fields" style="display: none"></div>1

      eval

      String.fromCharCode

      base64_decod

      visibility:hidde

      uname -

      shell_exe

      YW55cmVzdWx0cy5uZXQ


      Thank you for your help, I will read it as soon as I possibly can.

      Steve


      Originally Posted by ramone_johnny

      As already pointed out, in fact it's been covered numerous times in various threads, if you are FTP'ing to the host, then it's highly likely that your local machine is infected. But again you need to be more specific as to what error messages or symptoms you are experiencing.

      Exactly what do you mean by "hacking code" ???

      If it's an IFRAME injection you need to read this...

      http://www.warriorforum.com/main-int...tml#post999335
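An added example, not code from any poster in this thread: a Python sketch of the two checks described above, flagging files modified after the install (mavensophie's suggestion) and files containing the strings from Steve36's scanner output, then decoding any base64 literal so the hidden text can be read. The function names, the sample tree and the `injected.example.invalid` payload are constructed for illustration.

```python
import base64
import os
import re
import tempfile
import time

# Strings from the scanner output quoted in the thread, with the letters the
# poster removed restored. "eval(" is used instead of bare "eval".
INDICATORS = ("eval(", "base64_decode", "String.fromCharCode",
              "shell_exec", "visibility:hidden")
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def decode_literals(text):
    """Return printable ASCII strings hidden in quoted base64 literals."""
    found = []
    for blob in B64_LITERAL.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
            decoded = raw.decode("ascii")
        except ValueError:  # bad base64 or non-ASCII bytes: not readable text
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


def scan_tree(root, reference_mtime, extensions=(".php", ".js", ".html")):
    """Report files changed after reference_mtime or containing indicators."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [i for i in INDICATORS if i in text]
            changed = os.path.getmtime(path) > reference_mtime
            if changed or hits:
                report[os.path.relpath(path, root)] = {
                    "modified_after_reference": changed,
                    "indicators": hits,
                    "decoded": decode_literals(text) if hits else [],
                }
    return report


def build_sample_site(root):
    """Constructed sample: one untouched file, one with an injected line."""
    install_time = time.time() - 30 * 86400
    clean = os.path.join(root, "wp-load.php")
    with open(clean, "w") as fh:
        fh.write("<?php\nrequire 'wp-settings.php';\n")
    os.utime(clean, (install_time, install_time))
    payload = base64.b64encode(b"echo 'injected.example.invalid';").decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('%s')); ?>\n" % payload)
    return install_time + 3600  # reference time: one hour after the install


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        print(scan_tree(site, build_sample_site(site)))
```

Legitimate plugins and libraries also call some of these functions, so each hit needs a human look rather than automatic deletion; a hit in a file that also changed after the install is the stronger signal.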
  • Profile picture of the author John Romaine
    Without spending too much time investigating this I would firstly check your index files and overwrite those - that's if you are in fact FTP'ing to the site. I don't think you've answered yet regarding this? Are you?

    Secondly, again without knowing more about your actual problem and based on what you have provided here, I'd consider the *possible* chance of your local machine being infected, BUT...

    before you do anything, maybe have a read of this. The code you have provided above appears to be similar.

    WordPress › Support I think my wordpress blog has been hacked-What can I do?

    As a side note - ALWAYS be sure to be running the latest copy of WP - ALWAYS!! Your site will be a sitting duck otherwise. Upgrading WP is a piece of cake.

    Lastly, post your issue and ask for assistance over at the WP support forum. You'll be much more likely to get a better answer over there.

    I wouldn't suggest blowing anything away until you correctly diagnose the issue. Blowing your site away could result in you losing SERP positioning and god knows what else - inbound links to specific pages, bookmarks etc etc ....

    Blowing the site away should only be considered as an absolute LAST option.
    • Profile picture of the author Steve36
      Sorry, I am using an ftp program.
      I have always used the updated version of wordpress. I am having trouble isolating the problem and am debating whether or not to reinstall my OS. As painful as it would be to lose all my info/favourites etc. (I don't know where the infection is) it may be my best option.

      Thank you

      Originally Posted by ramone_johnny

      Without spending too much time investigating this I would firstly check your index files and overwrite those - that's if you are in fact FTP'ing to the site. I don't think you've answered yet regarding this? Are you?

      Secondly, again without knowing more about your actual problem and based on what you have provided here, I'd consider the *possible* chance of your local machine being infected, BUT...

      before you do anything, maybe have a read of this. The code you have provided above appears to be similar.

      WordPress › Support I think my wordpress blog has been hacked-What can I do?

      As a side note - ALWAYS be sure to be running the latest copy of WP - ALWAYS!! Your site will be a sitting duck otherwise. Upgrading WP is a piece of cake.

      Lastly, post your issue and ask for assistance over at the WP support forum. You'll be much more likely to get a better answer over there.

      I wouldn't suggest blowing anything away until you correctly diagnose the issue. Blowing your site away could result in you losing SERP positioning and god knows what else - inbound links to specific pages, bookmarks etc etc ....

      Blowing the site away should only be considered as an absolute LAST option.
      • Profile picture of the author John Romaine
        Originally Posted by Steve36

        Sorry, I am using an ftp program.

        Well my guess is, especially if your site is hacked immediately after restoring it -- is that your local machine is infected.

        I had this issue myself - and it turned out to be a nightmare!
  • Profile picture of the author n7 Studios
    I'll start with the obvious question:
    What version of Wordpress are you using? (i.e. the version number - not 'the latest version')

    There will be one, or a combination of the following, causing your issues:
    - an insecure script (either Wordpress or a third party script or plugin),
    - a file / directory permission security issue on your web hosting,

    This exploited script / file permission / whatever that's sat on your web host is allowing somebody to exploit your web site, and write / amend files on there (i.e. parts of your Wordpress web site) over and over again. They don't need your FTP / cPanel passwords etc (although it's good security practice to change these); an insecure script will allow a hacker the potential to exploit your web site through issuing a specific URL command, or running a script on their own web server.

    This issue isn't because of your Mac:
    - you've virus scanned your Mac, and nothing's been found.
    - your host has restored the site to a previous backup, yet the problem still occurs (you mention having this done, going to bed and the next day finding the problem on your web site again - no mention of you uploading via FTP meantime).

    To fix this problem, you'll need to:
    - take a backup of your database and Wordpress assets (images etc you've uploaded in posts, pages and so on),
    - ensure your Wordpress version is up to date - I appreciate you say you use the updated version, but what version is that?
    - ensure any other scripts are up to date
    - ensure the folders on your web site have the correct permissions (commonly known as CHMOD).

    If you don't know how to do the above, get somebody to do it over at the Warriors for Hire forum.

    And c'mon guys - a thread with 27 replies, and nobody's thought of the above, or asked about the OP's Wordpress version. I think we can do a bit better than that...!
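One way to check the last item on the list above, as an added example that is not from the original post: a Python audit that reports anything looser than an assumed baseline of 755 for directories, 644 for files and 600 for wp-config.php. The thread gives no specific modes, so the baseline, the function names and the sample tree are assumptions.

```python
import os
import stat
import tempfile

# Assumed baseline, not stated in the thread. Adjust to how the host runs PHP.
DIR_MODE = 0o755
FILE_MODE = 0o644
SPECIAL = {"wp-config.php": 0o600}  # holds the database credentials


def audit_permissions(root):
    """Return {relative path: [reasons]} for entries looser than the baseline."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            is_dir = stat.S_ISDIR(info.st_mode)
            allowed = DIR_MODE if is_dir else SPECIAL.get(name, FILE_MODE)
            extra = stat.S_IMODE(info.st_mode) & ~allowed
            reasons = []
            if extra & stat.S_IWOTH:
                reasons.append("world-writable")
            if extra & stat.S_IWGRP:
                reasons.append("group-writable")
            if extra & (stat.S_IRGRP | stat.S_IROTH):
                reasons.append("readable by other accounts")
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            if not is_dir and extra & exec_bits:
                reasons.append("executable bit on a file")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_tree(root):
    """Constructed sample: sane files plus an over-permissive dir and files."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o644),
                       ("xmlrpc.php", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_tree(site)
        for path, reasons in sorted(audit_permissions(site).items()):
            print(path, reasons)
```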
    • Profile picture of the author John Romaine
      Originally Posted by n7 Studios

      I'll start with the obvious question:
      What version of Wordpress are you using? (i.e. the version number - not 'the latest version')

      There will be one, or a combination of the following, causing your issues:
      - an insecure script (either Wordpress or a third party script or plugin),
      - a file / directory permission security issue on your web hosting,

      This exploited script / file permission / whatever that's sat on your web host is allowing somebody to exploit your web site, and write / amend files on there (i.e. parts of your Wordpress web site) over and over again. They don't need your FTP / cPanel passwords etc (although it's good security practice to change these); an insecure script will allow a hacker the potential to exploit your web site through issuing a specific URL command, or running a script on their own web server.

      This issue isn't because of your Mac:
      - you've virus scanned your Mac, and nothing's been found.
      - your host has restored the site to a previous backup, yet the problem still occurs (you mention having this done, going to bed and the next day finding the problem on your web site again - no mention of you uploading via FTP meantime).

      To fix this problem, you'll need to:
      - take a backup of your database and Wordpress assets (images etc you've uploaded in posts, pages and so on),
      - ensure your Wordpress version is up to date - I appreciate you say you use the updated version, but what version is that?
      - ensure any other scripts are up to date
      - ensure the folders on your web site have the correct permissions (commonly known as CHMOD).

      If you don't know how to do the above, get somebody to do it over at the Warriors for Hire forum.

      And c'mon guys - a thread with 27 replies, and nobody's thought of the above, or asked about the OP's Wordpress version. I think we can do a bit better than that...!

      There's a reason why I never went into such detail and that's because the OP probably has NO IDEA what half of your post means.

      ".....you've virus scanned your Mac, and nothing's been found."

      So?

      Dude I spent a good three days on this attempting to rectify the issue which NO AV scanner, spyware or malware app could detect. Everything came back clean. In fact the only way I could overcome the issue and prevent further infection was to blow my machine away and reinstall the OS.

      Every site listed within my FTP application resulted in all my index files being infected. IFRAME injection attacks - which stemmed from an Adobe vulnerability.

      It had nothing to do with usernames or passwords, it was an infection on my local workstation. I could've changed passwords all day long - day in day out.

      I'm not here to argue with you - you've raised valid points, but when you question the assistance given and the way in which it was provided - that's lousy.

      Anyway, I'm outta here. GL.