Detecting and Removing WordPress Hacks

If you use an old version of WordPress without updating it, it might be possible for "hackers" to take advantage of security bugs to modify your site.

This page explains how to detect and fix some common security "exploits" or "hacks". It's mainly useful for Tiger Technologies staff and advanced users who are comfortable with the Unix shell; other users who suspect that their copy of WordPress has been hacked should contact us for assistance.

Removing an extra WordPress username

One widespread WordPress exploit adds an extra unauthorized user named "WordPress" to the database. This can be detected using the mysql command line with:

select * from wp_users where user_registered = '0000-00-00 00:00:00';

If you find such a user, it can be deleted like this, after making a backup of the database:

delete from wp_users where user_registered = '0000-00-00 00:00:00';

Finding files that shouldn't be there

Another common exploit adds files with unusual names, such as names ending in ".php.jpgg".

This shell command, run from the top level of your HTML directory, will identify suspicious names:

find -regextype posix-egrep -regex '.*(wp-info.txt|_new.php|_old.php|php.pngg|php.jpgg|php.giff)'

If that finds any files, examine them to see if they contain suspicious PHP code, particularly code that begins with:

<?php if(md5($_COOKIE....

Such files should be deleted (after making a backup).

Finding files that have been modified

Some WordPress exploits can add new PHP code to certain files that come with WordPress. This shell command, run from the top level of your HTML directory, will identify suspicious code:

egrep -r '(COOKIE.+base64_decode|YW55cmVzdWx0cy5uZXQ|k1b0rg|keymachine.de)' .

Note that this may also find legitimate files. If it shows any matches, examine the matching lines of those files to see if they're legitimate. If they contain malicious code, restore the files from an original unmodified copy.

Removing plugins that shouldn't exist

Another exploit activates fake, malicious WordPress plugins. This can be detected using the mysql command line with:

select * from wp_options where option_name = 'active_plugins' and
    (option_value like '%../%' or option_value like '%/tmp%');

If you find any matches, the plugin that contains "../" or "/tmp" as part of the path is probably malicious. Examine the plugin code. If the plugin is malicious, first delete the malicious file from the disk. Then make WordPress forget about the plugin, by disabling all your plugins with this mysql command (after making a database backup):

delete from wp_options where option_name = 'active_plugins';

Finally, use the WordPress interface to re-enable the legitimate plugins you use.
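The SQL query above only tells you that the active_plugins row matches; to see which individual plugin entries are the bad ones before you delete the row, the serialized value has to be decoded. The following is an added Python example (not part of this page or of WordPress) that parses the PHP serialize() format WordPress uses for active_plugins and flags entries containing "../" or "/tmp"; it also flags absolute paths, since legitimate entries are always relative to wp-content/plugins. The sample value is constructed.

```python
import re

# Constructed example of a wp_options.active_plugins value (PHP serialize()
# output) with two legitimate plugins and one entry pointing into /tmp.
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:18:"../../../tmp/x.php";'
    'i:2;s:15:"hello/hello.php";}'
)


def parse_active_plugins(value: str) -> list[str]:
    """Decode a serialized PHP array of strings into a Python list.

    Only the shape WordPress uses for active_plugins is accepted
    (a:N:{i:K;s:LEN:"...";...}); anything else raises ValueError.
    The s:LEN field is a byte count, so the value is parsed as bytes.
    """
    data = value.encode("utf-8")
    head = re.match(rb'a:(\d+):\{', data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    entry = re.compile(rb'i:\d+;s:(\d+):"')
    for _ in range(count):
        m = entry.match(data, pos)
        if not m:
            raise ValueError(f"unexpected data at byte {pos}")
        length, start = int(m.group(1)), m.end()
        items.append(data[start:start + length].decode("utf-8"))
        pos = start + length
        # The declared length must land exactly on the closing quote;
        # a mismatch means the value was hand-edited or is not PHP output.
        if data[pos:pos + 2] != b'";':
            raise ValueError(f"string length mismatch at byte {pos}")
        pos += 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after array")
    return items


def suspicious_plugins(value: str) -> list[str]:
    """Return active_plugins entries that escape wp-content/plugins."""
    return [p for p in parse_active_plugins(value)
            if "../" in p or "/tmp" in p or p.startswith("/")]


if __name__ == "__main__":
    for plugin in suspicious_plugins(SAMPLE_ACTIVE_PLUGINS):
        print("suspicious active plugin:", plugin)
```

Feed it the option_value column from the query above (for example via `mysql -N -e`) and remove the listed plugin files before clearing the row as described.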