How to Find and Remove Hacked WordPress Files

I have had my fair share of WordPress sites get hacked. Most of these happened several years ago during a time when I was preoccupied with other projects. I had several sites just sitting & collecting dust, which meant that I was neglecting to update them when new versions of WordPress were released.
[Image: “You have been Hacked!” art]

Here's a new video demonstrating how to do this tutorial: How to Find and Remove Hacked WordPress Files

I've said it several times before on this site, and I'll say it again right now: Keeping WordPress up to date is THE most important thing to do if you manage a site. I'm about 99% sure that my sites would have been fine if I had kept them updated. Hindsight is 20/20 though, right?

All in all though, it could have been a lot worse. In my experiences, hackers had access to my whole site (and several other sites on my hosting accounts). They had the ability to do pretty much whatever they wanted to. They could have done something really sneaky and evil, like quietly put some advertising code in that I would have never noticed. They could have installed some kind of malware to infect my visitors. Fortunately for me, all they ever did was replace my index.php (home page) file with their own horrible looking page (yes, they were always ridiculous looking) that announced to the world (or at least my visitors) that they had just hacked my site.

My First Hacked WordPress Site(s)

The first time one of my sites was hacked (SEOlogs.com), I found out within a few hours. Thankfully, someone emailed me to let me know what was going on. Since I knew the approximate time the site was hacked, I could just go through the logs and look for any unusual requests. After a little bit of digging, I was able to find the compromised file.

I used the same method to restore other sites of mine that were hacked, and I always thought it was pretty effective — until a few months ago, when I decided to update SEOlogs.com. It was in dire need of an update and a little TLC. So I moved it to a new better host and gave it a fresh new mobile friendly theme. I even wrote a new post. It was looking pretty good. And then … a few days later … it was hacked.

This was a site running the latest version of WordPress. It had all new FTP and database usernames and passwords, so it should have been secure.

As soon as I found the compromised file/backdoor, I immediately went to look at the original server, and sure enough, that same file was there. It had been there for several years, and I had no idea.

Finding and Removing Hacked WordPress Files

After doing lots of research and testing, I have come up with (I think) a much better method for finding hacked files on WordPress. When I used it on SEOlogs, I was able to find an unbelievable 6 more compromised files that had been there for several years.

The process is a little on the advanced side, so instead of making a long and complicated tutorial, I decided to just convert the new process into a shell script that anyone can copy and use (see below). I'd still consider this an advanced tutorial, but hopefully it will help others out there.

Essentially, what we are doing is carefully going through all of our files, looking for any code that looks suspicious. To do this, we have a list of (mostly) PHP functions that are typically used by hackers, including “chmod”, “eval”, and “exec”. If you're not familiar with PHP, these are very powerful functions that can be used to access and manipulate files on a server.

Command Line Method (Advanced)

Disclaimer: I am only providing this script as an example. I have tested this script on 3 hosts so far (Dreamhost, Bluehost, and MediaTemple) with no problems, but it is your responsibility to make sure that it works in your own environment.

If you aren't sure, or don't know how to use the command line, skip to the FTP Only Method below.


For this tutorial, you will need to be able to use a command line terminal and log in to your server using an SSH (Secure Shell) client. If you're using a Mac, that's just the “Terminal” app. For Windows, you can download a tool like “PuTTY”.

I have created a pretty basic shell script that you can just copy, modify if you like, and run on your own server.

This script will scan the files starting at whatever directory it is placed in, and add anything that fits our definition of “Suspicious” to a list. Keep in mind: this list will definitely contain false positives! Many of these “Suspicious” functions are used for a number of legitimate reasons, so just because they exist on your site – doesn't mean that a hacker put them there.

You are going to need to go over the list of potentially suspicious files and identify the files that are actually compromised. Don't worry, they should be pretty obvious. You can also see some examples of what to look for below (in the last section on identifying malicious code)

  1. To begin, copy the script from below, save it to a file, and upload it directly to your server.

    It's best to place it inside your web root. Mine looked something like this: /home/user2121/seologs.com/

    Alternatively, you can copy the script to your clipboard and skip to steps 2 and 3, where we log in via SSH.

  2. Copy the Script Here:

    #!/bin/bash
    
    #Made by Badi Jones ( HowToStartaBlog.org )
    
    #initialize Filename variables
    phpfiles='mal_check_phpfiles.txt'
    suspicious_files='mal_check_suspicious_files.txt'
    slash='/'
    #start in the current directory
    start_directory='.'
    
    
    echo "resetting files ..."
    #Delete contents of all files on re-run
    cp /dev/null "$start_directory$slash$phpfiles"
    cp /dev/null "$start_directory$slash$suspicious_files"
    
    # Here, we are making a list of every file that contains PHP script.
    # Both report files are excluded so that a re-run does not scan its own output.
    # The (?!xml) lookahead (skip "<?xml" headers) needs grep -P, which GNU grep on
    # Linux hosts provides; if your grep lacks -P, use grep -E -l '<\?(php|=)' instead.
    echo "Finding all PHP scripts ..."
    find "$start_directory" -type f -not -name "$phpfiles" -not -name "$suspicious_files" -print0 | xargs -0 grep -P -l '(<\?php|<\?=|<\? *(?!xml))' >> "$start_directory$slash$phpfiles"
    
    
    # Here, we are searching through the list of php files - looking for any that contain
    # potentially harmful functions, or a run of hex-escaped characters (\xNN\xNN\xNN\)
    # that is often used to hide strings. The pattern is single-quoted so the
    # backslashes reach grep unchanged; -i makes the match case-insensitive.
    echo "Finding suspicious files ..."
    while IFS= read -r php_file
    do
        grep -E -H -i '(\\x[0-9A-F]{2}){3}\\|(mail|eval|base64_decode|str_rot13|chmod|fwrite|exec|passthru|system|proc_open|popen|show_source|fsockopen|pfsockopen|stream_socket_client) *\(' "$php_file" >> "$start_directory$slash$suspicious_files"
    done < "$start_directory$slash$phpfiles"
    
    
    # printf is used because plain echo does not interpret \n on most shells
    printf 'Done!\n\nCheck the results here: -> %s\n' "$start_directory$slash$suspicious_files"
    
    
  3. Next, you'll need to log in to your server via SSH. Note: Most hosting services allow login via SSH. Just search your hosting company's help section to find out how. If you aren't comfortable doing this, you'll need to find someone who is to help you out. This really isn't difficult, but a few wrong keystrokes can do bad things.
  4. If you uploaded the script using FTP in step 1, you'll need to log in with SSH, navigate to the directory you placed it in, and skip to step 5.

    If the script is still in your clipboard, just create a new file in the directory you want to scan using whatever tool you like. I prefer vi.

    So if I wanted to name my new script “hack_scanner”, it would look like this:
    cd /home/user2121/seologs.com/
    vi hack_scanner

    You should be in vi now, looking at an empty file. Press “i” for insert mode, and paste the contents of the script into this new file. Press “Esc” to leave insert mode. Type “:wq” (without quotes – this stands for “Write + Quit”) and press Enter to save.

  5. Before you can run this file, you'll need to make it executable using the following command:
    chmod 755 hack_scanner

    Finally, we can run it like this:
    ./hack_scanner

    This should take a little while to run, and there's a good chance you'll see some notices that maybe some directories or files are not accessible because of permissions. If you want to be thorough, you can go through and make them readable. Just make sure to change them back when you're done.
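The report the script writes mixes real backdoors with perfectly legitimate calls to mail( or fwrite( from themes and plugins. The script below is an added example (not part of the original post or its scanner) that re-scans a directory with the same list of function names and gives each hit a score, so the files worth opening first sit at the top of the list. The extra indicators and their point values are my own choices: eval( on the same line as a decoder or as remote input such as $_POST, a run of \xNN hex escapes, and a file size over 100 KB. The sample plugin file and backdoor file in the test are constructed for the demonstration. It assumes GNU grep and find, as found on a typical Linux host.

```bash
#!/bin/bash
# Added example: rank hits from the suspicious-function search so that likely
# backdoors appear first. Not the script from the post. Assumes GNU grep/find.
# Point values below are arbitrary choices, not an established scoring scheme.

# Same function names as the post's search pattern.
PATTERN='(mail|eval|base64_decode|str_rot13|chmod|fwrite|exec|passthru|system|proc_open|popen|show_source|fsockopen|pfsockopen|stream_socket_client) *\('

# score_file FILE -> prints an integer score for one file:
#   +1 per distinct suspicious function name used in the file
#   +5 if eval( is on the same line as a decoder (base64_decode, str_rot13)
#      or as remote input ($_POST/$_GET/$_REQUEST/$_COOKIE)  [my assumption]
#   +3 if the file contains a run of hex escapes such as \x65\x76\x61
#   +2 if the file is larger than 100 KB (packed backdoors are usually big)
score_file() {
    file=$1
    score=0
    # -o prints each match; strip the "(" and spaces, then count distinct names
    distinct=$(grep -E -i -o "$PATTERN" "$file" 2>/dev/null \
        | tr -d ' (' | tr 'A-Z' 'a-z' | sort -u | wc -l)
    score=$((score + distinct))
    if grep -E -i -q 'eval *\(.*(base64_decode|str_rot13|\$_(POST|GET|REQUEST|COOKIE))' "$file"; then
        score=$((score + 5))
    fi
    if grep -E -q '(\\x[0-9A-Fa-f]{2}){3}' "$file"; then
        score=$((score + 3))
    fi
    if [ "$(wc -c < "$file")" -gt 102400 ]; then
        score=$((score + 2))
    fi
    echo "$score"
}

# triage DIR -> prints "score<TAB>path" for every .php hit under DIR, highest first.
triage() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -E -i -l "$PATTERN" 2>/dev/null \
        | while IFS= read -r f; do
              printf '%s\t%s\n' "$(score_file "$f")" "$f"
          done | sort -k1,1nr
}

# Usage: bash triage.sh /home/user2121/seologs.com
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

The output is only an ordering: a score of 1 is usually a lone mail( or fwrite( in a plugin, while a file that combines eval( with base64_decode($_POST[...]) and hex-escaped strings lands at the top. Nothing is deleted automatically; open the top entries and compare them against the examples in the section on identifying malicious code before removing anything.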

FTP only Method (Easier, but takes longer)

If you don't feel comfortable using the command line method above, it is possible to do the same thing using only an FTP client and a good text editor. The downside is that it takes a lot longer, but you should be able to achieve the same result.

First, you'll need to connect to your site using FTP, and download the entire directory of your site that you want to check. This is probably going to need to be everything inside your web root. This could take quite a while, depending on how many files and folders you have.

Once the download is complete, you'll need to use a text editor. For Mac, I suggest TextWrangler (it's free and extremely robust) or BBEdit. For Windows, I've only tested Notepad++.

For TextWrangler or BBEdit, you're going to use “Search” > “Multi-File Search” from the menu bar. On the right, click the “Other” button and browse to your downloaded site. Under the “Matching” options, make sure “Grep” is checked.

For Notepad++, use “Search” > “Find in Files” from the menu bar. Use the “Directory” picker to browse to your downloaded site. For “Search Mode”, click “Regular expression”.

Now just use the same regular expression search pattern from above to look for any suspicious code. Copy and paste this into the “Search” field and click “Find All”.

(\\x[A-Z0-9]{2}\\x[A-Z0-9]{2}\\x[A-Z0-9]{2}\\|mail|eval|base64_decode|str_rot13|chmod|fwrite|exec|passthru|system|proc_open|popen|show_source|fsockopen|pfsockopen|stream_socket_client)

This should result in a list of potential problem files to check.

Identifying Compromised and Malicious Code in WordPress

I've seen several of these compromised backdoor control panel scripts, and they are usually not too hard to identify. Most of them are a lot larger in file size than your regular WP files. This is because they have packed lots of evil code into them. Check out a couple of code examples below.

[Image: hack-example1]

[Image: hack-example2]

While cleaning SEOLogs, I actually tested out each of the backdoor scripts before removing them. I was shocked by how much access they had. You could execute shell commands, browse and edit files, access databases, and a lot more. (see the photo of an actual hacker control panel below)
[Image: hack-terminal]

Once you've got your site clean, make sure to remove the script and generated reports. Also, don't forget to keep WordPress current! For more info about securing WordPress, check out their official guide. If you have any improvements or suggestions, please post in the comments.


2 thoughts on “How to Find and Remove Hacked WordPress Files”

  1. Tony

    Hi Badi, I want to first thank you for this post. My blog was just hacked and finding your video and post gave me some hope of maybe saving my site. A lot of helpful information. I do have a few questions that you may be able to help me with. How do I do the actual set up of PuTTY to perform the file search? What file extension will I need to use for the hack search script upload? Also how do I get the script to run after it’s uploaded? Last but not least, how do I set up the output folder for the search results? Can you help?

    • Badi Jones (Post author)

      Hi Tony,
      Sorry for the delay in replying. 2 new babies (twins) arrived at our home at the end of December, so I’ve had a shortage of time :)

      It’s a lot for someone who doesn’t have any server admin experience (and can be kind of dangerous to tinker). So I’d recommend you get a tool like “WordFence”. Search for “WordPress Security” in the WordPress Plugin directory.

      It has its own scan, and I’ve actually started installing it in all of my blogs. Mainly because it makes it really difficult for anyone to get into your site.

      I haven’t had any problems since I’ve been using it (and I had lots before). Check it out, and feel free to contact me via email if you need any help.
