Recently one of my close friend’s WordPress site got attacked and he approached for a possible solution. After some basic assessment I found that the attacker had accessed the database and deleted the entries from wp_users table. So after restoring the values, the site started working smoothly. This experience led to the inspiration for writing this article. Before we start, let’s find the reasons for a possible attack:
- Site Hosted on a Vulnerable Server: Most of the times a WordPress site gets attacked just because of a vulnerable server since WordPress is highly secured from various attacks. So running after cheap web hosts isn’t a good decision.
- Badly Configured WordPress Installation: Most of the times the site isn’t properly configured in terms of security which leads to many exploits.
Now let’s consider a attack scenario to understand the topic in a better way:
An attacker first of all attacks the most vulnerable site hosted on a server. After that he simply uploads a script known as shell and tries to traverse the whole server, which results in access to many websites. Most of the times a SymLink Attack is done to get access to all the domains hosted on that particular server. This results to access the wp-config.php file of any site using WordPress. Now the attacker gets access to the database and simply adds a new user to the database or modifies the password of the present user. Finally he logs into the admin panel and modifies any theme or plugin with the shell and thus gains full access.
Now we have sufficient information to repair a WordPress Installation. Let’s divide the cases:
Case 1: The homepage is showing something inappropriate and we can’t log into the admin panel
Step1: Access PHPMyAdmin and check the wp_users table. If no values are present then move to Step 2 else move to Step 3
Step 2: Execute the following queries:
</p> INSERT INTO `databasename`.`wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('1', 'myblog', MD5('password'), 'John Doe', 'info@johndoe.com', 'http://www.johndoe.com/', '2012-06-07 21:03:00', '', '0', 'John Doe'); INSERT INTO `databasename`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '1', 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'); INSERT INTO `databasename`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '1', 'wp_user_level', '10'); <p style="text-align: justify;">Step 3: If the table wp_users and wp_usermeta has values then the delete all the records and then move to Step 2.
Step 4: Remove all other index.html or index.php files and create a index.php in the root with the following code:
</p> <?php define('WP_USE_THEMES', true); require('./wp-blog-header.php'); <p style="text-align: justify;">Step 5: Your installation should work fine, if still you find some error then check another case.
Case 2: We can’t log in to the Admin Panel and the site working fine
Step 1: This means that someone has simply deleted the username or changed the password.
Step 2: Access PHPMyAdmin and access the wp_users table, if the user is available and all the other values like email, etc. are correct then execute the following query:
</p> <p style="text-align: justify;">UPDATE `database`.`wp_users` SET `user_pass` = MD5( 'password' ) WHERE `wp_users`.`ID` =<your user id>;</p> <p style="text-align: justify;">Step 3: After successfully logging into Admin Panel, kindly change your password once again since WordPress has a flaw, i.e., it stores salted passwords but work with simple MD5 Hashed password.
There can be many other cases but mainly the above two solves the issue unless someone hadn’t deleted the whole database. Finally here’s a list of things to do for future protection:
- Delete all the files of WordPress installation except the wp-content folder
- Upload the wp-admin, wp-includes and root files from latest WordPress archive
- Upload the Emposha’s PHP Shell Detector and scan for any shell script
- Finally run the installation and follow the steps mentioned in this article
This brings us to the end of this article and I guess that next time when someone’s WordPress installation is attacked then he/she should be able to repair on its own. Now if you’ve any types of questions then please proceed. Even I can assist you as well.