WordPress hacked – admin passwords reset

  • Just in case anyone has come accross this – one of my wordpress installations has been hacked. There was a hacker message on the front page.
    The index.php file had been modified, also the wp-login.php file and there was an extra file called “fake.php“. I’ve removed all these and replaced them with backups. All appeared to be good.

    BUT!!!

    ALL the admin passwords had been changed. I logged into phpMy admin and changed them all. I changed my DB user, password, FTP access and the wp-config file, upgraded to the latest version of WP, but the admin passwords STILL get changed every time one of the admins logs in successfully. But ONLY the user logging in has their password changed.

    I think I am going to need to do a ground-up re-install unless anyone else has a clue?

    Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    ?????? Advisor and Activist

    You don’t need to ground up, but you DO need to scrub your files.

    Delete all files and folders EXCEPT for these:

    /.htaccess
    /wp-config.php
    /wp-content/uploads
    /wp-content/blogs.dir (ONLY if you’re using Multisite)

    Then reupload WP core, all your plugins and all your themes.

    If the hacker is using a shell then it won’t matter if you change your passwords, they can still gain access to your server via the shell. Run a scan on your server for the shell file. When the results come back clean, overwrite all files with a fresh install – except the wp-content folder.

    Thread Starter oxygencreative

    (@oxygencreative)

    Thanks very much for your help and advice. I’ll do as you suggest and post back here when everything is done.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘WordPress hacked – admin passwords reset’ is closed to new replies.