In the last few months, I’ve been called upon several times to recover web sites from hacker damage. Two were WordPress sites, and one was a Joomla site that was repeatedly hacked. Some hacks are pretty funny — some teenager strutting his testosterone by replacing your front page with some piece of insulting ASCII art (think pirate logos and elf backsides). Others forward your visitors to Chinese movie sites and sites unknown around the world. The most malicious hacks attempt to download viruses and trojans to your computer through your browser.
The common theme seems to be that somebody had come in and used the self-registration feature, or had found a backdoor (because the site was running an old version of its CMS code) to register themselves by force. Then they could tamper with the plugins’ code from the inside, or with the CMS code itself.
But really, the fix is pretty much the same. I’ve found the quickest, most straightforward way to recover your site is to bulk-replace all the CMS code (WordPress, Joomla, Drupal, Mambo, something proprietary) with a fresh copy of the most recent version, and then check your .htaccess file. I prefer to do it from the outside, that is, using FTP to just overwrite it all, because if a site has been hacked, I don’t trust that the internal update links from within the CMS itself will completely wipe out the problem. Once you know you have clean CMS code, go through and install clean code for all your plugins / extensions. Just deactivate and delete them, then reinstall and reactivate them, one after the other. Finally, check all your registered users. If you’re supposed to be the only one, you can shout “Bang, you’re dead!” as you hit that delete button. If you have to sift through multiple legitimate users, you’ll have to use your judgment as to who belongs there and who doesn’t. Particularly suspicious to me are people from far-flung countries you never expected would care a whit about the subject matter of your site. But alas, I run a legitimate Russian music site, so subscribers/members from Russia are not that much of a surprise to me.
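One way to check how much of that bulk replacement was actually needed, as an added example that is not code from the original post: pull the live site down over FTP, unpack a fresh release of the same CMS version next to it, and list every file that differs from or is missing in the clean copy, plus any .htaccess rule that redirects visitors off-site. The directory names and the small demo tree are hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Compares a copy of the live
# site (pulled down over FTP) against a freshly unpacked release of the same CMS
# version, and flags .htaccess redirects. All paths are hypothetical.

# Print "MODIFIED <path>" for files whose content differs from the clean copy and
# "EXTRA <path>" for files present on the site but absent from the clean copy.
# Extra files are either legitimate user content (uploads, plugins, themes) or
# something that was dropped there, so each one deserves a look.
# Usage: find_tampered_files <clean_dir> <site_dir>
find_tampered_files() {
    clean="$1"
    site="$2"
    ( cd "$site" && find . -type f ) | sort | while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            printf 'EXTRA %s\n' "$rel"
        elif ! cmp -s "$clean/$rel" "$site/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# Print .htaccess lines (with line numbers) where a RewriteRule or Redirect
# directive sends visitors to an external http(s) URL; a clean CMS install
# normally has no such rule, so any hit needs to be explained.
# Usage: suspicious_htaccess_lines <path-to-.htaccess>
suspicious_htaccess_lines() {
    grep -inE '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent|Temp)?)[[:space:]].*https?://' "$1"
}

# Build a small constructed tree under $1 so the two checks can be run offline:
# one core file left intact, one core file with an appended line, one stray
# file in uploads, and an .htaccess with a redirect to an outside host.
make_demo_tree() {
    base="$1"
    mkdir -p "$base/clean/wp-includes" "$base/site/wp-includes" \
             "$base/site/wp-content/uploads"
    printf '<?php // core file\n' > "$base/clean/wp-includes/load.php"
    printf '<?php // core file\n' > "$base/site/wp-includes/load.php"
    printf '<?php // front controller\n' > "$base/clean/index.php"
    printf '<?php // front controller\n// constructed: line not in the release\n' \
        > "$base/site/index.php"
    printf '<?php // constructed: file not part of the release\n' \
        > "$base/site/wp-content/uploads/stray.php"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.com/ [R,L]\n' \
        > "$base/site/.htaccess"
}
```

Run `find_tampered_files /path/to/clean-release /path/to/site-download` after the FTP pull; anything reported as MODIFIED under the core directories is a file the fresh copy will overwrite, and anything EXTRA is what the overwrite alone will not remove.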
With this fresh replacement of all your code, including your .htaccess text file, and the weeding out of your users, the odds are pretty good you’ve taken care of the problem. The only possibility left would be your MySQL database. Yes, that could be corrupt, but judging from my own experience, that is less likely. The only way to be sure is to plan ahead of time. There are plugins and extensions available you can install in your site which you can use to schedule regular backups of your database. If you post often, you probably want a daily backup. If you post updates less frequently, you could get by with weekly backups. But as long as you have that running on autopilot, you can be sure of having a clean copy of your database to restore, and thus stand to lose a minimum of work.
Hope this helps!