In this tutorial we will be reinstalling WordPress after it’s been compromised or “hacked.” The tutorial assumes three things: 1) The MySQL database your WordPress site was using wasn’t compromised, 2) The WordPress files were the only thing modified, and, 3) You have no other web applications installed in your site’s root directory.
These instructions are specifically for WordPress installations running on IIS, but you can use the same basic steps to reinstall WordPress on any platform.
Quick overview of the steps we’re about to take
- Creating a two different directories locally on your computer.
- One containing your hacked WordPress site.
- The other containing your clean WordPress site.
- Before changing anything we will be making a backup of your current WordPress site by downloading it via FTP. Yes, the current compromised WordPress site.
- Downloading a clean copy of WordPress
- Re-downloading your themes folder
- Re-downloading your plugins folder
- Copying your web.config and wp-config.php files from the old WordPress site to the root directory of your clean WordPress site
- Restoring your images/upload files
Step 1 – Create two different directories on your computer
Create two different empty directories on your local computer.
Step 2 – Create a backup of your hacked WordPress Site
First you will need to establish an FTP connection to your site. Instructions on how to connect to your site via FTP can be found in this knowledge base article.
Once the FTP connection has been made, navigate to your local directory within FileZilla where you wish to place your backup.
Highlight all of the files and directories within your WordPress site and right click on Download to copy them to your local environment.
Important: We’re putting the files here for safe keeping, don’t open any of the files unless specified in this article.
Step 3 – Download a clean copy of WordPress
Go to WordPress Downloads and download the zip file.
Next you want to extract the clean files to the clean folder directory on your local computer.
Step 4 – Re-Download your theme files
Everyone uses a different theme for their WordPress site, so everyone’s case is going to be unique. If you remember where you downloaded your theme then go ahead and download it from the source and and skip to section Step 4 B.
If you are unsure which theme you were using, navigate your \wp-content\themes directory in the hacked backup WordPress files.
WARNING: Don’t use the theme from the hacked WordPress site, it’s important to download a new copy from the source.
Within the \wp-content\themes\ directory you will see different directories. You will most likely see some of the default themes that come with WordPress:
But the other themes that are located in the \wp-content\themes\ directory will be the themes you downloaded for your WordPress site before it was compromised.
In my case I forgot the name of the theme I was using. From the list I see in the \wp-content\themes\ directory I can see that I was using the “rendition” theme.
My next step was to Google “rendition wordpress theme,” and I was able to locate the source of the theme.
Download and extract the clean theme files into the clean WordPress directory locally on your computer.
Once you have downloaded the zip copy of your theme locally on your computer, extract it to a location where you can simply copy and paste the clean theme into the \wp-content\themes\ directory within the clean copy of your WordPress file structure.
Step 5 Re-download your plugins
The plugins folder will be in the \wp-content\plugins directory.
If you don’t recall which plugins you had installed, you can always go into the hacked WordPress file structure to see which plugins were installed.
Make a list of the plugins you need to download and download them manually from the WordPress plugins site.
Extract the clean plugins you just downloaded into an empty file on your computer.
Copy and paste them into the clean copy of the WordPress site’s \wp-content\plugins directory.
Step 6 Copy web.config & wp-config.php file
We have to copy and paste the old web.config and wp-config.php file into the clean copy of the WordPress site’s root directory.
The web.config file contains the URL Rewrite rules for your WordPress permalinks links to work correctly on the IIS server.
The wp-config.php file contains the settings needed to reestablish a MySQL database connection to the original MySQL database.
Go to the hacked WordPress site root directory where your wp-config.php file is located and open it in a text editor like Notepad. You want to check for malicious code that you don’t recognize. Basically, you just want to make sure your old wp-config.php file is clean. You can compare it against the sample wp-config.php file. If you’re not sure what it’s supposed to look like. You can always check the clean version by checking the Github sample page of the wp-config file.
Once you have confirmed it’s clean, you’re going to want to change the password for your MySQL database.
Log into Control Panel and change the password for your MySQL database within the MySQL Manage section:
Click Manage next to the MySQL database.
Click Update Password.
Next you’re going to need to update the following line in your wp-config file with the new password.
Replace it with:
Save the wp-config.php file and place it into the root directory of your clean copy of WordPress.
Next you want to simply copy and paste your old web.config file from the compromised WordPress site to the root of the clean WordPress site. web.config is not a file targeted in the typical WordPress compromise, so it’s usually safe to use the old version. You may want to take a look at it in any case, just to make sure it hasn’t been altered.
Step 7 – Delete your old WordPress files and upload the clean WordPress site
Connect to your site via FTP and delete everything from the root of the site.
You want to make sure you have an empty root since you will be uploading a clean copy of your WordPress site.
Once your root directory is clean go ahead and upload the clean copy of the WordPress site located on your local computer to the root of the site.
Your site should work now. Visit the site to verify that you did everything correctly.
Step 8 – Restore your old image and upload files
The last step is restoring your image files from your old installation of WordPress to your clean WordPress site.
First, browse your site to make sure you don’t have any missing images. If you do find that some images aren’t displaying correctly, you can use Google Chrome’s Developer tools to troubleshoot. By using the network tab you can see which images are missing and which directory they need to be uploaded to.
Once you find the image that is missing in the copy of your hacked WordPress backup, you can upload each image one by one.
In the image above we can see where our missing image file will need to go into our file directory structure. Simply locate the missing file from your compromised site backup and upload it via FTP to your clean site.
An important next step is to make sure you update any outdated plugins and themes from within your WordPress admin section. You should also update the password for your WordPress admin user.
Well, aside from the fact that it’s already 10 years old, Microsoft will stop releasing security patches for Windows 2003 soon. This will make the Windows 2003 O/S vulnerable. We don’t like that and I’m sure you wouldn’t want to host your site on a vulnerable operating system. So we decided it would be a good time to let you know about some of the benefits of moving to a Windows 2008/IIS 7 or Windows 2012/IIS 8 servers.
Okay, so what are the benefits of moving my site to Windows 2008 or Windows 2012?
More control, more memory, tighter security.
With Windows 2008/IIS 7 or Windows 2012/IIS 8 you will have more control over the hosting environment. You will be able to connect to your site using IIS Manager and it will provide you with a lot more options. For instructions on how to connect to your site using IIS Manager please read this Knowledge Base article (you can only connect to your site using IIS Manager if you’re on a Windows 2008/IIS 7 or Windows 2012/IIS 8 server).
When you are connected with IIS Manager you will have access to the following:
- .NET Error Pages
- Error Pages
- Handler Mappings
- HTTP Redirect
- IP Address and Domain Restrictions.
- MIME Types
- Request Filtering
- URL Rewrite
Also, if you migrate to Windows 2008/IIS 7 or Windows 2012/IIS 8 your site will have more RAM memory for the application pool. On our Windows 2008 IIS 7 server we provide the application pool with 200MB of RAM memory. On the Windows 2012 IIS 8 server we provide your application pool with 300MB of RAM memory.
Yeah! More memory! What else?
You’ll also have more control over your FTP settings. We provide you with a ability to block IP addresses and only allow your IP to access the site via FTP. This will prevent other people from accessing the site via FTP even if they get your FTP credentials!
Well have you ever heard of web deploy? We also give you the ability to web deploy from your Visual Studio 2010 & Visual Studio 2012 application to your site on our web servers. This allows you to build your site locally and web deploy to our servers.
What about WebMatrix?
Yes, you can even use WebMatrix to web deploy the applications to our web servers.
Are there any differences between IIS 6, IIS 7 and IIS 8 hosting accounts?
- Yes, on the IIS 6 servers we allow you to deny the Anonymous user read and write access to any directory you don’t want them to have access to. On our IIS 7 & IIS 8 servers we don’t allow you to change the permissions for this user. So, if you need to protect a directory we provide you with steps on how to password protect a directory on IIS 7 & IIS 8.
- We also stopped supporting Front Page extensions on both our IIS 7 & IIS 8 servers.
- If you’re using an ODBC DSN connection, that is not supported on our IIS 7 and IIS 8 servers. It’s recommended that you move it to a OLEDB connection.
- The ASP.NET framework 1.1 is no longer supported. But, the ASP.NET framework 2.0 should be backwards compatible with ASP.NET 1.1. So in this case you can use the ASP.NET framework 2.0 for your web site if it requires 1.1.
If any of this sounds good to you, contact support to get the migration ball rolling. Migration is voluntary at this time, but eventually we will have to migrate everyone off of Windows 2003/IIS 6. You’ll have the benefit of time to test and iron out potential problems if you do it now, before migration is mandatory.
If you have any questions about migration, just let us know.
We still get the email message in our helpdesk queue and we still provide you with the same support you need. However, emailing support@ isn’t the best way to contact us for assistance.
Well, when you email us directly we might not have any idea who you are, depending on the address you email us from and what you state in the email. It may take longer to resolve your issue because our next reply to you is often, “What is the domain name associated with your hosting account? Can you also please authenticate this support ticket…” (we have to authenticate because we don’t want to provide potentially sensitive account information to anyone who isn’t supposed to have it).
But all you want to do is to resolve your issue as soon as possible, and I don’t blame you.
So how can you resolve my issue more quickly, and what’s the “correct” way to contact support?
Well, you’ve gotta open the ticket through the Support Portal 😉
The login form is in the upper right corner of the page. Use your Control Panel username and password to login to the support portal.
Once you’re logged in, opening a ticket is easy. Just click Submit a Ticket, choose the department (options are Support, Sales and Billing) and type your question.
You can also log in to the Support Portal to see our replies. Or if you get our reply via email, simply reply to the email message and your original message to us will be automatically attached by our ticketing system.
This helps us keep a good historical record of what type of tickets you’re opening and what type of trouble you have been having with your account.
Also, when you open a ticket through the support portal your account information will be automatically available to us and we’ll be able to look up your account through our system.
That’s great Martin… But what should I include in my ticket?
That all depends on the type of problem you have, but it is really important to provide us with as much information as possible.
You’re getting an error on your site? Provide us with exact steps to recreate the error on our end. Add information on what lead to this error.
You have an email problem? Oh man! Email is a big area to cover, but it’s always a good idea to tell us which email user is having the problem. Which email user is sending the message? What settings you’re using to receive mail if you’re using an email client (screen shots are always a good idea). If you’re getting bounced email messages, please provide us with the full headers of the bounced email message.
Put yourself in the shoes of the support agent that’s about to help you. Ask yourself, “What this person who’s about to help me going to need in order to resolve my problem?”
Then send off the ticket and we’ll reply to it as quickly as possible. You might be surprised by how fast we reply 😉
What if I didn’t get a reply in my email inbox!?
It’s all good! Make sure you check your ticket history by clicking View Tickets in the Support Portal when you log in.
By checking out your ticket history you will have the ability to see our responses and reply to us directly. You also have the ability to close the ticket yourself if you have resolved your own problem.
Some Good Things to Remember:
- Don’t open multiple tickets about the same problem. This can cause confusion or duplicated effort on our end, which could lead to us providing inaccurate or untimely information. Which can only lead to frustration on your end.
- If the original problem has been resolved and you have a new issue or question, open a new support ticket for the new question. We generally read the tickets from the oldest message to the newest in order to fully grasp the issue (and take previous replies into account). So if you tag a new issue onto an old ticket, you are going to slow down our response time, since we may spend time diagnosing a problem that’s already been solved.
- Does it seem like it’s taking too long for us to reply? As long as the ticket is Active in the Support Portal we are most likely working on your issue. We normally reply to a ticket in under one hour. If it takes longer than one hour you can rest assured that we’re working on the ticket. If the ticket is set to Waiting, that means we’re waiting to hear back from you.
- Was the ticket you opened Closed but the issue is still not resolved? You can always reopen the ticket and provide any additional information you have related to the problem. If you want to start fresh you can open a new ticket, but be sure to provide the ticket number of the ticket that was closed. That way our support staff can refer back to the ticket if necessary.
- Does your issue involve coding or development related problems? Please post any coding or development related problems in our Support Forum to get peer to peer (and support staff) assistance. It’s not a blow off. Really. We still love you.
We asked, What was the percentage of your web site traffic coming from mobile (smartphones and tablets) in 2012?
This is how our users answered:
Well, for those of you who don’t know how much of your traffic is coming from Mobile clients, we have SmarterStats to help you find out.
If you haven’t enabled SmarterStats for your hosting account, here’s how to do it:
Log in to Control Panel and go to Stats / Raw Logs.
Click the Enable button next to SmarterStats (Free) (Yup, that’s right! We provide this to you for free. )
Alright Martin I have enabled SmarterStats what do I do now?
Well now all you have to do is relax for about an hour and let SmarterStats process the HTTP logs for your site. SmarterStats processes our HTTP server logs for your site to provide you a nice interface.
After the hour has passed, login to your SmarterStats account. You can find the login information in the Stats / Raw Logs section of Control Panel.
When you log in, expand the Report Items folder and expand the Browsers folder too.
Now click on Mobile Phones.
Cool Martin! Now how do I save this report and change the date range at the same time?
Well… if you like the report you see and you would also like to change the date range, all you have to do is click on the Add Favorite icon in the report you just clicked on.
This will then open the Following Window:
Click on the drop down menu next to Default Date Range and choose the date range you wish to use. Then go ahead and choose any of the other settings you wish to use and click on the OK button.
This report will be placed in the Favorites section in SmarterStats.
Another cool thing you can do to stay in the loop is to set up a Custom Report. That way you can have the report emailed to you daily, weekly, or monthly.
Expand the Custom Reports folder. Now click on the New Custom Reports.
The following web page will appear:
Go ahead and enter a name for your report in the name field, choose the Default Date Range, and click on the Report Items tab.
Click Add Item.
Click the drop down menu next to Report Item and select the favorite report you just created.
Now click Save.
This report will now be in your Custom Reports folder.
Click on the Scheduled Email Reports icon.
Click on the Add Email Report icon.
From the Reports drop down menu select the report you just created.
In the Frequency field select how often you wish to receive this report.
In the To field enter the email address you wish to send to.
Now click on Optional tab to add more email address to send to.
You might also want to place a check next to Enable graphical charts (HTML only) that way you get a nice graphical chart to refer to in your email message.
Click Save when finished.
Well, with all that said and done, I hope this helped some of you stay up to date with what type of traffic your web site is receiving.
In this tutorial we will be showing you how to use Request Filtering in IIS to Prevent SQL Injections. We previously did a tutorial called, “How to block bots and spiders with Request Filtering,” and we will touch on a lot of the same concepts here.
Please note that these instructions only apply to our Windows 2008 IIS 7 & Windows 2012 IIS 8 Servers.
First, you will need to make a connection to your site using IIS Manager. Please read our knowledge base article on How to connect to the server using the Microsoft IIS Manager.
Double click the Request Filtering module in IIS Manager.
Now click the URL icon in the Request Filtering module.
Next click Deny Sequence… in the “Actions” section.
In this example we’ll be blocking the common SQL Injection term “varchar” so enter this in the Deny Sequence box and click OK.
So now when someone tries to enter “varchar” into your site’s URL, they will receive the follow error message from the server:
There are a number of other terms that you can also use. Here are some terms you may wish to add to the Deny Sequence rules for your site account as well:
So now when anyone tries to enter any of the above terms into your URL Sequence, they will receive the HTTP Error 404.5 – Not Found error message from the server.
Be Warned! If your site currently uses any of the terms that you deny, you will receive the HTTP Error 404.5 message too. So choose your terms wisely to prevent any issues with your site.
<requestFiltering> <filteringRules> <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true"> <appliesTo> <clear /> <add fileExtension=".asp" /> <add fileExtension=".aspx" /> <add fileExtension=".php" /> </appliesTo> <denyStrings> <clear /> <add string="--" /> <add string=";" /> <add string="/*" /> <add string="@" /> <add string="char" /> <add string="alter" /> <add string="begin" /> <add string="cast" /> <add string="create" /> <add string="cursor" /> <add string="declare" /> <add string="delete" /> <add string="drop" /> <add string="end" /> <add string="exec" /> <add string="fetch" /> <add string="insert" /> <add string="kill" /> <add string="open" /> <add string="select" /> <add string="sys" /> <add string="table" /> <add string="update" /> </denyStrings> <scanHeaders> <clear /> </scanHeaders> </filteringRule> </filteringRules> </requestFiltering>
Let’s get started!
In order to complete this task, please make sure you have enabled raw logs for your hosting account by reading our knowledge base article: How do I access the raw log files?
If the SQL Injection happens before enabling the raw log files, then you wont be able to find the SQL Injection since the HTTP logs won’t be provided until the next day, and the past HTTP logs for your site account won’t be available. You may need to Contact Support and ask them if they can provide you with the HTTP logs in order to investigate an SQL Injection.
Please be sure to provide them with the dates of the HTTP logs you wish to access. Also, remember that support won’t have any HTTP logs that are more than 30 days old. If the Injection happened more than 30 days previous, no record HTTP logs will be available for your hosting account.
We’re going to need a special tool to help investigate
To help you search out the SQL Injection from your HTTP Logs, you’re going to need to use a tool called BareGrep. This tool can be downloaded here. Make sure you click on the “Free Version” link (if you like it and think you will put it to good use, consider purchasing the software). It’s a cool little tool because it’s not required to be installed on the computer and just runs off the .exe file.
Time to get down and dirty!
The awesome part about BareGrep it allows you to drag and drop multiple text files into it. This means if you’re not exactly sure of the exact date the injection happened, you can search multiple text files all in one shot.
Open BareGrep and select the text files that you wish to search. Now drag and drop the files into BareGrep’s grey area.
Let’s find those nasty SQL Injections!
We’re going to use a keyword search to find is the line in the HTTP logs where the SQL Injection occurred.
These are the keywords I like to use in BareGrep (feel free to add some of your own):
- – – (that’s two dashes)
Now it’s time to enter each of the keywords one at a time into BareGrep’s text field.
Hey! Hey! Hey! We found something!
Now let’s select the lines in BareGrep and see what we can find. Once selected, copy and paste the lines into an empty Notepad document.
You should get a few lines like the following HTTP line below. I know it looks nasty but let me try to explain what certain things are.
ex121209.log 414 2012-12-09 13:17:34 W3SVC100000 WEB151 18.104.22.168 GET /search.aspx home=177&id=1%27%20or%201=@@version-- 80 - 22.214.171.124 HTTP/1.0 Mozilla/4.0+(compatible;+Synapse) - - www.yourhosteddomainname.com 500 0 0 7639 354 531
This part of the line is stating the date and time (PacificTime) the SQL Injection happened.
The other part is the web server and IP address.
The following is interesting because it tells you exactly what page it was that was vulnerable to the SQL Injection. This will also give you a clue on what you will need to patch up on your site to prevent it from happening again.
The other part is what they entered in their web browser when trying to check if a SQL Injection vulnerability is possible. If there is vulnerability this code displays an error message along with the SQL database version. This means that the SQL database is answering to the hacker and it’s a dead giveaway that the web application is vulnerable to a SQL Injection.
Here comes the best part of the HTTP log, the hacker’s IP address! The example here belongs to Google’s DNS, but this is where the hacker’s IP address will be located in the HTTP logs. Please remember that most people will hide their real IP address and it doesn’t mean that the IP really belongs to the hacker. The evil person could have been using a network that doesn’t belong to them. Most likely a proxy service they like using to hide behind.
Cool thing about this is that if you’re on an IIS 8 or IIS 7 account, you have the ability to block IP addresses using IIS Manager. Please read our knowledge base article on How to connect to the server using the Microsoft IIS Manager.
If you’re on a IIS 6 server you will need to contact our support department. Ask them to block an IP address for you and provide them with the IP you wish to block.
Okay, so you know how they checked for the vulnerability in your application. Where can you find the injection that changed all of your table fields?
For this you will need to keep looking in the HTTP logs. What I like to do next is enter the hacker’s IP address into BareGrep and see all the Injections the hacker used. It will also show you the other parts of your site that the person visited.
What you will need to look for is the following in the HTTP log. This piece of code in the log will be followed by a bunch of numbers and charters. This friends, is where the tables got inserted with the malicious URLs/text to one of your tables on the SQL database. This also means that the page “/search.aspx” is vulnerable to the SQL Injection.
Okay, so now you’re ready to prevent the SQL injections from happening on your site.
I have referred people to the following articles in order to prevent a SQL injection from happening again. I really hope this helps you guys and we can see an end to these stinky SQL Injections.
Let me introduce the Master Control Panel for DiscountASP.NET. The Master Control Panel has been around for quite some time now. Basically it was created to make managing multiple hosting accounts much easier for our users.
Simply click on this link to get started: Master Control Panel
Click on the “Create a New Master Account” link.
You will be brought to the page shown below. Enter an email address and password that you would like to use as the Master Control Panel login.
A verification email message will be sent to the email address you have just entered.
You will then receive the verification code that you will need to copy and paste into master verification box (below).
You will then be prompted to reenter the email address and password that you choose previously.
Click on “Bind A Hosting Account” tab.
Enter your Hosting Account credentials as you originally set them up.
Go back to the “Bind A Hosting Account” tab to add more hosting accounts.
Once completed you can simply login with your Master Control Panel email address and password.