I was shocked to find this afternoon that this blog was hacked! The home page was displaying the following lines with rock music playing in the background:
HacKeD By RAMZI NULL
Im Not Afraid , Because I’am Tunisian HaCKeR
Facebook ID : www.facebook.com/Ramzi.Pascal
Greetz to : Mohamed 0wNeR & All TuNiSiEN
Hotmail ID : firstname.lastname@example.org
I spent a few hours trying to get it restored and I am reporting here what the hacker did to my blog and how I fixed the problem – hope it helps you restore your blog to normal too.
As soon as I found about this problem, I tried to change my admin login password but only to find that I could not do that! I did use the blog’s built-in feature to send me a link so that I could click and reset the password. For this I received all the emails I requested but whenever I tried to enter a new password to reset it, the blog gave me a “page not found” error. So basically I could not login as admin by resetting the password.
Then I downloaded a copy of wp-config.php to my computer via FTP and then changed the Authentication Unique Keys in it using the WordPress.com secret-key service located here – I learned from Googling that this will disable the cache and cookie on the hacker’s side immediately. This is the first thing that I should have done in the first place.
Having done that, I logged into my site’s cPanel and checked a few things around. What I found using phpMyAdmin in the MySQL database was that the hacker had added himself (ramzi) as a admin and changed me, the real admin, to a status that had a value of 0 for “user_status”!
I immediately removed this user from phpMyAdmin. After searching for user’s post by “ramzi”, I found none which means the hacker did not add any posts to the blog. Nevertheless, removing the hacker admin account did not solve the problem – the homepage still displayed his hacker page!
Then I suspected that the hacker must have done something to the theme files. So I removed the themes folder completely and then downloaded the theme file fresh and uploaded to the server – that fixed the hacked homepage!
By then only one problem remained – I could not log in as admin at all! Changing the value for “user_status” from 0 to 1 via phpMyAdmin did not help at all.
Initially I thought the hacker had tampered with files in the wp-admin folder. So I removed the wp-admin folder completely and then uploaded fresh content for that folder out of the newly downloaded WordPress zip file – no, that did not solve the problem and I still could not login.
Then I searched and found this page that really helped me to reset my admin login password using phpMyAdmin – please click the link and read the detailed instructions there.
Is your WordPress hacked in a similar fashion? Hope that you can get it fixed and I would like to hear from you how you did it.