Background
My site got infected by malware yesterday. My hosting company put the site under quarantine and blocked all access to it. I used the procedure outlined in this blog to reinstall WordPress and point it to the existing database. All plugins also need to be reinstalled.
Environment
* WordPress: 4.4.5
* Apache: 2.2.31
* PHP: 5.6.27
* MySQL: 5.6.32
* Perl: 5.10.1
Backup and Remove Old Site
* Log in to cPanel > File Manager
* Zip up the folder containing the infected site
* Download the zip file to your local computer for archiving and forensic analysis
* Remove the zip file from the server after downloading it
* Remove all the files in the infected folder, including all hidden files
Reinstall WordPress
* Download wordpress-4.4.5.tar from the WordPress Release Archive
* Go to cPanel > File Manager
* Upload and extract wordpress-4.4.5.tar into the root directory of your existing site, e.g. public_html
Configure wp-config.php
* Go to cPanel > File Manager
* Rename wp-config-sample.php to wp-config.php
* Change its permission to 440
* Modify the following sections of wp-config.php:
– Update the MySQL connection parameters:

    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define('DB_NAME', 'wp_db');
    /** MySQL database username */
    define('DB_USER', 'wp_user');
    /** MySQL database password */
    define('DB_PASSWORD', 'dp_secret');

– Update the authentication key and salt values using the WordPress online salt generator
Copy Theme Folder
* Manually download and install the old theme to your newly installed site
* Alternatively, clean (e.g. search for ‘\x’) and copy theme folder from old site to the new site, e.g. wp-content\themes\twentyten folder.
Copy Uploads Folder
* uploads folder contains uploaded images
* Clean (e.g. search for ‘\x’) and copy uploads folder from original site to the new site, e.g. wp-content\uploads
Re-Install Plugins
* Once the site is up and running, log in to the admin page and reinstall all plugins, e.g.
– CodeHighlighter
– WP-TOC
– Awesome Ads
– Google Analytics Dashboard for WP
– Google Doc Embedder
– SI CAPTCHA Anti-Spam
– WP QuickLaTeX
– Do NOT install WP-Syntax, it broke my site
Add Redirect Page
* My WordPress is installed in a subfolder named wp
* Add a redirect page index.php to redirect to wp subfolder:

    <html>
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <META HTTP-EQUIV="Refresh" CONTENT="0; URL=wp">
    </head>
    </html>

Clean up .htaccess Files
* Make sure you use cPanel to open File Manager so that you can see hidden files
* Remove any malicious mod_rewrite rules from all .htaccess files, e.g.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} google [OR]
    RewriteCond %{HTTP_REFERER} google
    RewriteCond %{REQUEST_URI} !(\.js|\.css|\.png|\.jpg|\.jpeg|\.gif|\.svg|\.ttf|\.woff|\.eot)
    RewriteRule ^.*$ cae1c4.php [L]
    </IfModule>

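
The manual checks above (searching theme and uploads files for '\x' and looking for injected mod_rewrite rules in .htaccess) can be scripted against a local copy of the site. This is an added example, not code from the original post or from WordPress; `scan_tree`, `demo` and the sample files are hypothetical and constructed for illustration, and flagging any script found under uploads is an extra heuristic assumed here.

```python
import re
import tempfile
from pathlib import Path

HEX_ESCAPE = re.compile(rb"\\x[0-9a-fA-F]{2}")  # the '\x' search from the steps above
COND = re.compile(rb"^[ \t]*RewriteCond[ \t]+%\{HTTP_(?:USER_AGENT|REFERER)\}", re.I | re.M)
RULE = re.compile(rb"^[ \t]*RewriteRule[ \t]+\S+[ \t]+(\S+\.php)\b", re.I | re.M)
CODE_EXT = {".php", ".phtml", ".js"}

def scan_tree(root):
    """Return a sorted list of (relative_path, reason) for files worth reviewing."""
    findings = []
    for path in Path(root).rglob("*"):  # pathlib globbing also yields dotfiles
        if not path.is_file():
            continue
        rel, data = path.relative_to(root).as_posix(), path.read_bytes()
        if path.name == ".htaccess":
            if COND.search(data):
                findings.append((rel, "rewrite keyed on User-Agent/Referer"))
            for target in RULE.findall(data):
                # The default WordPress permalink block only rewrites to index.php.
                if Path(target.decode()).name != "index.php":
                    findings.append((rel, "rewrite to " + target.decode()))
        elif path.suffix.lower() in CODE_EXT:
            if "uploads" in rel.split("/")[:-1]:
                findings.append((rel, "script inside uploads"))
            hits = len(HEX_ESCAPE.findall(data))
            if hits:
                findings.append((rel, "%d hex escapes" % hits))
    return sorted(findings)

# Constructed sample tree (not taken from any real site); the escapes spell "hello".
SAMPLE = {
    ".htaccess": b"RewriteCond %{HTTP_REFERER} google\nRewriteRule ^.*$ cae1c4.php [L]\n",
    "wp/.htaccess": b"RewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n",
    "wp/wp-content/uploads/2016/a.php": b'<?php $s = "\\x68\\x65\\x6c\\x6c\\x6f";',
    "wp/wp-content/themes/twentyten/index.php": b"<?php get_header(); ?>",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan_tree` on the extracted backup before copying anything across; a hit is a prompt for manual review, since legitimate minified scripts can also contain hex escapes.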
Reactivate the Site
* Call your hosting company to verify the cleaning and reactivate the site for you