Monthly Archives: June 2013

Checking your WordPress blog for hacked files

WordPress is a very empowering software, but also can be easily exploited because of how it was created. WordPress was designed to make it easy for users to customize their blog without having to login to the server, but this opens up possibilities for holes. I’ve had a couple of my WordPress sites hacked and I wanted to share a few tips to help identify files that have been hacked.

Scan your site for free – sucuri.net provides a free security scanner that you can point at your WordPress site and have it check for spam links or possible security issues. It won’t catch all of the issues, but it is a great place to start.

What if sucuri finds spam links? How will you get rid of them? I’ve created a very simple bash script that allows you to check multiple WordPress sites for offending text. The script can also be run from the command line of the server that your wordpress is installed on.

  1. Create a file on your wordpress server and call it secure.sh and then paste the text below in it, replacing example.com/ with the directory of your wordpress install
#! /bin/bash
grep -r "netstat" example.com/

In this case netstat is a networking command line call that I found in some of my hacked files that allow the hackers to gain server access. You can replace the “netstat” with any text and it will scan through all of the files and list out files with it.  If sucuri finds spam links, put some of the text in quotes and run the command. Note that you can run

grep -r "netstat" example.com/

from just the command line as well and get the same results. When you are running the command or bash script, it may show that it is unable to access certain directories in your wordpress installation. These are most likely hacked directories. Check the permissions of the directories and change them so that you can get access to them. In my case, the directory’s name was log. I changed the permissions of the directory using:

chmod -R 700 example.com/somedir/log

where example.com/somedir/log would be replaced with the directory that wasn’t able to be read.

Once you change the permissions then you can delete the directory. Check to make sure there isn’t any critical files in the directory first.

I’m in no way a security expert but the steps above helped me identify and clean up hacked code.