Checking your WordPress blog for hacked files

WordPress is very empowering software, but it can also be easily exploited because of how it was created. WordPress was designed to make it easy for users to customize their blog without having to log in to the server, but this opens up the possibility of security holes. I’ve had a couple of my WordPress sites hacked and I wanted to share a few tips to help identify files that have been hacked. provides a free security scanner that you can point at your WordPress site and have it check for spam links or possible security issues. It won’t catch all of the issues, but it is a great place to start.

What if Sucuri finds spam links? How will you get rid of them? I’ve created a very simple bash script that allows you to check multiple WordPress sites for offending text. The script can also be run from the command line of the server that WordPress is installed on.

  1. Create a file on your WordPress server and call it and then paste the text below in it, replacing with the directory of your WordPress install:
#! /bin/bash
grep -r "netstat"

In this case, netstat is a networking command-line call that I found in some of my hacked files that allow the hackers to gain server access. You can replace “netstat” with any text, and the command will scan through all of the files and list the ones that contain it. If Sucuri finds spam links, put some of the text in quotes and run the command. Note that you can run

grep -r "netstat"

from just the command line as well and get the same results. When you are running the command or bash script, it may show that it is unable to access certain directories in your WordPress installation. These are most likely hacked directories. Check the permissions of the directories and change them so that you can get access to them. In my case, the directory’s name was log. I changed the permissions of the directory using:

chmod -R 700

where would be replaced with the directory that wasn’t able to be read.

Once you change the permissions, you can delete the directory. First check to make sure there aren’t any critical files in the directory.

I’m in no way a security expert but the steps above helped me identify and clean up hacked code.
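
The two manual checks described above (searching the tree for a string, then looking for directories that could not be read) can be combined into one script. This is an added example, not the script from the original post; the function names, the scan.sh file name and the sample search strings are assumptions. It goes slightly beyond the post by accepting several search strings at once and matching them as literal text rather than as regular expressions.

```shell
#!/bin/sh
# Added example, not the original post's script. Function names and the
# scan.sh file name are assumptions made for illustration.
# Usage: sh scan.sh /path/to/wordpress "netstat" "text from a spam link"

# Print every file under $1 that contains any of the remaining arguments.
scan_tree() {
    scan_dir=$1; shift
    [ "$#" -gt 0 ] || return 2          # refuse to run without a search string
    # Rewrite the argument list as: -e str1 -e str2 ...
    for s in "$@"; do
        set -- "$@" -e "$s"
        shift
    done
    # -r recurse, -l print file names only, -F match literal text (no regex)
    grep -rlF "$@" -- "$scan_dir" 2>/dev/null | sort
}

# Print directories under $1 whose owner read (400) or search (100) bit is
# cleared. When run as the owning user, these are the directories that
# grep -r reports as "Permission denied".
locked_dirs() {
    find "$1" -type d \( ! -perm -400 -o ! -perm -100 \) -print -prune | sort
}

# Run both checks and label the output.
report() {
    root=$1; shift
    echo "== Files containing a search string =="
    scan_tree "$root" "$@"
    echo "== Directories that cannot be searched (inspect before deleting) =="
    locked_dirs "$root"
}

# Only run when a directory and at least one search string were given.
if [ "$#" -ge 2 ]; then
    report "$@"
fi
```

The script only reports; changing permissions and deleting anything stays a manual decision after you have looked at what is in each listed directory.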

Securely Access your Gmail

I’m playing catch-up on my RSS feeds this weekend and ran into a great tip on CNET for Gmail that allows you to enable https by default. This is definitely a good preventative measure to take, especially if you are using Gmail for your work.

Who is on your network?

I’ve been paranoid lately as someone hacked into my network a couple of months ago. Because of this I’ve taken certain security measures with my network. One thing I do is check my router’s active DHCP list to see if there is anyone accessing my network that shouldn’t be. I found a site that looks up MAC addresses to give you an idea of what it belongs to. This is helpful as I occasionally have renegade MAC addresses. I was able to determine that they are associated with my Virtual Machines that I run on my computer. Here is the readout from the MAC address lookup site:

   MAC Address
   Prefix         Vendor
   000C29       VMware, Inc.

This definitely helps reassure me that no one is breaking into my network.