dhananjaygbhardwaj · November 17, 2022 07:28
diff --git a/Cleaning-Hacked-WP.txt b/Cleaning-Hacked-WP.txt
 Cleaning a (typical) Hacked Site
 - Create backup of site
 - Deactivate any unnecessary plugins. Delete any plugins and themes that are not in use.
 - Update all plugins and WordPress through WP admin. We'll replace everything later, but this allows any database updates to happen.
 - Download wordpress.org/latest.zip. 
 - Download fresh copies of every plugin.
 - If ACF 4.x installed, upload ACF 5.x and go through database updates (if multi-site, have to go through each site as of now). Then delete ACF 4.x and add-on plugins.
 - Review wp-config.php to make sure there is no malicious code. If not confident, install fresh copy of wp-config.php with correct database information.
 - Deactivate site by commenting out database info in wp-config.php
 - Delete all files and folders in root directory except wp-config.php and wp-content/, and possibly any non-WP folders such as emails.
 - Manually look through wp-content/uploads/ for malicious files. Sometimes they are obvious PHP files and can be deleted. 
 - Connect to site via SSH and navigate to wp-content/uploads/
 - Execute search for PHP files in uploads: find . -name *.php
 - Delete any malicious files that are found.
 - Repeat previous 2 steps for blogs.dir on multisite.
 - Begin re-uploading WP core files and folders (do not overwrite wp-content)
 - Delete plugin folders and begin re-uploading fresh plugin copies to wp-content/plugins/.
 - Download active theme (or use backup copy).  Run a search on files for "base64" and "eval." If found in JS files, likely ok, if found in theme PHP files, likely malicious. I have not perfected a way to inspect our custom themes, but they are also not really a target. 
 - Reset database password and update wp-config.php
 - Reset SFTP password
 - Re-enable site in wp-config.php
 - Login to admin and navigate to BPS. Regenerate default and secure htaccess files. Reactivate htaccess and wp-admin htaccess.
 - Re-adjust file permissions to secure file permissions.
 - Delete unnecessary users. Reset all user passwords including your own.
 - Enable high sensitivity WP scan, scan images as binary files, and do a WP scan.
 - Adjust options back to regular WP scan after finished.
	Cleaning a (typical) Hacked Site
	- Create backup of site
	- Deactivate any unnecessary plugins. Delete any plugins and themes that are not in use.
	- Update all plugins and WordPress through WP admin. We'll replace everything later, but this allows any database updates to happen.
	- Download wordpress.org/latest.zip.
	- Download fresh copies of every plugin.
	- If ACF 4.x installed, upload ACF 5.x and go through database updates (if multi-site, have to go through each site as of now). Then delete ACF 4.x and add-on plugins.
	- Review wp-config.php to make sure there is no malicious code. If not confident, install fresh copy of wp-config.php with correct database information.
	- Deactivate site by commenting out database info in wp-config.php
	- Delete all files and folders in root directory except wp-config.php and wp-content/, and possibly any non-WP folders such as emails.
	- Manually look through wp-content/uploads/ for malicious files. Sometimes they are obvious PHP files and can be deleted.
	- Connect to site via SSH and navigate to wp-content/uploads/
	- Execute search for PHP files in uploads: find . -name *.php
	- Delete any malicious files that are found.
	- Repeat previous 2 steps for blogs.dir on multisite.
	- Begin re-uploading WP core files and folders (do not overwrite wp-content)
	- Delete plugin folders and begin re-uploading fresh plugin copies to wp-content/plugins/.
	- Download active theme (or use backup copy). Run a search on files for "base64" and "eval." If found in JS files, likely ok, if found in theme PHP files, likely malicious. I have not perfected a way to inspect our custom themes, but they are also not really a target.
	- Reset database password and update wp-config.php
	- Reset SFTP password
	- Re-enable site in wp-config.php
	- Login to admin and navigate to BPS. Regenerate default and secure htaccess files. Reactivate htaccess and wp-admin htaccess.
	- Re-adjust file permissions to secure file permissions.
	- Delete unnecessary users. Reset all user passwords including your own.
	- Enable high sensitivity WP scan, scan images as binary files, and do a WP scan.
	- Adjust options back to regular WP scan after finished.