A client of mine’s WordPress installation got hacked the other day – lots of hidden iframe tags pointing to various hacker domain names got inserted into various index.php files inside wp-content and wp-admin as well as inside the main index.php file.
This was the first of this kind of hijack that I have seen and to be honest I was taken aback.
After a few hours of downloading and scanning all files – luckily Avira antivirus catches the little buggers – I managed to clean up the installation and put up a stronger front in order to avoid future attacks.
Here is what I did to make sure all is clean on my client’s server:
1. Make a copy of the wp-content directory (downloaded to my PC and scanned to make sure it’s not infected).
2. Disable all plugins via the WordPress admin.
3. Delete everything from inside the WordPress directory.
4. Download the latest version of WordPress from wordpress.org.
5. Upload the latest version to the server, to the same location as the old files.
6. Upload the backed-up wp-content directory to the correct location.
7. Run the following SQL script against the WordPress database to make sure nothing is embedded inside the db:
SELECT * FROM wp_posts WHERE post_content LIKE '%iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
(Thanks to Smackdown)
8. Download and install Secure plugin and Security scan plugin from wordpress.org.
That seems to have done the trick for my client’s website.
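
A file-side counterpart to the SQL check in step 7, as an added example that is not part of the original post: it walks a WordPress directory and lists every line containing the same three markers (iframe, noscript, display:). The function names, the set of scanned file extensions and the sample tree with the injected.example URL are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Same three markers the SQL query in step 7 searches for, applied to files.
MARKERS = {
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "noscript": re.compile(r"<\s*noscript\b", re.I),
    "display": re.compile(r"display\s*:", re.I),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}  # assumed set of file types

def scan_file(path):
    """Return (line_number, marker_name, snippet) for every marker hit in one file."""
    hits = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in MARKERS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()[:120]))
    return hits

def scan_tree(root):
    """Walk root and map each file that has hits to its list of hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_tree(root):
    """Constructed sample: a clean index.php and one with a hidden iframe appended."""
    root = Path(root)
    (root / "wp-admin").mkdir(parents=True)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "index.php").write_text("<?php\n// Silence is golden.\n")
    (root / "wp-admin" / "index.php").write_text(
        "<?php\nrequire_once('admin.php');\n?>\n"
        '<iframe src="http://injected.example/" style="display:none"></iframe>\n'
    )
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in scan_tree(build_sample_tree(tmp)).items():
            for lineno, marker, snippet in hits:
                print(f"{name}:{lineno}: [{marker}] {snippet}")
```

Legitimate themes and core files also contain iframes and display: rules, so the output is a list of lines to review by hand, not a verdict.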
