Stay calm! Don't start deleting things or installing all kinds of crap that promises to clean your installation up. You don't know who wrote it, or whether it's simply adding more malicious crap to your blog. Take a deep breath, look up this blog post, and slowly and deliberately work down the checklist.
Take down the blog. Immediately. The quickest way with WordPress is to rename index.php in your root directory and upload a plain text file in its place saying you're offline for maintenance and will be back soon. Putting up an index.html next to the existing index.php is not enough, because WordPress serves every permalink through index.php and a visitor hitting an internal page still executes the injected code. Bear in mind that renaming index.php only stops requests that route through it: wp-login.php, wp-admin/, xmlrpc.php and any PHP file the attacker dropped are still reachable by direct URL, so if your host gives you the option, block the whole site at the web server instead (a deny rule in .htaccess, or your host's maintenance mode). The reason you need the blog down at all is that most of these hacks aren't done by hand; they're done by scripts that attach themselves to every writeable file in your installation, and a single request to any page can re-infect the files you're working to repair.
Back up your blog. Don't just back up your files; back up your database too. Store the copy somewhere off the server, clearly labelled as the infected snapshot, in case you need to refer to some of the files or information later. Don't restore from it wholesale, or you'll put the infection straight back.
Remove all themes. Themes are an easy way for a hacker to get scripted code into your blog, and most are written by designers who don't understand the nuances of securing your pages, your code, or your database. Remove means delete the directories under wp-content/themes, not just switch to another theme: a theme that is installed but inactive is still a set of PHP files reachable by direct URL.
Remove all plugins. Plugins are the easiest way for a hacker to get scripted code into your blog, and most are written by hack developers who don't understand the nuances of securing your pages, your code, or your database. Once a hacker finds a plugin file with a hole in it, they simply point crawlers at the web to find every other site running that same file. As with themes, deactivating isn't enough; delete the directories under wp-content/plugins.
Reinstall WordPress. When I say reinstall, I mean it: a fresh download of every core file, and your theme too. Don't forget wp-config.php. The download ships only wp-config-sample.php, so your wp-config.php is never overwritten when you copy WordPress over the top; rebuild it from the sample, carrying over only the database settings, generate new salts while you're at it, and change the database password, since whatever ran on the server could read the old one. In this blog, I found the malicious script was Base64-encoded, so it just looked like a blob of text, and it had been inserted at the top of every single file, including wp-config.php.
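The kind of injection described in this step, an eval() fed from a Base64 blob at the top of every PHP file, is easy to locate with a script before you start copying files around. What follows is an added example written for this article, not code from the original post. It builds two constructed sample trees in a temporary directory (a pristine copy and a hacked copy), then flags PHP files that feed eval() from a decoder and shows what the Base64 blob decodes to, and separately lists files that differ from the clean copy or don't exist in it, which is where dropped backdoors turn up. The file names, paths and payload are made up for the demo. On a real site you would point `site` at your web root and `clean` at a fresh download of the same WordPress version; wp-config.php and everything under wp-content will always land in the "extra" list because the download doesn't contain them, so read those by hand.

```python
"""Locate obfuscated PHP injections and files that differ from a clean copy.

Added example for this article, not code from the original post.  The sample
trees below are constructed in a temp directory; nothing here touches a
real site.
"""
from __future__ import annotations

import base64
import filecmp
import re
import tempfile
from pathlib import Path

# eval() fed from a decoder is the signature of the blob described above.
SUSPICIOUS = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
# The Base64 argument itself, so the payload can be shown in clear text.
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{20,})['\"]")


def scan_file(path: Path) -> dict | None:
    """Return a finding for one PHP file, or None if nothing matches."""
    text = path.read_text(errors="replace")
    hit = SUSPICIOUS.search(text)
    if hit is None:
        return None
    finding = {"file": str(path), "line": text.count("\n", 0, hit.start()) + 1, "decoded": ""}
    blob = B64_ARG.search(text, hit.start())
    if blob:
        try:
            finding["decoded"] = base64.b64decode(blob.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            finding["decoded"] = "<not valid base64>"
    return finding


def scan_tree(root: Path) -> list[dict]:
    """Findings for every .php file under root, in path order."""
    return [f for p in sorted(root.rglob("*.php")) if (f := scan_file(p))]


def diff_against_clean(site: Path, clean: Path) -> dict[str, list[str]]:
    """Compare the live tree with a pristine WordPress of the same version.

    'modified': same path in both, different bytes (an injected core file).
    'extra': not in the clean copy at all (a dropped backdoor, but also
    wp-config.php and wp-content/, which the download never contains).
    """
    modified, extra = [], []
    for p in sorted(site.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(site).as_posix()
        ref = clean / rel
        if not ref.exists():
            extra.append(rel)
        elif not filecmp.cmp(p, ref, shallow=False):
            modified.append(rel)
    return {"modified": modified, "extra": extra}


# --- constructed sample data (assumed layout, not a real site) -------------
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
PAYLOAD = base64.b64encode(b"<?php @include('/tmp/.x.php'); ?>").decode()
INJECTED = f"<?php eval(base64_decode('{PAYLOAD}')); ?>\n"


def build_demo(base: Path) -> tuple[Path, Path]:
    """Write a clean tree and a hacked tree that share one untouched core file."""
    clean, site = base / "clean", base / "site"
    for root in (clean, site):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "load.php").write_text("<?php\n// loader\n")
    (clean / "index.php").write_text(CLEAN_INDEX)
    (site / "index.php").write_text(INJECTED + CLEAN_INDEX)  # blob prepended
    (site / "wp-config.php").write_text(INJECTED + "<?php\ndefine('DB_NAME', 'wp');\n")
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-content" / "uploads" / "cache.php").write_text(  # dropped backdoor
        "<?php eval(str_rot13($_POST['c']));\n"
    )
    return clean, site


def run_demo() -> tuple[list[dict], dict[str, list[str]]]:
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = build_demo(Path(tmp))
        findings = scan_tree(site)
        for f in findings:  # report paths relative to the web root
            f["file"] = Path(f["file"]).relative_to(site).as_posix()
        return findings, diff_against_clean(site, clean)


if __name__ == "__main__":
    findings, diff = run_demo()
    for f in findings:
        print(f"{f['file']}:{f['line']}  decodes to {f['decoded']!r}")
    print("modified vs clean:", diff["modified"])
    print("not in clean copy:", diff["extra"])
```

The decoder list is deliberately short; attackers also hide eval() behind string concatenation or variable function names, so treat a clean scan as "nothing obvious", not "nothing there", and rely on the comparison against a fresh download for core files.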
Review your database. Look especially at the options table (siteurl, home, active_plugins, and any option value carrying script tags, iframes or a base64_decode call) and the posts table (hidden divs, iframes, and links to sites you don't recognise). If you've never looked at your database before, be prepared to find phpMyAdmin or another query tool in your host's management panel. It's not fun, but it's a must.
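To make the options and posts review less of a record-by-record slog, here is an added example written for this article (not code from the original post) that runs the two queries you would otherwise type into phpMyAdmin and then gives each returned row a reason. It uses SQLite as a stand-in for MySQL so it runs offline; the SELECT statements use only syntax that works unchanged against a real WordPress database. Assumptions: the default wp_ table prefix, example.org as the blog's own hostname, and the sample rows, which are constructed for the demo.

```python
"""Review wp_options and wp_posts for injected content.

Added example for this article, not code from the original post.  SQLite
stands in for MySQL so this runs offline; the two SELECTs work unchanged in
phpMyAdmin.  Assumed: the default wp_ prefix and example.org as your domain.
"""
from __future__ import annotations

import re
import sqlite3

SITE_HOST = "example.org"  # assumed: your own domain; anything else is "foreign"

# Coarse filter in SQL: the options that control where the site lives, plus
# any option value carrying markup or a PHP decoder call.
OPTIONS_QUERY = """
SELECT option_name, option_value FROM wp_options
 WHERE option_name IN ('siteurl', 'home', 'active_plugins')
    OR option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'
    OR option_value LIKE '%base64_decode%' OR option_value LIKE '%eval(%'
 ORDER BY option_name
"""
# Posts: injected scripts, iframes and hidden spam blocks.
POSTS_QUERY = """
SELECT ID, post_title, post_content FROM wp_posts
 WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
    OR post_content LIKE '%display:none%' OR post_content LIKE '%display: none%'
 ORDER BY ID
"""
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def foreign_hosts(text: str) -> set[str]:
    """Hostnames referenced in text that are not the blog's own."""
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    return {h for h in hosts if h != SITE_HOST and not h.endswith("." + SITE_HOST)}


def suspicious_reasons(text: str) -> list[str]:
    """Finer pass in Python over each row the SQL returned."""
    reasons = []
    if re.search(r"<script|<iframe", text, re.I):
        reasons.append("injected markup")
    if re.search(r"base64_decode|eval\s*\(", text, re.I):
        reasons.append("embedded PHP decoder")
    if re.search(r"display\s*:\s*none", text, re.I):
        reasons.append("hidden block")
    hosts = foreign_hosts(text)
    if hosts:
        reasons.append("links to " + ", ".join(sorted(hosts)))
    return reasons


def review(conn: sqlite3.Connection) -> dict[str, list[dict]]:
    """Rows from both tables that have at least one reason to be looked at."""
    options = []
    for name, value in conn.execute(OPTIONS_QUERY):
        if reasons := suspicious_reasons(value):
            options.append({"option_name": name, "reasons": reasons})
    posts = []
    for post_id, title, content in conn.execute(POSTS_QUERY):
        if reasons := suspicious_reasons(content):
            posts.append({"ID": post_id, "post_title": title, "reasons": reasons})
    return {"wp_options": options, "wp_posts": posts}


# --- constructed sample database (not real data) ---------------------------
SCHEMA = """
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                         option_value TEXT, autoload TEXT DEFAULT 'yes');
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                       post_content TEXT, post_status TEXT DEFAULT 'publish');
"""
OPTIONS = [
    ("siteurl", "https://example.org"),
    ("home", "https://example.org"),
    ("blogname", "My Blog"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("widget_text", '<div><script src="http://evil.example.net/js.php"></script></div>'),
    ("plugin_settings_cache", 'eval(base64_decode("aGk="))'),
]
POSTS = [
    (1, "Hello world", "<p>Welcome to my blog.</p>"),
    (2, "About", '<p>Contact me.</p><div style="display:none">'
                 '<a href="http://pharma.example.net/">cheap pills</a></div>'),
    (3, "Links", '<a href="https://example.org/archive">my archive</a>'),
    (4, "Photos", '<p>Gallery</p><iframe src="http://malware.example.net/f" width="1" height="1"></iframe>'),
]


def run_demo() -> dict[str, list[dict]]:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)", OPTIONS)
    conn.executemany("INSERT INTO wp_posts (ID, post_title, post_content) VALUES (?, ?, ?)", POSTS)
    return review(conn)


if __name__ == "__main__":
    for table, rows in run_demo().items():
        for row in rows:
            print(table, row)
```

siteurl, home and active_plugins come back from the query regardless, so you see them even when nothing flags; a siteurl pointing at a domain you don't own, or a plugin path in active_plugins you never installed, is as telling as any script tag.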
Start up WordPress with a default theme and no plugins installed. If your content appears and you don't see any automated redirects to malicious sites, you're probably okay. If you still get a redirect to a malicious site, clear your browser cache first to be sure you're looking at a fresh copy of the page and not a cached one. Failing that, you may need to go through your database record by record to locate whatever content is paving the way back into your blog. Chances are your database is clean, but you never know!
Install your theme. If the malicious code replicated, your theme is almost certainly infected too. You may need to go line by line through the theme files to be sure there's no malicious code; you may be better off starting from a fresh copy. Open a post and check whether you're still infected.
Install your plugins. You may first want to use a plugin such as Clean Options to remove leftover options from plugins you no longer use or want. Don't go crazy though; this plugin isn't the best, and it often lists (and lets you delete) settings you want to keep. Download fresh copies of all your plugins from the WordPress.org plugin directory rather than restoring them from your backup. Run your blog again!
If the issue comes back, chances are you've reinstalled a plugin or theme that's vulnerable. If the issue never leaves, you've probably taken a shortcut somewhere in this list. Don't take shortcuts.
These hackers are nasty folks! Not understanding every plugin and theme file puts us all at risk, so be vigilant. Install plugins that have great ratings, plenty of installs, a steady download history, and recent updates from the author. Read the comments people have left on them.