
More help for self-hosted WordPress blog hijackings

Wednesday, December 1, 2010 - 4:48pm

Odd files

  1. Now that the core files are updated, look through the site in SmartFTP for anything unusual. Sort the files by date modified: hijacked files usually stand out as a strange file or two changed well after everything else. Compare the file list against the fresh copy of WordPress you just uploaded. Typical finds are files such as “index.main.php” and other strangely named index and category pages that are not part of WordPress.
  2. Double-check that each “odd” file really is not part of the WordPress download (the same version you just uploaded), and then delete it.
  3. Look at the .htaccess file in your root. It should contain only the block below, unless you use a plugin like wp-cache that rewrites it; even then, such plugins clearly label the lines they add. The code should be:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

You will more than likely find that your .htaccess has been changed. Treat anything outside the BEGIN/END block that you or a known plugin did not add (extra RewriteRule or RewriteCond lines, redirects, ErrorDocument lines) as injected. Replace the whole file with the block above, reupload it, and then set its permissions to 644 so only the file owner can write it. Keep in mind that on many shared hosts (cPanel with suPHP, for example) PHP runs as that same owner, so 644 stops other accounts on the server but not a script that is still planted in your site; that is why the file clean-up above has to be thorough.
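The file and .htaccess checks above can be done offline instead of by eye in an FTP listing. The script below is an added example, not code from the original post: it compares a downloaded copy of the site against an unpacked clean copy of the same WordPress version. The site and clean paths, the is_expected allow list, and the sample trees built by make_sample are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: do the "odd files" and
# .htaccess checks offline against a clean copy of the same WordPress version.
# Assumptions: the whole site has been downloaded over FTP into one folder
# ($site) and the matching official wordpress-x.y.z.zip has been unpacked into
# another ($clean). The trees built by make_sample are constructed so the
# script runs stand-alone; they are not real site contents.
set -eu
export LC_ALL=C   # stable sort order for the comparisons below

# Files that legitimately exist on a live site but not in the download.
# Anything else that is missing from the clean copy is suspect.
is_expected() {
    case "$1" in
        wp-config.php|.htaccess) return 0 ;;
        wp-content/uploads/*|wp-content/plugins/*|wp-content/themes/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Relative paths of site files changed within the last $2 days (the "sort by
# date modified" pass from the post).
recently_modified() {
    ( cd "$1" && find . -type f -mtime -"$2" | sed 's#^\./##' | sort )
}

# Site files with no counterpart in the clean copy, e.g. index.main.php.
extra_files() {
    site=$1; clean=$2
    ( cd "$site" && find . -type f | sed 's#^\./##' | sort ) | while read -r f; do
        [ -e "$clean/$f" ] && continue
        is_expected "$f" && continue
        printf '%s\n' "$f"
    done
}

# Core files whose contents differ from the clean copy: after re-uploading the
# core, any file still listed here means the upload failed or something
# rewrote it afterwards.
changed_core_files() {
    site=$1; clean=$2
    ( cd "$clean" && find . -type f | sed 's#^\./##' | sort ) | while read -r f; do
        [ -e "$site/$f" ] || continue
        cmp -s "$clean/$f" "$site/$f" || printf '%s\n' "$f"
    done
}

# The canonical block the post says .htaccess should contain and nothing else
# (unless a caching plugin added a clearly labelled block of its own).
WP_HTACCESS='# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress'

# Succeeds only when the file is exactly that block (blank lines ignored).
htaccess_is_canonical() {
    actual=$(grep -v '^[[:space:]]*$' "$1" || true)
    [ "$actual" = "$WP_HTACCESS" ]
}

# Constructed sample: a tiny "clean" tree and a "site" tree with one tampered
# core file, one planted index.main.php and an altered .htaccess, all invented
# for this demonstration. Prints the temporary root directory.
make_sample() {
    root=$(mktemp -d)
    clean=$root/clean; site=$root/site
    mkdir -p "$clean/wp-admin" "$site/wp-admin" "$site/wp-content/uploads"
    printf '<?php /* core */\n' > "$clean/index.php"
    printf '<?php /* core */\n' > "$clean/wp-admin/admin.php"
    cp "$clean/index.php" "$site/index.php"                                # untouched core file
    printf '<?php /* core, modified */\n' > "$site/wp-admin/admin.php"     # tampered core file
    printf '<?php /* not part of WordPress */\n' > "$site/index.main.php"  # planted file
    printf 'jpegdata\n' > "$site/wp-content/uploads/photo.jpg"             # legitimate upload
    printf '%s\n' "$WP_HTACCESS" > "$root/good.htaccess"
    { printf '%s\n' "$WP_HTACCESS"; printf 'RewriteRule ^(.*)$ http://example.com/ [R,L]\n'; } > "$site/.htaccess"
    # Backdate the files nobody touched so the modified-date pass singles out the rest.
    touch -t 201001010000 "$site/index.php" "$site/wp-content/uploads/photo.jpg"
    printf '%s\n' "$root"
}

# Stand-alone run against the constructed sample.
root=$(make_sample)
echo "recently modified:";  recently_modified "$root/site" 30
echo "extra files:";        extra_files "$root/site" "$root/clean"
echo "changed core files:"; changed_core_files "$root/site" "$root/clean"
htaccess_is_canonical "$root/site/.htaccess" || echo ".htaccess has been altered"
rm -rf "$root"
```

Download the whole site to a local folder, unpack the matching release zip beside it, and call the functions with those two paths. Files listed by extra_files are the candidates for deletion in step 2, and changed_core_files tells you whether the core re-upload actually took.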

Install plugins

  1. Install and activate these three plugins:

Run plugins

  1. Run Exploit Scanner. You will find it under the Dashboard menu. It probably won’t find anything, but run it anyway.
  2. Run Security. It is found at the very bottom of the left column. It will probably give you a list of items in red. You are going to fix those next.
  3. Run Security-Scanner. This lists all of your file and directory permissions that are out of line with what WordPress expects. Fix these in SmartFTP (right-click, CHMOD): the usual targets are 755 for directories and 644 for files, with nothing world-writable.

Fix the database

  1. Click back to Security-Security. These are the things you are going to fix. (WARNING! You need to know your way around your database for this. Don’t attempt it if you are not completely comfortable. It has to be done to make the WordPress blog as secure as possible, so get help if you are unsure what you are doing.)
  2. Log in to cPanel and go to “MySQL Databases.” Under current databases, delete the user attached to the blog’s database; there should be only one. The point is to retire the password the attacker may have read out of wp-config.php. Go back, add a new user with a very strong password, and give that user access to the database with all privileges. The blog will be down from now until wp-config.php is updated in step 5, so do the next steps in one sitting.
  3. Now go back to the cPanel home and open phpMyAdmin. Back up your database (export the whole database to a file) before changing anything. Here’s how.
  4. Follow the steps here to change your wp_ table prefix. Remember that the prefix also appears inside the data, in the wp_user_roles option and in the capability keys in the usermeta table; those have to be renamed as well or you will be locked out of the dashboard.
  5. Go to SmartFTP. Edit wp-config.php in your root (public_html, unless the blog is in a folder) with the new database user, password and table prefix. Use the WordPress secret-key generator (the WP link provided; the URL is also in the comments of wp-config.php) to replace the secret keys too, since new keys invalidate every existing login cookie, including any the attacker holds. Save and reupload.
  6. Move (not copy) the newly uploaded wp-config.php one level up, out of the web root. If it is in public_html, drag it into the folder that contains public_html, the account’s home directory shown at the top of the SmartFTP tree, and drop it there. WordPress looks one directory above its own root for wp-config.php, so it still finds the file, but the file is no longer inside a web-served directory. If the blog is in a subfolder, skip this step, because one level up is still inside public_html.
  7. Double-check that everything is OK by loading the blog. If you are prompted to install WordPress, it either could not find wp-config.php or could not find tables with the prefix it names, so something went wrong in the previous three steps. Don’t panic. Just repeat steps 4, 5 and 6.
  8. Now back to the database in phpMyAdmin. Click Structure, open the users table (now with your new prefix) and click Browse. Edit the admin row. Change admin to your new user name in user_login, and also in user_nicename and display_name if they still say admin, so that is 2 or 3 spots depending on how the account was set up to begin with. From now on you log in to WordPress with that name instead of the default “admin.”
  9. Go to the WordPress admin panel. You will be prompted to log in again with your new user name.
  10. Click Security-Security again. The last item in red should be a prompt about putting a .htaccess file in the wp-admin folder to restrict it by IP address. If the blog owner always accesses the panel from one or two computers with a static IP, this is a great security step. However, if they use a dynamic IP and/or access the WordPress panel from other computers, don’t do this, or they will lock themselves out. If they share the blog with someone else, that person’s IP has to go in as well. Here’s how.
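The two database edits above (the prefix change in step 4 and the admin rename in step 8) are easier to get right when the SQL is written out and reviewed before it is run. This added example is not from the original post: it generates those statements from a list of table names. The wp_ and k7q_ prefixes, the blogowner user name and the table list are placeholders, and the output is meant to be pasted into phpMyAdmin’s SQL tab after the backup from step 3.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the SQL for the
# prefix change and the admin rename so it can be reviewed and then pasted into
# phpMyAdmin's SQL tab after the backup. The prefixes, the user name and the
# table list below are placeholders chosen for this demonstration.
set -eu

# Allow only characters that are safe inside a MySQL identifier or a quoted
# string, so nothing typed here can change the meaning of the statements.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Read table names (one per line, as listed by SHOW TABLES) from stdin and emit
# RENAME TABLE for every table that starts with $1, renaming it to start with
# $2. Then fix the places where WordPress keeps the prefix inside row data: the
# <prefix>user_roles option and the <prefix>capabilities / <prefix>user_level
# keys in usermeta. Skipping those UPDATEs is the classic way to lock yourself
# out after a prefix change.
prefix_change_sql() {
    old=$1; new=$2
    safe_token "$old" && safe_token "$new" || { echo "bad prefix" >&2; return 1; }
    while read -r tbl; do
        case "$tbl" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$tbl" "$new" "${tbl#"$old"}" ;;
        esac
    done
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # LIKE treats _ as a one-character wildcard, so 'wp_%' also matches keys such
    # as wpXfoo; harmless here because REPLACE only rewrites the exact string.
    printf "UPDATE \`%susermeta\` SET meta_key = REPLACE(meta_key, '%s', '%s') WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$old" "$new" "$old"
}

# The admin rename from step 8: the login name lives in user_login, and the same
# value usually sits in user_nicename and display_name, so all three get the new
# name. The numeric user ID, and therefore post ownership, is untouched.
admin_rename_sql() {
    prefix=$1; newname=$2
    safe_token "$prefix" && safe_token "$newname" || { echo "bad name" >&2; return 1; }
    printf "UPDATE \`%susers\` SET user_login = '%s', user_nicename = '%s', display_name = '%s' WHERE user_login = 'admin';\n" \
        "$prefix" "$newname" "$newname" "$newname"
}

# Stand-alone run with a constructed table list.
printf 'wp_options\nwp_posts\nwp_usermeta\nwp_users\n' | prefix_change_sql wp_ k7q_
admin_rename_sql k7q_ blogowner
```

Run the RENAME and UPDATE statements first, then edit wp-config.php to the new prefix (step 5); run the admin rename last, once you can log in with the new prefix.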

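For the wp-admin restriction in step 10, the following added example (not from the original post) writes the .htaccess for a given set of static addresses and refuses anything that is not a plain IPv4 address or range, so a typo cannot produce a file that locks everyone out or nobody. The addresses 203.0.113.5 and 198.51.100.0/24 are documentation placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the wp-admin/.htaccess
# that limits the admin panel to fixed addresses, for the "static IP" case the
# post describes. The addresses used below are documentation placeholders.
set -eu

# Accept only an IPv4 dotted quad, optionally with a /0-32 mask.
valid_ip() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|*..*|/*|*/|*/*/*) return 1 ;;
        */*) mask=${1#*/}; [ "$mask" -ge 0 ] && [ "$mask" -le 32 ] || return 1 ;;
    esac
    set -- $(printf '%s' "${1%%/*}" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the .htaccess contents. This is Apache 2.2 syntax, which is what shared
# hosts ran when the post was written; on Apache 2.4 the equivalent is
# "Require ip <address>" in place of Order/Deny/Allow. admin-ajax.php lives in
# wp-admin but is called from the public site by themes and plugins, so it is
# explicitly reopened; without that, front-end features that use it break for
# every visitor who is not on the allow list.
wp_admin_htaccess() {
    [ $# -gt 0 ] || { echo "refusing to write a file that would lock everyone out" >&2; return 1; }
    for ip in "$@"; do
        valid_ip "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    printf 'Order Deny,Allow\nDeny from all\n'
    for ip in "$@"; do
        printf 'Allow from %s\n' "$ip"
    done
    printf '<Files admin-ajax.php>\nOrder Allow,Deny\nAllow from all\n</Files>\n'
}

# Stand-alone run: one home address and one office range (placeholders).
wp_admin_htaccess 203.0.113.5 198.51.100.0/24
```

Save the output as wp-admin/.htaccess with permissions 644. Before relying on it, load the dashboard from an address that is not on the list and confirm you get a 403, then load a page of the public site to confirm nothing on it broke.
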
Final steps

  1. Install the WP-DB-Backup plugin. Have a copy emailed to you and to the blog owner at a frequency that matches how often they post. (Note: I had to manually create the file in SmartFTP on each blog I installed it on. Make sure after you create the folder and the plugin installs correctly to change the permissions back to 777. Have it emailed to you so that it does not stay on the server with a 777 permission code.) A 777 folder is writable by every account on the server, which is exactly the kind of foothold you have just cleaned up, so if the plugin works with 755 and the web server as the folder’s owner, use that instead, and in any case never leave backups in a web-readable folder.
  2. Change the WordPress admin password and the cPanel password to something strong and unique. Write these down and keep them somewhere safe!
  3. Last but not least, re-run both the Security and Exploit Scanner plugins. Then log out and log in again. Check everything. You should be good to go and far more secure than before.

More help with WordPress security

Anne-Marie Nichols is the Managing Editor of Mom Central Blogger University. You can also find her blogging up some healthy recipes at This Mama Cooks!
