How to Recover from a Hacked WordPress Website


1. SSH to the server (if there is no SSH access, download all the WordPress files to your PC and run the same steps there).

2. Check the website's WordPress version. readme.html is the quick way; if it has been removed (it often is) or looks stale, the $wp_version line in wp-includes/version.php is the authoritative value:
cd /home/siteuser/public_html/
more readme.html
.....

<h1 id="logo">
<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/imag
es/wordpress-logo.png" /></a>
<br /> Version 4.5.2 <--------------------- take note of the WordPress version
</h1>
.....

3. Download the exact same WordPress version into a temporary directory on the server (or on your PC, if the WordPress files were downloaded there). Get it from https://wordpress.org/download/ (if latest) or https://wordpress.org/download/release-archive/ (if an older version), never through the compromised site's own updater. The release archive lists an MD5 and SHA1 for every package; compare the downloaded file against them before extracting, so that the reference copy itself can be trusted.
mkdir ~/src
cd ~/src
wget -t 0 -c "https://wordpress.org/wordpress-4.5.2.tar.gz"

--2016-05-11 10:22:43-- https://wordpress.org/wordpress-4.5.2.tar.gz

Resolving wordpress.org... 66.155.40.250, 66.155.40.249
Connecting to wordpress.org|66.155.40.250|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7770470 (7.4M) [application/octet-stream]
Saving to: “wordpress-4.5.2.tar.gz”

100%[======================================>] 7,770,470 560K/s in 14s

2016-05-11 10:22:58 (529 KB/s) - “wordpress-4.5.2.tar.gz” saved [7770470/7770470]

4. Extract the downloaded WordPress release in the temporary directory (this is the pristine reference copy, matching the site's version, not necessarily the latest release):
cd ~/src
tar xzvpf wordpress-4.5.2.tar.gz

5. Run a full recursive diff between the freshly extracted WordPress and the current website (if both are on your PC, use a diff GUI such as http://winmerge.org/). The pristine copy has no wp-config.php or .htaccess, so both will only ever show up as "Only in" entries; read them by hand anyway, because they are common places for injected code and redirects:
diff -rc ~/src/wordpress /home/siteuser/public_html > ~/DIFFS

6. Review the diff results, ignoring missing files for now (lines prefixed "Only in ..."):
vim ~/DIFFS
- Ideally there are no differences at all.
- If there are, note which files differ and what was changed.

7. If there are differences and you suspect malware or unknown code, back up the current website and overwrite the WordPress files in it with the freshly downloaded version. cp -a preserves ownership and timestamps, which you need if you later want to work out when the files were changed; keep public_html.HACKED outside the web root and do not delete it. rsync without --delete does not remove files that exist only on the site; those are dealt with in step 8:
cd /home/siteuser
cp -ai public_html public_html.HACKED
rsync -av ~/src/wordpress/ public_html/

8. Re-run the diff command from step 5 and review the results, this time focusing on files that exist only in the current website (prefixed "Only in /home/siteuser/public_html..."):
vim ~/DIFFS
- Ignore directories for now, especially those under the plugins and themes directories.
- For each file prefixed "Only in /home/siteuser/public_html", open it in vim and decide whether it is legitimate. If it contains malware or code you cannot account for, move it out of the web root (outside public_html, so it can no longer be requested over HTTP but is kept for later analysis):
mkdir /home/siteuser/MALWARE
mv -vi /home/siteuser/public_html/some-random-malware-file.php /home/siteuser/MALWARE/
- When done, re-run the diff and review it again, until every remaining file is accounted for.

9. Log in to the site's WordPress admin and update WordPress core, all plugins and all themes.
- Make sure everything updated successfully and nothing still needs an update.
- Review each plugin; if it is disabled and unused, delete it via the admin GUI.
- Review each theme; if it is disabled and unused, delete it via the admin GUI.

10. In the WordPress admin, go through each plugin and download fresh plugin files manually into a temporary directory on the server (or PC). The version you download must be the one now installed on the site (after step 9, the current release), otherwise the diff will be full of legitimate differences. For example:
- WordPress Admin --> Plugins --> Plugin --> View Details --> WordPress.org Plugin Page --> right-click the Download link and copy the URL
- Download the plugin into the temporary directory on the server (or PC):
cd ~/src
wget -t 0 -c "https://downloads.wordpress.org/plugin/plugin.version-x.x.x.zip"
- Extract it into the plugins folder inside the WordPress folder extracted earlier:
cd ~/src/wordpress/wp-content/plugins
unzip ~/src/plugin.version-x.x.x.zip
- Repeat this for all plugins, until every plugin used by the site is present in pristine form inside the temporary WordPress folder.
- Re-run the full diff between the temporary WordPress folder and the current website, and review the results again (this time the comparison covers plugin files too):
diff -rc ~/src/wordpress /home/siteuser/public_html > ~/DIFFS
vim ~/DIFFS
- Repeat the process from step 8, this time including plugin files in the analysis.

11. In the WordPress admin, go through each theme and download fresh theme files manually into a temporary directory on the server (or PC). For example:
- WordPress Admin --> Appearance --> Themes --> Theme name
- If the theme page lists a source URL, go there and download a fresh copy of the theme manually (for a purchased theme, use the vendor account it was bought with). If it cannot be found, search for it; if no pristine copy exists at all, treat every file in that theme as unverified and read it by hand.
- Download the theme into the temporary directory on the server (or PC):
cd ~/src
wget -t 0 -c "http://some-theme-site.com/some-theme-files.version-x.x.x.zip"
- Extract it into the themes folder inside the WordPress folder extracted earlier:
cd ~/src/wordpress/wp-content/themes
unzip ~/src/some-theme-files.version-x.x.x.zip
- Repeat this for all themes, until every theme used by the site is present in pristine form inside the temporary WordPress folder.
- Re-run the full diff between the temporary WordPress folder and the current website, and review the results again (this time the comparison covers theme files too):
diff -rc ~/src/wordpress /home/siteuser/public_html > ~/DIFFS
vim ~/DIFFS
- Repeat the process from step 8, this time including theme files in the analysis.

12. Run another full diff and review it, this time focusing on directories that exist only in the current website:
diff -rc ~/src/wordpress /home/siteuser/public_html > ~/DIFFS
vim ~/DIFFS
- Focus on directories prefixed "Only in /home/siteuser/public_html/...", for example "Only in /home/siteuser/public_html/wp-content: uploads"
- For each of these directories, run a find for injected PHP files. uploads should hold media only and must not contain any .php file at all; also look for variants such as .phtml or .php5, and for any .htaccess dropped into uploads to re-enable PHP execution there:
cd /home/siteuser/public_html/wp-content/uploads
find . -iname "*.php"
- If any are found, move them to the MALWARE directory:
mv -vi /home/siteuser/public_html/wp-content/uploads/some-malware-file.php /home/siteuser/MALWARE/
- Repeat with the other folders, e.g. 'upgrade' (which WordPress uses only as scratch space during updates and is normally empty).
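The file-level checks from steps 2, 5, 8 and 12 (core version, modified files, files only present on the site, PHP under uploads) as a small set of shell functions. This is an added example written for this page, not a script from the original article; the function names are assumptions, and the demo at the bottom runs against a constructed fixture so it can be tried without a real site. Point the same functions at ~/src/wordpress and /home/siteuser/public_html to use them for real.

```shell
#!/bin/sh
# Added example, not part of the original article: the file-level checks
# from steps 2, 5, 8 and 12 as reusable shell functions. Every function
# takes the pristine tree and/or site tree as arguments, so it works on
# the real paths (~/src/wordpress, /home/siteuser/public_html) or on the
# constructed demo fixture built by wp_demo_fixture below.

# Step 2: read the core version from wp-includes/version.php, which is
# authoritative; readme.html can be stale or deleted.
wp_core_version() {
    sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Step 5/6: files present in both trees whose contents differ.
# Prints paths relative to the tree root, one per line (cmp handles
# binaries too; use diff -rc afterwards to read what actually changed).
wp_modified_files() {
    pristine=$1; site=$2
    ( cd "$pristine" && find . -type f ) | while IFS= read -r f; do
        if [ -f "$site/$f" ] && ! cmp -s "$pristine/$f" "$site/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done | LC_ALL=C sort
}

# Step 8: files that exist only in the site tree ("Only in ..." in the
# diff output). wp-config.php and .htaccess always appear here and are
# expected; everything else needs to be read.
wp_extra_files() {
    pristine=$1; site=$2
    ( cd "$site" && find . -type f ) | while IFS= read -r f; do
        if [ ! -e "$pristine/$f" ]; then
            printf '%s\n' "${f#./}"
        fi
    done | LC_ALL=C sort
}

# Step 12: PHP-like files under a directory that should only hold data.
# Also catches .phtml/.php5/.phar, which most PHP handlers still execute.
wp_php_in_dir() {
    ( cd "$1" && find . -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) ) | sed 's|^\./||' | LC_ALL=C sort
}

# Constructed demo fixture (not real WordPress files): a tiny "pristine"
# tree and a "site" tree with one modified core file, one unknown file in
# the docroot, one expected extra (wp-config.php) and a PHP file in
# uploads. Prints the fixture's base directory.
wp_demo_fixture() {
    base=$(mktemp -d)
    for t in pristine site; do
        mkdir -p "$base/$t/wp-includes" "$base/$t/wp-admin"
        printf "<?php\n\$wp_version = '4.5.2';\n" > "$base/$t/wp-includes/version.php"
        printf '<?php\n// clean index\n' > "$base/$t/index.php"
        printf '<?php\n// clean admin\n' > "$base/$t/wp-admin/admin.php"
    done
    mkdir -p "$base/site/wp-content/uploads/2016/05"
    printf '<?php\n// clean index\n// constructed injected line\n' > "$base/site/index.php"
    printf '<?php\n// constructed config\n' > "$base/site/wp-config.php"
    printf '<?php\n// constructed unknown file\n' > "$base/site/wp-ajax.php"
    printf '<?php\n// constructed file that should not be in uploads\n' > "$base/site/wp-content/uploads/2016/05/img.php"
    printf 'not php\n' > "$base/site/wp-content/uploads/2016/05/photo.jpg"
    printf '%s\n' "$base"
}

# Demo run against the constructed fixture.
base=$(wp_demo_fixture)
echo "core version: $(wp_core_version "$base/pristine")"
echo "--- modified core files"; wp_modified_files "$base/pristine" "$base/site"
echo "--- only in site";        wp_extra_files "$base/pristine" "$base/site"
echo "--- php in uploads";      wp_php_in_dir "$base/site/wp-content/uploads"
rm -rf "$base"
```

On a real site, wp_extra_files is the list to work through in step 8, and wp_modified_files run after the rsync in step 7 should come back empty; anything it still reports was changed again after the overwrite, which means the site is being written to while you work on it.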

13. RECOMMENDED (especially for an abandoned or unmaintained site): once the steps above are done, the files are clean. Harden the site by making the whole directory read-only, leaving only the uploads directory writable (if the site still needs updating at all):
cd /home/siteuser
chmod -R a-w public_html
chattr +i public_html
chmod -R u+w public_html/wp-content/uploads
A few caveats: chattr needs root and applies only to the public_html directory itself (it is not recursive), so it stops entries being added or removed directly in the docroot but relies on the chmod for everything below; the u+w on uploads only helps if PHP runs as siteuser, so if it runs as the web server user instead, adjust ownership accordingly; and WordPress can no longer update itself, so the lock has to be lifted (chattr -i, chmod -R u+w) and re-applied for every update. Cleaning files also does not revoke anything the attacker took: change the passwords of every WordPress admin account, the database user and the SSH/FTP account, replace the keys and salts in wp-config.php so that all existing sessions are invalidated, and remove any admin user you do not recognise.
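A check for the lockdown above, added here as an example (not from the original article; the function names are assumptions): list everything under the document root that still has its user-write bit set outside wp-content/uploads. Because chattr +i covers only the public_html directory itself, a recursive permission check is the only way to confirm the chmod took everywhere and that nothing has since been re-created writable. The demo applies the scheme to a constructed fixture and skips chattr, which needs root.

```shell
#!/bin/sh
# Added example, not part of the original article: verify the read-only
# lockdown. Paths are arguments; the demo builds a constructed fixture
# rather than touching a real site.

# Print every path under DOCROOT that is user-writable and not under
# wp-content/uploads. Empty output means the lockdown is complete.
wp_writable_outside_uploads() {
    docroot=$1
    find "$docroot" -perm -u+w \
        ! -path "$docroot/wp-content/uploads" \
        ! -path "$docroot/wp-content/uploads/*" | LC_ALL=C sort
}

# Apply the article's permission scheme to DOCROOT (chattr +i is left
# out here: it needs root and an ext2/3/4 filesystem, and is not recursive
# anyway, which is exactly why the check above exists).
wp_lock_down() {
    chmod -R a-w "$1"
    chmod -R u+w "$1/wp-content/uploads"
}

# Constructed fixture: a fake docroot with a few core files and an
# uploads directory. Prints the fixture's base directory.
wp_perm_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/wp-admin" "$base/public_html/wp-content/uploads/2016"
    : > "$base/public_html/index.php"
    : > "$base/public_html/wp-admin/admin.php"
    : > "$base/public_html/wp-content/uploads/2016/photo.jpg"
    printf '%s\n' "$base"
}

# Demo run: before the lockdown everything is writable, afterwards only
# uploads should be.
base=$(wp_perm_fixture)
echo "--- writable outside uploads, before lockdown"
wp_writable_outside_uploads "$base/public_html"
wp_lock_down "$base/public_html"
echo "--- writable outside uploads, after lockdown (expect nothing)"
wp_writable_outside_uploads "$base/public_html"
chmod -R u+w "$base" && rm -rf "$base"
```

Run wp_writable_outside_uploads /home/siteuser/public_html after step 13 and again periodically; a non-empty result on a site that should be frozen is worth investigating on its own.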

DONE.

