WordPress Website Hacked, Users Unable to Login

WordPress websites get hacked and compromised very often, and for several reasons. What matters is that, as a website owner, you know how to fix it.

Just earlier today, we encountered login issues on some of our websites. We were clueless about what exactly happened, but made several observations:

  • other websites looked fine in the front-end, like the homepage, but other pages were broken;
  • the administrator is unable to log in, username changed to “admin” and access is denied;
  • it appears there is a problem in the backend, with Plugins not working;
  • we bet it was a malware attack disguised as a certain plugin called “Three Column Screen Layout”.

If you encountered the same problem and need help, read on… We specifically published this blog to help you in recovering your website.

Logging in to your WordPress Website:

The malware changed the Administrator username to “admin”, and you won’t be able to log in. The original Administrator password is assumed to have been changed as well.

  1. For you to be able to log in to the WordPress dashboard, you will need to change the user and login info in phpMyAdmin. In your web hosting dashboard or cPanel, find the link to phpMyAdmin.
  2. Select your website database (it’s the only database if you only have 1 website), and look for the Users table (it appears like wp_users). You may Edit to change User Login details here. Then try logging in to your WordPress site. Once you are logged in to WordPress, you will notice that it’s almost empty.

If you see something like that, don’t worry. That’s simply because almost all of your plugins have been deactivated by the malware.

What can you do to fix this?

Clearly, there’s an infection in your WordPress website, and as good practice it is best to clean it up with an anti-malware scanner like Wordfence before reactivating all Plugins. But you cannot use Wordfence at this point without first removing the malware that caused the problem.

We’ll go back to Wordfence later on. Do the following steps instead:

  1. As I dug into this issue, I noticed there’s a new Plugin added to my site. The Plugin is called “Three Column Screen Layout”. I never installed that plugin, so I simply Deleted it.
    If you see that plugin on your website as well, just DELETE it.
  2. It looks like the “Three Column Screen Layout” plugin was intentionally used by the hacker as a backdoor to inject the malware infection. To fix this further, go to your Host’s File Manager like cPanel.
    In your cPanel File Manager (or other File Manager provided by your Web Hosting provider), go to the site’s Plugin directory (public_html/wp-content/plugins). Inspect the folders and check for any Plugin folder that looks suspicious.

    In my case, there was this plugin named with random characters like “dkezkti”. Obviously, that’s not a real plugin, so if you see something like that just DELETE it.

    No need for you to open that suspicious folder. But out of curiosity, I did and it has these files inside.

    As you can see, there are the data.php and three-column-screen-layout.php files, which contain the malicious code/scripts.

    Going back to the main public_html/wp-content/plugins directory, you may need to Show Hidden Files to see more suspicious files. When you see them, just DELETE them as well.

    Review the Plugins folder and if you feel everything looks good, go to Step 3.

  3. Go back to your WordPress dashboard, and go to the Plugins section. DO NOT reactivate the deactivated Plugins yet. We’ll continue with the cleanup first. If you have Wordfence there already, Reactivate it. Otherwise, Install and Activate Wordfence. Run a Wordfence Scan. Expect to see a lot of malicious files. Check each item in the results found and delete those which are suspicious or appear to be malicious files.

    From my scan, I deleted these files.

    Filename: wp-content/plugins/ccode.php
    
    File Type: Not a core, theme, or plugin file from wordpress.org.
    
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php\x0a/**\x0a * Plugin Name: Custom Code\x0a * Description: show cusom ad codes with many options .\x0a * Author: Alberto Uozumi\x0a * Version: 1.0\x0a */\x0aerror_reporting(0);\x0aini_set('display_errors', 0);\x0a$plugin_ke...
    
    The issue type is: Backdoor:PHP/register.hideadmin.8724
    
    Description: Code used to hide admin users. Often used in malicious plugins and scripts

    Other files found from the scan are the following:

      • theia post slider main.php
      • admin_ips.txt

    NOTE: Be careful not to remove real WordPress or Plugin files from the Scan.

    Wordfence usually includes these files in the Results as part of its Vulnerability Scan. This will be resolved as you update the Plugins later on.

  4. Reactivate Plugins. Go back to the Plugins section and reactivate all plugins. Do it one at a time.
  5. Update Plugins and Themes. Navigate to the Updates section and update all Themes and Plugins that need to be updated.
  6. Clean up WordPress Comments.
    We noticed that as the site got compromised, the exploit allowed many Spam comments to get in. I suggest cleaning these up so that malicious links in the Comments are removed from your site database.
    Be careful not to remove comments you Approved before.
  7. Run another Wordfence Scan.
    This can be your last scan. Make sure you get All Checks from Wordfence.
    At this point, your site should be recovered and secure again.
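The manual folder inspection in Step 2 can be scripted. The sketch below is an added example, not code from the original post: it lists hidden entries, loose files and folders you did not install in a plugins directory, and shows the plugin title each unknown folder declares. The function names, the `known_slugs` list you supply, and the stock `index.php`/`hello.php` allowance are assumptions; the sample tree is constructed with harmless stub files.

```python
import re
import tempfile
from pathlib import Path

PAGE_INDICATORS = {"ccode.php", "admin_ips.txt"}  # loose files reported on this page
EXPECTED_LOOSE = {"index.php", "hello.php"}  # assumption: stock files in plugins/
HEADER_RE = re.compile(rb"Plugin Name:[ \t]*([^\r\n]+)", re.IGNORECASE)

def declared_name(php_file):
    """Return the 'Plugin Name:' header near the top of a PHP file, or None."""
    match = HEADER_RE.search(php_file.read_bytes()[:8192])
    return match.group(1).decode("utf-8", "replace").strip() if match else None

def audit_plugins_dir(plugins_dir, known_slugs):
    """Return (entry, reason) pairs for manual review; nothing is deleted."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        name = entry.name
        if name.startswith("."):
            findings.append((name, "hidden entry"))
        elif entry.is_file() and name not in EXPECTED_LOOSE:
            known_bad = name.lower() in PAGE_INDICATORS
            findings.append((name, "name reported on this page" if known_bad else "loose file"))
        elif entry.is_dir() and name not in known_slugs:
            # A random folder name can hide a familiar-looking plugin title.
            names = [declared_name(f) for f in sorted(entry.glob("*.php")) if f.is_file()]
            label = next((n for n in names if n), "no plugin header")
            findings.append((name, f"folder not on your list (declares: {label})"))
    return findings

def build_sample_tree():
    """Constructed sample of the layout described above, with harmless stub files."""
    root = Path(tempfile.mkdtemp())
    header = "<?php\n/**\n * Plugin Name: {}\n */\n"
    stubs = {
        "ccode.php": header.format("Custom Code"),
        "admin_ips.txt": "",
        ".cache.php": "<?php\n",
        "wordfence/wordfence.php": header.format("Wordfence Security"),
        "dkezkti/three-column-screen-layout.php": header.format("Three Column Screen Layout"),
        "dkezkti/data.php": "<?php\n",
    }
    for rel, body in stubs.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    print(*audit_plugins_dir(build_sample_tree(), {"wordfence"}), sep="\n")
```

Point `audit_plugins_dir` at a downloaded copy of `public_html/wp-content/plugins` and pass the folder names of the plugins you actually installed; review each finding by hand before deleting anything.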

Does this tutorial help resolve your website’s issue?

For any questions, do let us know in the comments below.

Need help from TekWorx? Don’t hesitate to contact us.

Bert Padilla

Brainchild and ninja of TekWorx, a Digital Agency based off Cebu City, Philippines. An eCommerce technopreneur, and Certified eCommerce Trainer, Bert also co-founded AdWorx, an Outsourced #AdOps agency for Media companies and Publishers. His solid working experience in eCommerce and Digital Marketing equipped him to help foreign businesses, local MSMEs, and entrepreneurs transform their online goals to reality. Offline, he's a dedicated family man, a loving husband, and father of 3.
