
Blog Security For WordPress

We may earn money or products from the companies mentioned or linked to in this post, including Amazon Affiliate links.

*I don’t know what is up with this formatting! It is spaced and bulleted correctly on my end but it is a mess published. GRRRR. I will look into it after more coffee*

I wrote this a bit ago and was just going to pass it on to friends who need to increase their blog security, but I have seen so many hacked WordPress blogs lately that I hope by posting it I am able to help someone else remove a blog virus and protect themselves from going through this in the first place.

These steps apply to self-hosted WordPress blogs. If you have been attacked then you should ideally go through each step systematically. If you have not, it is still in your best interest to take action on as many of the preventative measures as possible.

BACK UP USING THE EXPORT FUNCTION OF YOUR WP ADMIN BEFORE STARTING. IT IS ALSO A GOOD IDEA TO USE FTP TO BACKUP YOUR CUSTOM THEME FILES!!!

  1. Make sure you have the most current version of your FTP program on your computer. I like and trust Smart FTP. As of writing this the most current version is 4.0. It is a paid program. It initially costs around $60. It is worth it.
  2. Login to cPanel (at the host level) and change the password. Make it easy; you are going to change it again.
  3. Login to wp-admin and change the password. Make it easy; you are going to change it again.
  4. While changing your password in wp-admin, check for any strange admins that may have registered. There should only be you and whoever else you gave privileges to. I had at least one weird one on each infected blog. One was named MYSQL and the other was Feedburner. They are fake users. You may also find that you have one or two ‘hidden’. You need to follow these steps to get rid of them: http://bit.ly/ap1bHP
  5. Next make sure that you are using the most current version of WordPress and all your plugins. Update any as necessary through SmartFTP.
  6. If you are all up to date, congrats, but you are still going to overwrite all your files with a fresh download of WP and all plugins. Do this in SmartFTP and make sure you OVERWRITE the files.
  7. Now that the files are updated, take a look in SmartFTP for anything unusual. Sort the files by date modified. You will most likely find a strange file or two. Compare the file list to the new versions you just uploaded. See anything that doesn’t belong? I found index.main.php and lots of other strangely worded index and cat pages. Double check that they are not part of the WP download and then delete them.
  8. Take a look at your .htaccess file in your root. It should only have this unless you are using some plugins like wp-cache that would re-write it. Even so, those plugins should clearly identify themselves. The code should be:

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

You will more than likely find that your .htaccess has been changed. Edit it to the above code, re-upload it, and then change its file permissions to 644 (see step 12 if you don’t know how to do that).
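Step 7 has you compare the live file list against the fresh download by eye. The shell functions below are an added example written for this post (not code from the post, SmartFTP or WordPress) that do the same comparison on two local directories: a download of the live site and a clean extract of the same WordPress version. Both paths are assumptions passed as arguments; wp-content (themes, plugins, uploads), wp-config.php and .htaccess are skipped because they are legitimately site-specific and are reviewed separately in steps 8 and 17.

```sh
#!/bin/sh
# Added example (not from the original post): compare a downloaded copy of the live site
# against a clean WordPress extract of the same version, as step 7 does by hand.
# Both paths are assumed to be local directories, e.g. ./live and ./clean.

# Files present in the live copy but not in the clean extract. wp-content, wp-config.php
# and .htaccess are skipped: they are site-specific and reviewed separately (steps 8, 17).
extra_files() {
  live="$1"; clean="$2"
  live_lst=$(mktemp); clean_lst=$(mktemp)
  (cd "$live" && find . -type f ! -path './wp-content/*' \
      ! -name 'wp-config.php' ! -name '.htaccess' | sort) > "$live_lst"
  (cd "$clean" && find . -type f ! -path './wp-content/*' | sort) > "$clean_lst"
  comm -23 "$live_lst" "$clean_lst"   # lines only in the first (live) list
  rm -f "$live_lst" "$clean_lst"
}

# Core files whose content differs from the clean extract. A core file that was edited
# is as suspicious as a file that was added, and sorting by date will not always show it.
changed_files() {
  live="$1"; clean="$2"
  (cd "$clean" && find . -type f ! -path './wp-content/*' | sort) | while read -r f; do
    if [ -f "$live/$f" ] && ! cmp -s "$live/$f" "$clean/$f"; then
      echo "$f"
    fi
  done
}

# Files modified in the last N days: the same view as sorting by date modified in the
# FTP client. First argument is the directory, second the number of days.
recent_files() {
  find "$1" -type f -mtime -"$2"
}
```

Usage is `extra_files ./live ./clean`, `changed_files ./live ./clean` and `recent_files ./live 30`. Anything the first two print is either a file to delete (step 7) or a core file to overwrite again (step 6). Note that most FTP clients reset the modification time on download, so `recent_files` is only meaningful on the server itself or on a copy made with timestamps preserved.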

  9. Install these three plugins: http://bit.ly/IFH60, http://www.seoegghead.com/software/wordpress-firewall.seo, and http://ocaoimh.ie/exploit-scanner/ and activate them all.
  10. Run Exploit Scanner. You will find it under the Dashboard link. It probably won’t find anything but do it anyway.
  11. Run Security. This will likely be down at the very bottom of your left column. It will probably give you a list of things in red that it finds. We are going to fix those next.
  12. Run Security-Scanner. Here are all your file permissions that are out of whack. You need to fix these in SmartFTP. Click on the file, then right click, then hit Properties, view the Permissions tab and change it to whatever they tell you.
  13. Now click back to Security-Security. These are the things we are going to fix. WARNING! You NEED to know your way around your database for this. Don’t attempt it if you are not completely comfortable. You have to do this to make your WP as secure as possible, so you may need to get some help if you are unsure what you are doing.
  14. Login to your cPanel and go to “MySQL Databases”. Under current databases delete the user that is there. There should only be one. Go back. Add a new user with a very strong password. Give that user permission to access that database. It should have all permissions.
  15. Now go back to the cPanel home. Navigate to ‘phpMyAdmin’. Back up your database. If you need a reminder read: http://codex.wordpress.org/Backing_Up_Your_Database
  16. Follow the steps here to change your wp_ prefix: http://semperfiwebdesign.com/documentation/wp-security-scan/change-wordpress-database-table-name-prefix/
  17. Go to SmartFTP. Edit wp-config in your root (public_html unless you have your blog in a folder) with the new password and the new db prefix. Use the WP link provided to change your secret keys too. Save and re-upload.
  18. Move your newly uploaded wp-config one level up. This means if it is in public_html you are going to drag it all the way to the IP folder up top and drop it in those IP numbers. If your blog is in a folder then don’t do this.
  19. Just double check that everything is OK. If you are prompted to re-install WP you did something wrong. Don’t panic. Just repeat steps 16, 17 and 18.
  20. Now back to the database. Click on Structure. Click on _users, then Browse. Edit admin. Change admin to your new user name. You will change it in 2 or 3 spots depending on how you had it set up to begin with. You will login to WP with that name now instead of the default “admin”.
  21. Go to the WordPress admin panel. You will be prompted to re-login with your new user name.
  22. Clicking on Security-Security again, the last thing in red you should see is a prompt about putting .htaccess in the wp-admin folder. If you consistently access your panel from one or two computers with a static IP then this is a GREAT security step. However, if you use a dynamic IP and/or access your WP panel from other computers, don’t do this. If you share this blog with someone else you need to put their IPs in as well. Follow this article: http://www.wpbeginner.com/wp-tutorials/protect-your-admin-folder-in-wordpress-by-limiting-access-in-htaccess/
  23. Install a database backup plugin: http://wordpress.org/extend/plugins/wp-db-backup/ Have a copy emailed to yourself depending on the frequency you post. Note on this: I had to manually create the folder in SmartFTP on each blog I installed it on. Make sure after you create the folder and the plugin installs correctly to change the permissions back to 777. Have it emailed to you so that it does not stay on the server with a 777 permission code.
  24. Change your wp-admin password and cPanel password to something strong. Write these down!
  25. Last but not least: re-run both the Security and Exploit plugins. Log out and back in. Check everything. You should be good to go and way more secure than ever.
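Steps 12 and 23 both come down to file permissions: the scanner wants 755 on directories and 644 on files, and a folder left at 777 is something to find and close. The functions below are an added example written for this post (not from the post or the plugins it names) that do that audit and reset from a shell. They assume shell (SSH) access to the host, which the post does not assume; with FTP only, the same values are set per file in the client's Properties dialog as step 12 describes.

```sh
#!/bin/sh
# Added example (not from the original post): audit and reset file permissions on a
# WordPress tree. Assumes shell (SSH) access to the host and that the first argument
# is the WordPress root (an assumption; e.g. /home/user/public_html).

# List everything the web server's "other" users may write to, such as a backup folder
# left at 777 after step 23. -perm -002 matches any entry with the world-write bit set.
world_writable() {
  find "$1" -perm -002
}

# Apply the values the scanner asks for: 755 on directories, 644 on files.
# wp-config.php holds the database password, so this example goes further and makes it
# readable by its owner only (600); that choice is the example's, not the post's.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}
```

Run `world_writable /path/to/public_html` first and look at what it prints before running `fix_perms` on the same path. The 600 on wp-config.php only works where PHP runs as the file's owner (suPHP or FastCGI setups, common on cPanel hosts); under mod_php, where the web server runs as a different user, the site will stop loading and 640 or 644 is the value to use instead.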