How I Recovered a Hacked WordPress Site in 2 hours

Joseph E. Ikhalia, PhD.
Nov 3 · 4 min read

When malicious hackers take over a website it is not a pretty picture, and it can place a tremendous psychological, reputational and financial burden on the victim. In the early hours of Sunday, November 3 2019, I recovered a hacked WordPress website from a criminal seeking quick advertising profits. Luckily, the site was only compromised at the application level, which gave me the chance to carry out the recovery by accessing the server resources via SSH. For privacy purposes, I have intentionally concealed the name of the site and other confidential data; so relax and enjoy this deep dive into the specifics of the recovery process.

Step 1: Problem Discovery

The main problem was that when the victim tried to visit the home page or the administrative login page of the site, they were redirected to the malicious hacker’s page, https://destinywall.org/redirect?type=11 (PLEASE DO NOT VISIT THE PAGE). Malicious hackers normally get a victim’s WordPress website to redirect by injecting malicious code into WordPress files and the database, and by changing the home URL and site URL stored in the database.

Security has three dimensions: confidentiality, integrity and availability. In this particular case the integrity of the victim’s WordPress site (its stored configuration had been altered) and its availability (neither visitors nor the administrator could reach it) were compromised, unfortunately.

Step 2: Vulnerability Scan

From experience, I initially suspected that the home URL and site URL stored in the database had been replaced with a malicious value, but I needed to be sure. I used Nikto to run a vulnerability scan against the hacked site’s server (a virtual private cloud server), and my suspicion was confirmed by one of the scan results shown below:

One of Nikto Scan Results

Although the scan turned up a number of other vulnerabilities (which I will discuss some other day), my main focus was to remove the injected URL from the database.

Step 3: Logging in to the Database Server

WordPress sites use MySQL or MariaDB as the database management system, so I had no problem locating the specific database, the table and the rows containing the home and site URLs. The wp_options table in a WordPress database holds site-wide settings: the site URL and home URL, the admin email, the default category, posts per page, the time format and so on; the settings of plugins, themes and widgets; and temporarily cached data (transients).

I first executed an SQL query to show the structure of the WordPress options (wp_options) table in the victim’s database, as seen below:

> describe wp_options;

MySQL describe query result for wp_options table

Then I executed the following SQL SELECT query to show all data in the wp_options table;

> SELECT * from wp_options;

Results showing the malicious URL in the wp_options table

As seen in the image above, the malicious hacker had replaced the victim’s home and site URL with the bogus URL https://destinywall.org/redirect?type=11& (PLEASE DO NOT VISIT THE PAGE), so it was time to clean up and restore the victim’s site.

I executed SQL UPDATE commands to set the home and site URL rows back to the victim’s correct site URL (one of them is shown below; the option_id value comes from the victim’s own table and will differ on other sites) and re-ran the SELECT to confirm the changes had taken effect.

> update wp_options set option_value = 'correct_site_url_of_the_victim.com' where option_id = 877;

I restarted the MariaDB service to avoid any cache issues, then tried to access the hacked WordPress site and, hurray, everything was back to normal. (Strictly speaking, the database server holds no cache of these values that a restart would clear; what can keep serving the stale redirect is WordPress’s own options cache when a persistent object cache or page cache plugin is in use, so flush that as well.) Note that this fixes the symptom the victim saw: because attacks of this kind also inject code into WordPress files and elsewhere in the database, those still need to be checked before the site can be considered clean.
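The following is an added example, not the queries from the original article, that carries out the same check-and-fix in a single session but looks the rows up by option_name rather than by the site-specific option_id, restores both URLs in one statement, and then sweeps the rest of the options table and the post content for the same attacker domain (the article notes such injections also land in files and elsewhere in the database). It assumes the default wp_ table prefix used above and a placeholder correct URL of https://www.example.com; both are assumptions to adjust for the site at hand.

```sql
-- Added example (not from the original article).
-- Assumptions: the WordPress table prefix is wp_ (it is set by $table_prefix
-- in wp-config.php), and https://www.example.com stands in for the victim's
-- real site URL.

-- 1. Inspect the two options that drive the redirect. Select them by name:
--    option_id (877 in the article) is not stable across installations.
SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home');

-- 2. Restore both values in one statement. WordPress expects the full
--    scheme and host with no trailing slash.
UPDATE wp_options
SET option_value = 'https://www.example.com'
WHERE option_name IN ('siteurl', 'home');

-- 3. Verify: this must return an empty result set.
SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home')
  AND option_value NOT LIKE 'https://www.example.com%';

-- 4. Sweep the rest of wp_options for the attacker's domain. Redirect
--    injections are commonly also planted in theme, plugin or widget
--    settings, which the UPDATE above does not touch. LEFT() keeps the
--    output readable when a serialized settings blob is hit.
SELECT option_id, option_name, LEFT(option_value, 120) AS snippet
FROM wp_options
WHERE option_value LIKE '%destinywall.org%';

-- 5. Sweep post and page content for the same domain (injected scripts
--    and links often sit in post_content rather than in wp_options).
SELECT ID, post_type, post_title, post_modified
FROM wp_posts
WHERE post_content LIKE '%destinywall.org%'
   OR post_excerpt LIKE '%destinywall.org%'
ORDER BY post_modified DESC;
```

Run these from the mysql client as the WordPress database user, after taking a dump of the database so the original state is preserved as evidence. Rows returned by steps 4 and 5 need to be cleaned by hand: a serialized option value must be edited so that its embedded string lengths stay correct, so for those it is safer to reset the setting from the WordPress admin or a plugin's own interface than to UPDATE the blob directly.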

I hope this article has provided an easy explanation to help you understand one of the processes of recovering a WordPress website from malicious hackers. There will be a continuation of this article in which I describe the other vulnerabilities I found on the victim’s site and some of my post-recovery security controls to ensure the incident is not repeated.

Please leave your comments and feedback below, and don’t forget to share this article; who knows, the next potential WordPress site hack victim may be on your timeline.

For questions and enquiries

Email — drjosephikhalia@gmail.com

Instagram — https://www.instagram.com/josephikhalia/

LinkedIn — https://www.linkedin.com/in/jeikhalia/

Twitter — https://twitter.com/@ikhaliajoseph

Website — http://www.josephikhalia.com/

Written by Joseph E. Ikhalia, PhD., IT Security Manager at Quanta Group
