Blogs hacked!

Sometime this past weekend I had the joy of finding my WordPress instances dead with a Server Error 500. All of them. At once.

I first suspected an issue with the database, or maybe a server patch impacting PHP or WordPress, but a quick and helpful call to the helpdesk of my host confirmed that was not the case. The reality of the issue was more disturbing.

Somehow, malware had found its way into the server I am using to host the sites. It had installed new files, emptied my robots.txt file and added a base64 encoded block of text to about 1000 PHP files across the whole server.

Cleaning up malware-infected WordPress sites

The basics of a malware-infected WordPress server are described in these resources:
* FAQ My Site was Hacked (WordPress.com)
* Cleaning up malware infected sites (stopthehacker.com)

I found more details on this blog: Aw Snap, including a handy script to track down base64 encoded blocks.

1. The first step to clean up this mess was to copy the server files locally using Goodsync (macOS).

2. The next step was to search for and remove every match of this regular expression from all files (the search and replace using regular expressions in Coda was very useful).

[code]\[/code]

3. Looked for .htaccess files with rewrite rules (even though my ISP is using IIS).

4. Tracked down and deleted suspect files (two suspect files were added to the root of the server and obfuscated with base64 encoding).

5. Tracked down vulnerable instances of timthumb and fixed them.

6. Got rid of old versions of Movable Type. A vulnerability was recently announced for old versions; that coincidence was too suspicious to ignore.

7. Downloaded clean WordPress install files and replaced them in all WordPress instances.

8. Uploaded and synchronized the clean files with Goodsync again.

9. Reinstalled some themes and plugins where necessary. Some plugins required their configuration to be saved again, as some files were lost with the fresh install of the WordPress files.

10. Fixed rewrite mappings for BuddyPress and WordPress multisite. In most cases it was enough to republish the permalink structure to recreate the web.config files.

Watch out for cached pages in the browser that still appeared broken long after they were fixed!

11. Reset WordPress passwords, along with database and FTP passwords for good measure.
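As an added example (not the Aw Snap script and not code from the original post), the following Python scanner does what steps 2 and 4 describe against the local copy made in step 1: it finds eval(base64_decode(...)) blocks in .php files, shows a decoded preview so an injected payload can be told apart from a legitimate encoded string, and strips the matches only when asked. All function names and the sample file are hypothetical.

```python
import base64
import re
import sys
from pathlib import Path

# Hypothetical detector for the classic injected one-liner:
#   <?php eval(base64_decode("...")); ?>
# optionally wrapped in gzinflate()/gzuncompress()/str_rot13().
INJECT_RE = re.compile(
    r'(?:<\?php\s*)?eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)?'
    r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)?\s*\)\s*;?\s*(?:\?>)?',
    re.IGNORECASE,
)

def find_injections(php_source: str):
    """Return (offset, decoded preview) for every injected block in one file."""
    hits = []
    for m in INJECT_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            # Preview only: decoding shows what the payload would do, it never executes it.
            preview = base64.b64decode(blob, validate=True)[:60].decode("latin-1")
        except ValueError:
            preview = "<not valid base64>"
        hits.append((m.start(), preview))
    return hits

def strip_injections(php_source: str) -> str:
    """Remove every matched block; the rest of the file is left untouched."""
    return INJECT_RE.sub("", php_source)

def scan_tree(root, fix=False):
    """Walk a local copy of the server; report (and optionally clean) infected .php files."""
    report = {}
    for path in Path(root).rglob("*.php"):
        src = path.read_text(encoding="utf-8", errors="replace")
        hits = find_injections(src)
        if hits:
            report[str(path)] = hits
            if fix:
                path.write_text(strip_injections(src), encoding="utf-8")
    return report

# Constructed sample: an injected first line in front of ordinary theme code.
SAMPLE = (
    '<?php eval(base64_decode("ZWNobyAnaGVsbG8nOw==")); ?>\n'
    "<?php\nget_header();\n"
)

if __name__ == "__main__":  # usage: scanner.py <local-copy-dir> [--fix]
    for name, hits in scan_tree(sys.argv[1], fix="--fix" in sys.argv).items():
        print(name, hits)
```

Run it over the local copy first without --fix and review the previews; the pattern only catches the plain one-liner, so blocks that split the string or call the decoder through a variable name still need manual review.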

If anything, this painful experience gave me an occasion for a much-needed cleanup of old files on the server and a renewed obsession with backing up my files more often.
