WordPress installations are prime targets for symlink attacks due to their popularity and predictable file structure. When a WordPress site falls victim to a symlink attack, cleaning up can be particularly challenging because the platform's complexity offers attackers numerous places to hide malicious code and establish persistence mechanisms.
This guide will walk you through how to clean up symlink attacks on WordPress sites effectively and prevent reinfection. The process requires attention to WordPress-specific files, database tables, and configurations that might be overlooked in a general server cleanup.
Identifying a Symlink Attack on WordPress
Before cleaning up, confirm that your WordPress site is indeed suffering from a symlink attack. Here are WordPress-specific signs to look for:
Common Symptoms
- Unauthorized admin users appearing in your WordPress dashboard
- Posts or pages containing spam links or content you didn't create
- Website redirecting visitors to suspicious sites
- Search engines flagging your site as containing malware
- Strange code appearing at the top or bottom of your theme files
- Unexplained changes to your .htaccess file
- WordPress keeps getting hacked after cleaning
WordPress-Specific Files to Check
Customize Commands for Your Server
Enter your WordPress installation path to automatically update all commands in this article:
/home/username/public_html/wordpress or /var/www/html/mysiteExamine these WordPress locations for signs of compromise:
# Look for recently modified files in WordPress core directories
find /path/to/wordpress/wp-admin -type f -mtime -7
find /path/to/wordpress/wp-includes -type f -mtime -7
# Check for PHP files in the uploads directory (typically not allowed)
find /path/to/wordpress/wp-content/uploads -name "*.php"
# Look for hidden files in WordPress directories
find /path/to/wordpress -name ".*php" -type f
Initial Response and Containment
Once you've confirmed a symlink attack on your WordPress site, take these immediate steps:
1. Temporarily Disable Your Site
Create or modify your .htaccess file to prevent public access while you clean up:
# Add to .htaccess in WordPress root directory
<IfModule mod_authz_core.c>
Require all denied
Require ip YOUR_IP_ADDRESS
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from YOUR_IP_ADDRESS
</IfModule>
Replace YOUR_IP_ADDRESS with your actual IP address to maintain your own access.
2. Create a Backup
Even though the site is compromised, create a backup for forensic analysis and in case you need to refer to something during cleanup:
# Backup WordPress files
tar -czf wordpress-infected-backup.tar.gz /path/to/wordpress
# Backup WordPress database
mysqldump -u username -p database_name > wordpress-infected-db.sql
3. Change All Passwords
Immediately change passwords for:
- WordPress admin accounts
- FTP/SFTP accounts
- Database users
- Control panel accounts (cPanel, Plesk, etc.)
- SSH accounts if applicable
Cleaning Up WordPress Core Files
WordPress core files are often modified during a symlink attack. Here's how to clean them up:
Verifying Core File Integrity
If you have WP-CLI installed, check core file integrity:
# Navigate to WordPress root directory
cd /path/to/wordpress
# Verify core files
wp core verify-checksums
If you don't have WP-CLI, follow these steps:
- Download a fresh copy of your WordPress version from wordpress.org/download/releases/
- Extract the ZIP file to a temporary location
- Replace these directories and files (but NOT wp-config.php):
- /wp-admin/
- /wp-includes/
- All root PHP files (index.php, wp-login.php, etc.)
Securing wp-config.php
The wp-config.php file is a primary target in symlink attacks. Check for unauthorized modifications:
# Look for suspicious code in wp-config.php
grep -i "eval|base64|gzinflate|str_rot13|include" wp-config.php
Check for unauthorized include statements or database definitions. If wp-config.php is compromised, create a fresh copy with your legitimate database credentials and WordPress salts.
WordPress Themes and Plugins Cleanup
Themes and plugins are common hiding places for malicious code in WordPress symlink attacks:
Checking Themes
# Find recently modified PHP files in themes directory
find /path/to/wp-content/themes -name "*.php" -type f -mtime -14
# Search for suspicious code patterns
find /path/to/wp-content/themes -name "*.php" -type f -exec grep -l "eval|base64_decode|gzinflate" {} ;
Pay special attention to:
- Theme header files (header.php)
- Theme functions files (functions.php)
- Footer files (footer.php)
- Index files (index.php)
Examining Plugins
# Find suspicious plugins
find /path/to/wp-content/plugins -name "*.php" -type f -exec grep -l "eval|create_function|passthru|system|shell_exec" {} ;
Look for:
- Plugins that don't appear in your WordPress dashboard
- Plugins with strange names or misspellings of popular plugins
- Deactivated plugins that still contain malicious code
Checking Upload Directory
Attackers often hide backdoors in the uploads directory:
# Find PHP files in uploads directory (these shouldn't normally exist)
find /path/to/wp-content/uploads -name "*.php" -type f
# Check for files disguised as images but containing PHP code
find /path/to/to/wp-content/uploads -name "*.jpg" -o -name "*.png" -o -name "*.gif" | xargs grep -l " <?php
WordPress Database Cleanup
The WordPress database is often compromised during symlink attacks. Here's how to clean it up:
Removing Unauthorized Users
Check for and remove unauthorized admin users:
# SQL query to identify recently added users
SELECT ID, user_login, user_email, user_registered FROM wp_users WHERE user_registered > '2023-01-01' ORDER BY user_registered DESC;
# SQL query to remove an unauthorized user (replace USER_ID with actual ID)
DELETE FROM wp_users WHERE ID = USER_ID;
DELETE FROM wp_usermeta WHERE user_id = USER_ID;
Checking for Injected Code
Attackers often inject malicious code into the WordPress database:
# Check options table for malicious code
SELECT option_id, option_name, option_value FROM wp_options WHERE option_value LIKE '%eval%' OR option_value LIKE '%base64%' OR option_value LIKE '%javascript:void%';
# Check posts for injected content
SELECT ID, post_title, post_date FROM wp_posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%eval(%' OR post_content LIKE '%base64_decode%';
# Check for suspicious postmeta entries
SELECT * FROM wp_postmeta WHERE meta_value LIKE '%eval(%' OR meta_value LIKE '%base64_decode%';
Cleaning WordPress Cron
Check for malicious scheduled tasks:
# SQL query to view the WordPress cron jobs
SELECT option_value FROM wp_options WHERE option_name = 'cron';
This returns a serialized array. Look for suspicious URLs or function calls in the cron data. If found, you can clear all cron jobs and let WordPress rebuild legitimate ones:
UPDATE wp_options SET option_value = 'a:0:{}' WHERE option_name = 'cron';
Why WordPress Sites Keep Getting Hacked After Cleaning
If your WordPress site keeps getting hacked after cleaning, it's likely due to one or more persistence mechanisms the attacker has established. WordPress offers several unique ways for attackers to maintain access:
Common Persistence Mechanisms in WordPress
- WordPress Cron Jobs - Attackers can register malicious functions to run periodically using WordPress's built-in scheduling system.
- Database Triggers - Sophisticated attackers might set up MySQL triggers that recreate malicious content when certain conditions are met.
- Plugin Auto-Update Hooks - Compromised plugins can inject code during WordPress's update process.
- Theme header/footer injections - Code that loads external scripts from command and control servers.
- User meta with malicious capabilities - Hidden user capabilities that grant ongoing access.
- Backdoored core functions - Modifications to WordPress core functions that execute malicious code.
To break the cycle of reinfection, you must identify and remove all persistence mechanisms. The checklist below addresses these hiding spots.
WordPress Symlink Attack Cleanup Checklist
- Initial Containment: Temporarily disable the site using .htaccess
- Reset User Credentials: Change WordPress admin passwords, database passwords, and FTP credentials
- Core File Verification: Verify integrity of wp-admin and wp-includes directories
- wp-config.php Review: Check for unauthorized database connections or include statements
- Theme Inspection: Check for modified files in all active and inactive themes
- Plugin Verification: Remove suspicious plugins and verify legitimate plugins
- Database Cleanup: Remove unauthorized users and check for injected code in options, posts, and metadata tables
- Media Library Scan: Look for PHP files disguised as images in uploads directory
- Verify .htaccess: Replace with clean version and set proper permissions
- Check WordPress Cron: Remove any suspicious scheduled tasks
- Process Check: Look for running processes spawned by compromised files
- Update Everything: Update WordPress core, themes, and plugins to latest versions
- Implement Prevention: Install security plugins and set proper file permissions
- Verification Testing: Check site functionality after cleanup
Dealing with Persistent .htaccess Corruption
WordPress sites frequently suffer from persistent .htaccess corruption during symlink attacks. This happens because attackers establish mechanisms to continuously regenerate malicious .htaccess rules.
Finding the Source of .htaccess Corruption
# Find files that may be modifying .htaccess
grep -r ".htaccess" --include="*.php" /path/to/wordpress
# Look for suspicious functions that might write to files
grep -r "file_put_contents|fwrite|fopen" --include="*.php" /path/to/wordpress
These persistent processes are a common reason websites keep getting hacked after cleaning, as they reactivate malicious code even after files are removed.
Securing .htaccess
- Create a clean .htaccess file with legitimate WordPress rules:
# WordPress clean .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule> - Set proper permissions to prevent modification:
chmod 444 /path/to/wordpress/.htaccess
Prevention and Hardening After Cleanup
After you clean up the symlink attack on your WordPress site, take these steps to prevent future attacks:
WordPress Security Plugins
Install one or more reputable security plugins:
- Wordfence - Comprehensive security including firewall and malware scanning
- Sucuri Security - File integrity monitoring and security hardening
- iThemes Security - Multiple security features including brute force protection
- Shield Security - Lightweight security plugin with good customization options
File Permissions Hardening
Set proper file permissions for WordPress:
# Directories
find /path/to/wordpress -type d -exec chmod 755 {} ;
# Filesfind /path/to/wordpress -type f -exec chmod 644 {} ;
# wp-config.php (more restrictive)
chmod 600 /path/to/wordpress/wp-config.php
WordPress Configuration Hardening
Add these security measures to your wp-config.php file:
//Disable file editing from WordPress admin
define('DISALLOW_FILE_EDIT', true); // Disable plugin and theme installation
define('DISALLOW_FILE_MODS', true); // Force SSL for admin
define('FORCE_SSL_ADMIN', true); // Limit post revisions
define('WP_POST_REVISIONS', 3);
Implement Server-Level Protections
Ask your host to implement server-level protections as described in our complete guide to symlink attack prevention, including:
- PHP open_basedir restrictions
- Disabling symlink following in Apache
- Implementing ModSecurity rules
Verifying Your Cleanup
After cleaning up a symlink attack, verify your WordPress site is truly secure:
Monitoring for Reinfection
Set up ongoing monitoring to quickly detect any reinfection:
- Configure file change detection in your security plugin
- Set up Google Search Console to alert you to security issues
- Implement server-level file integrity monitoring
- Regularly check for unauthorized admin users
Final Check Before Going Live
Before removing your temporary access restriction, perform these final checks:
- Scan the site with multiple security plugins
- Check for any remaining suspicious files or database entries
- Verify all legitimate WordPress functionality works properly
- Ensure all passwords have been changed
- Verify all themes and plugins are up to date
Conclusion
Cleaning up a symlink attack on a WordPress site requires a methodical approach that addresses all the WordPress-specific components that may harbor malicious code. By following this guide, you can effectively eliminate the infection and its persistence mechanisms.
Remember that the key to successful recovery is thoroughness - attackers rely on website owners missing at least one backdoor or persistence mechanism. This is why WordPress sites often keep getting hacked after cleaning if the cleanup isn't comprehensive.
For a broader understanding of symlink attacks, including how they affect different types of hosting environments and server-level prevention techniques, refer to our comprehensive guide on symlink attack identification and cleanup.