How to fix WordPress admin dashboard (wp-admin) hack

Updated on: May 4, 2020

One of the worst feelings you can experience as a website owner is finding out that your website has been hacked. If proactive security measures are not taken, a hacker who compromises the WordPress admin panel may be able to launch pharma attacks, phishing pages, Japanese SEO spam, redirection malware and more.

A new type of wp-admin hack has surfaced which adds an unauthorized WordPress admin user and infects the site with a pharma hack. The typical consequences of such a hack include complete website takeover, data theft, compromise of database and SEO hijacking. The WordPress admin is the most crucial part of your website. Getting locked out of the admin would mean losing access to your website.

What are the symptoms of the wp-admin hack?

Typical symptoms of WordPress admin panel hack are:

  1. Admin users have been created in WordPress which you are not aware of
  2. WordPress Pharma hacked pages being indexed in Google.
  3. New web pages added to your website with Japanese text (Japanese SEO spam pages).
  4. Suspicious-looking base64-encoded code in the theme/core files.
  5. Core WordPress files have been modified.
  6. Unknown files like admin.php, adminer.php are found in the /public_html folder or /public_html/wp-admin folder.
  7. Hacked wp-admin loads different UI.
  8. When you visit the wp-admin page, instead of the login page you see a black/grey screen with a list of files on the server.
  9. After logging in to WordPress admin area, you see a grey screen with a list of files on the server.
  10. PHP internal 500 error on visiting wp-admin or, after logging in.
  11. The ‘Anyone can register’ option has been enabled on the Settings » General page in the WordPress admin area.
  12. Hundreds of spam WordPress users have been created.
  13. You are unable to add/delete plugins.
  14. WordPress Security plugins automatically get disabled.
  15. Blank page when you visit the admin area.
  16. WordPress website becomes very slow.
  17. Your Hosting provider suspends your account.
  18. A web shell is uploaded.
  19. A file manager named ‘B Ge Team File Manager’ is uploaded.
File manager uploaded by the Hacker

How to remove the WP-ADMIN malware code from my website?

1. Check index.php, wp-admin/index.php to see if they have been modified. Usually, the following line of code is added to the top of the index.php file:

Malicious code included - wp-admin hack

The file being ‘required’/’included’ here contains malicious code which is executed along with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.

Compare the file with the corresponding core WP file from its GitHub repository, then delete the @require code from the file.

A screenshot of the malicious file can be seen below:

Malicious File contents

2. Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some files that you may find are:

  1. Marvins.php
  2. db_.php
  3. 8c18ee
  4. 83965
  5. admin.php
  6. buddy.zip
  7. dm.php

If you find any of the above suspicious files, take a backup and delete them. A standard WordPress installation generally has the following files in the root of the server:

WordPress files in the root of server

3. Perform a Google search to see the list of pages indexed for your domain:

site:<enter your domain name>

Japanese SEO Spam in Google Search Results

If the search results for your website are similar to the screenshot above, please refer to the Japanese SEO spam removal guide.

4. Delete unknown WordPress administrator accounts from the users page

Visit the users page (wp-admin/users.php?role=administrator) in your WordPress website to see if any new administrator users have been added. Immediately delete the accounts you do not recognize.

5. Run a malware scan on all files on your server

In your web-hosting dashboard or cPanel, you should have an option called ‘Virus Scanner’. Run it to identify any malicious files which may be residing on the server. Verify and delete any files that it flags.

If you are an Astra customer, please login to your dashboard and initiate a malware scan from the top menu.

6. Delete PHP files found in the ‘uploads’ directory

Due to security vulnerabilities in WordPress plugins or in the core itself, a hacker may be able to upload malicious PHP files to the web server. If you find any executable files with the .php, .php3, .php4, .php5, .py, .asp, .aspx file extension anywhere in the /uploads directory, immediately delete them.

You can also prevent PHP execution in this directory by placing an .htaccess at the root of /uploads using:

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all
</Files>

7. Find the backdoor script that adds an admin user to your WordPress website

Once the WordPress backdoor is executed, the hacker can insert a new WordPress user with the Administrator role. This can then be used to regain access to the WordPress installation at any time the hacker wants.

WP Admin Backdoor Script
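
Steps 1, 2 and 6 can be checked from a shell before anything is deleted. The script below is an added example, not part of the original article or of Astra's tooling; the function names are hypothetical, and it assumes the WordPress root is passed as the first argument, uploads live in wp-content/uploads, and find supports -iname.

```shell
#!/bin/sh
# Added example: read-only triage for steps 1, 2 and 6 above. Nothing is deleted.
# Assumptions: $1 is the WordPress root; uploads live in wp-content/uploads.

# Step 1: error-suppressed include/require lines in the two entry points.
scan_entry_points() {
    for f in "$1/index.php" "$1/wp-admin/index.php"; do
        [ -f "$f" ] || continue
        # -H prints the file name, -n the line number; no match is not an error
        grep -HnE '@[[:space:]]*(require|include)(_once)?' "$f" || :
    done
}

# Step 2: file names listed in the article, looked up in the root and wp-admin.
scan_known_names() {
    for d in "$1" "$1/wp-admin"; do
        for n in Marvins.php db_.php 8c18ee 83965 buddy.zip dm.php adminer.php; do
            if [ -e "$d/$n" ]; then echo "$d/$n"; fi
        done
    done
    # wp-admin/admin.php is a stock core file, so admin.php is flagged in the root only.
    if [ -e "$1/admin.php" ]; then echo "$1/admin.php"; fi
}

# Step 6: script files anywhere under uploads (case-insensitive, so .PHP5 counts).
scan_uploads() {
    up="$1/wp-content/uploads"
    [ -d "$up" ] || return 0
    find "$up" -type f \( -iname '*.php' -o -iname '*.php[345]' -o -iname '*.py' \
        -o -iname '*.asp' -o -iname '*.aspx' \) -print
}

# Print every finding with a label; review each hit before removing anything.
triage() {
    scan_entry_points "$1" | sed 's/^/[include] /'
    scan_known_names "$1"  | sed 's/^/[name]    /'
    scan_uploads "$1"      | sed 's/^/[uploads] /'
}

if [ "$#" -gt 0 ]; then triage "$1"; fi
```

A hit is a lead, not a verdict: compare flagged entry points against the core files and take a backup before deleting, as the steps above describe.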

Steps to prevent a re-infection & Identify cause

1. Install a web application firewall which would detect security threats and block them

While WordPress is built with security in mind, its plugins are often subjected to all kinds of security threats. Hence, it is important to proactively secure your WordPress website from the hundreds of new threats lurking out there. Security suites such as Astra ensure that you are safe from such targeted attacks.

2. Regularly update the WordPress core, plugins and themes

The security landscape changes every day, making it critical to update your WordPress core, plugins and themes immediately to ensure that all patches are successfully installed. Hackers and cyber-criminals often build tools to exploit known vulnerabilities in plugins. This is the easiest way to get hacked!

3. Monitor administrator accounts being created in WordPress

In a typical store compromise, hackers create admin users for themselves so that they can access the WordPress backend/admin area at a later stage. Be proactive with this step and follow the principle of least privilege.

4. Take regular backups of WordPress files & Database

Configure automatic backups which archive all the files on the server and also the database. These backups should be stored on an external server so that in the event of a hack, the backups can still be retrieved.

5. Update file & folder permissions on the server

The default permission scheme should be:

  • Folders – 755
  • Files – 644

You can change the file permissions recursively via command line:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

6. Disable File Editing
It is recommended to disable file editing within the WordPress dashboard. Append the following two lines to the end of your wp-config.php file to disable file editing via the WordPress dashboard:

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
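
To confirm that hardening steps 5 and 6 actually took effect, the following read-only check lists anything looser than the 755/644 scheme and verifies the DISALLOW_FILE_EDIT define. It is an added example, not code from the original article; the function names are hypothetical, and it assumes the WordPress root is passed as the first argument with wp-config.php directly inside it.

```shell
#!/bin/sh
# Added example: read-only check of hardening steps 5 and 6. Changes nothing.
# Assumption: $1 is the WordPress root and wp-config.php sits directly in it.

# Step 5: anything writable by group or others is looser than 755/644.
# Tighter modes (for example 600 on wp-config.php) are not reported.
loose_permissions() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Step 6: succeeds only if an uncommented define sets DISALLOW_FILE_EDIT to true.
# A line that starts with // or # does not match, so a commented-out define fails.
file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Print one labelled line per finding.
audit() {
    loose_permissions "$1" | sed 's/^/[loose perms] /'
    if file_edit_disabled "$1"; then
        echo "[ok] DISALLOW_FILE_EDIT is true"
    else
        echo "[missing] DISALLOW_FILE_EDIT is not set to true in wp-config.php"
    fi
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```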


Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.

10 Comments
Jose.mcdonald@turbineblades.co.uk
2 years ago

Great article!

Naman Rastogi
Admin
4 months ago

Thanks, Jose

Dobkin
1 year ago

I’m impressed, I have to say. Really not often do I encounter a blog that’s both educative and entertaining, and let me let you know, you’ve gotten hit the nail on the head. Your concept is outstanding; the problem is something that not sufficient persons are speaking intelligently about.

Naman Rastogi
Admin
4 months ago
Reply to  Dobkin

Thank you so much, Dobkin, for your kind words. I will pass it to the team.

franklin
1 year ago

Thank you for your great article. My site got hacked like what you described in this article. In my case, I found them in the wp-config.php file.

Naman Rastogi
Admin
4 months ago
Reply to  franklin

You’re welcome, Franklin

You can check our comprehensive WordPress Hack & Malware Removal Guide here – https://www.getastra.com/blog/911/wordpress-site-hacked-malware-backdoor/

cartoon hd
9 months ago

You’re in reality an excellent webmaster. The site loading speed is amazing.
It sort of feels that you are doing any unique trick.
In addition, the contents are masterwork. You have done a wonderful task on the topic.

Naman Rastogi
Admin
4 months ago
Reply to  cartoon hd

Thanks 🙂

Mike Sallor
4 months ago

That’s really great blog post on WordPress Admin hack. My Admin panel is defaced & a shell is uploaded.
Can you please suggest your WordPress Hack removal guide that I can follow? I have cPanel access to my site.

Thanks in advance.

Naman Rastogi
Admin
4 months ago
Reply to  Mike Sallor

Thanks, Mike. You can check our comprehensive WordPress Hack & Malware Removal Guide here – https://www.getastra.com/blog/911/wordpress-site-hacked-malware-backdoor/

Also, once your site is clean you can follow our WordPress Security Guide to Harden your site’s security – https://www.getastra.com/blog/cms/wordpress-security/wordpress-security-guide/
