9th
September
2015
How to fix “hacked by Moroccanwolf” WordPress site
A client of mine had their wordpress hacked and when you would load the site, it would simply display a message that said “hacked by Moroccanwolf”. I did some digging and luckily it wasn’t a major hack and they didn’t mess with the posts or other settings as a lot of the hacks do.
Quick Fix
- To fix it, you’ll need to connect to your database using an editor of some sort, such as PHPmyadmin.
- Once logged in, expand your database on the left.
- Click on ‘wp_options’.
- On the top right, click the ‘Browse’ tab.
- Look for ‘widget_text’ in the option_name field. (For my client, it was at row 90). You should see something similar to this:
<script>document.documentElement.innerHTML = unescape(''%48%61%63%6b%65%64%20%62%79%20%4d%6f%72%6f%63%63%61%6e%77%6f%6c%66%20%26%26%20%61%62%64%65%6c%6c%61%68%20%45%6c%6d%61%67%68%72%69%62%69'');</script>
Delete the entire tag and this should restore your website. Now remember to change your logins and update wordpress.
How I Figured it Out
Most of the hacks I’ve seen are done through injecting javascript into the database somewhere which either force a redirect or something along those lines. Here’s the steps I followed to find it:
- To fix it, you’ll need to connect to your database using an editor of some sort, such as PHPmyadmin.
- Once logged in, click on your database on the left. Ensure you’re on the database and not a table.
- Click Export.
- Leave it to quick and click go.
- You should now see a textbox with a mess of SQL commands.
- Copy and paste into your favorite editor,
- Search for <script> and you should find something that doesn’t belong. In this instance, that was the only thing I found of note.
- You’ll want to scan the rest of the database for things that don’t belong. Additionally, you’ll want to replace all the wordpress files and confirm no .htaccess files were created that give hackers write access.