OMG was I hacked or is the hard disk just full


Think we were hacked on Tongfamily at 5AM this morning. Found that we were stuck at the home page going to the WP install page. There are many notes about this, but it can happen because of a weak password on your FTP or your WordPress admin accounts. I have both and have changed all of them. More sadly, if your hosting provider has a compromised password, then someone can get in and attack everything.

My hack looks like I just get to the "Click here to install WordPress" page, but of course, no one is really sure if it was hacked or not, since at that point, you are really vulnerable. In looking at the MySQL databases, I discovered that the wp_options table was corrupted and gone. Sad to say, I didn't do a backup, even though makes it easy to do! I actually did it and then lost the hard disk of the MacBook. So I'm doubly stupid.

Net, net for everyone else:

1. Make a backup of everything. On Bluehost, this is just a click on the backup wizard.
2. Export all your WordPress entries so you have a text file you can pour back into a clean installation.

The scary thing of course is with megabytes and megabytes on the server, I don't know what else is on here. Probably should do a clean install of WordPress just to make sure.

So how do you recover? Well, without a valid options table, you have a big problem. I actually created a new WordPress installation and then copied out the wp_options directory. Actually, it was tougher than that. I had an install that had no default prefix, so it was just options. It turns out that for some bizarre reason, some of the options change, in fact there is a field called user_roles that actually changes depending on the prefix, so it was wp_user_roles in one install and just user_roles in another. Arggh.

I then made another mistake because when I logged on, I got an "unable to access page" when I tried to go to the wp_admin page. This was because of the weird wp_options name change. So I copied in a new wp_user table, but since I copied from a random place, I also copied in the wp_metadata table. This table, like wp_options, has something like two fields that actually change names depending on the prefix (the default is wp_), so you have to change those too.
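The prefix-dependent renames described above can be scripted. This is an added example, not code from the original post: it assumes the standard WordPress layout, where the prefixed keys are `user_roles` in the `options` table and `capabilities` and `user_level` in the `usermeta` table, and it uses an in-memory SQLite database with constructed rows as a stand-in for MySQL. The function name `fix_prefix_keys` is hypothetical.

```python
import re
import sqlite3

# WordPress core embeds the table prefix in these key names.
OPTION_KEYS = ("user_roles",)                   # <prefix>options.option_name
USERMETA_KEYS = ("capabilities", "user_level")  # <prefix>usermeta.meta_key

def fix_prefix_keys(conn, old_prefix, new_prefix):
    """Rename prefix-dependent keys in tables under new_prefix; return rows changed."""
    for p in (old_prefix, new_prefix):
        # Table names cannot be bound as parameters, so allow-list the prefix.
        if not re.fullmatch(r"[A-Za-z0-9_]*", p):
            raise ValueError(f"unsafe table prefix: {p!r}")
    if old_prefix == new_prefix:
        return 0
    changed = 0
    targets = ((f"{new_prefix}options", "option_name", OPTION_KEYS),
               (f"{new_prefix}usermeta", "meta_key", USERMETA_KEYS))
    for table, column, keys in targets:
        for key in keys:
            # Exact match, not LIKE: with an empty prefix a pattern would hit every row.
            cur = conn.execute(f"UPDATE {table} SET {column} = ? WHERE {column} = ?",
                               (new_prefix + key, old_prefix + key))
            changed += cur.rowcount
    conn.commit()
    return changed

def demo():
    # Constructed sample: rows copied from a fresh `wp_` install into a site
    # whose tables have no prefix, as in the post. Values are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE options (option_name TEXT UNIQUE, option_value TEXT)")
    conn.execute("CREATE TABLE usermeta (user_id INT, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO options VALUES (?, ?)",
                     [("wp_user_roles", "placeholder"), ("siteurl", "https://example.test")])
    conn.executemany("INSERT INTO usermeta VALUES (?, ?, ?)",
                     [(1, "wp_capabilities", "placeholder"), (1, "wp_user_level", "10"),
                      (1, "nickname", "admin")])
    renamed = fix_prefix_keys(conn, old_prefix="wp_", new_prefix="")
    names = [r[0] for r in conn.execute("SELECT option_name FROM options ORDER BY 1")]
    keys = [r[0] for r in conn.execute("SELECT meta_key FROM usermeta ORDER BY 1")]
    return renamed, names, keys

if __name__ == "__main__":
    print(demo())
```

Take a database dump before running anything like this against a live site, so a wrong prefix can be rolled back.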

Final issue is that I noticed that my Bluehost hard drive is 98% full. You can actually see your disk status in cPanel, which is cool. Maybe that is why wp_options got wiped out, so maybe it wasn't a hack?
