My site has been hacked, what can I do now?

“I was using an outdated version of MailPoet (older than 2.6.8), hackers found a way in and messed up my site…
What should I do to get my site back to the way it was?”

There was a security issue in all the versions of MailPoet lower to 2.6.8, this security issue was making your site highly vulnerable (blog post).

If a hacker found a way in through that backdoor, chances are high that your whole site is infected.

This is safe to assume that you’ll need to restore a backup prior to the 1st of July, when the issue has been made public.

How do I know if my site has been hacked?

To find out, simply look for any PHP files in the folder wp-content/uploads/wysija on your site’s server and all of its subfolders.

Steps tofollow in order to recover your site

  1. Get in touch with your hosting company and ask them if they are already taking steps to recover your site, this might make it easier for you.
  2. If that’s not the case then you’ll need to do it on your own.
  3. Copy all of the current files of your site onto your local computer and export your DataBase in its current state, it could come in handy later if you want to assess clean it manually or restore portions of your data.
  4. Get a backup of the database and files of your web site from a date prior to the 1st of July, when the first hacks started to happen. You need one to restore your site back to normal.
  5. Change the database credentials*
  6. Change your FTP credentials. *
  7. Change your SSH credentials*
  8. Check for new suspicious FTP accounts and SSH users, and remove them. Ask for your hosting company’s help. *
  9. Restore the backup files.
  10. Change your secret keys. Visit the WordPress key generator to obtain a new random set of keys, then overwrite the values in your wp-config.php file with the new ones.
  11. Restore your DataBase backup.
  12. Reset your Administrator Password from the login page of your WordPress site.
  13. Login Safely, and change all of your Administrator passwords on your site.
  14. That’s it everything should be back to normal!

* your hosting company can help you doing that through their administration panel or through their support area.

Additionally, read the WordPress.org FAQ on having your site hacked.

Note that all previous versions of MailPoet have also been fixed.

Three important steps to keep your site safe

  1. Always keep your WordPress and plugins updated to the latest version. Check your plugins regularly for updates.
  2. Have a backup of your site’s files and database made on a regular basis.
  3. Subscribe to our newsletter or follow @mail_poet on Twitter to get important updates.

We’re deeply sorry about that whole situation, the last thing in the world we wish to our users is to get their sites hacked.

As WordPress’ hardcore users we’ve been there in the past, and we know what a painful experience that can be.

We’re very sorry but that’s as much as we could do with the tools we have in hands. We can’t promise we won’t have other security issues in the future, all we can do is strive for perfection and get you the best and safest newsletter plugin we can.

1