Hacked WordPress Site: FTP & MMprobe Removal

TL;DR

Your Bluehost WordPress site has been hacked, likely through FTP access and the MMprobe tool. This guide walks you through cleaning up your files, securing your account, and preventing future attacks.

1. Immediate Actions & Backup

  1. Change All Passwords: Immediately change passwords for your Bluehost account, WordPress admin user(s), database user, FTP accounts, and any email accounts associated with the site. Use strong, unique passwords (at least 12 characters, mixed case, numbers, symbols).
  2. Take a Full Backup: Even though the site is compromised, back up everything (files and database) before you touch anything. This is crucial for recovery if something goes wrong during cleanup. Bluehost provides backup tools in its control panel.
  3. Enable Staging Environment (Optional): If available on your Bluehost plan, create a staging environment to work on the hacked site without affecting the live version.

2. Identify and Remove Malicious Files

The MMprobe tool leaves identifiable files. FTP access allows attackers to upload various malicious scripts.

  1. Access Your Site via FTP/File Manager: Use an FTP client (like FileZilla) or Bluehost’s File Manager.
  2. Scan for MMprobe Files: Look for files named mmprobe.php, mmp.php, and any similarly named files in your root directory (/public_html) and all subdirectories. Delete these immediately.
  3. Look for Unusual PHP Files: Sort files by modification date to identify recently added PHP files you don’t recognize. Be cautious – legitimate plugins also use PHP. Check the file contents if unsure. Look for obfuscated code (unreadable strings of characters).
  4. Check wp-config.php: This critical file contains database credentials. Open it and look for any unexpected lines of code, especially those related to base64 encoding or unusual function calls.
  5. Review Theme Files: Malicious code can be injected into theme files (e.g., functions.php, header.php, footer.php). Look for suspicious code within your active theme’s directory (/wp-content/themes/[your-theme]/).
  6. Check Plugin Files: Examine plugin directories (/wp-content/plugins/) for modified files or new plugins you didn’t install.
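The six checks above can be run in one pass over a downloaded copy of the site. The following scanner is an added example written for this guide (it is not code from the original post or from any plugin): it flags the MMprobe file names from step 2, PHP files modified recently (step 3), and PHP files whose contents contain the obfuscation constructs mentioned in steps 3 and 4. The indicator list, the 7-day window and the sample tree built in run_triage_demo() are assumptions; the "payload" in the sample wp-config.php is a placeholder string of A's, not real code.

```python
"""Triage scanner for a WordPress tree after a suspected FTP/MMprobe compromise.

Added example (not from the original guide or any plugin). It automates the
manual checks in section 2: known MMprobe file names, PHP files modified
recently, and PHP files (wp-config.php, theme and plugin files included) whose
contents show common obfuscation indicators. The indicator list, the 7-day
window and the sample tree built in run_triage_demo() are assumptions.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# File names the guide associates with the MMprobe tool (matched case-insensitively).
MMPROBE_NAMES = {"mmprobe.php", "mmp.php"}

# Constructs that appear in most injected/obfuscated PHP. Legitimate code uses some
# of them too, so a hit means "read this file", not "this file is malicious".
OBFUSCATION_PATTERNS = [
    re.compile(rb"base64_decode\s*\("),
    re.compile(rb"\beval\s*\("),
    re.compile(rb"(gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(rb"[A-Za-z0-9+/=]{200,}"),  # long base64-looking blob
]


@dataclass
class Finding:
    path: str    # path relative to the scanned root, POSIX separators
    reason: str


def scan_wp_tree(root, recent_days=7, now=None):
    """Walk `root` and return Findings that deserve a manual look."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lower = name.lower()
            # Known dropper names: flag regardless of content or age.
            if lower in MMPROBE_NAMES or lower.startswith("mmprobe"):
                findings.append(Finding(rel, "known MMprobe file name"))
                continue
            if not lower.endswith(".php"):
                continue
            # Recently modified PHP is the first thing to look at (section 2, step 3).
            if path.stat().st_mtime >= cutoff:
                findings.append(Finding(rel, f"PHP file modified in the last {recent_days} days"))
            try:
                data = path.read_bytes()
            except OSError:
                continue
            for pattern in OBFUSCATION_PATTERNS:
                if pattern.search(data):
                    findings.append(Finding(rel, f"obfuscation indicator: {pattern.pattern.decode()}"))
                    break  # one indicator is enough to queue the file for review
    return findings


def run_triage_demo():
    """Build a constructed sample tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "plugins" / "good-plugin").mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir()
        good = site / "wp-content" / "plugins" / "good-plugin" / "good-plugin.php"
        good.write_bytes(b"<?php\n/* Plugin Name: Good Plugin */\nadd_action('init', 'gp_init');\n")
        old = time.time() - 90 * 86400
        os.utime(good, (old, old))  # installed months ago, untouched since
        # Constructed artefacts: a dropper file name and an injected line in
        # wp-config.php (the payload is a placeholder string of A's, not real code).
        (site / "wp-content" / "uploads" / "mmprobe.php").write_bytes(b"<?php\n")
        (site / "wp-config.php").write_bytes(
            b"<?php\ndefine('DB_NAME', 'wp');\neval(base64_decode('" + b"A" * 240 + b"'));\n"
        )
        return scan_wp_tree(site)


if __name__ == "__main__":
    for f in run_triage_demo():
        print(f"{f.path}: {f.reason}")
```

Point scan_wp_tree() at the downloaded public_html directory and work through the findings by hand. A recent-modification hit on its own is weak evidence (a plugin update produces the same signal), while a known MMprobe name or an eval(base64_decode(...)) line in wp-config.php should be treated as confirmed and removed.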

3. Secure Your WordPress Installation

Strengthen your WordPress security to prevent future attacks.

  1. Update WordPress Core, Themes & Plugins: Ensure everything is running the latest version. Outdated software has known vulnerabilities.
  2. Limit Login Attempts: Install a plugin like Limit Login Attempts Reload or Wordfence Security to block brute-force login attacks.
  3. Change Database Table Prefix: The default prefix (wp_) is easily guessed. Change it using a plugin like WP-DBManager or manually through phpMyAdmin (advanced users only). Back up your database before making changes!
  4. Disable File Editing in Admin Panel: Add the following line to your wp-config.php file:
    define( 'DISALLOW_FILE_EDIT', true );
  5. Enable Two-Factor Authentication (2FA): Use a plugin like Google Authenticator or Authy for added security on admin accounts.
  6. Install a Security Plugin: Wordfence Security, Sucuri Security, and iThemes Security are popular options that offer malware scanning, firewall protection, and other security features. Configure the plugin settings carefully.

4. FTP Account Security

FTP access is a common entry point for hackers.

  1. Disable Anonymous FTP: Ensure anonymous FTP login is disabled in your Bluehost control panel.
  2. Create Dedicated FTP Accounts: Avoid using the main account for all tasks. Create separate accounts with limited permissions for each user.
  3. Use SFTP Instead of FTP: SFTP (Secure File Transfer Protocol) encrypts data transmission, making it much more secure than traditional FTP. Configure your FTP client to use SFTP.

5. Scan and Monitor

Regularly scan for malware and monitor your site’s activity.

  1. Run a Malware Scan: Use your security plugin or an online scanner like Sucuri SiteCheck to check for remaining malicious code.
  2. Monitor File Integrity: Some security plugins offer file integrity monitoring, which alerts you to any unauthorized changes to your files.
  3. Regular Backups: Continue taking regular backups of your site (files and database).
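File integrity monitoring, as described in step 2 above, can be done without a plugin once the site is clean: record a hash of every file, store that baseline outside the web root, and diff against it on a schedule. The following is an added example written for this guide, not code from the original post or from any security plugin; the file paths and the sample tree built in run_integrity_demo() are assumptions.

```python
"""File integrity baseline for a WordPress tree.

Added example (not from the original guide or any security plugin). It does
what section 5, step 2 describes: record a SHA-256 manifest of every file once
the site is clean, then re-run later and report files that were added, removed
or modified. Paths and the sample tree built in run_integrity_demo() are
assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def save_manifest(manifest, path):
    # Keep the manifest OUTSIDE the web root: anyone with FTP write access to
    # public_html could otherwise edit the baseline along with the files.
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(baseline, current):
    """Compare two manifests; returns sorted lists of added/removed/modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def run_integrity_demo():
    """Constructed site: take a baseline, simulate tampering, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        theme = site / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (site / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php\n// theme functions\n")
        manifest_path = Path(tmp) / "baseline.json"  # outside public_html
        save_manifest(hash_tree(site), manifest_path)

        # Simulated unauthorised changes after the baseline was taken (constructed).
        with open(theme / "functions.php", "a") as fh:
            fh.write("// line appended after baseline\n")
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-content" / "uploads" / "dropped.php").write_text("<?php\n")

        return diff_manifests(load_manifest(manifest_path), hash_tree(site))


if __name__ == "__main__":
    print(json.dumps(run_integrity_demo(), indent=1))
```

Take the baseline immediately after the cleanup in section 2 and again after every update you perform yourself; any "modified" entry in a theme, plugin or core file that does not line up with an update you made, or any "added" .php file under wp-content/uploads, is worth the same manual review as the findings in section 2.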