3.8: WordPress Defacement Page Removal
What is a Defacement Page?
A defacement page is an an attack on a website that changes the visual appearance or content of one or more pages on a web site for the purpose of political messages, vandalism, or to show off a hacker’s skills. Defacements can often be done along with more malicious intent, and can affect one or many pages, and can affect both the file system as well as the database.
Determining if your site is infected
Defacement pages make it painfully obvious that you have been infected. As most defacement pages are done with some level of braggadocio, they are meant to be noticed. You will see “hacked by” messages associated with imagery or even audio that may be offensive.
Finding and Removing Defacement Page
Removal of defacement pages requires an analysis of the site’s files and database contents. Sometimes, removal of a defacement page can be done simply by deleting the offending files or posts. Other times, defacement pages overwrite important files or content. If you do not have a backup from which to restore your defaced site, here are some hints for removal of defacement pages.
Removing Defacements from Site Files
If a file is is extraneous and not overwriting important content, you can simply delete it. If an important file is overwritten from your content management core files, plugin files, or theme files, then you will need to restore those files from originals. Often, attackers will overwrite index.php pages, which are some of the more common pages within a site.
Removing Defacements from Database Posts and Pages
If the defacement is an added page to the site, it can easily be deleted. If you do not have a backup from which to replace a defacement that overwrote site content in your database, you may have an autodraft saved within your database posts that can assist in replacing the defacement with your intended content. Finding the autodraft of the post can be done most easily by searching using a database tool such as PhpMyAdmin.
Looking Beyond the Defacement Page
Defacement pages are placed on the site through exploitation of some vulnerability on the site, either through backdoors, unpatched site code, or compromised administrative, FTP, or other accounts.
If you find defacement pages on your site, it is important to determine how the site was compromised. There may be other types of malware or security vulnerabilities on your site that allowed an attacker to gain access. A review of the entire site is important.
If after reading this guide, you are unsure of how to remove defacement pages, if you are looking for more answers as to how the defacement pages were placed on your site, get help.