@DrewDouglass
Created May 20, 2016 21:06
Cleaning a hacked WordPress website.
Cleaning a (typical) Hacked Site
- Create backup of site
- Deactivate any unnecessary plugins. Delete any plugins and themes that are not in use.
- Update all plugins and WordPress through WP admin. We'll replace everything later, but this allows any database updates to happen.
- Download wordpress.org/latest.zip.
- Download fresh copies of every plugin.
- If ACF 4.x is installed, upload ACF 5.x and run its database updates (on multisite, this currently has to be done for each site). Then delete ACF 4.x and its add-on plugins.
- Review wp-config.php to make sure there is no malicious code. If not confident, install a fresh copy of wp-config.php with the correct database information.
- Deactivate site by commenting out database info in wp-config.php
- Delete all files and folders in root directory except wp-config.php and wp-content/, and possibly any non-WP folders such as emails.
- Manually look through wp-content/uploads/ for malicious files. Sometimes they are obvious PHP files and can be deleted.
- Connect to site via SSH and navigate to wp-content/uploads/
- Execute a search for PHP files in uploads: find . -name '*.php' (quote the pattern so the shell does not expand it against the current directory)
- Delete any malicious files that are found.
- Repeat previous 2 steps for blogs.dir on multisite.
- Begin re-uploading WP core files and folders (do not overwrite wp-content)
- Delete plugin folders and begin re-uploading fresh plugin copies to wp-content/plugins/.
- Download the active theme (or use a backup copy). Run a search on the files for "base64" and "eval." If found in JS files, it is likely OK; if found in theme PHP files, it is likely malicious. I have not perfected a way to inspect our custom themes, but they are also not really a target.
- Reset database password and update wp-config.php
- Reset SFTP password
- Re-enable site in wp-config.php
- Log in to admin and navigate to BPS. Regenerate the default and secure htaccess files. Reactivate htaccess and wp-admin htaccess.
- Re-adjust file permissions to secure values.
- Delete unnecessary users. Reset all user passwords including your own.
- Enable the high-sensitivity WP scan and scanning of images as binary files, then run a WP scan.
- Adjust options back to regular WP scan after finished.
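The uploads search and the base64/eval theme check from the steps above, scripted as an added example that is not part of the gist; it assumes a standard WordPress layout under the directory passed in and builds its own constructed sample site in a temp dir:

```shell
#!/bin/sh
# Added example (not from the gist): scripts the "find PHP in uploads" and
# "search the theme for base64/eval" steps. It assumes a standard WordPress
# layout under the directory passed in; the sample site below is constructed.

# List every PHP-like file under uploads and multisite blogs.dir. Uploads
# should hold no PHP at all, so each hit is worth a manual look.
php_in_uploads() {
  wpdir=$1
  for d in "$wpdir/wp-content/uploads" "$wpdir/wp-content/blogs.dir"; do
    [ -d "$d" ] || continue
    # Quote the pattern so the shell does not expand *.php against the cwd.
    find "$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
  done
}

# Report theme PHP files that mention base64_decode or eval(. JS files are
# skipped on purpose, as the checklist treats hits there as likely benign.
# grep exits 1 when nothing matches; that is "no hits", not an error here.
suspicious_theme_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'base64_decode|eval[[:space:]]*\(' {} + || :
}

# Build a small constructed site in a temp dir so the example runs offline.
# Prints the path; the caller removes it when done.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2016/05" "$site/wp-content/themes/custom/js"
  printf 'not really an image' > "$site/wp-content/uploads/2016/05/photo.jpg"
  # constructed: a PHP file sitting in uploads, which the checklist says to hunt for
  printf '<?php echo 1;' > "$site/wp-content/uploads/2016/05/wp-cache.php"
  # constructed: a theme file showing the pattern the checklist greps for
  printf '<?php eval(base64_decode("..."));' > "$site/wp-content/themes/custom/footer.php"
  printf '<?php get_header();' > "$site/wp-content/themes/custom/index.php"
  printf 'var s = btoa("base64 in js is fine");' > "$site/wp-content/themes/custom/js/app.js"
  printf '%s\n' "$site"
}

# Usage against a real install: php_in_uploads /var/www/html, then
# suspicious_theme_php /var/www/html/wp-content/themes/<active-theme>
```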
@RushMamun

That's great. Thanks for sharing this. Also, I've got complete guidelines for the WordPress malware removal process here.
