Yes, this kind of attack has become more frequent on WordPress-powered websites. Hackers target WordPress sites mostly via vulnerable plugins or themes, because current WordPress versions come with an auto-upgrade feature that runs on general upgrades and when a new serious vulnerability is detected. WordPress (WP) is free, and major websites on the internet are powered by WP, so naturally most hackers are active in compromising WP sites using a vulnerability or zero-day bug.
Let's come to the point. Follow the steps below to clean the website:
- Log in to your cPanel or FTP client (e.g. FileZilla)
- Navigate to the public_html or www folder
- Check whether index.html is there. If yes, back it up and delete it.
- In the same way, locate index.jpg and delete it
- Now see whether your homepage shows the correct content.
- If not, check the index.php file. Compare it with the original version from the WordPress repository.
- Check that .htaccess is present and that its contents are genuine and not malicious.
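The file checks above can also be run in one pass over a copy of public_html downloaded via FTP. The script below is an added example, not part of the original post. It assumes you have a clean index.php from a fresh download of the same WordPress release, and it treats every .htaccess line outside the "# BEGIN WordPress" / "# END WordPress" block as something to review by hand. The function names are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def htaccess_extra_lines(text):
    """Return non-blank lines outside the '# BEGIN WordPress' / '# END WordPress' block."""
    extra, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "# BEGIN WordPress":
            inside = True
        elif s == "# END WordPress":
            inside = False
        elif s and not inside:
            extra.append(s)
    return extra

def audit_docroot(docroot, clean_index_php):
    """Return (check, detail) findings for a copy of public_html.

    clean_index_php: index.php taken from a fresh download of the same
    WordPress release (assumption: you have unpacked one locally).
    """
    root, findings = Path(docroot), []
    # Dropped front pages: index.html, index.jpg, or any other index.* name,
    # since the name of the malicious file may vary.
    for p in sorted(root.glob("index.*")):
        if p.is_file() and p.name != "index.php":
            findings.append(("unexpected-index", p.name))
    index_php = root / "index.php"
    if not index_php.is_file():
        findings.append(("index.php", "missing"))
    elif sha256(index_php) != sha256(clean_index_php):
        findings.append(("index.php", "differs from clean copy"))
    htaccess = root / ".htaccess"
    if htaccess.is_file():
        for line in htaccess_extra_lines(htaccess.read_text(errors="replace")):
            findings.append((".htaccess", line))
    return findings

if __name__ == "__main__" and len(sys.argv) == 3:
    for check, detail in audit_docroot(sys.argv[1], sys.argv[2]):
        print(f"[review] {check}: {detail}")
```

A finding means "look at this file", not "this file is malicious": hosting panels and other plugins legitimately add .htaccess lines outside the WordPress block.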
The vulnerability used to compromise the WordPress site
In this type of attack, the hacker used the zero-day vulnerability in the Twenty-Twelve theme. This theme is itself an official WordPress theme, so no doubt most WordPress websites have it in their backend. Moreover, a hacker can exploit this theme even when it is not the active theme. To detect and remove this vulnerability, we recommend scanning your backend with the Wordfence plugin.
- Log in to your WordPress admin panel
- Install and activate the Wordfence plugin (if not installed earlier) via Admin panel > Plugins > Add new
- Go to Admin panel > Wordfence > Scan > Start a Wordfence scan
- Click the check box in front of Select for bulk repair
- Now click the Bulk Operation link just above the first scan result
- Click the Repair files button
- When you have cleaned the malicious objects completely, Wordfence will show the success message "Congratulations! No security problems were detected by Wordfence."
That's not all. You should delete the Twenty-Twelve theme if it's not a default theme.
- WordPress admin panel > Appearance > Theme
- Select the Twenty-Twelve theme
- Click the Delete link (found in the lower right corner)
Alternatively, you can delete extra or unused themes manually in bulk via an FTP client like FileZilla.
How to protect a WordPress-powered website from future attacks
Generally, precaution is better than cure. So, you need to install a security plugin like Wordfence to filter malicious requests and activity from genuine ones. Nowadays it's essential to install a firewall, a virus scanner and a file change detection tool on websites for better security.
Sometimes the name of the malicious file may vary, so check carefully. You can see the following video for further detail.
Hope this pulls you safely out of this malicious attack. All the best.