homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / WordPress
Forum Library, Charter, Moderators: lorax & rogerd

WordPress Forum

Restoring Wordpress files, but keeping database

 2:30 pm on Jul 7, 2011 (gmt 0)

Is it possible to overwrite your Worpress and Theme install directories with a clean version from 2 months prior, keeping the current database? I have possible malware on the install, and the last clean backup is from 2 months ago, but the databases are backed up weekly. I would prefer not to go back to a database 2 months ago, as too much was changed/added.

The WP version of the April backup was 3.0.1

Is it possible to copy the April files, update wordpress and the plugins, upload any missing images to the gallery and be back in business with the current database?

Where are the counters for the posts and images stored? Each image has a number that is consecutive and so are posts, tags, etc. Are tags and categories stored in the database or file on the server?

Trying to see what must be changed on the server files.



 10:34 pm on Jul 7, 2011 (gmt 0)

Sorry but not and expect the new install to be clean.

How many pages/posts are we talking about?


 3:47 am on Jul 8, 2011 (gmt 0)

Database has about 300 posts, 30 pages, and many tags, etc. Lots of customized menus. Other option I guess is a clean install of WP with current database. Then hopefully can copy theme in manually, since that was customized. Or have someone help me clean out the infestation.


 3:31 pm on Jul 8, 2011 (gmt 0)

Do you know for sure what the malicious code is? Can sniff it out? If not, then yes, you're only option to be safe is to do a fresh install in a separate location and then copy and paste rendered page text into new posts/pages. If you have the original source code on a local machine (and you haven't downloaded anything from the server) then you might be able to rebuild the framework and have a new site up and running within a few days.


 12:25 pm on Jul 9, 2011 (gmt 0)

Cleaning the malware would seem to be the easiest solution, though you could always try to revert to the two-month version and re-add the new content (if you have a db backup from that time, too).

I've tracked down WP malware with a little searching on symptoms, etc. Sometimes, deleting bogus files is enough. In other cases, the db itself contains the malware. Be sure to check for any admin/author users that aren't you.

On a site like vWorker you could probably find a Wordpress expert to clean up the current install for a very low price. All the usual advice about choosing a contractor applies, but in particular chooose someone who has a long history of sterling ratings on diverse Wordpress projects, including database work. Set a short completion date - a good worker will jump on this immediately and have it cleared up within hours. (I'd guess the actual work will take much less than an hour for someone who knows what they are doing.) Create new FTP and WP admin usernames for this worker and remove them after the project.


 1:33 pm on Jul 9, 2011 (gmt 0)

I'd also recommend to clean your current installation instead of going back to a backup., this should be much more efficient than trying to piece the old files and the recent database together.


 10:08 pm on Jul 10, 2011 (gmt 0)

I have decided to use the backup from two months ago. I am saving text files of the code in each post along with all the tags, and other info that it has. I will then copy and paste these in the old install. Its a lot of work (estimate 20 hours of work), but it should assure a clean install. I did find that I should be able dump all the new images in their month folders without reuploading thru wordpress. That will save time. (I did an experiment on my current install to confirm this). Then I will do a weekly backup of everything, not just the database from now on.

I guess a question would be what security steps should be taken to prevent this again? I do not allow comments or posts by external users. I have set wp-config.php to a 640 file permissions (this I read from another blog). One article suggested changing the name of wp-admin so that hackers will have more of a problem getting in.

Since a google penalty occurred a day after this malware appeared, would you say that it is highly probable that this cause the penalty, or is it just a coincidence and a google panda update hit?

Any other WP security suggestions?


 1:28 pm on Jul 11, 2011 (gmt 0)

Obvious questions are 1) have you kept up with updates to the Core and Plugins, and 2) is the server itself secured or did they get in through another account?


 2:30 pm on Jul 11, 2011 (gmt 0)

If the drop in rankings didn't happen on Feb 24, then it was likely the malware vs. Panda. And Google does indeed give lower rankings to sites that suddenly develop malware issues. I had a Wordpress blog that I wasn't updating or paying much attention to that got hacked with a link injection scheme. Rankings did tank, and stayed low until the hack was repaired and the links removed. Rankings mostly recovered in the ensuing weeks.

The best security precaution is to keep your WP install up to date, along with any plugins. Don't use plugins you don't really need, both for site performance and security.

Newer themes and theme frameworks let you customize without changing the code, which makes updating when a new version comes out fairly painless.


 1:47 am on Jul 12, 2011 (gmt 0)

Good advice. Did you contact google (thru webmaster tools) for your penalty, or did you just clean up the mess, and let google automatically probe your site and find the malware was gone, and penalty removed by itself?

How bad was your penalty? Mine looks like a -60 penalty. Does that sound like what you would get from a malware penalty?


 1:54 am on Jul 12, 2011 (gmt 0)

Obvious questions are 1) have you kept up with updates to the Core and Plugins, and 2) is the server itself secured or did they get in through another account?

I was a little lax with the updates (maybe a month behind). Server is a managed server, not sure about its security and have no idea how they got in. No activity or intrusions in the FTP logs. Have to assume they came in thru wordpress.


 2:44 am on Jul 12, 2011 (gmt 0)

I didn't interact with Google. I just watched the cached pages and eventually the junk cleared out and traffic went up.


 4:55 pm on Jul 12, 2011 (gmt 0)

I never make that assumption. :) Best to contact that host and ask if the server was compromised within the last month or so.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / WordPress
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved