Comment on Display Widgets Plugin Review by SEO Gold Services.
I’ve not looked at a Display Widget Plugin v2.6.* hacked site, so I’m not sure how much WordPress security damage it does. If it’s a simple case of the dynamic Post hacking code just adding a dynamic Post and doing nothing else, it will be easy to fix.
Remove v2.6.* of the Display Widgets Plugin and it’s fixed.
The problem is that the option to add a dynamic Post means the Display Widget Plugin developer (@displaywidget) could insert other malicious code via the dynamic Post. If the hackers did this there could be backdoors added to the site and that’s a much bigger WordPress security issue: you have to find them to secure the site.
First step is remove the Display Widgets Plugin v2.6.* and check if deleting the plugin fixes the spammy links when a user is logged out.
You can delete the plugin in two ways: use an FTP program and manually delete the /display-widget/ plugin folder (under /wp-content/plugins/display-widgets/), or under the Plugins menu click the Delete link associated with the plugin.
That should remove the dynamic Post with the spammy links (check when logged out). To be safe I’d at least update the WordPress password just in case.
If it was my site, first using FTP I’d download a full copy of the site’s files, and I’d also use my server control panel to make a backup of the entire site (this gives me a backup of the files and the database).
I’d then look through every directory for anything out of place (looking at file dates can help) and even if I didn’t find anything reinstall WordPress manually via FTP deleting old files and replacing with new.
Basically I’d get the latest WordPress zip file, extract it on my PC, rename the folders within:
Rename: /wp-admin/ to /tempwp-admin/
Rename: /wp-includes/ to /tempwp-includes/
Upload the two folders via FTP, when uploaded rename the original folder:
Rename: /wp-admin/ to /oldwp-admin/
Rename: /wp-includes/ to /oldwp-includes/
Rename: /tempwp-admin/ to /wp-admin/
Rename: /tempwp-includes/ to /wp-includes/
The above gives you a clean version of the main WordPress directories.
Also upload the new files from the zip file (wp-activate.php, wp-blog-header.php etc… there’s around 16 files) over the old ones and manually check what files are unchanged (some old installs have out of date WordPress files, delete them) in the root of the WordPress install. .htaccess and wp-config.php, for example, won’t be overwritten (DO NOT delete them); you should download these files and manually check them for changes.
The above will give you a clean install of WordPress. If the site works, delete the old folders /oldwp-admin/ and /oldwp-includes/.
Next is check what’s in the /wp-content/ directory, this is usually where images, plugins, themes and caches are stored. Delete all plugins you don’t use (if it isn’t active, delete it), delete all themes you don’t use keeping one of the default WordPress themes like TwentySeventeen (should have no more than three themes in the themes folder: one default theme, one parent theme, one child theme). Exception to this is if you are on a multi-site version of WordPress and different sites use different themes: same concept, but keep all active themes.
Like what I did with the /wp-admin/ folder, I’d do similar for the /plugins/ and /themes/ folders. On my PC I’d create two folders /tempplugins/ and /tempthemes/ and put in them fresh copies of the plugins and themes I use. I’d upload them to the /wp-content/ folder and then rename /plugins/ to /oldplugins/ and /themes/ to /oldthemes/ (when everything is working, delete the /oldfolders/).
This way I get a clean version of most of WordPress, other folders under /wp-content/ I’d check manually, if a cache plugin was installed I’d clear the cache (should delete a lot of the cache files) and manually check what’s left.
By doing the above, if a hacker has uploaded a backdoor script to any of the directories you’ve replaced they are gone for good. You just have to be careful manually checking what’s in the wp-config.php file, the .htaccess file and anything under /wp-content/ you didn’t delete/replace.
You also have to check below your root directory. On my server the root directory is under /public_html/, but below that folder is /awstats/, /cgi-bin/, /tmp/ etc… these all need checking manually. On my system /tmp/ for example should be empty, but sometimes old session files remain, I delete them all.
After that I’d check through the database for changes and look through the site when both logged in and logged out for anything untoward. I’d also change all passwords, that includes the passwords for FTP access to the server, the MySQL password (update the wp-config.php file) and the WordPress login password.
There is no right way to do this (I prefer the manual approach as I won’t miss anything: a security script could miss something), it’s a case of looking for things that shouldn’t be there and as every site is different…
All that being said, when I’ve been hacked (I’ve owned 100s of domains, it’s impossible to be 100% secure for 15+ years) I’ve always reverted back to the last clean backup, changed the passwords just to be safe and made sure whatever was vulnerable is fixed: regular backups are your best friend :-)
Update September 16th 2017: I’ve released a Free Security Update/Upgrade of the Display Widgets Plugin.
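The manual "check what files are unchanged" step above can be done mechanically by hashing the live install against a freshly extracted release. The script below is an added example, not code from the commenter or the plugin; it assumes a clean release tree and a live tree laid out like a WordPress root, and it constructs its own sample trees so it runs offline. Files the release zip never ships (wp-config.php, .htaccess) are reported separately for reading by hand rather than lumped in with unexpected files.

```python
import hashlib
import os
import tempfile

# Site-specific files never shipped in the release zip: the comment says to read
# them by hand rather than delete them, so they get their own category.
REVIEW_BY_HAND = {"wp-config.php", ".htaccess"}

def _digests(root):
    """Map relative POSIX path -> sha256 for every file below root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return out

def compare_install(live_root, clean_root):
    """Sort every live file into added / review / modified / unchanged against the clean tree."""
    live, clean = _digests(live_root), _digests(clean_root)
    result = {"added": [], "review": [], "modified": [], "unchanged": []}
    for rel, digest in live.items():
        if rel not in clean:  # absent from the release: stale leftover or planted file
            key = "review" if os.path.basename(rel) in REVIEW_BY_HAND else "added"
        elif digest != clean[rel]:
            key = "modified"
        else:
            key = "unchanged"
        result[key].append(rel)
    return {k: sorted(v) for k, v in result.items()}

def build_sample(base=None):
    """Constructed sample: a clean release tree and a live tree with two deviations."""
    base = base or tempfile.mkdtemp()
    release = "<?php // release copy\n"
    files = {
        "clean/wp-includes/functions.php": release,
        "clean/wp-includes/class-wp.php": release,
        "live/wp-includes/functions.php": release,
        "live/wp-includes/class-wp.php": release + "// constructed: extra line\n",
        "live/wp-includes/.cache.php": "<?php // constructed stand-in for an unexpected file\n",
        "live/wp-config.php": "<?php // site-specific, absent from the zip\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return os.path.join(base, "live"), os.path.join(base, "clean")
```

On a real site, point compare_install at a downloaded copy of the site root and the extracted release zip; anything under "added" or "modified" outside the directories you replaced wholesale is what to open and read.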