Checking your WordPress blog for hacked files

WordPress is a very empowering software, but also can be easily exploited because of how it was created. WordPress was designed to make it easy for users to customize their blog without having to login to the server, but this opens up possibilities for holes. I’ve had a couple of my WordPress sites hacked and I wanted to share a few tips to help identify files that have been hacked. provides a free security scanner that you can point at your WordPress site and have it check for spam links or possible security issues. It won’t catch all of the issues, but it is a great place to start.

What if sucuri finds spam links? How will you get rid of them? I’ve created a very simple bash script that allows you to check multiple WordPress sites for offending text. The script can also be run from the command line of the server that your wordpress is installed on.

  1. Create a file on your wordpress server and call it and then paste the text below in it, replacing with the directory of your wordpress install
#! /bin/bash
grep -r "netstat"

In this case netstat is a networking command line call that I found in some of my hacked files that allow the hackers to gain server access. You can replace the “netstat” with any text and it will scan through all of the files and list out files with it.  If sucuri finds spam links, put some of the text in quotes and run the command. Note that you can run

grep -r "netstat"

from just the command line as well and get the same results. When you are running the command or bash script, it may show that it is unable to access certain directories in your wordpress installation. These are most likely hacked directories. Check the permissions of the directories and change them so that you can get access to them. In my case, the directory’s name was log. I changed the permissions of the directory using:

chmod -R 700

where would be replaced with the directory that wasn’t able to be read.

Once you change the permissions then you can delete the directory. Check to make sure there isn’t any critical files in the directory first.

I’m in no way a security expert but the steps above helped me identify and clean up hacked code.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create your website at
Get started
%d bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close