From 991fca28136f919ed1118ce430f9dab239553fcc Mon Sep 17 00:00:00 2001 From: skybound0532 Date: Sun, 1 Mar 2026 00:03:10 -0800 Subject: [PATCH 1/5] update export instructions --- docs/user-docs/services/web/wordpress.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-docs/services/web/wordpress.md b/docs/user-docs/services/web/wordpress.md index 9d88dbc..b4bb1ce 100644 --- a/docs/user-docs/services/web/wordpress.md +++ b/docs/user-docs/services/web/wordpress.md @@ -76,7 +76,7 @@ The basic steps to migration are as follows: 2. Use the web admin dashboard to install all the themes and plugins you were using at WordPress.com -3. Log into your WordPress.com dashboard and go to `Settings > Export` to +3. Log into your WordPress.com dashboard and go to `Tools > Export` to download a zipped XML file with all your site's posts and content. Note that this export usually will not include all of your media content. From 250244d0c958d00a1ff78a96b757ec23c4148529 Mon Sep 17 00:00:00 2001 From: skybound0532 Date: Tue, 3 Mar 2026 16:56:42 -0800 Subject: [PATCH 2/5] add compromised wordpress site instructions for userdocs --- docs/user-docs/services/web/wordpress.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/user-docs/services/web/wordpress.md b/docs/user-docs/services/web/wordpress.md index b4bb1ce..0926a71 100644 --- a/docs/user-docs/services/web/wordpress.md +++ b/docs/user-docs/services/web/wordpress.md 
@@ -89,11 +89,32 @@ The basic steps to migration are as follows: installation. Additionally, you should try and go through most of your posts and pages with images, as you may need to relink things again. -Further details can be found at [the support page by WordPress.com][1]. +Further details can be found on the [WordPress.com documentation][1]. [1]: https://en.support.wordpress.com/moving-to-a-self-hosted-wordpress-site/ +## Fixing a Compromised Site + +### What happened? + +A malicious actor gained access to and was able to inject code into your site. They may create redirects from a page to a different site, such as a gambling or scam page, or they will run processes on our servers. + +Such exploits are fairly common, as WordPress is by far the most popular web content management system. Usually, they gain access through an outdated plugin with a security vulnerability, but there are many possible ways this might have happened. + +### What do I do? + +Reach out to [help@ocf.berkeley.edu](mailto:help@ocf.berkeley.edu) with your group account username. We will roll your site back to before the compromise date. If you have any recently uploaded media files that you would like before the site is rolled back, let us know in the email and we will save them for you. All data stored in the database (blogs, etc) will not be rolled back. + +### How do I prevent this from happening? + +- **Keep your site up to date:** Regularly update your PHP version. More information can be found on the [WordPress.com documentation][2]. Enable automatic updates for plugins by selecting `Plugins > Enable auto-updates`. +- **Install security plugins:** WordPress has many security-oriented plugins that can help prevent attacks. +- **Switch away from WordPress:** Since WordPress is by far the most popular web content management system, WordPress sites are the most targeted in attacks. 
Using a different web platform or static site generator will make it far less likely your site will be targeted. + +[2]: https://wordpress.org/support/update-php/ + + ## Frequently Asked Questions ### I forgot my admin password and can't log in From 402b3b720b373cd4c706d55a7b94810aec916886 Mon Sep 17 00:00:00 2001 From: skybound0532 Date: Tue, 3 Mar 2026 17:08:26 -0800 Subject: [PATCH 3/5] add compromised wordpress site instructions for staffdocs --- .../procedures/fix-compromised-wordpress.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 docs/staff-docs/procedures/fix-compromised-wordpress.md diff --git a/docs/staff-docs/procedures/fix-compromised-wordpress.md b/docs/staff-docs/procedures/fix-compromised-wordpress.md new file mode 100644 index 0000000..7d8b746 --- /dev/null +++ b/docs/staff-docs/procedures/fix-compromised-wordpress.md @@ -0,0 +1,13 @@ +--- +title: Restoring a Compromised WordPress Site +--- + +Users may request for their site to be restored after it is sorried. Rollbacks can only be performed with `root`. + +1. If the user requests for their media to be backed up, `tar` the `/public_html/wp-content/uploads` folder and email it to them. +2. Run `reset-wpadmin username`. Note that the user will need to recover their password on the WordPress web admin dashboard later, or manually do so according to the instructions on the user-docs. +3. Run `restore-wpbackup target-username staff-username` as root/with `sudo`. Select a backup using best judgement. It is usually best to check for when files were last changed to estimate a compromise date. +4. Delete their `public_html` directory. +5. Rename the backed-up directory to `public_html` with `mv public_html_backup /* public_html`. +6. Run `wp core update` in their `public_html` directory. +7. Unsorry the account. \ No newline at end of file From a3dbb701ada90d9a61a05acbd5801983bbca2d5f Mon Sep 17 00:00:00 2001 
From: skybound0532 Date: Tue, 3 Mar 2026 17:13:47 -0800 Subject: [PATCH 4/5] update fix-compromised-wordpress.md command formating --- .../procedures/fix-compromised-wordpress.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/staff-docs/procedures/fix-compromised-wordpress.md b/docs/staff-docs/procedures/fix-compromised-wordpress.md index 7d8b746..9466e3f 100644 --- a/docs/staff-docs/procedures/fix-compromised-wordpress.md +++ b/docs/staff-docs/procedures/fix-compromised-wordpress.md @@ -5,8 +5,16 @@ title: Restoring a Compromised WordPress Site Users may request for their site to be restored after it is sorried. Rollbacks can only be performed with `root`. 1. If the user requests for their media to be backed up, `tar` the `/public_html/wp-content/uploads` folder and email it to them. -2. Run `reset-wpadmin username`. Note that the user will need to recover their password on the WordPress web admin dashboard later, or manually do so according to the instructions on the user-docs. -3. Run `restore-wpbackup target-username staff-username` as root/with `sudo`. Select a backup using best judgement. It is usually best to check for when files were last changed to estimate a compromise date. +2. From `supernova`, run + + reset-wpadmin username + + Note that the user will need to recover their password on the WordPress web admin dashboard later, or manually do so according to the instructions on the user-docs. +3. Run + + restore-wpbackup target-username staff-username + + as root/with `sudo`. Select a backup using best judgement. It is usually best to check for when files were last changed to estimate a compromise date. 4. Delete their `public_html` directory. 5. Rename the backed-up directory to `public_html` with `mv public_html_backup /* public_html`. 6. Run `wp core update` in their `public_html` directory. From d598fad85c9f912d84bf912f1cd22894b135af49 Mon Sep 17 00:00:00 2001 
From: Eric Gu <69128383+skybound0532@users.noreply.github.com> Date: Wed, 4 Mar 2026 12:53:27 -0800 Subject: [PATCH 5/5] correct restoration instructions --- docs/staff-docs/procedures/fix-compromised-wordpress.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/staff-docs/procedures/fix-compromised-wordpress.md b/docs/staff-docs/procedures/fix-compromised-wordpress.md index 9466e3f..53dcb88 100644 --- a/docs/staff-docs/procedures/fix-compromised-wordpress.md +++ b/docs/staff-docs/procedures/fix-compromised-wordpress.md @@ -15,7 +15,7 @@ Users may request for their site to be restored after it is sorried. Rollbacks c restore-wpbackup target-username staff-username as root/with `sudo`. Select a backup using best judgement. It is usually best to check for when files were last changed to estimate a compromise date. -4. Delete their `public_html` directory. -5. Rename the backed-up directory to `public_html` with `mv public_html_backup /* public_html`. +4. Delete the contents of the `public_html` directory. +5. Move the contents of the backed-up directory to `public_html` with `mv public_html_backup/* public_html`. 6. Run `wp core update` in their `public_html` directory. -7. Unsorry the account. \ No newline at end of file +7. Unsorry the account.
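Review bot: In [PATCH 2/5], the "What do I do?" paragraph says database contents are not rolled back, but the section never tells the user what follows from that: the same section says the attacker was able to inject code into the site, and anything they changed in the database survives the file rollback. Suggest adding a sentence asking the user to review their posts and admin accounts after the restore and to change their passwords. The sentence "All data stored in the database (blogs, etc) will not be rolled back" is also easy to misread; "Data stored in the database (posts, etc.) is not rolled back" is clearer. In the prevention list, link `[2]` points at wordpress.org but is labelled "WordPress.com documentation", and the "Keep your site up to date" bullet covers PHP and plugins but not WordPress core or themes.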
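Review bot: In [PATCH 3/5], step 5's command `mv public_html_backup /* public_html` has a space before `/*`, so the shell expands `/*` to every top-level entry of the root filesystem and, since this procedure is run as root, tries to move them into `public_html`. It should read `mv public_html_backup/* public_html`; that correction only arrives in 5/5, so consider squashing it into this commit so the broken command never lands in history. Step 1 also sends the user the whole `wp-content/uploads` tree from a site that is known to be compromised; the step should say to check the archive for non-media files such as `.php` before emailing it. Step 6 runs only `wp core update`, while the user docs added in 2/5 name outdated plugins as the usual entry point, so `wp plugin update --all` belongs in that step as well. The new file ends without a trailing newline.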
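Review bot: In [PATCH 4/5], step 2 now names the host (`supernova`) but step 3 does not, and step 3's sentence is split around the command block ("Run ... as root/with `sudo`"), so someone copying the block gets `restore-wpbackup target-username staff-username` without the privilege it needs. Suggest naming the host in step 3 too and putting `sudo` inside the command block. The placeholders differ between the two steps (`username` in step 2, `target-username` in step 3); use one name for the affected account throughout. "formating" in the subject line should be "formatting".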
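Review bot: In [PATCH 5/5], the `*` in `mv public_html_backup/* public_html` does not match dotfiles, so a `.htaccess` in the backup is not restored, and if step 4 ("Delete the contents of the `public_html` directory") is carried out with the same kind of glob, a modified `.htaccess` from the compromised site stays in place. Step 4 should give the exact command, and both steps should cover hidden files, for example by copying with `cp -a public_html_backup/. public_html/` after emptying the directory including its dotfiles. The change from deleting the directory to deleting its contents is not explained in the commit message or the doc; one sentence on why the directory itself must be kept would stop a later edit from reverting it.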