In 2012 I had 3 sites, have files replaced with the message
Hacked by ghost-dz
Each seemed to be affected to a different extent. i.e. some I could still login to my WordPress Dashboard and others I couldn’t.
Resetting your WordPress Password
You can reset by going to the WordPress Login page for your website, http://your.site/wp-admin and clicking on “Lost your password?” then typing in your Username or E-Mail (sometimes it can be user details which have been changed which is blocking access – you’ll know this is the case if the system won’t accept your usual username or e-mail) and clicking “Get New Password”. [A link will then be e-mail to your address which when you click on it will ask you for your new password.]
If you are still having problems after trying this you will need to go into the cPanel for your site to modify the WordPress database. [If you are having problems accessing your cPanel ask your host to change your password.]
Once in your cPanel, click on phpMyAdmin and then select the database for your site next select the wp-users table [note that this should actually have another prefix e.g. hard_users if you’ve done some WordPress Hardening], find your user account and click edit. In the field user_pass select MD5 from the dropdown and then type in your password in the password field. This will encrypt your password once you click “Go”
This is the same place you can change your username – I haven’t thought through the implications of this, so use with care.
You can scan your site for free with this online tool http://sitecheck.sucuri.net/scanner/
Fortunately I’ve done some “WordPress Hardening” before so I could still access my Dashboard.
I think these so called hackers just look for files on web servers that are publicly writeable. I just fixed a site with the same problem – I had left a template file with permissions 755 and they’d written to it. Reuploaded the file from a back up I had and changed them to 644, all sorted now.
Virtually all of the sites I repair for hacking are hacked due to the FTP user/password being stolen in some way. Occasionally a plugin will be the culprit.
I recommend my clients review this when installing new plugins:
As well as install the Bulletproof Security plugin I discuss here.