Everyone Hates Hackers
Let me start with a mini-rant: Why do people bother hacking small independent businesses/bloggers? Like seriously, I can almost understand that some hackers have a political vendetta against governments or organisations and the reasons for redirecting to funny or hoax sites, but why target freelancers or small businesses who are likely already struggling to get by? When groups such as LulzSec or Anonymous hack news sites like the Sun and redirect to a fake page with a story of Murdoch’s death – I can see the amusement. But when groups take down the CIA website or leak sensitive documents (that could lead to hostile political situations) I just don’t understand the motive. Similar to people hurting others for no reason, it is just plain evil. That said, attempted hacking happens all the time and it will likely continue forever.
This only makes me worried about the increased risk and exposure we have to hackers as technology evolves. Imagine a hacker gaining control of driver-less cars, aircraft, energy systems etc. The results could be devastating!
My WordPress Blog got Hacked
Although not quite as detrimental to society as taking over control of a power station, my blog was maliciously attacked on two occasions recently. I can’t help but think that a group of Indian SEO experts who I politely refused to pay 100s of dollars to on numerous occasions might be involved. Their response to my fifth decline of business was something along the lines of ‘You will need as soon sir… I promise you’. Now maybe I have been watching too many movies, but I think they might be guilty!
My dismay all started with a nice message from Google Webmaster Tools:
Just what I love to wake up to on a Saturday morning! There was me thinking that Google had decided to email me to let me know that SavvyScot had been upgraded to page rank 4…. but no, I had been infected!
When I first got this message a couple of weeks back (the first time the site was compromised) I didn’t know where to start. After springing out of bed and instantly awake, I was in a bit of a panic. This was soon made worse after I realised that I had wrongly assumed there would be a simple step-by-step process that I could follow to put things right. WRONG. Google Webmaster tools provides a scanning tool that you can use to determine which parts of your blog/site are infected, but the removal was a complete mystery! What the heck had happened?
In short and on both occasions, the WP-INCLUDES folder was infected with malware which contained redirects in the CSS. In essence, this meant that Google flagged my site (alongside numerous other browsers and search engines) as being unsafe. This removed SavvyScot from all search listings on Google and actually prevented anyone from visiting it by clicking through.
As I am sure you will agree, at this stage getting the site cleaned and live again is a top priority – you don’t want to have readers / search bots being put-off ever returning to your site!
Fixing a Hacked WordPress Blog
One of the reasons that there is no manual or step-by-step guide, is that the possibilities of where and how your site is infected are endless. You must first start by using the Google scanning tool and work out exactly where the malicious code is contained. The second time I was hacked, this was restricted to just the WP-INCLUDES folder, so I could simply delete it from my hosting account (open up the FTP portal and delete the WP-INCLUDES folder from the wordpress directory) and replace it with a different version.
If you back-up your site regularly, you will likely have a number of iterations of the WP-INCLUDES folder. The trick is to pick a slightly older one (to ensure that you revert to a version prior to the infection) or even replace it with the default WP-INCLUDES folder from a fresh WordPress installation; you can obtain one of these by downloading the package WordPress.com. If you replace the folder with a brand new one, you will need to define the wordpress configuration file. Thankfully, this is easy to do and can be done through the wordpress admin interface. You will need to have your host’s details to hand and the SQL database name, username, password and hosting address.
It is also likely that when you restore the folder and attempt to visit one of your posts, your site will display a 404 (Not Found) page. To begin with this freaked me out, but there is a very simple fix. Simply reset your permalinks settings by changing it to a different option, saving them and then changing it back.
Fixing More Complicated Hacks
The above steps are a little bit of a breeze, but unfortunately it is often not that easy. The first time that my blog was compromised, I had to completely wipe everything and restore from a backup; the infection had spread outside of the WP-INCLUDES folder and pin-pointing the exact locations was a nightmare. There is also no guarantee that you have removed all the malicious files – they could be on a timed script to replicate again. This can get quite complicated as your SQL tables may need to be renamed or edited in other ways. This highlights the need for backups, because without one, I would have lost a LOT of my content!
Upon deleting everything from your hosting account, the first step is to reinstall WordPress. I am not going to guide you through this process, as I assume you already know how to do that! Upon completing the install, you will then need to ensure that the blog is pointing to the correct SQL database on the back-end. This can sometimes be done through a tool in your hosting control panel, but you will somehow need to edit the wp-config.php file. In simplest terms, the configuration file tells wordpress where to access the database where your posts, comments and content is stored and the credentials to use.
In some cases, the SQL database can become infected, so you may need to delete that and restore from a backup too. Reloading these can be tricky and you may need to seek expert advice. Most hosts have some sort of semi-friendly SQL interface (such as phpmyadmin) which makes the task slightly easier. In my case, I had to revert to a SQL backup that was a few weeks old and manually reload other content.
Finally, you will need to reload the WP-CONTENT folder (which includes all your images / videos / uploads etc.) from a backup to ensure that the content in the SQL database (i.e. a post) is referencing the correct images. You will also need to ensure that your plugins are installed and any other settings are configured.
Hack Fixed: Next Steps
The first thing that you are going to want to do is submit your site to Google for re-consideration. This can be done through the Webmaster Tools page for your site. It will take a number of hours for Google to review your site and in my experience I didn’t always fix it first time. Restoring from backups becomes a painful process, in not knowing how far back to go! Google scan sites pretty regularly for malware / other infections, so you shouldn’t have to revert to a copy that is more than a couple of weeks old.
At this stage, your site may be fixed, but you should definitely consider what you can do to stop it happening again!
Top Tips to Prevent Your Site / Blog From Getting Hacked
- Firstly, I would recommend that you turn of the feature that users can automatically register in WordPress. This is something that I had turned off originally, but after updating WordPress, it must have reverted to allow this. Consequently, I had about 180 ‘subscribers’ register with bogus email addresses. I am sure that there is some sort of vulnerability in WordPress where this might allow users to gain access to a subdirectory of the WP-INCLUDES folder.
- Re-evaluate your hosting provider. On both occasions that my site was compromised, numerous other GoDaddy sites were also infected. Bit too much of a coincidence I think! I have consequently migrated my hosting over to Nuts and Bolts Media where I feel in much safer hands. Nuts and Bolts Media is a much smaller company and consequently I got superb customer-service. The owner (Andrea) personally completed the migration process – for free! I now have the comfort of knowing that my site is hosted from a server farm alongside other reputable blogs – instead of co-located on a virtual server with goodness knows what else! It is also actually cheaper than what I was paying GoDaddy.
- Consider disabling plugins that have not been updated by the author for some time or those that you don’t use. As WordPress is updated, old plugins can remain unchanged and loopholes can be exploited.
- Change your Password. You should be doing this regularly anyway, but use this as a prompt to schedule a weekly/monthly change.
- Re-evaluate your Site/Blog backup system. Did you restore everything you wanted? Do weekly backups work for you, or would twice-weekly have worked better? Do you keep a short-term copy of your content on your laptop locally? Do you rely solely on one backup plugin, or do you take manual backups? On what frequency does your hosting provider take backups?
If you made it through this 1600 word article I am impressed. If I manage to help even one person in the remediation of their problem, I will be happy!
Have you been hacked before? What happened and did you lose much?
