How to Identify and Fix a Hacked WordPress Website
Is WordPress hack-proof? Never say never, but it is commonly accepted that the WordPress Core has strong security. Professional analysis of hacked WordPress sites typically reveals the point of entry to be the result of a weak administrator or FTP password, a domain or hosting level breach, an insecure plugin or theme, running an outdated version of the WordPress Core, or a point of entry other than the WordPress Core.
The smart techies know that keeping your site free of viruses, hijacked files, and security vulnerabilities is easier said than done, but often a little effort goes a long way. For example, you could follow Our 10 entry-level WordPress security steps and have a more secure WordPress site than many others do.
Compromised Sites Aren’t Always Easy to Identify
The question website owners need to know the answer to is, “How do I know when the threshold has been crossed — when my site has been hacked?”
In March 2012, ZDNet reported:
…over 90 percent [of website owners] didn’t notice any strange activity, despite the fact that their sites were being abused to send spam, host phishing pages, or distribute malware.
– “63% of website owners don’t know how they were hacked” (emphasis added)
In April 2012, Google’s Matt Cutts revealed how common and unaware hacked websites and their owners really are:
Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites with injected links. The most common reaction we hear from webmasters is “The problem is with the Google search. There is nothing wrong with our website.” That’s a real quote from an email one site owner recently sent us. Sadly, it turns out that the site is almost always really hacked.
– “Example email to a hacked site” (emphasis added)
The StopBadware PDF, linked to from the ZDNet article above, answers the question, “What are the compromised websites used for?”
- Hosting malware
- URL redirect
- Hosting phishing, spam pages, pornography
- Vandalism
- Other content or activity
- Sending back link to hackers website
How to Identify a Hacked Website
One of the benefits of using a common website platform, like WordPress, is that security scanners know what to expect. They can tell that WordPress Core files shouldn’t contain certain code or load assets from external domains or contain obfuscated code.
No matter how your website is built or managed, some common signs of a hacked site include:
- Displaying popups that you didn’t implement
- Displaying odd text in your footer or in the “View Source”
- Links to other sites or auto-linking of keywords that you didn’t create links for
- Seeing obfuscated / encoded text in plugins
- Website redirecting (immediately or after a short length of time) to another URL
- Any mischievous or unusual activity or spikes in traffic or bandwidth usage
Above are telltale signs that you’ll be able to identify just by browsing your own site.
Following are automated methods of identifying compromised sites.
Google Webmaster Tools Email Alerts
Google Webmaster Tools is a great resource for webmasters, which you probably already know. One of the great features is their email notifications when they detect bad activity (i.e. hacked!) on your site. You were verified as the site owner so they email you the notification directly. This notification is what Matt Cutts’ quote above refers to. So now you know that if you receive an email about this, Google’s got a great accuracy rate and you should immediately go into high-alert mode.
Google Scanners
Fetch as Google and Google Safe Browsing diagnostics (google.com/safebrowsing/diagnostic?site=http://YOURDOMAIN ) are two ways you can scan your site to see it how Google sees it.
StopBadware Clearinghouse
The StopBadware Clearinghouse can be searched quickly, but it’s likely to already be included in Google’s Webmaster Tools results. In other words, you’ll probably receive an email from Google Webmaster Tools before checking the StopBadware Clearinghouse. However, it’s good to check during the site recovery process.
Sucuri SiteCheck Scanner
Sucuri’s SiteCheck malware scanner checks against Google Safe Browsing, Norton Safe Web, Phish tank, Opera browser, SiteAdvisor, and several other blacklist databases. It also runs its own searches for malicious or suspicious iframes, scripts, downloads, redirections, and other items. It also provides a list of the scanned URLs and scripts, the website’s software (e.g. WordPress), and the software version information.
webcheck.me Scanner
The webcheck.me Scanner checks security, the existence of plain-text email addresses, MX records, SEO quality, and other tests. It’s a visually-appealing, high-level view of your site’s overall health.
Browser Security Scanner
Maybe one you didn’t expect, the Qualys BrowserCheck scans your internet browser for security vulnerabilities, including outdated computer software and browser plugins like Java, Adobe Flash, Adobe Reader, and Microsoft Silverlight. It’s possible that the browser, FTP client, or other access point is to blame for a compromised site.
How to Fix a Hacked WordPress Website
Once you know or suspect your site has been hacked, Googlerecommends you:
- Take your site offline
- Assess the damage
- Work on recovery
- Get back online
StopBadware lists similar steps:
- Identify badware behavior
- Remove the badware behavior
- Prevent future infection
- Request a review to remove your site from badware lists (the blacklist clearinghouse mentioned above)
Backup, Backup, Backup… Restore?
If you pinpoint the date and time of your site’s hack, the simplest solution is to just restore your website to a backup prior to that time. This is why it’s important to use a reliable backup utility, one that not only backs up but makes it easy to restore.
However, this previous backup is the one that was vulnerable to attacks, unless the point of entry was at the domain, server, or FTP level instead of the software level. Regardless, it’s important to make sure this restored version of your site is free from the same vulnerability(ies).
It’s a good idea to backup your .htaccess and wp-config.php files, your wp-content directory, and your database separately from your full .zip backup file(s) so that you can replace portions of your site, like the WordPress Core files.
Replace WordPress Core Files
Hackers typically go after a high yield hack. For example, if they can hack WordPress Core or a popular plugin or an entire webhost, they hack once and gain access to a multitude of sites. Additionally, they probably don’t care to hack a80yva9a dot com because it’s a site and domain of no value in terms of visitor traffic or perceived reputability.
Because of this high-yield theory, it can be beneficial to replace the web server’s copy of the WordPress Core files. You can always get the latest version of WordPress at http://wordpress.org/latest.zip.
Additionally, you should re-install all your plugins and inspect your themes before re-installing. I also suggest inspecting the rest of the wp-content directory for mysterious files.
Change All Login Credentials and Protect WordPress Logins with SSL
No matter where the security breach seems to have originated from, you never know the entirety of what information might have been acquired.
Create new passwords for all logins — SSH, server management, FTP, Google, ManageWP, and WordPress User accounts — without prejudice (i.e. don’t assume any weren’t compromised). Also, generate a new set of wp-config.php security keys / salts. You can completely change the log in page.
If you don’t already have an SSL certificate to secure WordPress logins, now is the time to implement it. Follow the additional items suggested by WordPress Codex “Hardening WordPress”, including using an SSL certificate.
Resolve Specific Issues
The steps above apply to all sites attempting to recover from a hacking incident. You might also have webhost, web server software, or other issues to address. Using the scanners above should help pinpoint additional security concerns; however, no scanner is fool-proof and the WordPress database could still be compromised.
Reminders
Let me assure you; it’s easier, more reliable, and less of a headache to “act as if” — operating a secure site and taking security precautions to the next level on a regular basis — than it is to restore a hacked site and only then pay attention to security.
I suggest you perform some of the actions above on a semi-regular basis — taking regular backups and verifying they are able to be fully restored, changing login credentials, etc. — in addition to forcing strong passwords, limiting login attempts, and taking other security precautions.
Adding your site to Google Webmaster Tools provides a number of benefits, one of which is receiving security alerts via email. Make sure to add your site to Google Webmaster Tools.
Make sure you take regular backups. Typically, once or twice per day is sufficient. Others consider every other day, once per week, or once per month adequate. The optimal backup schedule depends on how often your site content changes and how much traffic your site gets.
If you’ve ever had a site hacked or helped someone else resolve their hack issues, please share what worked best for you. Now is the time for “the fish was this big” stories. 😉
