Early on March 10th, webenso.com was infected by malware. It started out as parts of the site not working however by the end of the day, it had been blacklisted by Google with any access to the site getting the dreaded red “reported attack site” image.
If your WordPress site is hacked – what do you do?. First things first, are you (or your web designer) up for the challenge? Security is a specialized field that can require a different perspective and skill set. If you are not comfortable with browsing through code and don’t know your way around
.htaccess, other configuration files and phpadmin, consider using a service that will clean up your site for you. Whether you get help or not, it helps to be familiar with the issues and remediation steps. Here’s my take on what you need do.
Initial Steps and Diagnosis
- Change your passwords Change every password. EVERY password.
- Change the passwords for every WordPress user. You can do this in the “Users” menu via WordPress. You can also update the database table directly (wp_users) with random characters for the password to disable the account.
- Change both your hosting account password AND your phpadmin password.
- Regenerate the WordPress secret keys and update the
wp-config.phpfile with them. Doing this will invalidate any outstanding login session with your WordPress admin. I was seeing malicious files show up after deleting them. Once I regenerated and uploaded my secret keys, that stopped. This link is a API link that generates new keys for you. And here is the WordPress Codex information on Security Keys.
- Backup your account. Ideally you would like a backup that preserves the timestamps on the files. But at least download a copy through ftp. Why are you making a copy of a corrupted installation? For later analysis. And if you don’t have ssh access to your account, being able to “grep” (a search utility) through the local copy of your files is crucial.
- Look for modified files. Look through all the files in your account for recent or different timestamps. Generally most of your wordpress files will have the same timestamp reflecting when wordpress (or a plugin) was installed, so a different timestamp should jump out at you. These are likely the infected files. In my case, all my
index.phpfiles were infected (there are several in different directories), as well as
registration.phpin the wp-includes directory.
- Identify the malicious code Looking through the code I found a suspicious line of code enclosed with script tags that invoked a
.htmlfiles in add on domains that were hosting non WordPress sites. This infection was also enclosed in script tags and using a function called createCSS(). The code stood out to me because it included a long string of numbers. Other code to look for is base64_decode. Once you have identified the type of infection, you will need to search through all your files for the malicious code.
Cleaning up your site
Identifying and cleaning the infected files is one thing, but do you know how your site was compromised in the first place? The usual suspects are weak, easily guessed passwords and compromised plugins. It’s possible the backdoor was installed on your website a while ago which means that just removing the infection you see or restoring to a recent backup isn’t enough.
In my case I didn’t identify the source of the inflection until later, so I took the cautious approach. Here is what I did:
- Completely removed the wordpress installation (since just reinstalling wordpress doesn’t remove any new files created by the hacker) and installed the latest WordPress version into another directory. This caused me some grief down the road with my images as their location changed and I had to re-upload them.
- Created my users by hand, giving them strong passwords.
- Instead of just pointing my new wordpress installation to my original database, I exported my database, table by table and imported selected tables. This was probably overkill, but there is a type of attack called “database injection” so I was being careful. I did run into an import problem where a column “post_category” was missing in my new wp_posts table. This is because this column is deprecated in more recent versions of WordPress. What I did was delete the table in the new WordPress database and let my script create the older version of the table.
- Reinstalled my theme and plugins – which I am still in the process of doing.
Getting off Google’s black list
If Google has identified you as an attack site, visitors will see a scary red image warning them away (see picture above). You want that to go away as soon as possible so you will need to ask Google for reconsideration. I did this as soon as I had reinstalled WordPress (step 1 above). If your website is already set up in Google Webmasters Tools just log in and request a malware review. My website had already been flagged by Google so it was pretty obvious how to request a review. The review took about a business day at which point the red attack page stopped appearing. I even got an email from Google warning me about the malware although by then I had already taken action.
How I was infected
webenso.com was infected by a trojan that infected my PC laptop when I clicked on a zip file in a email message purporting to be from DHL. Coincidentally I had been waiting on some real estate documents that were to be emailed to me otherwise I would have never open that zip. My virus scanner caught and quarantined it but it didn’t not catch two files that lodged themselves into my browser’s temporary files folder. When I logged into WordPress to write a post, they uploaded and created a way for the hacker to get into my site. When I ran a full scan, Avast found the two files. Moral of the story, always run a full scan immediately after your virus scanner detects a problem.