Last week one of my WordPress sites got infected with malware. This is the second time within a 30 day period. Previously, I somehow survived almost 3 years with only one defaced site and no malware attack. No wonder I was not prepared for what awaited me after that first attack.
The first experience was much worse, mainly because I didn’t know what to do in such a situation. Panicked, I was trying to fix my site but I really didn’t know what I was doing.
Signs that Your Site May be Infected with Malware
– When you visit the page, you get redirected to a different location.
– If you have anti-virus software on your computer – a highly recommended practice – you may notice that upon accessing the site (or any other site for that matter) the Virus Alert displays.
Had I paid attention to these, I could have reacted faster the first time. However, I ignored those signs initially, because I wasn’t really sure what was going on – and I delayed taking action for too long.
Malware Attack #1
The first time, I learned that I had been infected because I saw a warning message from Google next to my site in the Google search results: “This site is infected with malware” or something similar.
This immediately sent me into panic mode. I tried to find the infected files, but wasn’t sure what to look for, so I searched for advice on what to do next. I thought about restoring the site from backup, but I had to leave to take my son to tennis practice.
Upon returning, I continued to search for information and help, and found the Securi.net website, a company that offers a malware monitoring and cleaning service. I checked my other sites using the free scanning tool that they have on their page. I learned that almost all sites residing on this hosting account were infected, which only increased my panic.
I called the hosting company, Bluehost, to see if they could offer any help – perhaps they could help me find the infected files – but the service person wasn’t very helpful – he just referred me to a different provider of malware removal services.
Unfortunately, it was already Friday evening, too late to sign up for the Securi service (the site guarantees the cleanup within 4 hours Mon-Fri, 8PM-8PM) or call anyone else. My husband, a network engineer, wasn’t helpful either. I realized I’d have to wait till Monday or try to find someone to help me clean up the mess over the weekend.
The next morning I went to check on my sites: three of them were blocked by Google, including two of my biggest sites, with lots of traffic. I didn’t want to wait – I wanted to do SOMETHING – so I started restoring some of the sites, deleting old sites, and updating old WordPress installations. This was not a good idea. In the process, I deleted a site by mistake, and I learned that one of my backup files did not work as it should, so I lost at least two weeks of work on that site.
Then I learned that my hosting account had been suspended. At this point, all my websites, including the ones that were not infected, were inaccessible.
But there was also a positive side to the suspension. My host also sent me a list of files to clean up – including the malicious lines of code that needed to be removed from the wp-config.php file that kept redirecting visitors to spammy sites. What I couldn’t understand was why they couldn’t have done the scan and sent me the files the night before, when I called them – but I was happy to have the list of infected files.
Now at least I knew what to do – so I wasn’t just waiting and doing nothing while my sites were down. It took me somewhere around 6 hours to go through all the files and remove the malicious files and code before I could ask Bluehost to reinstate my account. They did that promptly, sending me another few files to clean up.
After that, I went to Google Webmaster Tools and filled out the form to have my sites checked by Google Bots and have the malware alerts removed. That took a few hours, but I was happy to see that the traffic returned to my sites immediately – so the sites did not get penalized.
Overall, it took me probably over ten hours to clean up the damage, plus one of my sites lost some data that still needs to be added back.
I made a commitment to clean up all the files on the other hosting accounts that I have, and I’ve been doing that slowly – and then it happened a second time.
Just four weeks later – another attack.
Malware Attack #2
Last Friday, right before leaving for the Friday tennis practice with my son, I noticed an anti-virus software alert after visiting one of my sites (this time on another hosting account). My heart sank, but I knew what to do next.
I went straight to Securi.net and started scanning my sites. Fortunately, only this one site had been infected, and it hadn’t even been blacklisted yet.
I didn’t want to spend another weekend trying to clean up the site and worrying about other sites on this account, so I signed up for the cleanup service right away. When I returned from my son’s tennis practice – the site was squeaky clean! No more malware! Hurray!
If your WordPress site is hacked – what do you do?
The usual suspects are weak, easily guessed passwords and compromised plugins. It’s possible that a backdoor was installed on your website a while ago, which means that just removing the infection you see, or restoring a recent backup, isn’t enough.
If you are willing to take a shot at it, here’s what you may need to do:
** Change ALL your passwords. Change the passwords for every WordPress user. Also, make sure that you have no “admin” users. You can do this in the “Users” menu in WordPress. You can also update the database table directly (wp_users), changing the “admin” name to something else. Change both your hosting account password AND your phpadmin password.
** Back up your account. Ideally you want a backup that preserves the timestamps on the files, but at least download a copy through FTP.
** Look for modified files by checking the timestamps. Generally, most of your WordPress files will have the same timestamp, reflecting when WordPress (or a plugin) was installed, so a file with a different timestamp should be easy to identify. These are likely the infected files.
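One way to carry out the backup-and-timestamp check described in these steps, as an added shell example that is not part of the original post: it builds a small, constructed WordPress-like directory in a temporary folder (the paths, file names and the single altered file are assumptions for the demo), takes a timestamp-preserving copy as the clean reference, then lists files newer than the install-time reference and files whose contents differ from the clean copy.

```shell
#!/bin/sh
# Added example (not from the original post): find files in a WordPress tree
# whose modification time differs from the install-time reference, then
# confirm by comparing each file against a known-clean copy. Every path below
# is constructed in a temporary directory; point SITE and CLEAN at your own
# site root and backup to use it for real.
set -eu

WORKDIR="$(mktemp -d)"
SITE="$WORKDIR/public_html"      # assumed live site root
CLEAN="$WORKDIR/clean_backup"    # assumed known-clean copy (backup or fresh download)

# Build a small constructed site tree. Every file gets the same timestamp,
# as a real install would; one file is altered afterwards.
mkdir -p "$SITE/wp-includes" "$SITE/wp-content/plugins/demo"
printf '<?php // core\n' > "$SITE/index.php"
printf '<?php define("DB_NAME","wp");\n' > "$SITE/wp-config.php"
printf '<?php // includes\n' > "$SITE/wp-includes/functions.php"
printf '<?php // plugin\n' > "$SITE/wp-content/plugins/demo/demo.php"
find "$SITE" -type f -exec touch -t 202301010000 {} +
cp -pR "$SITE" "$CLEAN"          # -p keeps timestamps, as the backup step recommends

# Simulate a later, unexpected edit (constructed: one harmless comment line).
printf '// changed later\n' >> "$SITE/wp-includes/functions.php"

# Timestamp check: list files newer than the reference file (index.php),
# one relative path per line.
newer_than_reference() {
    site="$1"
    ( cd "$site" && find . -type f -newer ./index.php | sort )
}

# Content check: compare every live file with the clean copy. An attacker can
# reset timestamps, so this is the result to trust. Prints files that are
# missing from the clean copy (ADDED) or whose bytes differ (MODIFIED).
content_diff() {
    site="$1"; clean="$2"
    ( cd "$site" && find . -type f | sort ) | while read -r f; do
        if [ ! -f "$clean/$f" ]; then
            printf 'ADDED    %s\n' "$f"
        elif ! cmp -s "$site/$f" "$clean/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

newer_than_reference "$SITE"
content_diff "$SITE" "$CLEAN"
```

Run it against your own site root and backup by changing SITE and CLEAN. The content comparison is the one to rely on: a timestamp only reveals a change if the attacker did not reset it, while comparing against a clean copy (or a fresh download of the same WordPress and plugin versions) catches changes regardless of timestamps. wp-config.php and wp-content/uploads legitimately differ from a fresh download, so review those by hand rather than overwriting them.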
Cleaning Up Your Site
Let me ask you first: are you up for the challenge? Security is a specialized field that can require a different perspective and skill set. If you are not comfortable browsing through code and don’t know your way around .htaccess, other configuration files and phpadmin, consider using a service that will clean up your site for you (see my recommendations below).
Getting off Google’s black list
If Google has identified you as an attack site, visitors will see a scary red image warning them away. You want that to go away as soon as possible so you will need to ask Google for reconsideration.
I did this as soon as I had cleaned up my website. If your website is already set up in Google Webmaster Tools, just log in and request a malware review. My website had already been flagged by Google, so it was pretty obvious how to request a review. The review took a couple of hours, at which point the red attack page stopped appearing.
Moral of the Story
1. Always run a full scan immediately after your virus scanner detects a problem.
2. Always keep your software up to date. Oftentimes, when you let your software get a few updates behind, it becomes vulnerable to hackers. This was the cause of my problem: I skipped some updates on some of my old sites. Don’t do this!
3. Consider hiring someone smarter than you. In the first case I was able to remove the malicious code myself, based on the file I got from Bluehost, but it took many hours, and that was already AFTER my site had been blacklisted by Google and my hosting account suspended by Bluehost – not a desirable scenario.
Using a service like Securi.net for website malware removal is great because they automatically scan your sites for hacking and will fix the issues if they arise.
However, even though I have been very happy with Securi.net’s responsiveness and quickness in cleaning up my infected site, I decided to sign up with CodeGarage.
Using a service like CodeGarage is even better because they not only monitor your sites for hacking and fix the issues if they arise, they also automatically back up your WordPress sites, making sure the backup is done correctly. And backups can be tricky – trickier than they ought to be. Servers are finicky. Databases go down when backups are running. Scheduled tasks mysteriously stop working. If your sites are worth backing up, it’s worth making sure they’re getting backed up properly.