So you think your website has been hacked? Don't panic: chances are the problem can be fixed and you can prevent it from happening again. Before you get too deep into things you need to determine what type of issue you are facing. There are many different ways an intruder can gain unauthorized access to your WordPress website, and there is also a real possibility that your website has not been hacked at all.
Whitescreen/PHP Error Messages
If you are seeing PHP errors or just a blank white screen when visiting your site, chances are you have not been hacked but are instead facing a less serious issue. The bad news is that there are many different kinds of errors you could be experiencing, so it may take some work to track down the problem. The good news is that you most likely have not been hacked and your data should be safe. A white screen is not proof of that on its own, though: a badly injected file breaks PHP just as well as a buggy plugin does, so if the steps below don't explain it, keep reading into the next section.
In the above pictures I show 2 possible examples of PHP errors, an out of memory error and a generic PHP syntax error. In either case it's very likely that a plugin, a combination of plugins, or a theme is responsible. If you are seeing a white screen, look for a file called error_log on your server. PHP creates it automatically in the same directory as the problematic file when errors are encountered, provided error logging is on and no other log path is configured, which is the usual setup on shared hosts; on other servers the errors land in the web server's error log instead. There may be several error_log files in different directories, so be sure to check the timestamps and read the newest one first.
To troubleshoot this type of issue, I would start by using FTP to rename the wp-content/plugins directory to plugins-disabled, which disables all plugins. If the site loads after doing that, you know the culprit is a plugin or a combination of plugins, and you need to turn the plugins back on one by one to find out which is responsible: move one plugin folder back into a fresh wp-content/plugins directory, reload the site, and repeat. Note that WordPress marks any plugin whose files have gone missing as inactive, so once the folders are back you will have to reactivate the good plugins from the Plugins screen. If turning off the plugins doesn't help, try switching to a default WordPress theme. You should be able to log in to wp-admin, since a theme issue rarely affects the admin section; if it does, rename the active theme's folder inside wp-content/themes and WordPress will fall back to the default theme. If neither strategy works, try searching for and posting your error on the WordPress support forums. Chances are someone can help you track down the problem.
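The two steps above (find the freshest error_log, then bisect the plugins directory by renaming) as a small script. This is an added example and not code from the original post; it assumes shell or SSH access to the install rather than FTP (the renames are the same), and a caller-supplied site_ok() check such as a function that fetches the home page and returns True on a normal response.

```python
"""Helpers for the white-screen procedure above: list the freshest error_log
files under a web root, and reproduce the plugins -> plugins-disabled rename
bisection to find the plugin (or combination of plugins) that breaks the site.
Added example, not code from the original post. It assumes shell or SSH
access to the install (the renames are the same ones the post does over FTP)
and a caller-supplied site_ok() check, e.g. one that fetches the home page
and returns True on a normal response."""
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Tuple


def newest_error_logs(root: str, limit: int = 5) -> List[str]:
    """Paths of error_log files under root, newest first. PHP writes one next
    to the failing script, so several may exist; the newest one describes the
    current problem."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "error_log" in files:
            path = os.path.join(dirpath, "error_log")
            found.append((os.path.getmtime(path), path))
    found.sort(reverse=True)
    return [path for _mtime, path in found[:limit]]


def bisect_plugins(wp_content: str, site_ok: Callable[[], bool]) -> List[str]:
    """Park every plugin in plugins-disabled, confirm the site loads, then move
    plugins back one at a time. A plugin that breaks the site on its return is
    recorded and parked again, so the loop carries on and also catches a
    combination of bad plugins. Returns the offending directory names; good
    plugins end up back in plugins/, bad ones stay in plugins-disabled/.
    WordPress marks plugins whose files went missing as inactive, so reactivate
    the good ones in wp-admin afterwards."""
    plugins = Path(wp_content) / "plugins"
    parked = Path(wp_content) / "plugins-disabled"
    if parked.exists():
        raise RuntimeError(f"{parked} already exists; move it aside first")
    plugins.rename(parked)                  # step 1: disable everything
    plugins.mkdir()
    if not site_ok():                       # still broken: not a plugin problem
        for entry in list(parked.iterdir()):
            entry.rename(plugins / entry.name)
        parked.rmdir()
        return []
    culprits: List[str] = []
    for entry in sorted(parked.iterdir()):  # step 2: re-enable one by one
        restored = plugins / entry.name
        entry.rename(restored)
        if not site_ok():
            restored.rename(entry)          # park it again, test the rest
            culprits.append(entry.name)
    if not any(parked.iterdir()):
        parked.rmdir()
    return culprits


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run both helpers on a constructed throwaway wp-content (not a real
    site): three plugins, one of which is the culprit, plus an old error_log
    in the web root and a fresh one next to the broken plugin."""
    tmp = Path(tempfile.mkdtemp())
    plugins = tmp / "wp-content" / "plugins"
    for name in ("good-seo", "bad-plugin", "good-forms"):
        (plugins / name).mkdir(parents=True)
    old_log = tmp / "error_log"
    new_log = plugins / "bad-plugin" / "error_log"
    old_log.write_text("PHP Fatal error: Allowed memory size exhausted (old)\n")
    new_log.write_text("PHP Parse error: syntax error in bad-plugin/init.php\n")
    now = time.time()
    os.utime(old_log, (now - 3600, now - 3600))
    os.utime(new_log, (now, now))
    logs = [os.path.relpath(p, tmp).replace(os.sep, "/")
            for p in newest_error_logs(str(tmp))]

    def site_ok() -> bool:
        # The constructed "site" is up exactly when bad-plugin is not active.
        return not (plugins / "bad-plugin").exists()

    culprits = bisect_plugins(str(tmp / "wp-content"), site_ok)
    remaining = sorted(p.name for p in plugins.iterdir())
    return culprits, remaining, logs
```

On a real site, point site_ok() at the front page over HTTP and treat anything other than a normal response (a 500, or a page containing "Fatal error") as broken; run the script from the web root so the paths line up with the ones in the error_log entries.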
Unwanted Content & Google Malware Warnings
A couple more common issues are the dreaded "This site may harm your computer" warning from Google, and unwanted content appearing in your Google page descriptions, or visibly or invisibly on your website. When you see content on your website that you did not put there, it's a fairly clear indicator that you have been hacked. Bear in mind that injected content is often shown selectively: some of it is served only to search engine crawlers or to visitors arriving from a search result, so not seeing it when you browse your own site does not mean Google is wrong.
The first step is to relax. Yes, someone has or had unauthorized access to your website, but it's not the end of the world. I've encountered quite a few websites that have fallen victim to unwanted pharmaceutical ads, x-rated keywords, and "payday loans" links, and I've been able to fix and secure all of them without losing any content. You will need to be prepared to spend a good amount of time focusing on this; it's not a fast process, so make sure you have a couple of hours set aside.
DISCLAIMER: In many cases repairing a hacked site can be simple if caught early enough, but it does require some technical experience. If at any point you feel over your head it is an extremely good idea to seek help from a security professional. Follow these steps at your own discretion and make a FULL BACKUP of your site (files and database) in its current state FIRST. Keep that copy untouched: it is your evidence of what happened and your fallback if a cleanup step goes wrong.
Step 1. Determine where the malware is and fix/remove any issues
This can be a bit of a pain, but if you are seeing unwanted content or malware warnings you need to determine where that content is being injected. First, you will want to install 2 plugins: Theme-Checker, used below to examine your theme, and Anti-Malware, used for the regular scans in Step 3.
If you have been blacklisted by Google you will want to open Google Webmaster Tools (now Google Search Console) and make a note of the links it reports as problematic. Often when Google blacklists a website it's because a script somewhere on the page links to or pulls content from a known malicious source. You can identify those scripts with the Firefox add-on FireBug (since discontinued; the Network panel in Firefox's built-in developer tools does the same job and also opens with F12). Once FireBug is installed, press F12 inside Firefox to open it. Click on the Net tab and then load your website. Firefox will probably tell you the site is dangerous; you can ignore that warning and continue to the site. You should see something like the following inside FireBug:
This is a list of every URL your site loaded. Don't expect Firefox to tell you which ones are malicious: entries highlighted in red are requests that failed (a 404, a blocked or unreachable host), which is a hint but not a verdict. Go through the whole list and make a note of every URL that fails, that points at a domain you don't recognise, or that is served by a script (a .php URL) on a host that isn't yours.
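An offline version of the same inventory, as an added example that is not part of the original post: it parses a saved copy of the page (view-source or curl output), lists the resources the page would load grouped by host so unfamiliar origins stand out, and counts inline scripts and CSS-hidden elements, which is where invisible spam links usually sit. The sample page is constructed for the example; the host names in it are placeholders. Because it only reads markup it cannot see what a script fetches at runtime, so the browser's Network panel still has the last word.

```python
"""Offline stand-in for the Network-panel step above. Added example, not
part of the original post: parses saved HTML and reports external resource
URLs by host, URLs that look suspicious wherever they point, the number of
inline scripts, and the number of elements hidden with CSS."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch something.
_URL_ATTRS = {
    "script": "src", "iframe": "src", "img": "src", "embed": "src",
    "link": "href", "object": "data",
}
# Worth a look wherever they point: scripts served through PHP, and
# data: URIs that smuggle a payload into the page itself.
_SUSPICIOUS_URL = re.compile(r"(?i)^data:|\.php(\?|$)")
# display:none, visibility:hidden, or an element pushed far off screen.
_OFFSCREEN = re.compile(r"(left|top|text-indent):-\d{3,}")


class _Collector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []
        self.inline_scripts = 0
        self.hidden_elements = 0

    def handle_starttag(self, tag, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        attr = _URL_ATTRS.get(tag)
        if attr and a.get(attr):
            self.urls.append(a[attr].strip())
        if tag == "script" and not a.get("src"):
            self.inline_scripts += 1
        style = a.get("style", "").replace(" ", "").lower()
        if ("display:none" in style or "visibility:hidden" in style
                or _OFFSCREEN.search(style)):
            self.hidden_elements += 1


def audit_page(html: str, site_host: str) -> Dict[str, object]:
    """site_host is your own host name; relative URLs and URLs on that host
    count as internal, everything else is listed under its host."""
    c = _Collector()
    c.feed(html)
    external: Dict[str, List[str]] = {}
    suspicious: List[str] = []
    for url in c.urls:
        host = urlparse(url).netloc.lower()
        if host and host != site_host.lower():
            external.setdefault(host, []).append(url)
        if _SUSPICIOUS_URL.search(url):
            suspicious.append(url)
    return {
        "external": external,
        "suspicious": suspicious,
        "inline_scripts": c.inline_scripts,
        "hidden_elements": c.hidden_elements,
    }


# Constructed sample page (not captured from a real site): one well-known
# CDN, one injected off-site script, and a hidden block of spam links.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/twentytwelve/style.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="http://203.0.113.10/stat.php?id=7"></script>
</head><body>
<script>var _q = [];</script>
<div style="position:absolute; left:-9999px; display: none;">
  <a href="http://pharma.invalid/buy">cheap pills</a>
</div>
<img src="http://www.example.com/wp-content/uploads/logo.png">
</body></html>"""
```

Feed it the page as fetched with a browser user agent and again with a search-engine user agent; a difference between the two reports is itself a finding, since it means the site is serving different content to crawlers.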
Running Theme-Checker is a good place to start when examining your theme. It checks the theme against the WordPress theme guidelines and reports anything that doesn't look right, including code a theme has no business containing; it is not a malware scanner, so treat its findings as leads rather than verdicts. Make note of anything suspicious reported by a Theme-Checker scan.
After running Theme-Checker you'll want to download your entire WordPress installation via FTP. This can take a while, so start the download and be patient. When you have the whole installation downloaded, open the folder in your favorite code editor. I use Sublime Text and load the folder as a project, but you could use DreamWeaver or anything that supports a project-wide search. Now search the entire installation for everything suspicious reported by FireBug or Theme-Checker, and read the results one by one to decide whether each looks like something that should be there or something that shouldn't. A URL that FireBug showed in red is usually either missing or malicious and should be removed if you find it in your theme, but some reports are more ambiguous. It also pays to download a fresh copy of the same WordPress version from wordpress.org and compare the core directories (wp-admin, wp-includes and the top-level files) against your copy: any file that differs, or that exists only on your server, needs explaining. Next, search for suspicious code such as the following (keep in mind that these lines of code are not necessarily always malicious, they are just commonly used tools of malware):
2. function(p,a,c,k,e,r), function(p,a,c,k,e,d), function(p,a,c,k,e,t). This is the signature of "packed" JavaScript, which hides its real code in a compressed string that is decoded and evaluated at runtime; legitimate minified libraries occasionally use it, injected scripts almost always do.
Sometimes hackers will reverse code to obfuscate it (yes, really!), so good terms to search for are lave and edoced, which are eval and decode (as in base64_decode) spelled backwards. You can also look for strrev, the PHP function that reverses a string on the fly, since reversed code needs it to turn itself back around. Expect a few false positives on the short reversed words; reading the surrounding line settles it.
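The project-wide search described above, scripted so it runs over the whole downloaded tree in one go. This is an added example, not the post's own tooling: it searches for the markers the post lists (eval, base64_decode, the packer signature, strrev, lave and edoced) and, beyond the post's list, for gzinflate and str_rot13, which usually travel with base64_decode, and for any line over 1000 characters, the shape most injected one-liners take. The three files it scans are constructed fixtures, not real site files. Every hit is a lead, not a verdict: WordPress core and reputable plugins call base64_decode legitimately, so each hit has to be read in context.

```python
"""Scan a WordPress tree for the obfuscation markers discussed above.
Added example, not code from the original post; the fixture files in
demo() are constructed for illustration."""
import os
import re
import tempfile
from typing import List, NamedTuple

PATTERNS = {
    "eval":          re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    # companions of base64_decode in packed PHP payloads
    "inflate":       re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    # packed JavaScript: function(p,a,c,k,e,r) and its d/t variants
    "packer":        re.compile(r"function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[rdt]\s*\)"),
    "strrev":        re.compile(r"\bstrrev\s*\("),
    # 'eval' and 'decode' written backwards, to be reversed again at runtime
    "reversed":      re.compile(r"\blave\b|edoced"),
}
LONG_LINE = 1000
SCAN_EXT = {".php", ".js", ".html", ".htm"}


class Hit(NamedTuple):
    path: str       # relative to the scanned root, with / separators
    line: int
    kind: str
    excerpt: str    # first 80 characters of the offending line


def scan_tree(root: str) -> List[Hit]:
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SCAN_EXT and name != ".htaccess":
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                for no, text in enumerate(fh, 1):
                    for kind, rx in PATTERNS.items():
                        if rx.search(text):
                            hits.append(Hit(rel, no, kind, text.strip()[:80]))
                    if len(text) > LONG_LINE:
                        hits.append(Hit(rel, no, "long_line", text.strip()[:80]))
    return hits


def demo() -> List[Hit]:
    """Scan a constructed throwaway tree: one legitimate base64_decode call,
    one packed script, and one theme file using reversed identifiers."""
    root = tempfile.mkdtemp()
    files = {
        "wp-includes/class-mailer.php":
            "<?php\n$body = base64_decode($part);  // legitimate MIME handling\n",
        "wp-content/themes/site/js/tracker.js":
            "eval(function(p,a,c,k,e,r){return p}('x',0,0,''.split('|'),0,{}))\n",
        "wp-content/themes/site/footer.php":
            "<?php $f = strrev('edoced_46esab'); $g = strrev('lave');\n"
            "@$g($f('aGVsbG8='));\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run scan_tree() over the downloaded copy, sort the hits by path, and work through them file by file; a hit inside wp-includes that matches the pristine copy you downloaded from wordpress.org can be dismissed immediately, which is why the comparison against a clean core pays for itself.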
After identifying and removing any malicious code from your files, upload the cleaned files to your site and check the pages with FireBug again to make sure all the red is gone. Don't forget to use Google Webmaster Tools to request a review of your site so the warning can be lifted. If you cannot find where the content is coming from, the remaining options are to restore the files from a backup taken before the problem appeared, or to replace the WordPress core and every plugin and theme with freshly downloaded copies, keeping only wp-config.php and wp-content/uploads (which you should still inspect for stray .php files, since nothing in uploads should be executable).
Finally, log in to your database with phpMyAdmin and check the wp_users table to be sure there are no extra, hidden users on your site. A user's role is stored separately in wp_usermeta (the wp_capabilities row), so look there too: an account with an innocent-looking name and administrator rights is exactly what an intruder leaves behind. While you are in the database, look in wp_options for anything unexpected in siteurl, home and active_plugins, and search wp_posts for the spam keywords Google showed you; injected links often live in post content rather than in the theme.
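The hidden-user check above as a query, run here against a throwaway SQLite copy of the two tables involved so it can be tried offline. This is an added example, not from the original post; the SELECT is plain SQL that runs unchanged in phpMyAdmin against MySQL (adjust the wp_ prefix if your $table_prefix differs), and only the fixture rows are constructed. WordPress stores a user's role in wp_usermeta under meta_key wp_capabilities as a PHP-serialized array, which is why the role is matched with LIKE and why a rogue administrator can look perfectly ordinary in wp_users alone.

```python
"""List every account with administrator rights, newest first, by joining
wp_users to its wp_capabilities row in wp_usermeta. Added example, not code
from the original post; the fixture in demo() is constructed."""
import sqlite3
from typing import List, Tuple

# Runs unchanged in phpMyAdmin/MySQL; change wp_ to your table prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC
"""


def find_admins(conn: sqlite3.Connection) -> List[Tuple]:
    """Rows of (ID, login, email, registered, serialized capabilities)."""
    return conn.execute(ADMIN_QUERY).fetchall()


def demo() -> List[str]:
    """Constructed fixture (not a real site): the owner's account, an
    editor, and an account registered recently, at 3 a.m., with an
    innocuous login and administrator rights."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
        user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
        meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES
        (1, 'siteowner', 'owner@example.com', '2011-03-04 10:00:00'),
        (2, 'editor', 'editor@example.com', '2012-06-01 09:30:00'),
        (3, 'wp_support', 'support@mail.invalid', '2013-02-18 03:12:41');
    INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
        (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
        (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
        (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return [row[1] for row in find_admins(conn)]
```

Compare the result with the Users screen in wp-admin: every administrator the query returns should be someone you recognise, and the user_registered timestamp tells you when an unfamiliar one appeared, which narrows down the logs worth reading.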
Step 2. Change all of your passwords
I recommend installing the plugin Login Security Solution. This plugin performs a number of login-security tasks for you; take a look at the plugin settings to see all it can do. What I am going to recommend you use it for at this point is to force a password reset on all of your site's users. This is mostly a precaution, but depending on how your site was exploited you want to make sure that none of your users' accounts have been compromised. Change the database password in wp-config.php as well, and regenerate the secret keys and salts (AUTH_KEY and the rest) in wp-config.php: that invalidates every existing login cookie, so anyone still logged in on a stolen session is thrown out.
You will also want to change all FTP account passwords as a precautionary measure, and switch to SFTP or FTPS if your host offers it: plain FTP sends your password in clear text, which matters if you have ever used it over public wifi.
Step 3. Protect Yourself
So you’ve finished cleaning up your hacked installation, congratulations! How do you prevent this from happening again? Well, the unfortunate part is that hackers are always working on some new way to exploit technology, so there’s no way to guarantee 100% safety. However, you can do your best to protect yourself by using a number of strategies to make it more difficult to attack your website.
a. Identify Problem Areas
There are plenty of ways that a hacker can attempt to get unwanted content in to your website, but you want to make sure you aren’t making it easy for them. Take a look at the different pages on your site, think like a hacker, and ask yourself some critical questions:
Do you have any forms that allow users to post content on the site? Are you moderating those posts or are they posted automatically?
Do you frequently work on your website using public wifi at coffee shops or airports? (Plain FTP and an HTTP-only wp-admin login both expose your password on such networks.)
b. Install Security Software
I mentioned Login Security Solution above, you should check out the settings for that plugin. It will provide a number of layers of security based on user login attempts. If someone manages to get in after a custom number of attempts it will force a password reset, it can also force your users to use stronger passwords, and send emails to admins when a potential breach is happening.
Another plugin, Limit Login Attempts, will block troublesome IP addresses after a custom number of attempts, which is incredibly useful against brute-force attacks. One caveat: if your site sits behind a CDN or reverse proxy, make sure the plugin is reading the real visitor address rather than the proxy's, or you will end up blocking the proxy (and everyone behind it) instead of the attacker.
You should also make sure to install some spam prevention plugins. I like NoSpamNX for comments and Simple Trackback Validation for trackback spam. Automattic's Akismet plugin (free for personal sites, paid for commercial use) also does a great job at blocking comment spam.
c. Update Frequently
Update WordPress and all of your plugins regularly. That's pretty much all there is to this one. WordPress is constantly releasing security updates as security holes are reported, so the more up to date you can be, the better. Plugins can also accidentally have security holes, and the good ones are also frequently updated. Make sure you update your software whenever new releases come out, and delete plugins and themes you no longer use rather than leaving them deactivated: their files are still on the server and still reachable, so a hole in an inactive plugin can be exploited just the same.
d. Keep regular backups
Google "How to backup WordPress" and you will find a plethora of free and paid backup applications. I personally like BackWPUp, but there are so many options available. Take a look around and see what you like. Ideally, you want something that will let you schedule regular backups of both the files and the database and store them somewhere remote. And remember, with backups redundancy is a good thing. Keep some local backups on an external hard-drive too, in case of a complete meltdown on your backup server. Keep several generations rather than overwriting a single copy: a backup taken after a compromise contains the backdoor, so the one you actually want to restore is the one that predates it. In a worst-case scenario, if your site is ever completely destroyed by a malicious person or script, you will then have a fairly recent backup containing much of your data.
e. Scan Regularly & Hire a Professional
Installing the Anti-Malware plugin mentioned above and running monthly scans is a great idea. Even if it finds nothing, it is worth the effort to know where you stand; treat a clean scan as reassurance rather than a guarantee.
If you are on a shared hosting account, scanning your WordPress installation is probably the best thing you can do. Unfortunately shared hosting accounts are notoriously bad for security, and you are restricted in how deep you are allowed to go with your security precautions. If you have a VPS or dedicated machine, there are a number of solutions, like ClamAV and Rootkit Hunter (rkhunter), available to scan for malware and vulnerabilities at the server level and send you detailed reports. I would recommend looking into what solutions are available for regularly scheduled scans and monitoring reports on your operating system.
Finally, I’d suggest that if you have the budget to hire a security professional you should absolutely have a dedicated employee or company in charge of monitoring and keeping your website up to date.
Step 4. Understand the technology
Owning and operating a website is a lot like owning and operating a car. Sure, you could get by not knowing much about how or why things work the way they do, but you'd better have a good mechanic. Personally, I always recommend that people take a little bit of time to search around the internet and learn the high-level ins and outs of web technology. A small amount of knowledge can take you a long way in understanding what is wrong with your website and how to prevent future problems. If you don't have the time to educate yourself, or if you feel hopelessly confused whenever you try, your best bet is to find someone trustworthy and dependable who does know how this stuff works to help you make sure you are prepared.