FAQ My site was hacked
Português do Brasil •
(Add your language)
Help I think I've been hacked
So you've carefully installed WordPress, you've made it look exactly how you like with a decent theme, you've maybe installed some fancy plugins and you've crafted some fine posts and Pages. In short, you've put a lot of time and effort into your site.
Then, one day, you load up your site in your browser, and find that it's not there, or it redirects to a porn site, or your site is full of adverts for performance-enhancing drugs. What do you do?
Some steps to take
- Stay calm.
- When addressing a security issue, as a website owner, you're likely experiencing an undo amount of stress. It's often the most vulnerable you have found yourself since being on line and it's contrary to what every one told you, "Hey, WordPress is Easy!!"
- The good news is that all is not lost! Yes, you might lose some money. Yes, you might take a hit against your brand. Yes, you will recover from this.
- So, yes, take a step back and compose yourself. Doing so will allow you to more effectively take control of the situation and allow you to recover your online presence.
- Scan your local environment.
- The first place you should start with is your local environment. In many cases, the source of the attack / infection begins in your local box (i.e., notebook, desktop, etc...).
- Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting AV software and hiding from them. So maybe try a different one. This advice extends to both Windows, iOS and Linux machines.
- Scan your website.
- There are various ways to do this. Today there are a number of great plugins in the repo that make this process easier.
- You also want to unhide all the files and folders, to include extensions for all files files. You can run a search for *.exe files, sort them by size, most malicious code is executable and is lesser than 5MB usually but can be > 5MB. Also not every .exe under 5MB is malicious, delete the known viruses/worms/autoruns, make a list of all suspected executables, check against online database. Caution: Make sure you don't delete the system files. Securelist has an article on how to find an infected file.
- You want to be mindful of the various types of symptoms and how they affect your website and it's visitors. For instance, malicious redirects can often be found in files like .htaccess, and index.php at the root of your website. While others will focus on the wp-content/themes directory targeting index.php, header.php, footer.php and functions.php. These are the more simple variations ofcourse.
- If you're experiencing a Google Blacklist problem then things are slightly different. You'll want to create an account with Google Webmaster tools and follow their steps for reconsideration.
- Check with your hosting provider.
- The hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service, for example.
- One very serious implication of a hack these days is around Email blacklisting. This seems to be happening more and more. As websites are abused to send out SPAM emails, Email Blacklist authorities are flagging the website IP's and those IP's are often associated with the same server being used for email. The best thing you can do is look at Email providers like Google Apps when it comes to your business needs.
- Improve your Access Controls.
- You will often hear folks talking about updating things like Passwords. Yes, this is a very important piece, but it's one small piece in a much larger problem. We need improve our overall posture when it comes to access control. This means using Complex, Long and Unique passwords for starters. The best recommendation is to use a Password Gnerator like those found in apps like 1Password and LastPass.
- Remember that this includes changing all access points. When we say access points we mean things like FTP / SFTP, WP-ADMIN, CPANEL (or any other administrator panel you use with your host) and MYSQL.
- This also extends beyond your user, and must include all users that have access to the environment.
- Change your secret keys.
- If they stole your password and are logged in to your blog, even if you change your password, they will remain logged in. How? because their cookies are still valid. To disable them, you have to create a new set of secret keys. Visit the WordPress key generator to obtain a new random set of keys, then overwrite the values in your wp-config.php file with the new ones.
- Take a backup of what you have left.
- If your files and database are still there, consider backing them up so that you can investigate them later at leisure, or restore to them if your cleaning attempt fails. Be sure to label them as the hacked site backup, though...
- Find and remove the hack.
- This is perhaps the hardest part of this entire list and the part that will require the most work. It will come down to your individual technical knowledge and insight around website hacks. To get you started though below are a few resources that will get you going in the right direction:
- Donncha wrote a good article on what to do if you suspect a hack, it is well worth reading through and acting on, as it goes into more depth than this page.
- You can also read How to clean your hacked install
- Sucuri has put out a number of technical posts that will help - Removing malware from a WordPress blog - which explain in details some steps you might need to take.
- Additionally you can leverage that post that shows you some tricks of the trade to help you get to the bottom of the issue - FTP Tips and Tricks to Help you Clean Your Website.
- One obvious response to a hack is to delete everything and start from scratch. Tempting, yes, but highly unrealistic. What you can do however is reinstall certain elements of the site with little regard to impacting the core of your website. You always want to make sure you reinstall the same version of software your website is using, if you choose an older or newer one you're likely to kill your website. When reinstalling, be sure not to use the reinstall options in your WP-ADMIN. Use your FTP / SFTP application to drag and drop the versions. This will prove much more effective in the long run as those installers often only overwrite existing files, and hacks often introduce new files.. :)
- Hackers can use your .htaccess to redirect to malicious sites from your URL. Look in the base folder for your site, not just your blog's folder. Hackers will try to hide their code at the bottom of the file, so scroll down. They may also change the permissions of the .htaccess file to stop newbies from editing the file. Change the permissions back to 644.
- Leverage the Community
- We often forget but we're a community based platform, this means that if you're in trouble someone in the community is likely to give a lending hand. A very good place to start if you're strapped for cash or just looking for a helping hand is the WordPress.org Hacked or Malware forum.
- Another very good resource is StopBadware's Badwware Busters forum. This is a nonprofit that is committed to helping website owners just like you.
- Using version control?
- If you are using version control, it can be very handy to quickly identify what has changed and to rollback to a previous version of the website. From the terminal or command line you can compare your files with the versions stored in the official WordPress repository.
svn diff .
Or compare a specific file:
svn diff /path/to/filename
- Consider restoring a backup
- If you restore from a known clean backup of your WordPress Database, and re-upload your backed up WordPress plugin and theme files through FTP or SFTP, that will ensure that all those bits are clean of malicious code are gone. At the very least ...
- What? No backup?
- You have two very grim choices. You can start a new fresh site from scratch. You can attempt to manually locate and remove the malicious code. Even the chances of an expert being able to completely clean your site are poor. Someone can spend days looking through files, removing small snippets of hacker code. If they miss one bit, the entire hack can be replaced by the hacker in a second once the site goes online. Read about backdoors to get an idea of what you're up against. If you're reading this and have not yet been hacked and have not backed up your site, go do it NOW!
- Replace the core WordPress files with ones from a freshly downloaded zip.
- Replacing all your core files will ensure that they are no longer left in a hacked state. If you didn't already restore backup copies of your plugin and theme files, replace them too.
- Once you are clean, you should update your WordPress installation to the latest software. Older versions are more prone to hacks than newer versions.
- Change the passwords again!
- Remember, you need to change the passwords for your site after making sure your site is clean. So if you only changed them when you discovered the hack, change them again now. Again remembering to use Complex, Long and Unique passwords.
- Secure your site.
- Now that you have successfully recovered your site, secure it by implementing some (if not all) of the recommended security measures. Learn more about where WordPress is most vulnerable.
- Forensics - Identify what happened...
- Once your site is secured, check your site logs to see if you can discover how the hack took place. Open source tools like OSSEC can analyze your logs and point to where/how the attack happened. Here is a nice little write up that walks you through the process of using OSSEC for your Website Security.
- Here is another great example of how logs can be leveraged to understand what the attacker was up to.
- Keep regular backups.
- Now that the nightmare is over, start keeping regular backups of your database and files. If this ever happens again, all you will need to do is restore from the last known clean backup and change your passwords and secret keys.
Back to FAQ