What you need to know if your WordPress site gets hacked

What you need to know if your WordPress site gets hacked

You’ve just discovered your WordPress site was hacked. What do you do?

Causes of hacks

Having a bad password and not keeping the WordPress software and plugins updated are two main reasons a WordPress install gets hacked. It is imperative to keep your blog software and plugin software updated. A third cause is free themes.

An unscrupulous (OK, the web guy may not be unscrupulous, but the practice itself is) web designer will insert code to try to ensure the link he puts in the footer stays intact. The problem is the code opens a backdoor for a hacker to inject code in other parts of your WordPress files or your database. Or both.

Off the beaten path

I’m going to go off the beaten path here for a minute.

I happened to check my log files earlier tonight and caught this – someone was trying to inject code into my files. As you can see it’s all gobbledygook and I have no clue what they’re trying to do. It was most likely an automated attack.

injection attempt

Code like this always translates to something, and this is what it looks like decoded. You can find decoders all over the web. Some work better than others. I’m no expert but the hacker is using wget to get a file from another server (which is probably hacked.), and is going to try to put it on my server. But he failed.

injection attempt translated

How can you tell if your blog was hacked?

Sometimes it’s hard to tell. I had a blog get hacked a few years ago and Google had to tell me, lol.

  • Your content may or may not change.
  • Your site may slow down dramatically
  • Password may not work.
  • You might find your site linking out to sites you would never dream of linking to.

What do you do if you find your site was hacked?

First, before moving on, I’ll assume you have a backup of your site. You do have a backup, right? Database and all the files? If you do not have a backup, all is not lost. The chances are good that your database is still intact. It may have been altered though and you will need to fix it. This goes for your files as well.

The first thing you do, and this goes for a regular static html site as well; is change all passwords!

    • Change your WordPress password
    • Change the control panel password for your site (this usually changes your FTP password as well)
    • Change your Mysql password (you’ll need to change this in your wp-config.php file)

I even go so far as to change the Mysql username, and the database name too. The wp-config.php file will need to be changed to reflect this.

Back in the old days, at the hosting companies I worked for, when a site got hacked, we insisted on the customer not touching the site, but to call us and we would handle it. We made a copy of the site so we could investigate how the hacker got in. We would roll out a backup for the customer if they didn’t have a clean copy of the site.

I’m not sure that hosting companies do this anymore. It’s probably not a bad idea to let them know, but they probably won’t be a huge help.

Check themes
You need to check themes. If you see this kind of coding at the top of your wp-header.php file, you were hacked. This code can appear at the top of any of your theme or WordPress core files. Or you can look at the first image in this post. To check the theme files you simply open each file in any text editor.

cyBpdCBzaG91bGQuIEl2ZSBkb25lIHRoZSBzYW1lIHRoaW5nIGZvciBQcm

There is no need for a theme to have this kind of code inserted into it. Time to change the theme! (There is a way to detect this kind of coding before using a theme. More on that later.)

Check htaccess
Make sure permissions are correct. Permissions should be 644. You can check this via an FTP program or your control panel. Use a security program to lock it down.

Check files
You can FTP into your site and look at your filename dates. If they have a recent date and you know you haven’t touched them recently, this is a good indication of a hack. If your host offers a file manager you can access through your control panel, you can see the last modified date as well.

You can look at the files themselves. They can be theme files or the WordPress core files, some or all may have been altered. I’ve seen instances where every single theme -those not in use -was changed by a hacker. WordPress files can be opened in a text editor.

Check database file
You will need to export your database file. You can do this thru your control panel. Most hosts offer PHPmyadmin so users can manipulate their databases. Once you export the database -you export it as an SQL file, you can open it in your favorite text editor. You will usually see a paragraph of code that makes no sense, or it could be javascript. At any rate, it looks totally out of place – this will need to be deleted. It’s usually right at the top of the file, in the first 50 lines. You will need to go thru the rest of this file with a fine toothed comb to see if there is anymore malicious code.

Begin cleanup
Once you’ve determined that you have been hacked by going through the process above, you need to start cleanup. This is a process that will take some time, so you want to make sure you have a few hours to mess with this. You don’t want to start, and then have to stop to run errands. You need to see it through to the end.

  • Make a list of activated plugins. Make note of plugins you aren’t using.
  • Make a list (if you need to) of themes. Chances are they are all compromised, so you will want to delete these when it’s time.
  • Download all files via FTP.
  • Export database file thru your control panel/phpmyadmin
  • Find out what version of WordPress that you’re using. It will usually tell you this somewhere in your WordPress admin.

After downloading all your files, go back to your WordPress admin, delete all themes but the one you’re currently using, and delete inactive plugins.

Cleanup WordPress files and theme files. If you haven’t made any modifications to your theme files, it is usually easier just to use a clean copy of the theme. You may also want to get a copy of Twenty Ten or Twenty Eleven. These are WordPress default themes and are a good idea to have one of them uploaded in case there is a problem with your current theme or if you simply need to test.

Clean up database file. Make sure to save it. If the database wasn’t touched, there is nothing further you need to do with it.

Once you have your WordPress install cleaned up

  • Upload a clean copy of your theme
  • Upload a clean copy of your current WordPress software.
  • Upload plugins. Turn them off if needed.
  • Import your database if you need to.

Once you have done the above, you will want to upgrade WordPress to the latest version. This is very important. If your install is only a couple of versions old, then this will be easy and probably painless. If you are upgrading a really old version of WordPress, I hate to tell you this; but it will take more time and you will need to manually upgrade the install till you get to a point, and can continue with the auto install. You will find instructions for automatically updating and manually updating WordPress here: Updating WordPress

Security plugins to use

Here are a few security plugins to use. You don’t need to use them all, but if you’re a theme junkie, TAC is a must have.

  • TACscans your themes for malicious code before you use the theme. If the theme has exploitive code, then get rid of the theme.
  • BulletProof Security Protects several WordPress files from hacks.
  • WP Security Scan Checks for several things pertaining to your blogs security.
  • WebsiteDefender WordPress Security Combines two plugins for one big security plugin. See the page at the link to see what the plugin does.
  • AntiVirusSimple plugin protects against spam injections and other exploits.
  • Timthumb Vulnerability Scanner Checks all themes for the TimThumb app. Checks to see if the file is insecure. If it is, this plugin fixes it.
  • Exploit Scanner Scans for exploits and hacks on your blog.
  • Remove WordPress VersionThis plugin removes the version number from your WordPress install.
  • Login LockdownHelps prevent brute force attacks. Locks out people who are trying to log in. Configure from your backend.

If you’ve experienced a WordPress hack and you don’t want to deal with it, or you don’t know how to deal with it, hire me! I will get you up and running again. Contact me!