Everyone Hates Hackers
Let me start with a mini-rant: Why do people bother hacking small independent businesses/bloggers? Like seriously, I can almost understand that some hackers have a political vendetta against governments or organisations and the reasons for redirecting to funny or hoax sites, but why target freelancers or small businesses who are likely already struggling to get by? When groups such as LulzSec or Anonymous hack news sites like the Sun and redirect to a fake page with a story of Murdoch’s death – I can see the amusement. But when groups take down the CIA website or leak sensitive documents (that could lead to hostile political situations) I just don’t understand the motive. Similar to people hurting others for no reason, it is just plain evil. That said, attempted hacking happens all the time and it will likely continue forever.
This only makes me worried about the increased risk and exposure we have to hackers as technology evolves. Imagine a hacker gaining control of driver-less cars, aircraft, energy systems etc. The results could be devastating!
My WordPress Blog got Hacked
Although not quite as detrimental to society as taking over control of a power station, my blog was maliciously attacked on two occasions recently. I can’t help but think that a group of Indian SEO experts who I politely refused to pay 100s of dollars to on numerous occasions might be involved. Their response to my fifth decline of business was something along the lines of ‘You will need as soon sir… I promise you’. Now maybe I have been watching too many movies, but I think they might be guilty!
My dismay all started with a nice message from Google Webmaster Tools:
Just what I love to wake up to on a Saturday morning! There was me thinking that Google had decided to email me to let me know that SavvyScot had been upgraded to page rank 4…. but no, I had been infected!
When I first got this message a couple of weeks back (the first time the site was compromised) I didn’t know where to start. After springing out of bed and instantly awake, I was in a bit of a panic. This was soon made worse after I realised that I had wrongly assumed there would be a simple step-by-step process that I could follow to put things right. WRONG. Google Webmaster tools provides a scanning tool that you can use to determine which parts of your blog/site are infected, but the removal was a complete mystery! What the heck had happened?
In short and on both occasions, the WP-INCLUDES folder was infected with malware which contained redirects in the CSS. In essence, this meant that Google flagged my site (alongside numerous other browsers and search engines) as being unsafe. This removed SavvyScot from all search listings on Google and actually prevented anyone from visiting it by clicking through.
As I am sure you will agree, at this stage getting the site cleaned and live again is a top priority – you don’t want to have readers / search bots being put-off ever returning to your site!
Fixing a Hacked WordPress Blog
One of the reasons that there is no manual or step-by-step guide, is that the possibilities of where and how your site is infected are endless. You must first start by using the Google scanning tool and work out exactly where the malicious code is contained. The second time I was hacked, this was restricted to just the WP-INCLUDES folder, so I could simply delete it from my hosting account (open up the FTP portal and delete the WP-INCLUDES folder from the wordpress directory) and replace it with a different version.
If you back up your site regularly, you will likely have a number of iterations of the WP-INCLUDES folder. The trick is to pick a slightly older one (to ensure that you revert to a version prior to the infection) or even replace it with the default WP-INCLUDES folder from a fresh WordPress installation; you can obtain one of these by downloading the package from WordPress.com. If you replace the folder with a brand new one, you will need to define the WordPress configuration file. Thankfully, this is easy to do and can be done through the WordPress admin interface. You will need to have your host’s details to hand and the SQL database name, username, password and hosting address.
It is also likely that when you restore the folder and attempt to visit one of your posts, your site will display a 404 (Not Found) page. To begin with this freaked me out, but there is a very simple fix. Simply reset your permalinks settings by changing it to a different option, saving them and then changing it back.
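Added example (not part of the original post): before deleting WP-INCLUDES, a downloaded copy of it can be compared file by file against the folder from a fresh WordPress package, which shows exactly which files were altered or added. The folder layout and file contents below are constructed stand-ins, and the function names are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_clean(site_dir, clean_dir):
    """Compare a site's wp-includes copy against a clean reference copy."""
    site, clean = hash_tree(site_dir), hash_tree(clean_dir)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "added": sorted(f for f in site if f not in clean),
        "missing": sorted(f for f in clean if f not in site),
    }


def build_demo(base):
    """Create two small constructed trees standing in for the real folders."""
    clean = Path(base) / "clean" / "wp-includes"
    site = Path(base) / "site" / "wp-includes"
    files = {
        "css/buttons.css": "a.button { color: #333; }\n",
        "js/util.js": "function noop() {}\n",
        "version.php": "<?php $wp_version = 'x.y.z';\n",
    }
    for root in (clean, site):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Constructed tampering: one altered stylesheet, one unexpected file,
    # and one file that has gone missing from the site copy.
    (site / "css/buttons.css").write_text(files["css/buttons.css"] + "/* appended content */\n")
    (site / "css/extra.php").write_text("<?php /* unexpected file */\n")
    (site / "js/util.js").unlink()
    return site, clean


def run_demo():
    """Build the constructed trees in a temp directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo(tmp)
        return compare_to_clean(site, clean)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The clean copy has to come from the same WordPress version as the site, otherwise ordinary differences between releases show up as modified files.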
Fixing More Complicated Hacks
The above steps are a little bit of a breeze, but unfortunately it is often not that easy. The first time that my blog was compromised, I had to completely wipe everything and restore from a backup; the infection had spread outside of the WP-INCLUDES folder and pin-pointing the exact locations was a nightmare. There is also no guarantee that you have removed all the malicious files – they could be on a timed script to replicate again. This can get quite complicated as your SQL tables may need to be renamed or edited in other ways. This highlights the need for backups, because without one, I would have lost a LOT of my content!
Upon deleting everything from your hosting account, the first step is to reinstall WordPress. I am not going to guide you through this process, as I assume you already know how to do that! Upon completing the install, you will then need to ensure that the blog is pointing to the correct SQL database on the back-end. This can sometimes be done through a tool in your hosting control panel, but you will somehow need to edit the wp-config.php file. In simplest terms, the configuration file tells WordPress where to access the database where your posts, comments and content are stored and the credentials to use.
In some cases, the SQL database can become infected, so you may need to delete that and restore from a backup too. Reloading these can be tricky and you may need to seek expert advice. Most hosts have some sort of semi-friendly SQL interface (such as phpmyadmin) which makes the task slightly easier. In my case, I had to revert to a SQL backup that was a few weeks old and manually reload other content.
Finally, you will need to reload the WP-CONTENT folder (which includes all your images / videos / uploads etc.) from a backup to ensure that the content in the SQL database (i.e. a post) is referencing the correct images. You will also need to ensure that your plugins are installed and any other settings are configured.
Hack Fixed: Next Steps
The first thing that you are going to want to do is submit your site to Google for re-consideration. This can be done through the Webmaster Tools page for your site. It will take a number of hours for Google to review your site and in my experience I didn’t always fix it first time. Restoring from backups becomes a painful process when you don’t know how far back to go! Google scans sites pretty regularly for malware / other infections, so you shouldn’t have to revert to a copy that is more than a couple of weeks old.
At this stage, your site may be fixed, but you should definitely consider what you can do to stop it happening again!
Top Tips to Prevent Your Site / Blog From Getting Hacked
- Firstly, I would recommend that you turn off the feature that lets users register automatically in WordPress. This is something that I had turned off originally, but after updating WordPress, it must have reverted to allow this. Consequently, I had about 180 ‘subscribers’ register with bogus email addresses. I am sure that there is some sort of vulnerability in WordPress where this might allow users to gain access to a subdirectory of the WP-INCLUDES folder.
- Re-evaluate your hosting provider. On both occasions that my site was compromised, numerous other GoDaddy sites were also infected. Bit too much of a coincidence I think! I have consequently migrated my hosting over to Nuts and Bolts Media where I feel in much safer hands. Nuts and Bolts Media is a much smaller company and consequently I got superb customer-service. The owner (Andrea) personally completed the migration process – for free! I now have the comfort of knowing that my site is hosted from a server farm alongside other reputable blogs – instead of co-located on a virtual server with goodness knows what else! It is also actually cheaper than what I was paying GoDaddy.
- Consider disabling plugins that have not been updated by the author for some time or those that you don’t use. As WordPress is updated, old plugins can remain unchanged and loopholes can be exploited.
- Change your Password. You should be doing this regularly anyway, but use this as a prompt to schedule a weekly/monthly change.
- This list of advice from Data Label is a great resource for how to keep your data safe, online and offline.
- Re-evaluate your Site/Blog backup system. Did you restore everything you wanted? Do weekly backups work for you, or would twice-weekly have worked better? Do you keep a short-term copy of your content on your laptop locally? Do you rely solely on one backup plugin, or do you take manual backups? On what frequency does your hosting provider take backups?
If you made it through this 1600 word article I am impressed. If I manage to help even one person in the remediation of their problem, I will be happy!
Untemplater says
Unfortunately it’s not a question of have we been hacked, it’s a question of when. In this day and age it’s pretty much inevitable, especially since even giant corporate and government websites with entire security teams are vulnerable. We just have to be cautious, keep regular backups and act as quickly as we can when —- hits the fan. Good to know that the subscriber functionality can revert to enabled without alerting us. I’ll have to keep an eye out for that.
I’m glad you were able to get your site all sorted out. What a pain to have to deal with, especially twice in such a short time!
savvyscot says
I think you might be right… I agree that regular backups are key and that we can be thankful that we are not the target of the more experienced hacker groups!! Thanks for the kind words
Grayson @ Debt Roundup says
What an in depth article. The one thing I recommend is to change your table prefixes when you first install WordPress. Most hackers have automated scripts that search for the table names and then inject SQL calls to exploit the loopholes. This is an easy step that most do not do. It would need to be done first, but can be done at any time carefully.
savvyscot says
Cheers Grayson.. Changing the tables is a great idea – thanks for the add.
Mo' Money Mo' Houses says
I’m gonna save this post for when I make the switch to WordPress and get hacked (though hopefully I won’t get hacked but it seems like it happens to many people!).
savvyscot says
Haha! You make me laugh Jess
John S @ Frugal Rules says
Great and very informative post! I see you beat me to the punch in moving your hosting over to Andrea. We move next Monday and absolutely can’t wait as we have heard wonderful things. I have not been hacked before, though have been dealing with a spate of spam issues lately. It just makes me wonder…really, you don’t have anything else better to do in life?
savvyscot says
I know I did – My site is SO much faster now, it is unbelievable! I totally agree.. spammers and hackers are just failures in my eyes. Why not try and use those skills to make some cash?
Shannon @ The Heavy Purse says
I have not been hacked but it scares me just thinking about it. So thank you for such an in depth post. My web person had a couple of sites hacked, so she put a couple of things in place to try make them at least work harder to hack mine. We added the antivirus plugin, limit log-in attempts and wordpress table rename. What do you use for your backup?
savvyscot says
Pleasure – hopefully you don’t actually have to use it. Who do you use for hosting?
Shannon @ The Heavy Purse says
Godaddy. My site wasn’t infected, fortunately.
savvyscot says
Time to jump ship soon me thinks..
Jose says
Thanks! I am bookmarking this post, Just In Case!!!!
savvyscot says
Hope you never have to use it
Jennifer Lynn says
I was hacked to smithereens the week before last and I am still recuperating. Just a painful headache all around. Thank you for throwing up a guide. I too use Godaddy hosing and seriously will reconsider after this crappy incident. Customer service there is just bloody awful!
Jennifer Lynn says
Hosing = hosting, of course. Bit of a Freudian slip?
savvyscot says
Hopefully you will never have to use the guide – but you’re welcome – agreed that the service is rubbish. I would seriously recommend Nuts and Bolts Media!
KK @ Student Debt Survivor says
Being hacked is such a nightmare. Like you said, I don’t understand why someone would want to hack people’s personal blogs (esp. when the owner/author isn’t controversial or making big money)? I guess it’s something about power and knowing they can. Sorry to hear about your hacks and hope you got everything straightened out.
savvyscot says
Exactly… small fish really. If anything it just shows that they have no real skills in picking out high-value targets! Thanks
Kim@Eyesonthedollar says
That really makes me nervous. I have no idea why people would want to hack a personal site and what joy they might achieve from causing havoc. I would have no idea how to do any of this and would have to get professional help. We did have our office website hacked and got the malware warning. It is ten times much smaller than my blog. No reason why someone would want to do that. I do have a back up service, so that makes me feel a bit better.
savvyscot says
That just seems plain cruel! Glad to hear you have backup – that is the main thing to be careful of!
Ron says
Great advice and I think one of the reasons blogs get hacked is to get access to your other online accounts.
I did a post about Wordfence security that goes into that and what you can do to protect yourself.
I also think one of the best plugins to get to protect your blog is Wordfence.
savvyscot says
Cheers Ron and good Link up!
Glen @ Monster Piggy Bank says
Great write up mate, hopefully you will be fine now.
I ended up getting one of my sites hacked a while ago by accessing the ftp on my site via filezilla. It actually stores your password in clear text and many exploits look for that exact password file so they can infect your website.
Moral of the story – don’t use filezilla.
savvyscot says
Cheers Glen – Here’s hoping. Thanks for the heads-up on filezilla… will definitely avoid
Brick By Brick Investing | Marvin says
I can’t even imagine. I’m sorry you had to go through that man. Absolutely awful, like you said who the heck hacks a PF/Freelancing Blog? There’s no money in it for them! This has sparked me to start backing up my site on a regular basis. After pouring hours and hours into my site I might go absolutely nuts if one day it was just all gone.
savvyscot says
Marvin – you are exactly right what you said at the end dude… it really does make you go nuts!! I was so so frustrated! Please take weekly or twice weekly backups… it could save the day in the future!
Drew @ Objective Wealth says
Great effort SS, I’m going to bookmark this for future reference as you never know who’s going to have a pop at you and when. It must have been such a shock when you discovered the hacking but looks like you did a great job getting it back up and running as quick as possible, and you’re all the better prepared for the future. I’ve picked up a lot of tips and issues here I wasn’t aware of – it’s great you’ve shared your experience.
savvyscot says
Cheers Drew! Let’s hope you never need to use it though. It was a shock – then it was just so so frustrating! I can’t believe how annoyed it made me!! Let’s hope it won’t happen again.. Nuts and Bolts are great so I feel safer already
Justin@TheFrugalPath says
I’m sorry about your site being hacked. After I saw the first attempt I became super paranoid about my own site. I went through my WP security to make sure everything is good. From what I can tell I’m still okay, but I want to go to Nuts and Bolts when my time with Bluehost is up.
savvyscot says
I would definitely make the jump Justin! Hopefully I’ll be OK going forward… It was seriously frustrating!!!!!!!
Kevin Watts says
Great post. It is becoming more important everyday to protect your online information. I wonder how common it is for small sites to get hacked?
Thank you for the post
savvyscot says
Cheers Kevin – getting more and more common these days it seems….
Darren @ ideasforcash.co.uk says
You weren’t seriously using GoDaddy hosting were you! That’s really asking for it. I’m using Dreamhost which is supposedly the best hosting money can buy.
I read of another WordPress blog that I visit being hacked shortly after the WP update to 3.5.1.
I’ll be scrutinising my Google Webmaster tools in future. BTW, does any kind of alert come through the WP dashboard when the blog is compromised?
savvyscot says
Haha! I think Nuts and Bolts can rival it… they are awesome!
savvyscot says
PS no – no alert!
Simon @ YourWealthPlanners says
Scot my blog has been hacked I’m sure of it! It all looks ok on the front end, but my wp-admin page is now inaccessible. It just quits after a while and says ‘too many reverts’. This happened about a week ago and I’m still none the wiser and don’t know where to turn. Any ideas what’s going wrong? I’m in a bit of a panic, any help or pointing in the right direction would really be appreciated.
savvyscot says
I would recommend reinstalling wordpress.. you can do this without losing content – alternatively you can follow the instructions in this post to install the WP-INCLUDES folder again. Either way – it should fix it
Matt says
Lots of very good advice!
My employer’s site (which I’m responsible for!) was hacked back in May so I’ve had some experience too.
I’d add a couple of things. Many people change their passwords, but still use the login name of “admin” and hackers know this, so they already have half your login details… Changing this to something less obvious, makes their job many times harder. They also use “common” password lists sometimes. I’ve seen one of these, and was amazed to find passwords that 2 of my clients use, so I use random passwords that are strings of random characters rather than say “myfavouritefootball club123”.
Lastly, here’s a trick: I back up my WP sites by FTP to a folder on my hard drive and then virus scan it. Last time, this picked up the hack, so I could simply remove it, completely wipe the remote server and re-upload everything.
Edward Antrobus says
I was hacked once. In that case, it wasn’t so much a case of me being hacked, but of my brother getting hacked and me piggy-backing off of his hosting. 6 months later, he was hacked again but that time it was limited to just the church website he was running. Seriously, who hacks a church’s website?
Cindy Brick says
Thanks for being so detailed on how to fix your hack…
Brickworks, my main site, has been hacked twice. (Actually three, if you want to count the last quickie in with the longer version.) Every time, the hacker didn’t actually make it into the site…he/she just piggybacked onto it. Which meant that anyone who visited got treated to malware attacks, until Google put a stop to being able to visit at all.
We’re in the process of moving to a more stable host, and rewriting all of the pages. It needed to be done, but is a Big. Complicated. Pain.
Aargh.
savvyscot says
That sounds like a horrible situation… Google also blocked access to Savvy Scot through all links from their site. It was a pretty traumatic experience. I would recommend my new host (Nuts and Bolts) if you are still looking!
Jordan says
Sorry you got hacked! I too was hacked last year. There are different ways to be hacked as you know and luckily my hosting provider helped in the process. WordPress gets hacked all too often, good to stay updated and backed up eh?
Thanks mate for a great article!
Jordan.
savvyscot says
IT SUCKS!! I have moved to a far superior host now too and have the skill set to put things right!