Hacked right now? Skip to the Resources section below.
Today I will break down how my site was hacked and the process I went through to clean it up, tell you how to find out if a photo has been hacked, and provide resources for preventing and fixing a hacked site. This article covers primarily web-side security, which includes things you’ve uploaded to your server—such as WordPress theme files, plugin files and all the media (photos, audio, videos) associated with your site. Server-side security requires a bit more know-how, but I’ll cover a few basics so you can follow up with your hosting provider.
MY HACK STORY
Pre-coffee one early April morning, I received a spam email through the contact page on my website. This is pretty unusual because I have Akismet (a paid WordPress plugin to reduce spam). Something about this mail seemed off. With a little research, I discovered my website among others on a pastebin. Often pastebin is used to advertise data that is being sold on the black market. It’s not a place where you want to see your name. It’s not that uncommon for a website to be hacked via bad code in a contact page, so I knew an investigation was in order. There was nothing too out of place in terms of bandwidth, but the server logs showed otherwise: they revealed a lot of traffic to a file I hadn’t uploaded. I’d been hacked! This wasn’t the kind of hack you see in movies where some group with a name like The Stoner Mafia pisses all over your home page, or the kind of hack that visitors would notice or be affected by if they visited your site; rather, it was the most common kind of hack, the kind that results from vulnerable WordPress code. I resisted the temptation to dump the whole site and upload a backup because I knew that finding the vulnerable file/code would be critical to preventing another hack. What follows is a summary of my cleanup process and some important tools for preventing such an attack, tools I had intended to use but just hadn’t gotten to yet!
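The tell that started this whole investigation was the server log: lots of requests to a path that was never part of the site. Here is an added example (not code from the original post) of how to pull that signal out of an Apache/nginx "combined" access log with nothing but the Python standard library. It splits unknown paths into ones the server actually served (status 2xx, meaning the file exists on your server even though you never uploaded it) and ones that only drew 404s (bots probing for infected files, the steady influx described later in the post). The log lines, the IP addresses and the set of "known" paths are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format. Constructed regex for this example;
# adjust it if your host uses a custom LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation IP ranges, fake timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2014:06:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2014:06:12:02 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 810 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2014:06:13:10 +0000] "POST /wp-content/themes/demo/lib/cache.php HTTP/1.1" 200 44 "-" "-"
198.51.100.8 - - [02/Apr/2014:06:13:11 +0000] "POST /wp-content/themes/demo/lib/cache.php HTTP/1.1" 200 44 "-" "-"
198.51.100.9 - - [02/Apr/2014:06:13:12 +0000] "POST /wp-content/themes/demo/lib/cache.php HTTP/1.1" 200 44 "-" "-"
192.0.2.44 - - [02/Apr/2014:06:14:00 +0000] "GET /wp-content/uploads/2013/gone.php HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [02/Apr/2014:06:14:01 +0000] "GET /contact/ HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Paths you know you published. In practice build this from your clean backup
# or your sitemap; here it is a constructed set.
KNOWN_PATHS = {"/", "/contact/", "/wp-content/themes/demo/style.css"}


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unknown_path_report(lines, known_paths):
    """Split requests for paths you never uploaded into two buckets:
    served (2xx: the file exists on the server, investigate it now) and
    probed (non-2xx: bots looking for infected files that are not there)."""
    served, probed, ips = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore query strings
        if path in known_paths:
            continue
        if rec["status"].startswith("2"):
            served[path] += 1
            ips[path].add(rec["ip"])
        else:
            probed[path] += 1
    return {
        # (path, hits, distinct client IPs): many IPs hitting one PHP file
        # you never uploaded is exactly the pattern described in the post
        "served_unknown": [(p, n, len(ips[p])) for p, n in served.most_common()],
        "probed_unknown": probed.most_common(),
    }


def demo():
    return unknown_path_report(SAMPLE_LOG.splitlines(), KNOWN_PATHS)


if __name__ == "__main__":
    for bucket, rows in demo().items():
        print(bucket)
        for row in rows:
            print("  ", row)
```

Run it against a real log with `unknown_path_report(open("access.log"), known_paths)`; the "served_unknown" list is the one to act on first, and the modification time of each file it names tells you where in the log to look for the upload that put it there.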
My site is self-hosted on a Virtual Private Server (VPS) to give me more control of my content. I chose managed hosting, which means I have help on the server side when I need it. Managing your own content means that your business can be built independent of the whims of large corporations and that is important to me. But you don’t have to be operating your own server to be a victim of this kind of attack, or to experience far reaching consequences for your brand.
SIDENOTE MANAGED HOSTING: Don’t be fooled by companies claiming to offer full root access for extremely low rates. Managed hosting usually means that you have access to experts who can help or advise you which updates to make to your server. Hosting companies generally don’t do automatic updates because they can break your site. Choose an option that best fits your needs as well as your skill level.
HOW I CLEANED UP THE MESS
I immediately deleted the file that was being constantly accessed from my server and informed my hosting provider that I’d been hacked. Your hack doesn’t affect just your website; it can affect whole blocks of IP addresses called neighborhoods. When one IP address goes bad, sometimes other sites get reported as bad sites, even though they are clean. Not reporting a hack immediately could get you banned by your provider.
My hosting provider ran a server-side security scan and searched the server logs for the point of entry. The good news was that the hackers did not gain root access, but they did inject scripts by exploiting a vulnerable file that made my server a slave. After I knew what I was looking for, I manually searched for malicious code within my WordPress files. There are tools that can do this for you. (See resources below.) Code had been injected into 80 or so files very deep within the site. Code was also injected into a photo on the site (more on this in a moment). The most common kind of code injected looks like this:
If you have some knowledge of text editors and need to fix a file yourself, typically this code is placed at the end of a file. Hackers may also upload extra files to your server to perform other tasks. By making many servers slaves or routers of bad traffic, they can handily cover their butts. If you have no idea where to start to find the extra files and you are without scanning software as I was, open a local backup (that you are sure is clean) and compare files. Look at the dates to see when the files were last modified. The modified dates on those files will tell you where you need to look in the server logs to find the point of entry. You also need to open and fix or replace those files with clean versions. Hopefully you have a backup—if you don’t, you’ll be deleting the bad code manually.
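Comparing the live site against a backup you trust is the manual approach described above: list what was added, what changed, and when. The following is an added example (not code from the original post) that does that comparison with SHA-256 hashes, looks only at the tail of each changed file for the patterns that commonly appear in appended PHP, and reports each modified file's last-modified time in UTC so you can jump to the right spot in the server logs. The theme files, the appended "injection" and the dropped-in file are all constructed inside a temporary directory by `build_demo`; point `compare_trees` at your own clean backup and a copy of the live site to use it for real.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Patterns that commonly show up in PHP appended to theme and plugin files.
# Constructed list for this example; add whatever your own scanner reports.
SUSPICIOUS = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(", re.I)


def sha256_of(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root) -> dict:
    """Map each file's path relative to root (POSIX style) to its full path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root) -> dict:
    """Classify every file as added (not in the backup), modified (content
    differs from the backup) or missing (in the backup but gone from live)."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    report = {"added": [], "modified": [], "missing": []}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            report["added"].append(rel)
        elif sha256_of(path) != sha256_of(clean[rel]):
            report["modified"].append(rel)
    report["missing"] = sorted(rel for rel in clean if rel not in live)
    return report


def tail_has_suspicious_code(path, nbytes: int = 4096) -> bool:
    """Look only at the end of the file, where appended injections usually sit."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - nbytes))
        return SUSPICIOUS.search(f.read()) is not None


def mtime_utc(path) -> str:
    """Last-modified time as UTC ISO-8601: the value to look up in the server logs."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc).isoformat()


def build_demo(base) -> tuple:
    """Construct a tiny clean backup and a live copy with one appended
    injection and one dropped-in file, so the comparison runs offline."""
    clean, live = Path(base) / "clean", Path(base) / "live"
    for root in (clean, live):
        theme = root / "wp-content/themes/demo"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_bytes(b"<?php\n// theme functions\n")
        (theme / "style.css").write_bytes(b"/* Theme Name: demo */\n")
    # Constructed sample of code appended to the end of a legitimate file.
    with open(live / "wp-content/themes/demo/functions.php", "ab") as f:
        f.write(b"<?php eval(base64_decode('Zm9v')); ?>\n")
    # Constructed sample of an extra file that was never in the backup.
    dropped = live / "wp-content/uploads/cache.php"
    dropped.parent.mkdir(parents=True)
    dropped.write_bytes(b"<?php /* constructed dropped file */ echo 'x'; ?>")
    return clean, live


def run_demo() -> dict:
    """Build the sample trees in a temp dir and return the findings."""
    clean, live = build_demo(tempfile.mkdtemp(prefix="wp-compare-"))
    report = compare_trees(clean, live)
    report["tail_flags"] = {
        rel: tail_has_suspicious_code(live / rel)
        for rel in report["added"] + report["modified"]
    }
    report["mtimes"] = {rel: mtime_utc(live / rel) for rel in report["modified"]}
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that the dropped-in file trips none of the tail patterns: that is why the "added" list matters on its own. Anything on the server that is not in your backup needs a look regardless of what a pattern scan says about it.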
My hunch was that the contact form was vulnerable and I was right—it was among the first files to be deleted from the server. Ultimately, it was a file that allowed a user to upload a banner to the theme that created an exploitable hole. Any file that allows content to be uploaded (photos in your comments, for example) is a spot to keep an eye on for vulnerabilities. I took for granted that the creators of the theme I was using had a decent rating and didn’t scrutinize their code too closely, and that was a BIG mistake. My theme was chock full of tasty vulnerabilities. I have since found a theme check plugin to help with this process. (See resources below.)
SIDENOTE ABOUT WORDPRESS THEMES AND PLUGINS: WordPress themes are vulnerable, as are WordPress plugins. Do not pick a theme from an unproven developer. Themes with thousands of downloads are generally better supported and more likely to bring future security updates. Avoid plugins or themes that haven’t been updated to the latest WordPress version and stay away from old plugins or those with very few downloads. I recommend having as few plugins as possible and making sure that you always update them, or at the very least, review the developer’s release notes to see if the update fixed a security issue. Always implement security fixes as soon as possible.
As if I didn’t have enough on my hands, my hosting provider informed me that my site was spamvertising. Email spam from other infected machines was driving traffic to my site. I discovered that the spammers had also started my dormant email server and it was spamvertising other sites. My host’s security team did not catch the email exploit in their security scans but I found it and was able to stop the bleeding quickly. Removing infected files meant that anyone who clicked on a spam link to my site would be directed to a 404 not found page. I also added a notice of the attack on the site and let my social media accounts know that I’d been hacked so that anyone researching my site would see that my intent was not to spam them!
DOMAIN BANNING & BLACKLISTS
I didn’t know about spamvertising before this but quickly learned that a site can be blacklisted from the internet as a dangerous site, which has obvious and serious consequences in terms of branding, SEO, and could result in people seeing a big red ‘dangerous site’ message instead of your home page. I signed up for blacklist monitoring. (Resources below.)
BANNED BY GMAIL
Luckily, my site never made it to any blacklists; however, during the cleanup process, I had my server configured to send me a lot of alerts. Unfortunately, one of my Gmail accounts was listed as a backup email. Since the server was under attack, I was getting a lot of alerts. Gmail banned my domain after ONE ALERT that showed bad code that hackers were trying to upload to my site. Ironically, I had been banned for trying to prevent my domain from getting banned. I have filed an appeal but Google states that they won’t tell you if the ban has been lifted. I haven’t heard anything back and I am still banned. Be aware that you have little recourse if something like this happens (which I think is total bullshit by the way). If you are a marketer relying on an email list, this could be pretty devastating. Even with a marketing background, I hate email lists and fortunately, this was not the case. Still, I am concerned about my brand being unfairly blacklisted by the most powerful company on the web and how it might cross-contaminate my other Google services, like AdSense or Adwords.
CUZ GOOGLE SAID
Because Gmail banned my domain, the email provider I am paying for banned me too. Luckily paying for the service meant that I was able to reach a human and get the ban lifted. Even so, it took hours to get through to the right person at my email-hosting provider who had the server privileges to be able to lift the ban. In the meantime, I wasn’t getting the alerts I needed from my server!
MY GOOGLE GURGLED—DOWN THE DRAIN
Since my domain was being spamvertised by other infected servers, the bad referral traffic and attempts to break the site were at times overwhelming. Also, I think I might be a porn star in Latvia. I resisted the urge to just pull the site offline because it can severely penalize your domain in Google search and I knew the hack was invisible to any reader accessing my site. My site went from a full page listing on Google to a much more abbreviated one as a result of the hack—in just four days. That felt like several years’ worth of hard work down the drain.
I spent a solid month and many 18-hour days cleaning up. And that was before getting to the fun part of redesign, which took another three weeks. If I had taken a week to implement my planned security measures, it certainly would have saved me a ton of grief! Adding 410 pages for the bad links in htaccess helped the traffic die down and making sure bad files hit a 404 not found page helped too. But I’m still getting a steady influx of bots looking for those bad infected files. And that means bandwidth, and bandwidth means real money.
SIDENOTE: YOU PROBABLY HAVE HACKED PHOTOS ON YOUR COMPUTER RIGHT NOW—HOW TO SPOT THEM! Most websites don’t even know their photos have been corrupted. Often, I’ll look for album covers online when I write music reviews and I find hacked photo files every single day from huge sites that don’t know they are hacked. You should be checking every single photo you download from the web for malicious code so your computer doesn’t become a web slave. The code is injected into the EXIF data. To find the bad code, on OS X, open the photo and Get Info. Click on the pen to see if there is code in that section (like the code in the photo above). If you see code, throw the file away. Alternatively, you can open it in Photoshop and clear all the data, save as a Photoshop file and then resave as a usable jpg, png etc., but I recommend tossing the file and emptying the trash.
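The same check can be scripted rather than done photo by photo in Get Info. Below is an added example (not code from the original post) that walks the marker segments of a JPEG, looks inside the metadata segments only (EXIF/XMP in APP1, IPTC in APP13, and the plain-text COM segment) for code-like strings, and can also rebuild the file without those segments, which is the scripted equivalent of the "clear all the data and resave" route. It uses only the standard library and needs no image library because it never decodes pixels. `make_sample_jpeg` constructs a minimal JPEG-shaped byte string (not a viewable picture) so the example runs offline; the `<?php … ?>` text it plants in the EXIF segment is a constructed sample, and the list of suspicious strings is a starting point, not a complete signature set.

```python
import re
import sys

# Names for the marker segments that carry metadata in a JPEG file.
SEGMENT_NAMES = {0xE0: "APP0/JFIF", 0xE1: "APP1/EXIF-XMP", 0xED: "APP13/IPTC", 0xFE: "COM"}
METADATA_MARKERS = {0xE1, 0xED, 0xFE}   # segments a viewer never needs to show the picture

# Strings that have no business inside photo metadata.
# Constructed list for this example; extend it with what your own scanner reports.
SUSPICIOUS = re.compile(rb"<\?php|eval\s*\(|base64_decode|gzinflate|<script", re.I)


def jpeg_segments(data: bytes):
    """Yield (offset, marker, payload) for each marker segment up to and
    including SOS (start of scan), after which only pixel data follows."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte between segments
            i += 1
            continue
        if marker in (0xD8, 0xD9, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2                              # standalone markers have no length
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")   # includes the 2 length bytes
        payload = data[i + 4:i + 2 + length]
        yield i, marker, payload
        if marker == 0xDA:                      # SOS: metadata is finished
            return
        i += 2 + length


def scan_photo(data: bytes):
    """Return [(segment name, matched text)] for metadata segments containing
    code-like strings; an empty list means nothing suspicious was found."""
    findings = []
    for _, marker, payload in jpeg_segments(data):
        if marker in METADATA_MARKERS:
            m = SUSPICIOUS.search(payload)
            if m:
                findings.append((SEGMENT_NAMES[marker], m.group(0).decode("latin-1")))
    return findings


def strip_metadata(data: bytes) -> bytes:
    """Rebuild the file without EXIF/XMP, IPTC and COM segments, keeping JFIF,
    the quantisation/Huffman tables and the pixel data untouched."""
    out = bytearray(data[:2])
    for off, marker, payload in jpeg_segments(data):
        if marker in METADATA_MARKERS:
            continue
        if marker == 0xDA:                      # copy SOS and everything after it
            out += data[off:]
            break
        out += data[off:off + 4 + len(payload)]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def make_sample_jpeg(injected: bool) -> bytes:
    """Constructed minimal JPEG-shaped bytes (not a decodable picture) with
    JFIF, EXIF and COM segments, optionally with code planted in EXIF."""
    exif = b"Exif\x00\x00II*\x00\x08\x00\x00\x00"          # bare TIFF header
    if injected:
        exif += b"<?php /* constructed sample */ eval(base64_decode('Zm9v')); ?>"
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xE1, exif)
            + _segment(0xFE, b"Made with a constructed sample")
            + _segment(0xDB, b"\x00" + bytes(64))           # dummy quantisation table
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")   # SOS header
            + b"\x12\x34\x56"                               # fake scan data (no 0xFF)
            + b"\xff\xd9")


if __name__ == "__main__":
    for name in sys.argv[1:]:
        with open(name, "rb") as f:
            print(name, scan_photo(f.read()) or "clean")
```

Run it as `python check_photo.py *.jpg` over a download folder. Stripping the segments is offered for the case where you must keep the image; the post's advice to throw the file away is still the simpler answer, since a file someone has already tampered with is not worth keeping.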
RESOURCES
Below is a list of tools to prevent or help mitigate an attack and other best practices for keeping your WordPress site in top form. If you are being hacked, definitely check out this section of the WordPress Codex, download a scanner plugin and get to work. http://codex.wordpress.org/FAQ_My_site_was_hacked
0. THEME CHECK
Before you even bother to customize a theme, check it for vulnerabilities with a plugin like Theme Check. (There may be newer, better ones, but this one worked well for me, even on WordPress 3.9.1.) This particular developer also offers another checker for plugins. Lots of red warnings—don’t use the theme. If you paid for it, ask for a refund.
1. CLOUDFLARE.COM (Service that helps protect your site from bad bots.)
What it does: Blocks malicious web-side attacks, including bots that are constantly searching for code vulnerabilities. Even if you have great security and good headroom in your bandwidth, these spiders/bots can really slow down your site. Cloudflare caches your site, which helps increase its speed. Cloudflare offers free and paid services that require you to use them for your DNS (Domain Name System). This means you have to change the nameserver settings at your registrar and assign Cloudflare as your web DNS provider. They do not handle email.
What it does not do: It does not protect your server from command-line or brute force attacks at the server level, but it helps cut down on the most common web/spiders searching for exploits.
2. WORDFENCE.COM—(WordPress Plugin that scans for malicious files and helps repair them.)
Wordfence scans your WordPress theme, plugins and media for malicious code and allows you to monitor and block incoming traffic in real time. It can also fix most of the problems it finds. If you don’t have any access to your server it can be an invaluable tool for tracking down a malicious file or shutting out the worst offenders during an attack. If you use the paid version, you get quite a few more options, including one-click country blocking (very useful during an attack), spamvertising checks and email support. They also send out informative emails regarding WordPress plugins that have been hacked so you can act fast and disable/remove them from your server before you are affected. You should scan your site a minimum of once daily.
What it does not do: It does not fix actual server issues, though it can repair your SQL database. If your server is compromised, work with your hosting provider to clean it up. If you find infected files, it’s a good idea to contact your hosting provider and have them perform a scan of the server, regardless of whether you are sharing the server or not. If you are on a shared server, your site may become infected because a neighboring site is compromised.
3. MXTOOLBOX.COM (Free Blacklist monitoring service with paid remediation should your domain become blacklisted.)
What it does: Helps you monitor the health of your site to make sure it is not blacklisted on any of the major blacklisting sites across the web. You can set it to send you alerts.
4. PROJECT HONEYPOT (Free IP lookup and reporting service.)
This site will help you investigate IP addresses and report IPs that are trying to do harm to your server. Cloudflare is a better solution because they utilize the Honeypot database and shield your server’s IP address, but Project Honeypot is a great free solution to help cut down on bots. They also have a convenient lookup so you can research IP addresses and determine whether they are potentially dangerous.
5. HTACCESS
There is a lot of bad advice about htaccess (the invisible file in the root of your public html) that can actually make your site more vulnerable. Beware of code that you don’t understand. There are some malicious bits of code out there disguised as helpful. Know that adding a bit of code that you think is secure to your htaccess file may cancel out another line of code—so it’s best to get help from someone who knows what they’re doing. That’s why I’m not going to include code here. I accidentally exposed one of my administrators this way and basically had to just delete that administrator and give them a new name. My server is being hit 24/7 by bots trying to brute force that administrator’s name, which thankfully, no longer exists.
What your htaccess file needs, at a minimum: turning off directory indexing, protecting htaccess itself from being exposed, redirecting bad pages as “gone” (410), making sure your 404, 410 and 403 pages are working, stopping hotlinking, and protecting the wp-includes directory and the wp-config.php file.
Again, get someone to handle this if you don’t know what you’re doing. You have to know how to make invisible files visible on your computer in order to edit them and this requires knowledge of shell access/terminal on your computer. Some users may be able to edit htaccess directly in WordPress or in a theme within the WordPress dashboard.
6. CAPTAIN’S LOG: STARDATE NOW—KEEP A SERVER LOG OF YOUR ACTIVITIES ON THE SERVER
Keep notes about software updates, versions, and when you’ve backed up. Don’t forget to backup your local machine, too! I religiously use Time Machine locally—crashes happen!
7. ALWAYS UPDATE YOUR PLUGINS
Deactivate plugins you aren’t using and most importantly delete them from the server. Even if you’ve deactivated them, that code with cobwebs in it is not doing you any favors. Store the files offline in case you want to revisit them.
8. ALWAYS UPDATE YOUR THEME & LEARN TO USE CHILD THEMES
If the person who developed your theme hasn’t touched it in a year, consider upgrading. You want a developer who is constantly updating their theme as new security challenges arise. Learn about and use child themes so that updates by the developer to your theme don’t break your customization. Start here: http://codex.wordpress.org/Child_Themes
9. DO NOT STORE OTHER FILES ON YOUR WORDPRESS SERVER
Unless you know what you’re doing with partitions and firewalls, never put other files on your server, only that which is needed to run your site. This is not the backup storage area for your personal or important information.
10. THINGS TO DISCUSS WITH YOUR HOSTING PROVIDER
Ask your provider about brute-force protection, ModSecurity, and restricting FTP and SSH to a couple of IP addresses, and have your webmaster lock down any unnecessary ports. There are many things you can do on the server side to beef up security, and these tasks are best handled by a sysadmin at your hosting provider if you don’t know what you’re doing.
11. DOMAIN EMAIL
Include alias addresses for abuse and postmaster at a minimum. There is a long laundry list of best practices for email addresses that are supposed to be on every server, but if you have one for abuse, someone who has AOL and got spam about your site just might write you an angry email that could tip you off to a problem.
12. YOAST SEO (WordPress Plugin), download it and learn it.
Understanding SEO (Search Engine Optimization) is made easy with this WordPress Plugin and having good SEO practices lets search engines index you more easily. The better shape you’re in before a hack, the easier it will be to recover from a hack.
13. COMMENTS AND CONTACT FORM
If you have comments or a contact form on your site, use the plugin Akismet to block bots from commenting or leaving code in your comments. This could prevent an unsuspecting user on your site from clicking a malicious link. (Personally, I’ve disabled comments—I make the case here.)
Even though Google tracking generally excludes bot activity, it’s a good idea to pull Google advertising and inform any paying advertisers that you’ve been hacked.
A WORD ABOUT COST
Web security can get expensive and like anything, you get what you pay for. If a brand that you have invested your time/effort and money developing is harmed, what is it worth to you? How much time/skill do you have to mitigate problems? As I have discovered, having full control of a website has its pros and cons. If you want to skip the business of hosting altogether, there are always free options like Tumblr, that allow you to host your domain.
While this certainly has been a learning experience filled with frustration and anxiety, it ultimately resulted in a complete redesign and overhaul of the site, a set of better protections and attention to web security in general. No site is hack proof. If someone truly wants to take your site down, they’re going to do it. All you can do is hang on and know that at the end of the day—it’s just typing.
Thanks for reading.