WordPress Hacked? Let's Fix It Together!
WordPress hacked? I feel you. Really. I had most of my WordPress sites hacked, and it’s a pretty helpless feeling when you are sitting there with a site that is redirecting traffic to some hacker’s porn site, Google is complaining and threatening to disable AdSense, and you have no way to fix the problem, if you even know what the problem is. There are several ways that hackers get access, and several things they do regularly to cash in on your work, making them money while Google downgrades your sites in the search results. Yes, I hate them too. So, what are the hacks they perform, exactly?
WARNING! THIS IS NOT A LESSON OR INSTRUCTION ON HOW TO DO ANYTHING TO YOUR WEBSITE. I AM SHARING MY EXPERIENCES ONLY. EVERYTHING YOU DO TO YOUR OWN SITES IS ENTIRELY AT YOUR OWN RISK AND I WILL NOT BE RESPONSIBLE FOR ANY DAMAGE TO YOUR CODE. ALWAYS KEEP A BACKUP OF YOUR SITE SO YOU CAN RECOVER ANYTHING YOU CHANGED IN ERROR. ESTABLISH AND PRACTICE GOOD HABITS WHEN IT COMES TO CODE MANAGEMENT. GOOD LUCK!
In my experience, there have been three distinct attacks. The first is a change to the rewrite rules in the .htaccess file in the root of your WordPress directory. The rewrite rules in this file change where a request ends up: the browser went to URL A, but the address bar shows URL B. Why do this? One way the hacker profits from the hack is by having Google index your site with a bunch of bogus keywords and references to some site out there on the internet that pays the hacker for the better search results placement.
Another attack adds code to your site that auto-generates PHP pages, which are then periodically served in response to requests for your site (see Fig 1). All the highlighted files in this figure were added by the hackers and need to be removed.
Figure 2 contains an example of the code that typically fills these bogus PHP pages in your WordPress codebase. Again, you must delete all these files without deleting the WordPress core files. I suggest taking a known clean WordPress codebase and comparing its files against those on your production site.
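One way to do that comparison, as an added example that is not part of the original post: hash every file under a known clean WordPress tree and under the production tree, then report files that exist only in production (dropped files, the Fig 1 case), core files whose contents differ (the Fig 3 and Fig 4 case), and files missing from production. The directory names and the small sample trees are constructed for the demo; wp-config.php is not part of a stock release, so it will always show up as "added" and has to be reviewed by hand.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = file_sha256(p)
    return result


def compare_trees(clean_root, prod_root, ignore_prefixes=("wp-content/uploads/",)):
    """Compare a production WordPress tree against a clean reference tree.

    Returns paths that are added in production (not in the clean tree),
    modified (present in both, different hash) and missing from production.
    The uploads directory is skipped by default because it legitimately differs.
    """
    clean = hash_tree(Path(clean_root))
    prod = hash_tree(Path(prod_root))
    added = sorted(p for p in prod
                   if p not in clean and not p.startswith(ignore_prefixes))
    modified = sorted(p for p in prod if p in clean and prod[p] != clean[p])
    missing = sorted(p for p in clean if p not in prod)
    return {"added": added, "modified": modified, "missing": missing}


def build_constructed_sample():
    """Create two tiny constructed trees (not real WordPress files) for a demo run.

    The production copy gets one dropped file under wp-content/plugins and
    one modified core file, which is exactly what the cleanup has to find.
    """
    base = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    clean, prod = base / "clean", base / "prod"
    files = {
        "index.php": "<?php // constructed stand-in for index.php\n",
        "wp-settings.php": "<?php // constructed stand-in for wp-settings.php\n",
        "wp-includes/version.php": "<?php $wp_version = '0.0-demo';\n",
    }
    for root in (clean, prod):
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    dropped = prod / "wp-content" / "plugins" / "x9k2.php"   # constructed name
    dropped.parent.mkdir(parents=True)
    dropped.write_text("<?php // constructed placeholder for a dropped file\n")
    (prod / "wp-settings.php").write_text(
        "<?php // constructed stand-in for wp-settings.php\n/* */ injected(); /* */\n")
    return clean, prod


if __name__ == "__main__":
    clean_dir, prod_dir = build_constructed_sample()
    for kind, paths in compare_trees(clean_dir, prod_dir).items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Point `compare_trees` at a freshly unpacked release of the same WordPress version as production; a version mismatch makes nearly every core file show up as modified and buries the real findings.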
Another hack inserts encoded text into the actual core WordPress files. The ones I've seen infected over and over again are index.php, wp-config.php, and wp-settings.php (see the example in Fig 3). I've done some random checks of other files but haven't found the hacks there.
Figure 4 contains yet another example of code inserted into the WordPress core files. It is often hidden in comment blocks: they insert a comment terminator, a bunch of their encoded code, and then a comment opener again. You have to watch for this; your eye will get better and better at spotting these problems, I'm sure!
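A small scanner for exactly that pattern, added here as an example and not taken from the post: it flags a line where code is wedged between a `*/` and a `/*`, a line that combines a decoding or eval-style call with a long base64-looking string, and any very long line (a common sign of a one-line payload). The sample PHP source below is constructed, and the encoded string is plain filler.

```python
import re
from pathlib import Path

# PHP calls that commonly wrap an encoded payload. Legitimate code uses some
# of them too, so every hit is a candidate for a manual look, not a verdict.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)
# A quoted run of 60+ base64 characters.
LONG_BASE64 = re.compile(r"['\"][A-Za-z0-9+/=]{60,}['\"]")
# Code wedged between a comment terminator and a new comment opener on one line.
COMMENT_SANDWICH = re.compile(r"\*/\s*(?P<code>[^\n]*?\S[^\n]*?)\s*/\*")
MAX_LINE = 1000


def scan_php_source(src: str):
    """Return a list of (line number, reason) findings for one PHP source text."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = COMMENT_SANDWICH.search(line)
        if m and SUSPICIOUS_CALLS.search(m.group("code")):
            findings.append((lineno, "code injected between comment blocks"))
        if SUSPICIOUS_CALLS.search(line) and LONG_BASE64.search(line):
            findings.append((lineno, "decoding call with long encoded string"))
        if len(line) > MAX_LINE:
            findings.append((lineno, f"very long line ({len(line)} chars)"))
    return findings


def scan_php_file(path):
    """Scan one file on disk; errors='replace' keeps binary junk from aborting the run."""
    return scan_php_source(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a docblock with an injected line in the middle of it.
# "ENCODED" is replaced with harmless filler (64 base64 chars that decode to 'AAA...').
SAMPLE = """<?php
/**
 * Constructed sample, not real WordPress code.
 */ eval(base64_decode('ENCODED')); /*
 * Tells WordPress to load the theme.
 */
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
""".replace("ENCODED", "QUFB" * 16)

CLEAN_SAMPLE = """<?php
/**
 * Constructed clean sample.
 */
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
"""

if __name__ == "__main__":
    for lineno, reason in scan_php_source(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Run `scan_php_file` over every `*.php` under the site root (a `Path(root).rglob("*.php")` loop) and review hits by hand; plugins that legitimately ship minified or encoded assets will trip the long-line rule, which is why the scanner reports rather than deletes.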
An example of a correct, clean .htaccess file is shown in Fig 5. You can even delete everything in the .htaccess; the only consequence is that URL rewriting won't take place. That is minor compared with living with the hack like a permanent parasite on your site's back.
I’ve been there
Currently I am hosting about 35 sites on GoDaddy and five more on BlueHost. EVERY ONE of my GoDaddy sites has been hacked at some point. EVERY ONE. On BlueHost, not one site. Analyzing the hackers' actions is very interesting: they are finding multiple entry points, and there seems to be no way to be safe except a daily restore-from-backup routine, blowing away the site each day and replacing it with a known good version. This is not an elegant solution, to say the least, but I have no choice but to clean the sites twice a week.
How do you clean your WordPress installation?
- Delete all known hacker-installed files (Fig 1).
- Go through the core files and find and remove any inserted code blocks (Fig 4).
- Check .htaccess for inserted rewrite rules (Fig 5).
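For the .htaccess step, an added check (not from the post) that compares each rewrite or redirect directive against the stock WordPress rewrite block and reports anything else, with extra notes when a directive sends visitors to an external URL or conditions on the referer or user agent (the page describes exactly that kind of search-traffic hijack). The stock block below is the standard single-site one that WordPress writes; the sample file with two extra lines appended is constructed, and example.invalid is a placeholder.

```python
import re

# The stock WordPress single-site rewrite block, one normalized directive per entry.
# Matching is exact on purpose: anything that differs deserves a look.
KNOWN_GOOD = {
    "RewriteEngine On",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
}
DIRECTIVE = re.compile(r"^(Rewrite\w+|Redirect\w*)\b", re.IGNORECASE)
EXTERNAL_URL = re.compile(r"https?://", re.IGNORECASE)
CLIENT_FINGERPRINT = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}", re.IGNORECASE)


def audit_htaccess(text: str):
    """Return (line number, normalized line, reason) for every non-stock directive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())          # collapse whitespace for comparison
        if not line or line.startswith("#") or not DIRECTIVE.match(line):
            continue                           # comments, <IfModule>, other directives
        if line in KNOWN_GOOD:
            continue
        reasons = ["rewrite/redirect directive outside the stock WordPress block"]
        if EXTERNAL_URL.search(line):
            reasons.append("sends visitors to an external URL")
        if CLIENT_FINGERPRINT.search(line):
            reasons.append("conditions on referer or user agent")
        findings.append((lineno, line, "; ".join(reasons)))
    return findings


# Constructed sample: the stock block followed by two appended lines of the
# kind described in the post (a referer check and a redirect to another host).
HTACCESS_SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} google\.com [NC]
RewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]
"""

CLEAN_HTACCESS = "\n".join(HTACCESS_SAMPLE.splitlines()[:10]) + "\n"

if __name__ == "__main__":
    for lineno, line, reason in audit_htaccess(HTACCESS_SAMPLE):
        print(f"line {lineno}: {line}\n    {reason}")
```

Sites that use caching or security plugins write their own directives into .htaccess, so expect some hits that are legitimate; the point is that every directive outside the stock block is accounted for by something you installed.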
Paths of Entry
I've long wondered just how the hackers get into the server, and I've seen several ways.
- Use an outdated plug-in or theme to get in, make an admin user, and modify some files.
- Hack in by getting into the root of the server, thus having access to multiple sites (thousands of WordPress sites are hosted on a typical ISP's shared server).
- Brute force their way into WP admin (this is the least likely option, I think).
Speaking to GoDaddy support gave me no answers: they are great at helping with the rudimentary issues of shared hosting, but when it comes to hackers, I think.
Good luck, and comment on your experience with WordPress hackers!