A couple of weeks ago, a Twitter friend of mine contacted me in a panic. Her WordPress blog had been hacked. She’s a popular blogger with a busy site that gets 30k unique visitors a month and hundreds of comments a day.
She was horrified to see that Google was now showing a red screen to all her visitors warning them the site was infected! I created a list of 20 things you can try to narrow down the problem and secure your WordPress install.
What’s the problem?
The first thing I did was talk with her about what she had noticed to make her think the site had been hacked. Her faithful readers were the first ones to report the problem. With over 2,500 daily visitors, she needed her site back up and running ASAP.
Readers reported:
- A red warning window saying the site was infected
- A strange popup asking them to install software

Where to start
I spent time up front collecting information so I knew what we were dealing with. My early detective work paid off because I had the right information, tools and workflow in place. The questions I set out to answer were:
- How the WordPress site was compromised and hacked
- What malware or scripts had been installed
- If the site was still infected and which files
- How to stop the hack and plug the hole
- Options for restoring the site from a clean backup
- Protecting visitors from the malware that was trying to install viruses on their computers
- How to prevent this sort of thing from happening again
20 Ways To Find Your WordPress Hacking Problem
Here’s the outline I created as I went through the process of systematically collecting, analyzing, securing and monitoring her WordPress blog to resolve the compromise.
- Read this http://codex.wordpress.org/Hardening_WordPress
- Create a backup of the files and database before you make any changes via the cPanel or your host
- Put your site in maintenance mode with a plugin like WP Maintenance Mode
- Turn off all plugins except the maintenance mode plugin
- Contact your host and ask how far they can roll back the site
- Document why you believe the site was hacked including screenshots, code snippets and any notices from Google that the site has been marked as malicious and removed from Google’s index
- Google for any strange code phrases or suspect javascript
- *STOP* If you are not comfortable reading php code, browsing a MySQL database, using FTP or editing files with a text editor, you need to get help from someone
- Begin reviewing the log files to identify why this may have happened
- Install plugins that monitor WordPress for changes and hacks, such as:
  Exploit Scanner
  Akismet htaccess writer
  Audit Trail
  InspectorWordpress
  Simple History
  WordPress Hashcash
  WP-Sentinel
  Login LockDown
- Make sure there are no backups of your database or files in the public directory
- Change all passwords for WordPress users
- Change your FTP password
- Change the MySQL user password that connects the database to the WordPress install and update your wp-config.php file
- Make sure the WordPress security keys (SALT) are filled out in wp-config.php with complex strings
- Change your cPanel or Plesk password
- Remove or update the other WordPress installs that may be on subdomains in Multi-Site
- Run a local virus scan against the zipped backup file
- Open the core WordPress files header.php, single.php and footer.php in a text editor and look for anything strange, and also view the source code of the live site. The Exploit Scanner plugin will highlight suspicious code.
- Monitor the security plugins and log files to determine the problem
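Several of the steps above can be scripted so they are repeated the same way every time. The POSIX shell script below is an added example, not code from the original post or from any of the plugins it names. It builds a constructed, throw-away WordPress-like tree in a temp directory, then backs it up before touching anything (step 2), lists database dumps or archives left in the public directory (step 11), counts security keys still set to the stock placeholder in wp-config.php (step 16), greps the header.php, single.php and footer.php files for patterns common in injected PHP (step 20), and triages a constructed access log for repeated POSTs to wp-login.php and for PHP scripts requested from the uploads directory (step 9). Every path, file name, IP address and sample line is an assumption made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a constructed
# WordPress-like tree in a temp directory and runs the checklist items that
# can be automated: back up the files first, look for database dumps or
# archives left in the public directory, check wp-config.php for security
# keys still set to the stock placeholder, grep the theme files named in the
# post for patterns common in injected PHP, and triage a constructed access log.
# Paths, file names and all sample contents are assumptions for the demo.

set -u

# Constructed sample site; nothing here comes from a real blog.
make_sample_site() {
    site="$1"
    mkdir -p "$site/wp-content/themes/demo" "$site/wp-content/uploads"
    cat > "$site/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'demo_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
EOF
    printf '<?php get_header(); ?>\n<h1>Demo</h1>\n' > "$site/wp-content/themes/demo/header.php"
    printf '<?php the_content(); ?>\n' > "$site/wp-content/themes/demo/single.php"
    # Footer carrying an obfuscated eval, the shape injected code often takes.
    printf '<?php eval(base64_decode("ZGVtbw==")); ?>\n' > "$site/wp-content/themes/demo/footer.php"
    # A database dump forgotten in the web root.
    echo '-- MySQL dump (constructed)' > "$site/backup.sql"
    # Constructed access log: one client hammering wp-login.php, one fetching
    # a PHP file from the uploads directory, and ordinary traffic.
    cat > "$site/access.log" <<'EOF'
203.0.113.5 - - [17/Dec/2010:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [17/Dec/2010:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [17/Dec/2010:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [17/Dec/2010:10:05:00 +0000] "GET /wp-content/uploads/2010/12/x.php HTTP/1.1" 200 88
192.0.2.9 - - [17/Dec/2010:10:06:00 +0000] "GET /2010/12/a-post/ HTTP/1.1" 200 5120
EOF
}

# Step 2: archive the files before changing anything; prints the archive path.
backup_site() {
    tar -czf "$2" -C "$1" . && printf '%s\n' "$2"
}

# Step 11: dumps or archives readable under the public directory, one per line.
find_public_backups() {
    find "$1" -type f \( -name '*.sql' -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.bak' \) | sort
}

# Step 16: how many security keys are still the stock placeholder.
count_placeholder_salts() {
    grep -c 'put your unique phrase here' "$1/wp-config.php" 2>/dev/null || true
}

# Step 20: theme files containing patterns common in injected PHP.
find_suspicious_theme_files() {
    grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|<iframe' \
        "$1"/wp-content/themes/*/header.php \
        "$1"/wp-content/themes/*/footer.php \
        "$1"/wp-content/themes/*/single.php 2>/dev/null | sort
}

# Step 9: client IPs with more than N POSTs to wp-login.php, as "ip count" lines.
login_post_hotspots() {
    awk -v n="$2" '$6 == "\"POST" && $7 == "/wp-login.php" { c[$1]++ }
                   END { for (ip in c) if (c[ip] > n) print ip, c[ip] }' "$1"
}

# Step 9: requests for PHP scripts inside wp-content/uploads, where PHP should never run.
uploads_php_requests() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $7 }' "$1"
}

# Run every file check; returns 1 when anything needs attention.
audit_site() {
    site="$1"; problems=0
    backups=$(find_public_backups "$site")
    [ -n "$backups" ] && { echo "backups in public dir:"; echo "$backups"; problems=1; }
    salts=$(count_placeholder_salts "$site")
    [ "${salts:-0}" -gt 0 ] && { echo "placeholder security keys: $salts"; problems=1; }
    bad=$(find_suspicious_theme_files "$site")
    [ -n "$bad" ] && { echo "suspicious theme files:"; echo "$bad"; problems=1; }
    return $problems
}

# Stand-alone run: build the sample, back it up, audit the files and the log.
SAMPLE="$(mktemp -d)/wp"
make_sample_site "$SAMPLE"
backup_site "$SAMPLE" "$SAMPLE.tar.gz"
audit_site "$SAMPLE" || echo "audit found problems (expected for the sample)"
login_post_hotspots "$SAMPLE/access.log" 2
uploads_php_requests "$SAMPLE/access.log"
```

The grep patterns are deliberately broad: they flag the encoding and evaluation functions that injected code leans on, so a hit is a file to read by hand, not proof of compromise on its own. The same goes for the log checks; a handful of failed logins is normal, so pick the threshold to match the site's traffic.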
Don’t forget about resubmitting your site to Google
You should have an idea of how the site is being compromised within 24 hours. At that time, you can make the necessary changes. If the site has been marked by Google as hosting malware, you’ll need to sign in to Google Webmaster Tools and ask Google to remove the site. That takes anywhere from 4 to 24 hours.
Google’s red warning box at the beginning of the post directed people to a link with more information about the site. Here is an excerpt of the Google Diagnostics page after the WordPress blog was secured:
What happened when Google visited this site?
Of the 874 pages we tested on the site over the past 90 days, 130 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-12-17, and the last time suspicious content was found on this site was on 2010-11-18. Malicious software includes 13 exploit(s), 1 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 9 domain(s), including tafenep.co.cc/, surulyq.co.cc/, bkztbkz.co.cc/.
3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including tafenep.co.cc/,bkztbkz.co.cc/, miscsale.com/.
This site was hosted on 1 network(s) including AS11798 (BLUEHOST).

Don’t forget to backup!
I cannot stress enough that you should make an immediate backup of your files and database before you start any work. From there, keep track of the changes you make. That’s why I like the Simple History plugin: it will track things like the activation of plugins.
Questions?
My friend asked how this happened. I gave her a list of reasons. Should I post that list for readers?