Take a deep breath, and we’ll first try to fix the cause, then we’ll look at stopping the problem happening again. If you’re badly stuck and haven’t the time, you can hire us to fix the hacked WordPress website.
How do you know your website has been compromised?
There are generally three types of website hacking that occur.
- Proof of concept – generally undertaken to prove something isn’t secure, and to show flaws in a system.
- To steal data from your business and/or your users’ data
- Affiliate / Spam redirects, the most common.
Proof of concept is generally undertaken by a hacker who is more ethically oriented, and the aim is to find flaws/vulnerabilities in a system. It is usually done to help find flaws before a more malicious user finds the fault. It’s common for large companies to pay an ethical hacker to find flaws in their systems to prevent more significant problems down the road. It’s worth having a look at FireBounty to see examples of ethical hackers’ work.
Theft of data is a severe breach, and if customers’ information has been leaked, it’s essential to report it to the proper data protection agency in your country. To try to prevent issues like this, it’s essential to follow strong security practices, such as using secure passwords and SSL certs, and processing credit card information off the server via Braintree, Stripe or PayPal.
Affiliate / spam inserts/redirects are the most common type and are done purely to make money from commission/affiliate marketing. Usually, they target WordPress websites that follow poor practices. Visitors see ads that shouldn’t be there, and/or are redirected to other websites / popup windows that are not relevant to the website.
Some of the weak entry points include:
- Poor shared hosting environments
- Outdated server software
- Outdated CMS software
- Old plugins
- Weak Passwords
- Pirate / Warez Plugins / Themes
The first area we look at with a website is who the host is. Is it a managed service? Is the system running the latest software versions and kept up to date? If the website is on a platform such as WP Engine or Kinsta, we’re pretty confident that the hosting environment is secure and reliable. If it’s not on one of the major hosting platforms, the first thing we’d recommend is moving host to try to prevent this from happening in the future.
Are you running the most up-to-date versions of CentOS, PHP 7.2 and MySQL? New software updates bring improved speed and reliability as well as new features, but they also include a lot of security updates and patches for known problems. These known problems are the areas attackers go after, as they know they are vulnerable.
From the hosting point of view it’s important to have a robust firewall in place to stop bad connections to the server. It’s also important to have some form of brute force protection to stop bots trying to guess your account credentials and gaining access to your website.
On top of this we recommend using a service such as Cloudflare to shield your server’s IP address and block malicious traffic as early in the chain as possible. Cloudflare also includes SSL for your domain, as well as the ability to protect your website from DDoS attacks that try to take your website offline.
Change your password. Use a minimum of 8 – 12 characters, and be sure to include capital letters, numbers and symbols. The passwords for your control panel, FTP and WordPress login should all be unique. They should never be a single dictionary word or anything obvious someone could guess. If, like me, you have difficulty remembering a complicated string other than your own phone number, invest in a password manager such as LastPass to keep the username/password credentials for all your digital assets unique and safe.
WordPress CMS Software Updates
When was the last time you checked that your website software is up to date? Having a maintenance plan in place to check weekly greatly reduces the risk of any vulnerabilities being found on your website. Most people think that updates are only there to bring new features, but they also patch an array of vulnerabilities that ethical hackers have discovered.
Similarly with WordPress plugins, it’s important to keep them up to date. To be honest, it’s worth having a good audit of your plugins and keeping only the ones essential for your website. It’s also worth checking whether they are still maintained by the developer, or have been left abandoned and unsupported. If so, these are risky culprits that are worth replacing with an alternative plugin. Be careful who you trust to run plugins / untested code on your website.
Yes, some plugins can be really expensive, especially for small business websites only just taking off. It can be very tempting to buy heavily reduced-price “GPL licence” software or a torrented plugin / theme from a third-party source, especially if you’re only trying something out. But plugins/themes like these are not free; there is always someone who wins. Typically the hackers who pirate them include hidden backdoors, unknown to you, that allow them to get access to your website, or to update them with malicious code later on.
If you like a plugin or theme and it provides value to you or your business, do the right thing and buy a legally licensed copy direct from the author. Not only does it help the development of future versions, but you know that you’re less likely to be getting shitty backdoored software. It also gives you the ability to reach out to the software developer should you need any technical support or assistance with their product.
OK, I’ve done all the above to try to prevent my website being breached again. How do I clean my website?
Firstly, take a full copy of your website and download it locally should you need to access any of it. Look through your website via FTP sorted by last modified date and look for recent files that have been edited. Sometimes there is a reason for a recent edit, such as an update, but it can be that they were edited to insert malicious spammy code directly into the PHP.
Download the latest version of WordPress and overwrite all the default files and folders (except wp-content and wp-config.php). This will revert any modifications made to the core of WordPress and return it to the latest and most secure build.
Install your theme from scratch again. Make sure you have a backup first in case you lose any changes. It’s recommended to make any changes to a WordPress theme via a Child Theme. This way, updating the main theme won’t lose your modifications.
Rename / remove your plugins folder and manually add each plugin again from a reputable source. Have an internal audit of all the plugins used, and check that they are regularly updated and maintained by their developer. Make sure all themes/plugins are using the most up-to-date versions available.
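As an added example (not part of the original post), a short Python triage script that runs the “sort by last modified” check above over the local copy you downloaded, and also flags PHP files sitting inside wp-content/uploads or calling eval/base64_decode-style helpers. The site tree and its one suspicious file are constructed inline for the demo; in practice point `triage_site_copy` at your own backup folder.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Helpers that injected PHP leans on to hide its payload (constructed starter list).
SUSPICIOUS_PHP = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)

def triage_site_copy(root, days=14, now=None):
    """Return [(relative path, reasons)] for files in a local site copy that were
    changed within `days` days, are PHP dropped into uploads, or are PHP calling
    the helpers above. Every hit still needs a human look."""
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel, reasons = path.relative_to(root).as_posix(), []
        if path.stat().st_mtime >= cutoff:
            reasons.append("recently modified")
        is_php = path.suffix.lower() == ".php"
        if is_php and "wp-content/uploads/" in rel:
            reasons.append("PHP inside uploads directory")
        if is_php and SUSPICIOUS_PHP.search(path.read_bytes()[:200000]):
            reasons.append("calls eval/base64_decode-style helper")
        if reasons:
            findings.append((rel, reasons))
    return findings

def build_sample_site():
    """Constructed sample tree (not a real site): core, theme and image files
    dated 90 days ago, plus one freshly written PHP file inside uploads."""
    root = tempfile.mkdtemp()
    old = time.time() - 90 * 86400
    files = {
        "wp-config.php": (b"<?php define('DB_NAME', 'wp');", old),
        "wp-includes/functions.php": (b"<?php function wp_x() {}", old),
        "wp-content/themes/demo/header.php": (b"<?php get_header();", old),
        "wp-content/uploads/2019/01/image.jpg": (b"\xff\xd8", old),
        "wp-content/uploads/2019/01/x.php": (b"<?php eval(base64_decode('Q09OU1RSVUNURUQ='));", None),
    }
    for rel, (data, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        if mtime is not None:
            os.utime(p, (mtime, mtime))   # backdate the "untouched" files
    return root
```

Running `triage_site_copy(build_sample_site())` reports only the fresh PHP file in uploads, with all three reasons attached.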
Clear all caches and look at the website from an incognito browser window to see if the problems still occur. If so, it’s beyond the PHP files being edited, and it’s more than likely a MySQL injection that’s happened at the database level.
What this means is that the malicious code is written directly to the database and inserted into every page or post view. Try to find the string of the JS/code that’s doing the redirect by using Chrome developer tools. Usually, you can search by the redirected URL string.
We’d recommend taking a MySQL dump of the database, opening it in a large-file text editor and searching for patterns that match this injected string. Sometimes the string is encoded or obfuscated, so it can be harder to find, but you should be able to find some sign of the injected code. Find/replace to remove all occurrences of the string, save the SQL file and import the new database to the server via phpMyAdmin. It’s essential that you take a full backup of everything at the beginning in case you remove or overwrite any good data accidentally.
90% of the time, the above steps are enough to fix the cause and get you back to normal. If you’re having difficulty with this, reach out to us and we can perform this for you and also look at tightening up your security.
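As an added example (not part of the original post), a Python scanner for the dump-and-search step: it takes the redirect domain you found in developer tools, searches each INSERT line of a SQL dump for it both in clear and in its three base64 alignments (one common way the injected string ends up “encrypted”), and strips clear-text script tags that reference it. The sample dump and the domain bad-ads.example are constructed for the demo.

```python
import base64
import re

def base64_variants(needle):
    """Every base64 spelling of `needle`, one per 3-byte alignment. Encoding it with
    two different filler bytes and keeping only what both agree on drops the
    characters that depend on the unknown neighbouring bytes."""
    raw, variants = needle.encode(), set()
    for k in range(3):
        a, b = (base64.b64encode(p * k + raw + p * 2).decode().rstrip("=")
                for p in (b"\x00", b"\xff"))
        agree = [i for i, (x, y) in enumerate(zip(a, b)) if x == y]
        if agree:
            variants.add(a[agree[0]:agree[-1] + 1])
    return variants

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def clean_dump(sql_text, indicator):
    """Scan a dump line by line (mysqldump writes one INSERT per line). Script tags
    naming the indicator in clear are removed; base64-hidden hits are only reported,
    since a blind replace inside an encoded blob would corrupt the record.
    Returns (cleaned_sql, [(line_no, kind, tags_removed)])."""
    plain = re.compile(re.escape(indicator), re.I)
    enc = re.compile("|".join(re.escape(v) for v in base64_variants(indicator)) or r"(?!)")
    hits, out = [], []
    for n, line in enumerate(sql_text.splitlines(), 1):
        if plain.search(line):
            bad = lambda m: bool(plain.search(m.group(0)))
            removed = sum(bad(m) for m in SCRIPT_TAG.finditer(line))
            line = SCRIPT_TAG.sub(lambda m: "" if bad(m) else m.group(0), line)
            hits.append((n, "plain", removed))
        elif enc.search(line):
            hits.append((n, "base64", 0))
        out.append(line)
    return "\n".join(out) + "\n", hits

# Constructed three-row dump (not real data): an injected script, a clean post,
# and a widget whose redirect is hidden inside a base64 blob.
INDICATOR = "bad-ads.example"
SAMPLE_DUMP = (
    "INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Welcome</p>"
    "<script src=\"http://bad-ads.example/r.js\"></script>');\n"
    "INSERT INTO `wp_posts` VALUES (2,'About','<p>About us</p>');\n"
    "INSERT INTO `wp_options` VALUES (77,'widget_text','<script>eval(atob(\""
    + base64.b64encode(b"window.location='http://bad-ads.example/go'").decode()
    + "\"))</script>');\n"
)

def demo():
    return clean_dump(SAMPLE_DUMP, INDICATOR)
```

`demo()` removes the clear-text script from row 1 and reports row 3 as a base64 hit for manual review, leaving the clean row untouched.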