Detecting and Recovering a Hacked WordPress Blog

My wordpress blog has been hacked

For both personal and professional use, WordPress blogs are all the rage at the moment, especially in the CrossFit and PDR communities and not without good reason. They are trivial to install, easy to use and pretty simple to customise to give your own unique look and feel, without any programming knowledge.

As any WordPress owner will tell you though, they are also prime targets for spammers. Most of this comes in the form of comment spam, where typically “bots” (automated programs) or armies of Indians / Chinese / Philippinos post fairly short, pointless or plain random comments, just so they can get the link back to their site from the “url” field when you enter a comment.

The reason for why they do this is that the internet currency is hyperlinks. The more links you have to your site (generally) the higher up the search engines your website will appear. The fact that the search engines all got together years ago to stop this with the introduction of the “nofollow” tag (which is applied by default to all WordPress comment links) means that their efforts are mostly pointless, but lets not stop something as trivial as the facts get in the way of a determined spammer huh?

One of WordPress’ strengths is it’s plugin model, where you can get extra bolt on bits of code that upgrade its performance. The main anti-spam plugin is Askimet, which comes pre-installed on virtually all WordPress blogs. It’s vital to keep this up to date with the latest versions though, using WordPress’ very simple Automatic Update function (listed next to the plugin’s entry on the plugin page, if an update is available).

Realising this, some spammers go a step further however and actively seek to hack into the administrator screens of a WordPress blog so that they can surreptitious insert links of their own directly onto the site. There are lots of ways to attack a site which are out of the scope of this article (Google “SQL Injection” for an example if you are interested), but what is important is that it is not always obvious that you website or blog has been the subject of a successful attack.

Why? Because hackers go to some lengths to hide the evidence by hiding the links they create, either by printing them in white on a white background, or explicitly making them hidden with a “style”. This only works (in their minds perhaps) because the search engine programs that scour the internet (typically called “spiders”… see what they did there?!?) don’t see any of the fancy formatting that’s in place on websites to make them look pretty to the likes of you an I, they see just the raw text only (it’s a bit Matrix if you ask me). So the search engines’ spiders will see a link that’s been hidden from you.

If you don’t know your blog’s been hacked and you can’t see any evidence of it, how do you ever tell then? My own blog has been hacked twice and each time I spotted it in a different way. The first time, I started getting automated emails from my web host warning that I was approaching, then exceeding my bandwidth limits. But when I checked the stats, I wasn’t getting any more visitors. Investigation discovered that my home page had grown to 900kb, just in text. The result of 2000 hidden links inserted at the bottom of the page! You can check this by right clicking on your blog and selecting “View Page Source” (in FireFox) or “View Source” (in Internet Explorer) and you will see your website how the spiders see it.

The second time, I noticed a significant drop in the number visitors to the site, it dropped about 3/4 over night (you do use Google Analytics right?). Also using the excellent and free “Google WebMaster Tools” service (as with Google Analytics, you must use this for all your sites, it’s invaluable) it started to give a hint that suddenly bandwidth was going up. I was getting that deja vu feeling. Sure enough, checking the source again, there were about 500 hidden links this time. Pesky hackers! The reason my traffic had dropped was that Google had identified my site as being hacked and dumped me out of their index, and that was that.

In order to recover from the hack in both instances I was lucky, it simply required an upgrade to the latest version of WordPress (which over wrote the hacked files). Not doing this trivial activity as soon as upgrades become availabe is the reason most blogs get hacked in the first place. It works like this:

  1. WordPress discover (or are told about) a security vulnerability.
  2. WordPress fixes the security hole and issue an updated version.
  3. Hackers get the new code, compare it to the old code to see what’s changed, and so work out how to hack older versions.
  4. Hackers write a program to exploit the security hole and go looking for WordPress blogs that haven’t been updated yet, to crack open with a security exploit that they didn’t even bother to work out themselves. Simples.

Tip 1 then is: keep your WordPress install bang up to date if you want to keep it hack free. It’s a simple process to do with the automatic upgrade facility WordPress has. Though do use the built in backup tool (which just does the WordPress database), as well as ensuring your website host or cPanel admin is backing up the whole site too (which includes all the files you’ve uploaded, like images), just to be sure.

*** WARNING: Now for the science bit. If you’re at all unsure what you’re doing DON’T DO IT. I’m not responsible if you make things worse by following and advice here without understanding the consequences. This article is a guide only, not an instruction manual with guarantee. There are many places on the web you can recruit a competent WordPress dude to help you for a modest fee; do that if you unsure. I’m afraid I simply do not have the time to help you out if you get stuck. ***

If you have been the victim of a hack though, it’s important to take some other steps to make sure the hacker hasn’t left another doorway into your blog:

  1. Check the WordPress Users list, specifically you are looking for other admin accounts that you haven’t created. Delete them if you find them.
  2. Check your hosts ftp accounts (e.g. in cPanel) to make sure an ftp account hasn’t been setup for the hacker. Watch out if you find one, when you delete it DON’T click the option to also delete the ftp accounts files, you will likely delete your entire blog. I know, I did this once by accident!
  3. Check the MySql database users (usually via the hosting program: phpMyAdmin) to again see if there are extra accounts here.

If however your site has been hacked badly and defaced for example and files are missing or the blog is not working, then a full restore from back is in order (you are backing up, right?). This is the fastest way I’ve found of restoring from backup, but it’s a bit scary if you’ve never done it before and you need to be sure you have a full WordPress database and full site (file) backup. If you aren’t completely confident that you know what you’re doing, you’re better off paying an expert to do it for you:

  1. Use cPanel’s Fantastico to remove the WordPress installation. This removes all the files and database!
  2. Use cPanel’s Fantastico to re-install WordPress. This creates a new clean database. (In new versions of WordPress you get to pick the administrator username. DON’T use “Admin”, use something else. This adds an extra layer of protection.)
  3. Login to WordPress and update it to the latest version (which should match your backup’s version if you’ve been backing up properly).
  4. Using an ftp client, find the file called wp-config.php and copy it to your local hard disk. This file contains the login credentials for WordPress to access the database.
  5. Use phpMyAdmin to “drop” all the tables in the WordPress database (don’t delete the whole database, just remove everything it contains).
  6. Use phpMyAdmin to do a restore of the WordPress database from your backup, which will recreate all the tables and the content.
  7. Again using an ftp client, copy over the new installation’s files with the files from your site backup.

That process has so far (touch wood) never failed to put my blog back to the state of my last backup. It also has solved other common WordPress problems like the infamous Blank Screen of Death and the truly terrible Internal Server Error 500 but I sincerely hope you never have to use it!

{ 0 comments… add one }

Leave a Comment