Recovering from a site hack
How I revived my site after it was hacked and blacklisted by Google
It happens when you least expect it. Everything’s chugging along nicely and WHAM! Your site’s been hacked. It happens to the best of us. And it happened to me on New Year’s Day.
Yes, while everyone else was recovering from a glorious night out partying, I was in front of my computer screen. Sifting through the logs and discovering the impact of the hack.
DISASTER! My site’s IP had been blacklisted. Which meant my site, along with other sites on the shared host using the same IP was marked as spam. Blacklisted IPs bring a multitude of problems, bounced emails, drop in Search Engine Rank, visitors getting a big red warning when trying to access my site.
Not the best way to kick off a new year but whatever doesn’t kill you makes you strong eventually eh?
Fortunately, I was able to sift through the files, identify the cause of the problem, find the hack, remove it and get the IP off the blacklist.
In this post, I will try to dissect how that site was hacked, as well as the step by step process I used to clean up my site. If however, sifting through lines of code isn’t your idea of a great way to spend the day, fret not. I will also list several great plugins (yes this is a WordPress leaning site) which can do the job.
Site Hacked? How?
How did they gain access to your site? It varies. It may be as simple as having a weak password that is easily guessed or cracked. Or something more complex. Perhaps not having a firewall or security plugin installed.
Another common question is why your site was hacked? My site which was hacked was a site I had set up for a local support group I created back in 2006 on a shared host. The site was rarely in use, and I had last updated it sometime in 2010. I was running an outdated version of WordPress with all the vulnerabilities unpatched and ripe for the picking. I know, not the most responsible thing to do. But it happened, and I’m documenting it here in the hopes that someone else learns from my mistakes.
Not only that, I didn’t take many special security precautions. Zero security plugins, no attempts to limit logins to only my IP address or the number of attempts. Yes, this was the proverbial low hanging fruit for any aspiring hacker. In fact, the only thing I did right was chosen a username that wasn’t “admin” and set a somewhat secure password.
It could have been worse, this site was on a development server, with no other sites to corrupt.
Shared hosting comes with the same danger, one weak link on the shared server and all the sites could be compromised. The same goes for VPS.
Shoulda Coulda Woulda
Prevention is always better than administering a cure, and here are some simple things you can do to keep your WordPress site secure.
- Keep WordPress, scripts, themes and plugins updated
- Choose themes and plugins from a trusted source
- Host your site with a trusted provider
- Get a dedicated server where possible
- Use a secure password with high entropy and change the default username
- Regularly backup your entire site, including your files and the database.
Ever wonder why there are so many sites providing “free downloads” of paid plugins and themes? More often than not, whoever is providing them has added a pretty malicious piece of code to the plugin/theme you’ve downloaded. And while it may have all the features of the original plugin. These free downloads pack a nasty surprise, the valiant Robin Hoods, while giving to the poor, have constructed a backdoor on your site once it’s been installed.
They’ve essentially created an additional door right to the very core of your site. The added files often masquerade as seemingly benign WordPress core files. One may gloss over php5.php or users-wp.php or something similar, but these can be portals directly into your site’s admin/backend.
You may also notice that emails you try to send that originate from your server get bounced back to you with a basic SMTP 550 error message.
Sometimes you may get a more detailed explanation of what the issue is depending on the email’s server you’re trying to reach. The returned message may list the link to the website that blacklisted your site or IP address.
You’re searching for a dentist in your area, and you notice some listings come up with weird text about prescription drugs. Why would a dentist be selling drugs like Viagra or Cialis? You click the link, and you’re redirected to some dodgy “online pharmacy” guaranteeing worldwide delivery without the prescription.
These pharmaceutical hacks, alongside knock-off watches, purses and shades are usually done via injecting a line of code into the headers, and the redirects possibly via the .htaccess file. Not only are these hacks utilising your hosting account for storage and bandwidth. They also use the credibility of your brand (in Google’s eyes) to sell their brand.
Go to Google and type in site:yourdomain.com, except actually replace yourdomain.com with your own site’s URL and browse the results.
The indexed pages should only display titles and descriptions related to your site. Seeing links with a description or title relating to spammy content with your site linked to it is a confirmation your site is compromised.
Posting a link to your site from Facebook will also have Facebook crawl your site for the meta description (Title, description, preview image). Sometimes the more malicious hijackers would hijack all links, and the result would be spam appearing in the description or title of the link preview.
Back it up
Before you attempt any recovery, it’s best to backup your site. Backing up despite being hacked? Sure it sounds a little counter-intuitive. But You want to make sure you have something to roll back to in the event of data loss.
For WordPress sites, there are plenty of backup options available. Snapshot, BackupBuddy, and VaultPress.
Backed up, now what?
Here are some sites that provide free scans for hacked files:
- Unmask Parasites – Lets you know if your site has been hacked. This is a great first step in determining whether there’s a problem.
- Sucuri Site Check – A slightly more comprehensive scan than the previous link. Also, lets you know if your site has been blacklisted.
- Norton Safe Web – You can quickly find out if there are any threats associated with your site.
- Quttera – Scans your site for malware.
- VirusTotal – You can scan your site or IP address for common viruses, trojans, malware and the like. It uses over 50 different scanners to get more accurate results.
- Web Inspector – This scan checks to see if your site has been blacklisted, but also scans for backdoors, malware, trojans, viruses, phishing, suspicious code and more. A fairly detailed report is generated in about a minute or two.
- Malware Removal – Malware, virus, script injections, malicious redirects and more can be checked with this site scanner.
- Scan My Server – Scans for malware, SQL injections, XSS and more while also offering a detailed report, but an email address is required along with adding the provided backlink to your site to verify ownership. The report is emailed to you and takes about 24 hours.
In How to Clean Up a Hacked WordPress Site https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/ , Wordfence lists some great commands to use with SSH access to help you find malicious scripts and code.
Depending on where the offending code lies, you can manually flush it out:
A backdoor file created with only malicious scripts in it – Delete that file.
Malicious code found in a WordPress core or plugin file – Delete it and upload a fresh and clean copy of the file.
Malicious code found in a legitimate custom file – Remove the malicious code and save the file.
If you would rather bypass the daunting cleanup, you can restore your site from an unaffected backup, then update your site, plugins, themes and scripts, and increase your site’s security.
When you think you have located and removed all the malicious code, run through the sites again to make sure you didn’t miss anything. Once you’re confident you have fixed everything, it’s a good idea to contact your hosting provider.
You can let them know you were recently attacked, but you cleaned everything up and would like them to double check your site for additional vulnerabilities. They can help you verify the security of your site, but it’s also important to make them aware of the situation.
One list you do not want to be on Black
Once your site has been cleaned up, it’s time to address your IP address. Get the IP address of your site. http://www.yougetsignal.com/tools/web-sites-on-web-server/
Enter IP address into Spamhaus and Unmask Parasites.
I prefer to use Spamhaus as they also link you to the sites where you are blacklisted so that you can apply to get whitelisted.
https://www.spamhaus.org/query/ip/22.214.171.124 Simply replace the IP 126.96.36.199 with your server’s IP.
If your site is blacklisted, it will appear in red, and you can click on the link to go to that site to manually apply for the IP address to be reviewed and whitelisted.
You can usually apply in just a few clicks, and once your applications are submitted, it can take up to 48 hours for your site to be processed.
Most of the time, you won’t get notified once the process has completed. This means you need to create a manual Spamhaus search after waiting a while to see if your site has been placed on the safe list.
Keep in mind that you can often only apply to be removed from the blacklist once, so you need to be sure your site is clean and that you have completely resolved any threats. Otherwise, your site and IP address could risk being permanently blacklisted.
If you have been blacklisted by Google, the application process is a bit more involved and can take 12 to 24 hours to process. Luckily, they do have the instructions for requesting a review readily available.
Once your site and IP address have been reviewed and whitelisted, you’re done, right? Not exactly. There are still some critical steps left you need to take.