This site recently fell victim to a hack, whereby someone managed to inject some malicious code which went on to mess with large parts of my wordpress installation. The code served to redirect visitors to sites that looked innocuous enough, but contained malware.

Thankfully, I caught it very fast and the malware was pretty out of date, so my computer identified it immediately, quarantined it and then trashed it.

Unfortunately, it took me a long time to get rid of the infection. I spent all of last night working on the site, trying to figure out where the remaining parts of the malware were.

Eventually, the only solution that provided me with some confidence that the site was clean was to roll back everything to the way the site was over a week ago, including the database.

How Can You Tell You’ve Been Hacked?

If you’ve been hacked, either your website has been defaced, or more likely repurposed to serve someone else’s goals, and it will be pretty obvious that this has happened.

  • The content won’t be your content
  • There will be links to sites you don’t recognize
  • Your site will automatically redirect people to another site without asking them first

In my case it was the unwanted redirect – my homepage would appear very briefly and then a sequence of redirects would lead people to another site that tried to use a couple of old exploits to put malware on the computer.

In other cases, a hack might be less obvious. In this case the hacker is trying to keep the compromised site alive and ignorant of the problem for as long as possible.

They do this by either burying the altered content somewhere you won’t find it, or by using code to exclude you, search engines and indexes for the compromised content. When you log in, everything seems fine. When Google indexes your site, it looks normal. When one of your users visits the site, it suddenly looks very different.

Buried content can use your website to push another website up the google rankings by polluting your content with links to an unrelated URL. This means the other site benefits from your search engine reputation, but you don’t realize you’re being used in this way.

How Does A Hack Work?

The WordPress installation is so huge there are almost limitless places for malignant code to hide. Typically, however, code hides in a few favourite places because that’s where it’s easiest to put it.

The Core WordPress Files

Malignant code often resides in the core wordpress “.php” files that are executed on every page. For example:

  • config.php
  • index.php
  • header.php
  • footer.php

The code will be obfuscated, which means it’s been made unreadable so you can’t figure out what it does.

It might look like this

@include “\057ho\155e/\164es\154ab\145t/\141br\141ha\155ti\160s...

or like this

@require "\154ab\145t/\141br\141ha\155ti\160s\057ho\155e/\164es...

These instructions are instructing PHP to fetch and execute a PHP file from elsewhere on your site. That file will contain much more obfuscated code that will then seek to compromise your system further. The gibberish after “include” or “require” is a way of expressing characters using escape codes that makes them hard to read. You can de-obfuscate them with a PHP de-obfuscator such as unphp.net to see what files they point to in your system. Often the PHP they’re including is hidden in a file that’s masquerading as an image.

Your Javascript Files

A favourite place for malignant code to attach itself is the beginning of Javascript files. This is an easy place for the code to inject itself once some part of the virus has write access to your website.

In this case, a large chunk of obfuscated javascript will appear at the top of your javacsript files, and often it infects every single javascript file in your system.

Look for a long piece of illegible javascript at the top of a javascript file.

htaccess Files

There are files on your server called “.htaccess”, and these contain rules that are applied by the web server when it’s serving up your website. These rules include useful things like rewrite rules that make the URLs of your articles look neat and tidy, or access rules that control access to directories with passwords.

Unfortunately, they can also contain rules that redirect certain visitors to others sites, and you the administrator will be none the wiser if the hacker has carefully excluded you (or perhaps all administrators) from the rule.

.htaccess files are a favourite target for hackers.

Database entries

Most of your wordpress blog exists as database entries.

A website hack often compromises the database because then, even if you are careful enough to clean all of your php files, when the compromised code is run from the database, your entire site is recompromised.

Virus is the appropriate term for this kind of hack, because if you don’t eradicate every last trace of it, it comes back.

In this case, template entires in the database are often targeted as these are “EVAL”ed, which means they are executed as code, often with administrator access.

If someone compromises your database, they own your site.

What Did I Do About It?

I spent the better part of 2 hours erasing bits of virus here and there where I found it. Then I realized that when I checked my site by loading the front page, the bits I’d deleted reappeared.

That’s when I realized the hack was more serious than a bit of script to redirect visitors away. The code was designed to reinstall any bit of itself I deleted as soon as any part of it was run again.

I was finding bits of malignant code in my javascript files, in my PHP files, embedded in fake image files. Large chunks of obfuscated and illegible code were appearing all over my website.

An HTML file appeared in my home directory with an obscure name, containing the password to my database in clear text – clearly the database was compromised also.

I downloaded the database to my harddisk and started looking through it in a text browser, and quickly came to the conclusion that I could never be sure I’d rooted out every last part of the hack, and I would always be at risk of it coming back.

I couldn’t install any new plugins because any attempt to go to the administrator panel redirected me to some fake blog about travel insurance that tried (and failed) to install a virus on my computer.

So I logged into my hosting provider control panel and rolled back all my files and my database 10 days. Then I cleared my browser cache and related cookies. I lost almost 2 weeks of content, but my website was suddenly back up and running.

I then disabled and deleted any plugins that weren’t essential, changed my admin and my database passwords, installed both WordFence and Sucuri and took a local backup of my entire site.

I went to bed at 2am, frustrated and angry at the crazy loss of time.

What Should You Do?

Before you get hacked, please do the following things :

  • Make sure your hosting provider takes regular backups of your database and files, and that you can roll your website back to a previous backup with ease.
  • If for some reason they can’t or won’t do that, find a way to take a local back up of your own website and database and start doing it regularly.
  • Pick one of the security plugins (or more) and install it, to improve the chances of catching anyh infection early. The earlier to notice you’ve been compromised, the less damage you’ll do to your visitors and to your reputation.
  • Make sure the wordpress files have appropriate permissions (655, for example) to ensure no-one can write to them. Make sure any files with configuration data (passwords or logins) cannot be viewed, downloaded or modified by outsiders.
  • Make sure all your passwords are strong. Make sure you understand what a strong password is. For example, T&M0ThY is not a strong password, but vantagepoint4412giftedmouse is a strong password. Most advice on passwords is wrong, so read up a little on what a strong password really looks like before picking a word with a number tacked onto the end.
Strip taken from xkcd, of which I am a huge fan
  • There are multiple points of entry to your website – the database, wordpress vulnerabilities, plugin vulnerabilities, your ftp server, your web hosting provider access… and I’m only naming the obvious ones. Each of these has a password. They should all be different, and they should all be impossible to guess. If your blog is a bit like a job, having strong passwords is part of that job.
  • Since you can never be 100% safe, you should keep an eye out. The plugins above will help, but you should never leave your website unattended for a week at a time. You should be taking a look at the front page, preferably from an unknown IP address, every once in a while, just to see what it looks like from the outside. If a popup you didn’t install happens, or it reidrects to another website, or there’s content you don’t recognize, you’ve been hacked. Deal with it quickly.