Hacked Blogs: Who Ya Gonna Call?

How many times have you seen the panicked tweets of people who’ve had their blogs hacked? Ever wondered what you should do if it happened to you? Today, I’m talking to an expert in dealing with hacked WordPress blogs, Michael VanDeMar. Listen, learn, and then be careful out there! :)

How He Knows

Donna: I know you have a popular blog post that describes how to completely clean your hacked WordPress installation. In fact, it’s even been linked to as a resource by WordPress themselves (twice) and by the well-known WordPress geek Lorelle VanFossen as well. My question is, how did you become so familiar with hacked WordPress blogs? How do you know how to clean one?

Michael: I went through a period a few years back where I was getting hacked every other month, and on multiple sites. Usually it was because I didn’t follow one of my bestest friend’s advice*, and would procrastinate on upgrading. As it is I learned by necessity how to quickly and effectively clean up a blog, and have used that knowledge to try and help others as well.

Protect Yourself

Donna: So, everyone agrees that the best way to prevent getting hacked is to keep WordPress upgraded to the latest version. What else should we all do in addition to that?

Michael: Up until the most recent versions of WordPress, every single version that was released wound up having relatively serious security holes in it. Now that WordPress itself seems to have plugged all of those, there are 2 main ways that a WordPress installation can get hacked:

1) Insecure hosting environment. Unfortunately this year some of the bigger names in hosting have had security issues, and almost always when they were discovered, it was WordPress that was attacked by the hackers, and in many cases unfairly blamed for the security holes. You should always investigate your host before buying a package: make sure not only that they are safe, but also check how they responded to problems in the past. Those that owned up to them and addressed the issue, instead of repeatedly issuing denials that anything was wrong, are probably the ones who take security more seriously.

2) A virus on a computer belonging to someone who has ftp access to the web server. Although this is more rare, it does happen. Certain FTP programs store their passwords in plain text, which means anyone who can read the files on the computer can see what those passwords are. If a person is using one of those programs, and their computer gets a virus, there are viruses that will read those passwords and ftp up malicious files to the host. The solution to this, aside from using strong virus protection (or switching from Windows to Linux), is to not store your passwords in your ftp program.

There are some plugins that can sometimes help catch certain types of hacks, and you yourself wrote a very handy script designed to check the last modified dates on files located on the server and alert you to any change, but unfortunately there are ways that hackers have found to get around most of those (although of course they still help in many situations).
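As an added illustration (not part of the interview, and not Donna's or Michael's own script): a small Python file-integrity check that records a SHA-256 hash alongside each file's modification time, so a changed file is still caught when its timestamp has been left untouched, which is exactly the case a last-modified-date check cannot see. The web root layout and file contents are constructed for the demo.

```python
import hashlib
import os
import pathlib
import tempfile


def build_baseline(root):
    """Map each file under root (POSIX relative path) to (sha256 hex, mtime in ns)."""
    baseline = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime_ns)
    return baseline


def compare(old, new):
    """Diff two baselines. 'stealthy' lists files whose content changed while the
    modification time stayed the same; a timestamp-only monitor misses those."""
    report = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": [],
        "stealthy": [],
    }
    for rel in sorted(old.keys() & new.keys()):
        if old[rel][0] != new[rel][0]:
            report["modified"].append(rel)
            if old[rel][1] == new[rel][1]:
                report["stealthy"].append(rel)
    return report


def demo():
    """Constructed sample: a tiny fake web root. After the baseline is taken, a theme
    file is altered with its timestamp restored and a new file is dropped."""
    with tempfile.TemporaryDirectory() as root:
        theme = pathlib.Path(root, "wp-content", "themes", "mytheme", "footer.php")
        theme.parent.mkdir(parents=True)
        theme.write_text("<?php wp_footer(); ?>\n")
        pathlib.Path(root, "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        before = build_baseline(root)

        stat = theme.stat()
        theme.write_text("<?php wp_footer(); /* injected */ ?>\n")
        os.utime(theme, ns=(stat.st_atime_ns, stat.st_mtime_ns))  # mtime stays as it was
        pathlib.Path(root, "wp-content", "uploads.php").write_text("<?php /* dropped */ ?>\n")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In practice the baseline is taken right after a clean install or cleanup and stored off the server, so an intruder who can edit files cannot also edit the record they are compared against.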

What About DIY?

Donna: I know you often clean hacked WordPress blogs as a service. In what situations would someone need to hire you to clean their hacked blogs? Can’t they just do it themselves?

Michael: Yes, many people can, and the guide I wrote was intended to be a DIY type of instruction manual for people to do just that. However, one of the main attractions of WordPress in the first place is that it allows people with almost no technical knowledge to be able to build and maintain their own websites. With one-click installation and built-in upgrade functionality, you don’t even have to know how to FTP files to your server to be able to have a WordPress blog. Cleaning a blog (at least, cleaning one properly) involves actually going into the SQL and looking inside the PHP files themselves. For many people that is unfamiliar territory that they would rather leave to a professional. Plus, getting hacked is scary. Some people who might even have some basic web development knowledge feel better having someone who is more familiar with the ins and outs of dehacking a website handle the job.

Back Door Access

Donna: Ok, I’ve actually been asked this question a few times, so I thought I’d let you answer it here. If I do get hacked, can’t I just upgrade my blog and everything will be ok?

Michael: Unfortunately in most cases that will not help the situation. When hackers get into a WordPress installation they usually modify more than just the core WordPress files, which are the only thing that gets overwritten when someone performs an upgrade. Theme files and plugins will get extra code injected into them, whole new pages that act as back doors to the site will get added, and the database will have malicious code inserted into it. The only surefire way to make sure that everything is good is to start with a blank slate, and rebuild the files, retaining and carefully scanning only those files that cannot be gotten from fresh, clean sources.

Do The Happy Dance

Donna: Do you do a little dance when satisfied clients tweet how great you are?

Michael: Yes. :)

It’s Not Your Momma’s Cleaning Service

Donna: Tell us about your hacked blog cleaning service and how someone should get in touch with you if they need to hire you.

Michael: If someone does have issues with cleaning their blog, or has hired someone else to do it but still keeps getting hacked, I am available for hire to do cleanups. When I do perform cleanups myself, in most cases they are complete wipe and reinstalls, as I suggest doing in my guide, retaining only those elements that can’t be replaced with fresh downloads (the uploads folder, customizations to a theme, and the database). For all of the elements of a hacked site that I do retain, I carefully scan them by hand and then put the blog back together in its original condition. There are many, many places that hackers can hide malicious code in your installation, and none of the automated or scripted solutions out there will find them all. When I scan by hand, I don’t just look for specific lines of code, I look for broad matching patterns in all of the places where back doors and virus droppers can be hidden. I have written some tools to help me with this, so I can be both thorough and relatively quick at the same time, but I still need to visually examine the results to be able to determine what is malicious versus what is simply suspicious.

I actually finally added a contact form on my blog. If anyone is interested in my services, the contact form on my blog is the best way to get in touch with me.
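As an added example, and not one of the tools Michael describes: a scoring scan over retained PHP files (theme customizations, the uploads folder) for the broad obfuscation and back-door patterns rather than exact lines. The indicator list, the weights and the three sample files are constructed; the scores only rank files for the visual inspection that still decides malicious versus merely suspicious.

```python
import pathlib
import re

# Weighted indicators. No single one proves compromise (themes decode base64 images,
# plugins read $_POST), so each file gets a score and anything at or above the
# threshold is queued for a human to look at.
INDICATORS = [
    (r"\beval\s*\(", 3, "eval()"),
    (r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2, "decoder call"),
    (r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", 3, "command execution"),
    (r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", 1, "request input"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/\w*e\w*['\"]", 3, "preg_replace /e modifier"),
    (r"['\"][A-Za-z0-9+/=]{60,}['\"]", 1, "long opaque string"),
    (r"(?:\\x[0-9a-fA-F]{2}){8,}", 2, "hex-escaped string"),
]


def scan_source(src):
    """Return (score, hits) for one PHP source text; a hit is (line, label, weight)."""
    hits = []
    for pattern, weight, label in INDICATORS:
        for m in re.finditer(pattern, src):
            hits.append((src.count("\n", 0, m.start()) + 1, label, weight))
    return sum(h[2] for h in hits), sorted(hits)


def scan_tree(root, threshold=4, exts=(".php", ".inc", ".phtml")):
    """Yield (path, score, hits) for PHP-like files under root at or above threshold."""
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            score, hits = scan_source(path.read_text(errors="replace"))
            if score >= threshold:
                yield str(path), score, hits


# Constructed stand-ins for files retained from a hacked site.
PNG_1X1 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
SAMPLES = {
    "footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
    "header.php": "<?php $logo = base64_decode('" + PNG_1X1 + "'); ?>\n",  # suspicious but legitimate
    "uploads/cache.php": "<?php\n@eval(gzinflate(base64_decode('cGxhY2Vob2xkZXI=')));\n",  # placeholder payload
}


def demo(threshold=4):
    """Score the constructed samples; returns {name: (score, needs_review)}."""
    return {name: (scan_source(src)[0], scan_source(src)[0] >= threshold)
            for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, (score, flag) in demo().items():
        print(f"{'REVIEW' if flag else 'ok    '} {score:2d} {name}")
```

header.php scores below the threshold and cache.php above it, but the ranking is a triage aid: a reviewer still opens both, because a real injection can be spread thin enough to stay under any fixed score.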

Care To Share?

Donna: Is there anything else you want to share with us? About WordPress hacked blogs or the meaning of life, even?

Michael: I can’t think of anything for this one. :)

Disclaimer

Donna: Disclaimer: Michael is my best buddy, so yeah, that may make me favor him, but what it really means is that I know his work. I’ve seen firsthand, many times over, how he painstakingly makes sure he misses nothing. He spends much more time being careful to ensure that every single detail is handled than anyone I’ve ever met. So if I tend to favor his work, it’s not just because he’s my best buddy – it’s because I know my best buddy’s work so well. That, I believe, is the best kind of endorsement.

* “bestest friend” = me. Why does my advice go unheeded so often, and for so long? Don’t answer that!



12 Responses to “Hacked Blogs: Who Ya Gonna Call?”

  1. Justin Germino (2 comments) says:

    I wrote an article about how to clean up your WordPress blog after it has been hacked, as I have seen some blogs pretty abused by malicious code injection.

    It isn’t just WordPress security vulnerabilities, most of the time the hosting provider itself has a security loophole or vulnerability. Also file permissions on all of your php files and folders are critical, and you need to use wp-security scan among some others to make sure your permissions are right.

    Disabling directory indexing is another really critical one; edit your .htaccess file and add Options -Indexes to remove this.

    Making sure you have backups of your site often is key to restoring to a good point if your SQL DB contains damaging data.

    • Donna (585 comments) says:

      Right, Justin, you mentioned that the provider often has a loophole, and that was the first main way Michael mentioned – insecure hosting environment. I completely agree about backing up. I’m a backup freak, and I’m constantly reminding people to backup, backup, backup. The plugin, WP-DB-Backup, available here: http://wordpress.org/extend/plugins/wp-db-backup/ is the best way to make sure you always have a backup. I tell it to backup every single day, and email the backup to a gmail account. This way, gmail will always have plenty of past backups available at all times.

  2. Mike (11 comments) says:

    Hi Donna,

    Your article is definitely the best article I have read today. I wasn’t even aware there was a service to clean and recover a blog in an emergency. Now I will write down your friend’s contact form address so I can contact him when I need his service :)

  3. Cindy (12 comments) says:

    Great post, Donna! You know what I just learned recently: adding ‘style’ attributes inside your post editor can welcome malicious trojans on your blog... found this out while making my blog feed work.

  4. Laura Davis (10 comments) says:

    Whew… I haven’t had this happen to me yet and I hope it doesn’t happen anytime soon! Scary! But thanks for the great advice. If this ever does happen, I’ll be sure to come back to this post to review all the information again :)

  5. Stephanie Suesan Smith (21 comments) says:

    Does backing up with the CP panel not suffice, or do I need to email the backup to myself with the plugin?

    • Donna (585 comments) says:

      That all depends, Stephanie. Are you backing up both the files AND the database via cPanel? If so, that’s sufficient – if and ONLY IF you remember to do so on a regular basis.

      The beauty of the plugin is that it’s automated, and doesn’t rely upon your memory.

  6. Rick Adams (1 comments) says:

    Six of my blogs have been compromised this year. Some of them were folder permissions being changed unknowingly with my FTP software, and the others were through various other insecurities.

    While I could probably figure things out myself or just upload a backup, I usually have my hosting provider take care of it. They don’t charge me for it (I use Hostgator), and it’s usually fixed within a couple of hours.

    The downside to uploading a backup (if you upload a full backup, which you should), is that you’ll lose any new database activity (posts, comments, etc) and may lose some website statistics that were added since your last backup.

    Being hacked is one of the downsides of using popular software (or having a popular website), but fortunately there are a lot of ways to fix the issue should it happen to you.

    • Michael VanDeMar (3 comments) says:

      Rick, one of the issues with restoring from a backup is that oftentimes these hacks can sit for months at a time with no symptoms, and they have back doors embedded in the code. When you put back the old site there is usually a very good chance that you are putting the back door right back in place along with it.

Trackbacks/Pingbacks

  1. [...] someone who hacks my code or something. It’s easier to delete a comment than hire someone to fix a hacked blog – probably a thousand times less stressful [...]
