On Christmas Eve 2009 all of my websites were attacked. I have two hosting accounts with GoDaddy and all of my wordpress sites on both accounts were down. In addition two business partner’s of mine who have their own unique hosting accounts (one with GoDaddy and the other with HostMonster) also had all of their wordpress sites go down at the same time.
After almost a full month of work I have finally managed to clean my server completely of any and all malware and to rebuild my sites with MASSIVE increased security way above and beyond the standard WordPress stock installation. Knowing that I was not the only one to be attacked and that there will yet be many more people in the future I would like to outline some suggestions of both how you can prevent these types of attacks in the future and how to clean out the malware on your site if you have already been infected.
I recently purchased the “Lock Your Blog” Program from Alex Sysoef who is a WordPress Genius! The DVD is free if you pay the requested $9 shipping. In addition to having the DVD shipped to your home, you can also access the videos on his site after you pay the shipping fee. I highly encourage anyone concerned with WordPress Security to follow this link and purchase his program and go through it step by step. Just the same I will outline some of the highlights here:
PREVENTATIVE WordPress SECURITY: Keep me safe!
You have to understand that wordpress is so widely used by so many people online that it becomes a primary target for hackers. While I assume that you have already installed WordPress on your server, preventative security starts with the install process. Changing the default table prefixes and WordPress user keys is essential to protecting your site from intruders. Check out www.expertwordpress.com for a custom version of wordpress that eliminates these stock security loop-holes.
If you have already installed WordPress download and install the WP Security Scan plugin. By activating and running this plugin you will be able to determine which of the basic loop-holes you have. This plugin has a few tools that may be helpful in closing your site down from future attacks also.
Install the plugin Secure WP which will change some of the default codes in the background of your WordPress that otherwise leave you exposed including hiding the version of WordPress you are using.
Install the plugin Limit Login Attempts. The default settings are good enough but you may choose to enable to notification setting so you can receive and email when anyone tries to login more than 4 times unsuccessfully.
Install the plugin WP-DB-Backup and configure it to email you a daily or weekly backup of all your WordPress databases. This will help you restore your site should it be compromised.
Keep all your plugins and core WordPress updated. Developers update their plugins regularly to close security gaps and fix bugs that could otherwise leave you exposed. Visit the tools menu of your blog as often as possible to run all available updates.
Configure and install the Akismet plugin to automatically quarantine spam comments. Set it up to auto-delete comments after 30 days.
RECOVERY: I’ve already been hacked!
Bad news huh? Your site has already been compromised and now you need to clean it out and get it back online.
- Contact your hosting provider and let them know you think you have been attacked. Ask them to verify that your databases are still clean of any malware. Most hosting providers do not have the resources to automatically scan and clean all of your files at any given time but they do monitor your databases and can scan them with relative ease. They may also have other suggestions to help you clean your site.
- Via your FTP client software (e.g. Filezilla) delete all your themes that you are not using. Also delete any other files that you aren’t concerned with keeping. This will speed up the time you will spend cleaning through files.
- Setup an account with Google Webmaster Tools and setup and verify your site. If Google has crawled your site recently and found any malware it will display a warning in your Google Webmaster Tools account and walk you through locating and deleting the malware. After you clean your site you will also come back here to request a new crawling to verify that your site is no longer infected.
- Also check with http://stopbadware.org/ to see if your site has been registered. They also have a lot of good tips (non wordpress specific) to cleaning your site.
Ok, now for the WordPress Security specific things you have to do. To be perfectly honest if you have been compromised then there is most likely malware code in almost every php file on your server. It spreads quickly and hides in very unique places. This essentially means you have to delete everything and start over. This means the process of cleaning malware from your wordpress site basically includes backing up all the non-replaceable files, and starting afresh. The only way to do that without losing all your content will be to purchase a new hosting account and rebuild your site almost from scratch. This will be 100% less time consuming and more secure in the long run than it would be to attempt the manual scan of every file on your server. Here is a step by step solution that should help you complete this process.
- Just in case we fail in duplicating your site we want to create a full backup of all blog in case we have to revert back to it eventually. Do this by installing the wp-db-backup plugin and performing a backup of your databases.
- After you verify with your hosting provider that your databases are clean from any malware navigate to your tools menu and select the “Export” option. Export content from all the authors. This is the process of saving all of your posts, pages, and comments. The file needs to be less than 2MB.
- On the new hosting account install a new version of WordPress. I suggest doing a custom install utilizing the suggestions on www.expertwordpress.com. The stock version of WordPress has far too many WordPress security holes and we want to install a custom version that will avoid the common issues from the beginning.
- Follow the steps listed in the “Preventative Security” section above to secure your blog against future attacks.
- Search out, download, install, and activate a fresh copy of the theme you are currently using on your blog.
- In the Tools menu perform a WordPress Import of the XML file we saved in step 3. You should now have all your old content on your new blog as well as have the same general look.
- Make a list of all the plugins you used in your old blog and install fresh versions of each on your new blog. Double check all the settings and configurations to make sure they are the same.
- Copy the content of each of your widgets under the Appearance menu to your new site. As long as you are copying and pasting the content from within the WordPress appearance menu you will NOT have to worry about inadvertently copying over any malware code.
- Custom theme changes. By now your site should be almost 100% duplicated. The only things left to do will be to make the subtle changes that you made to customize your theme. Since these can vary in a billion ways I can’t provide instructions here but whoever helped you customize your theme last time can certainly help you do it again!
Now that you have rebuilt your site from scratch you should be safe from any potential future threats. Make sure all of your passwords including Database, Hosting Account, and WordPress passwords rank high in the password quality scale including at least one number and upper case and lower case letters.
Jacob S Paulsen