Recently we have had to help a few clients with sites that had their WordPress installations hacked into and re-purposed for black hat uses.

In some cases the hacks were very obvious – the home page had been overwritten and it was announced that the site had been hacked.

But in 2 cases the hacks were more subtle and difficult to find. So this is what we found in these 2 cases and how we dealt with it:

In the first case, someone had figured out a way to log in and reset the user_activation_key field in the WordPress database.  In case you don’t know, this is a field used when someone needs to reset their password.

What the hacker was doing was manually populating that field with an activation key and then using that key to log in to the site to take control of it.

It didn’t take too long to find out what was happening and once we cleared that field in the database the hacking stopped.

The second was a little more nefarious and harder to find and stop.

We had a client whose site would magically show links to payday sites – but they would only exist for a few minutes then disappear.

At first we weren’t sure what was going on.  The site’s traffic was improving, as were rankings, for quite a few months.  Then all of a sudden they started to drop – quite drastically.  The site went from all first page rankings to all 3rd page and lower in a matter of days.

We weren’t sure what was going on, so the first thing we did was take a look at backlinks to the site – see if there was something there we missed.  But nothing appeared out of the ordinary.

So we started logging changes to the site to see if we could find out if it was something site specific (i.e. the site going offline for any time period) and that’s when we found the site was being changed.

Using a third party site monitoring software, we selected the option to monitor for changes.  When the emails first started rolling in and we reviewed the logs we noticed the new links.  They would appear near the top of the HTML code, but in some cases weren’t visible on the website.  However the text only view of the log showed us the new links hiding behind a slider image on the home page.  Yet when we went to view the live site we noticed the links weren’t there.

We made some changes to security assuming someone had accessed the site backend, so forced a password refresh on the 3 site users.  We thought we had solved the issue when it happened again a few days later.

We then assumed that somehow there was a fault in the plugin so we began to review the plugin templates.  Sure enough we found some code in there that shouldn’t be there and removed it.

The site was fine for a couple weeks – no more payday loan links appeared.

But then another email came in – this time the links appeared on the left side of the page around the navigation area.

This one had us stumped because they were the same types of links – payday loans etc, but they weren’t in the slider (which we had replaced with a different one).  And since we had been monitoring all activity on the site we knew no one had hacked in and we knew no one had logged in with one of the user accounts who wasn’t supposed to.

In other words the site was functioning normally as it should and the security plugins we had installed were doing their job.

But again, by the time we looked at the live site the links were gone.  We reviewed the navigation templates as well as the other page templates but found no code out of the ordinary.

Then again, 3 days later it happened – the links came back.  We were able to review the live site and sure enough there the links were.  We quickly logged into the WordPress installation and headed over to the template editor, but no weird code there.

Of course as all of this is happening, rankings and traffic are continuing to drop.

We started reviewing plugins then – to see if one of them had been exploited but we found nothing out of the ordinary.

This happened a couple more times until we realized the code was in the “functions.php” WordPress file.

Right at the top was a whole bunch of code that shouldn’t have been there that started with:

wp_function_initialize = create_function

followed by:


And a bunch of what appeared to be random characters.  So we removed this code from the functions.php page.
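
One way to look for code like this across a theme's files, as an added example that is not from the original post: it flags lines that call create_function or similar string-to-code PHP functions, and lines carrying long high-entropy string literals. The function list, the 80-character and 4.5-bit thresholds, and the sample file contents are assumptions chosen for illustration.

```python
import math
import random
import re
import string
from collections import Counter
from pathlib import Path

# Functions that build or run code from strings; rare in legitimate theme code.
SUSPICIOUS_CALLS = re.compile(
    r"\b(create_function|eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Quoted literals of 80+ characters with no spaces: candidate encoded payloads.
LONG_LITERAL = re.compile(r"""(['"])([^'"\\\s]{80,})\1""")


def shannon_entropy(text):
    """Bits per character; encoded blobs score higher than code or prose."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_php(source, threshold=4.5):
    """Return (line_number, reason) findings for the text of one PHP file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SUSPICIOUS_CALLS.finditer(line):
            findings.append((lineno, "call to " + m.group(1).lower()))
        for m in LONG_LITERAL.finditer(line):
            if shannon_entropy(m.group(2)) >= threshold:
                findings.append((lineno, "long high-entropy string literal"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; map path -> findings, skipping clean files."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: a harmless shuffled alphabet stands in for the random characters.
_alphabet = list((string.ascii_letters + string.digits + "+/") * 2)
random.Random(0).shuffle(_alphabet)
SAMPLE = ("<?php\n$wp_function_initialize = create_function('$a', '"
          + "".join(_alphabet) + "');\nadd_action('init', 'mytheme_setup');\n")

if __name__ == "__main__":
    for lineno, reason in scan_php(SAMPLE):
        print(f"functions.php:{lineno}: {reason}")
```

Pointing scan_tree at the wp-content directory covers themes and plugins in one pass; every finding still needs a manual look, since some legitimate plugins use these functions.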

It has been over a week now and the links haven’t returned nor has there been any other odd activity on the site.  Traffic hasn’t picked up yet but rankings appear to have stopped dropping.

We believe now that we’ve taken care of this issue it will take a few crawl cycles for Google and other engines to realize that the links to payday sites are gone for good and will begin to return the site’s rankings.  Traffic will follow after that.

Takeaways from this:

First, a vanilla install of WordPress is not secure enough even for basic attacks.  Since we started down this path, we have installed a security plugin as one of the plugins on the site – even if it is development and not live yet.  That is because we’ve seen sites as new as 7 minutes get probed by outside sources.

Think of that for a minute – a BRAND NEW site on a new domain and within 7 minutes of WordPress being installed someone was actively looking for flaws in WordPress.

Don’t get us wrong – we aren’t saying WordPress is faulty.  After all it is the most used CMS system out there and that’s why hackers are so active.  To look at it another way – why are there more computer viruses that go after Windows than Linux?  Because there are way more Windows based computers than Linux computer users out there.

So the first take away from this is to install some sort of security plugin.  If you can you should also password protect your wp-admin folder.  This adds an extra layer of security as you need to use 2 usernames and passwords to log into the WordPress admin area.

We use the “Better WP Security” plugin.  It has lots of configuration options and so far has been very effective.  A warning though, sometimes the information it provides can be overwhelming. You just need to figure out what your comfort zone is with this plugin should you choose to use it.

Second, sign up for one of the multitude of free website monitoring services out there.  Some sites send emails, some text messages – and they will instantly let you know if something has changed with your site.

Don’t rely on Google Webmaster Tools to do this for you – it will only tell you if they’ve had problems crawling the site.  Use a service that will tell you when something has been changed.

If you do get an email or text from the site, first review the changes to see what they are.  This is because some changes are normal.

For example, on one site we monitor, commenting on blog posts is turned off after 48 hours.  So we get emails daily where the only changes to text were about the commenting options on the blog post.  This is expected so we don’t worry about them.

Where you should be concerned is if you see changes that you don’t expect (as was the case with “payday loan” text and links being added).  If you get emails like this, drop everything and see if you can fix it!  Because this is a serious breach that could lead to even worse things happening on your website.
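
The distinction between expected and unexpected changes can be automated by comparing the outbound links in two snapshots of a page instead of its full text. The following is an added example, not part of the original post or of any monitoring service: it reads links from the raw HTML, so links that are not visible in the browser are still counted. The host names and both snapshots are constructed, and fetching the live page is left to whatever tool saves the snapshots.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect href targets from the raw markup, visible on the page or not."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def external_hosts(html, site_host):
    """Hosts linked from the page, excluding the site itself and relative links."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = {(urlparse(h).hostname or "").lower() for h in parser.hrefs}
    return {h for h in hosts
            if h and h != site_host and not h.endswith("." + site_host)}


def new_external_hosts(baseline_html, current_html, site_host, allowed=()):
    """Hosts linked in the current snapshot but absent from baseline and allowlist."""
    known = external_hosts(baseline_html, site_host) | set(allowed)
    return sorted(external_hosts(current_html, site_host) - known)


# Constructed snapshots: the comment notice changes (expected) and one link is new.
BASELINE = """<div id="slider"><img src="/img/slide1.jpg"></div>
<a href="/about/">About</a> <a href="https://www.example.com/blog/">Blog</a>
<a href="https://partner.example.org/">Partner</a>
<p>Comments are open.</p>"""
CURRENT = """<div id="slider"><a href="http://loans.example.net/payday">payday loans</a>
<img src="/img/slide1.jpg"></div>
<a href="/about/">About</a> <a href="https://www.example.com/blog/">Blog</a>
<a href="https://partner.example.org/">Partner</a>
<p>Comments are closed.</p>"""

if __name__ == "__main__":
    print(new_external_hosts(BASELINE, CURRENT, "www.example.com"))
```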

Third, keep your WordPress installation and plugins and themes up-to-date.  This is because new exploits are discovered on a daily basis.  By keeping your system updated you lower the risk of being hacked in the first place.

Finally, schedule regular backups.  This is because if your site is somehow compromised it isn’t the end of the world.  While it’s not an ideal situation, if you need to you can always restore the backup or reinstall WordPress.

We have had to do this in the past – as long as you have your theme customizations safely stored somewhere and have a current database backup you can have your site back up and running in ½ hour or less.

Plus, if you need to move hosts it is much easier to restore the site from a backup than having to recreate it on the new host.