
I have a story for you. Last Sunday I was working on project Action for Goodwin Social Media. I had just finished a small project and was uploading it to my host when I saw an odd directory.

This directory was coap. I had never heard of it before. I thought maybe my web host was adding a new feature. I thought it a bit weird but didn’t put too much into it. That is, till I saw the file config.php.suspended. Now, this was very strange and I started hearing warning bells going off in my head.

All of this isn’t good. I did a search through my hosted files and the .suspended extension started popping up all over the place. I started to worry that I might have been compromised, so I looked in the directories for the other domains and sure enough, there were signs there too. There was a new user on each domain who had administrator privileges. This site’s traffic was actually flooding in. It then finally started to sink in. The horrible reality was that I had been hacked. Nice way to end my weekend.

I now have to worry about how some spazoid was able to access my sites. Was the security flaw with me or my host? I kept my plugins and site up to date. The fact that this putz was able to reach all of my domains meant that the breach was probably a server-side hack. In that case there is not much I can do other than alert the host about it, so that they can plug the hole.

I looked for clues to the hacking. I looked over at Google’s Webmaster Tools, or Search Console. Google was already aware of the hack. They saw there was an increase in 404 errors, and under Security they were saying that there was a URL injection script running. I did a search for my site and the worst information was tacked to my search result for Goodwin Social Media: “This site may be hacked.” If there ever was a bad Google result, this is it. Ouch!

How to fix it.

There are several ways you can fix a hacked site. You can restore a backup, and this is the best and easiest solution: a quick restore and the problem is fixed. The issue you may run into is that your host could charge for the convenience of the restore. It also depends on how old the backup is. If you post weekly and you haven’t backed up in 2 months, then you have 8 blog posts to re-upload. You will also lose any other changes that you may have made to your site.

If for whatever reason you can’t use a backup you may have to do a little more work.

Look at your users

This isn’t to say that your other users are at fault. It is to say that you may find a new administrator listed. Often the hacker will try to disguise the account as an official-sounding script that needs admin permissions. One, plugins don’t need a user account with admin permission. Second, if you didn’t create it, then it is not supposed to be there.

Check Google Search Console

There is a good chance that Google has sent you a message that states:

Hacked Content Detected on: <yourwebsite.com>

To: Webmaster of http://www.yourwebsite.com,

Google has detected that your site has been hacked by a third-party who created malicious content on some of your pages. This critical issue utilizes your site’s reputation to show potential visitors unexpected or harmful content on your site or in search results. It also lowers the quality of results for Google Search users. Therefore, we have applied a manual action to your site that will warn users of hacked content when your site appears in search results. To remove this warning, clean up the hacked content, and file a reconsideration request. After we determine that your site no longer has hacked content, we will remove this manual action.

Following are one or more example URLs where we found pages that have been compromised. Review them to gain a better sense of where this hacked content appears. The list is not exhaustive.

The message then proceeds to explain how you can resolve this problem. I would follow those tips as well.

If you go to the Security section on the left-hand side you will see all of the locations where strange and malicious scripts are residing. Yes, it looks daunting, but it is fixable. Often removing certain offending files or scripts will make the whole problem unravel rather quickly.

Strange Traffic

While in the Search Console, also look at Crawl Errors under the Crawl menu and click the Not Found tab. This will help explain the reason for the hack. If the objective was spam, you will suddenly have an increase in 404 errors, a big enough increase that Google will send you a message. When I looked at mine I had over 500 new errors in one day! This is something you will want to fix as well. Google doesn’t like sites with a lot of 404 errors; if you have a bunch of them, it looks like your site is dead. A dead website grows out of date and has poor information. So after you are clear of the hacking you can return to fixing these errors.
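The same spike is visible in your own web server access log before Google reports it, and it tells you where the injected pages live. The following is an added example, not part of the original post: two small POSIX shell functions run over a constructed sample of combined-format log lines (the IPs, paths and dates are made up). The first counts 404 responses per day and prints the days that cross a threshold; the second groups the 404 requests by their top-level directory, so a cluster under one directory you never created (like the /coap/ folder described above) stands out.

```shell
#!/bin/sh
# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:01:09 +0000] "GET /coap/cheap-pills.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:02:44 +0000] "GET /coap/buy-now.php HTTP/1.1" 404 210 "-" "Googlebot/2.1"
198.51.100.7 - - [10/Mar/2016:10:03:01 +0000] "GET /coap/index.php HTTP/1.1" 404 210 "-" "Googlebot/2.1"
203.0.113.9 - - [11/Mar/2016:08:00:00 +0000] "GET /about/ HTTP/1.1" 200 4098 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Mar/2016:08:00:05 +0000] "GET /missing-image.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"'

# Print "<day> <count>" for every day whose 404 count reaches THRESHOLD.
# Usage: not_found_per_day THRESHOLD < access.log
not_found_per_day() {
    awk -v threshold="$1" '
        $9 == 404 {
            day = substr($4, 2, 11)      # "[10/Mar/2016:10:01:02" -> "10/Mar/2016"
            count[day]++
        }
        END {
            for (d in count)
                if (count[d] >= threshold) print d, count[d]
        }' | sort
}

# Print "<count> <top-level-dir>" for the 404 requests, busiest directory first.
# Requests directly under the site root are reported as "/".
not_found_dirs() {
    awk '$9 == 404 {
            n = split($7, p, "/")
            print (n > 2) ? "/" p[2] "/" : "/"
        }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | not_found_per_day 3
printf '%s\n' "$SAMPLE_LOG" | not_found_dirs
```

On a live server you would feed the real log instead of the sample, for example `not_found_per_day 100 < /var/log/apache2/access.log` (the path is whatever your host uses). A day with hundreds of 404s for paths under one unfamiliar directory is the spam-injection pattern the post describes, and that directory is the first place to look.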

Run scans

First, search for the files. If your host uses a .suspended give-away like mine does, the search will help greatly. Look for any of these files, or any other files or folders that you do not recognize. You can test whether a file is needed by renaming it and then visiting your site: browse all of your pages and several of your blog posts, then look at your feed. If you get a lot of garble but no error messages, you are good. No errors? Then proceed to the next file. You can save a lot of time and worry by running malware scans on your site.

There are a couple of scans you can run. There are online web scanners that will help locate where the problems could be.

Sucuri Website Scanner – The guys at Sucuri are masters at security. They do not let you down with this scanner. I was able to find several bad pages that were not a part of the original site.

Quttera Scanner – A new site to me, but they found problems that Sucuri missed, and Sucuri found files that Quttera missed. So you want to use both.

Run both scanners and see what they come up with. They will often tell you which files are infected, but it is up to you to figure out how to remove them.
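Before (or alongside) the online scanners, the file search described above can be done in one pass from a shell on the host. This is an added example, not code from the post; DOCROOT is whatever directory holds your WordPress install. It looks for three things: files the host has already tagged with .suspended, PHP files modified within the last N days (a few PHP files changing on a day you ran no update is worth a look), and any PHP file under wp-content/uploads, which should hold media only.

```shell
#!/bin/sh
# Added example: sweep a WordPress document root for the indicators named above.
# All three functions only print paths; nothing is renamed or deleted.

# 1. Files the host has already flagged with the .suspended extension.
#    Usage: find_suspended DOCROOT
find_suspended() {
    find "$1" -type f -name '*.suspended' | sort
}

# 2. PHP files changed in the last DAYS days. A core or plugin update touches
#    many files at once; a handful of PHP files changed on a day with no update
#    is the pattern to investigate.
#    Usage: find_recent_php DOCROOT DAYS
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# 3. Executable scripts inside the uploads tree, which should contain media only.
#    Usage: find_php_in_uploads DOCROOT
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null | sort
}

# Stand-alone demo on a constructed directory layout (hypothetical files).
demo_sweep() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/coap" "$tmp/wp-content/uploads/2016"
    printf '<?php echo 1;' > "$tmp/coap/config.php.suspended"
    printf '<?php echo 2;' > "$tmp/coap/index.php"
    printf '<?php echo 3;' > "$tmp/wp-content/uploads/2016/shell.php"
    printf 'not a script' > "$tmp/wp-content/uploads/2016/photo.jpg"
    echo "--- suspended:";       find_suspended "$tmp"
    echo "--- recent php:";      find_recent_php "$tmp" 1
    echo "--- php in uploads:";  find_php_in_uploads "$tmp"
    rm -rf "$tmp"
}
demo_sweep
```

Run each function against your real document root and work through the output with the rename test the post describes. Anything that shows up in the third list is the easiest call: a PHP file in uploads has no legitimate reason to be there.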

Plugin scanners

Another way you can scan your site is with plugins for your WordPress site.

Wordfence is the number one security plugin for WordPress. Wordfence has a firewall to keep bad scripts from even getting a foothold.

It also includes a scanner that makes sure your plugins are up to date. The scanner compares all of the plugins, themes and core WordPress files against the copies in the WordPress repository to check whether any file has been changed. If so, it can repair the file. If it is a file that isn’t in the WordPress repository, you can delete it. That easy.
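The comparison Wordfence does can be reproduced by hand, which is useful when you cannot install a plugin on a compromised site or want a second opinion. This is an added example, not Wordfence’s code or the post’s. It takes a manifest of known-good md5 checksums (for WordPress core, the checksums published at https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US give the md5 of every core file; here a manifest is built from a constructed clean copy instead) and reports three things: MODIFIED files whose hash differs, MISSING files the manifest lists but the disk lacks, and EXTRA files on disk that the manifest never mentions, which is exactly the “file that isn’t in the repository” case.

```shell
#!/bin/sh
# Added example: verify a directory tree against a checksum manifest.
# Manifest line format is the one md5sum produces: "<md5hex>  <relative/path>".
# Paths are assumed to contain no spaces (true for WordPress core files).

# Build a manifest from a known-clean copy. Usage: build_manifest CLEAN_ROOT > manifest.txt
build_manifest() {
    (cd "$1" && find . -type f -exec md5sum {} + | sed 's|  \./|  |' | sort -k2)
}

# Compare DOCROOT against MANIFEST and print one finding per line.
# Usage: verify_tree DOCROOT MANIFEST
verify_tree() {
    root=$1
    manifest=$2

    # Modified and missing files: walk the manifest.
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
        else
            actual=$(md5sum "$root/$path" | awk '{print $1}')
            [ "$actual" = "$expected" ] || echo "MODIFIED $path"
        fi
    done < "$manifest"

    # Extra files: walk the disk and look each path up in the manifest.
    manifest_paths=$(awk '{print $2}' "$manifest")
    (cd "$root" && find . -type f | sed 's|^\./||' | sort) \
        | while read -r path; do
            printf '%s\n' "$manifest_paths" | grep -qxF "$path" || echo "EXTRA $path"
        done
}

# Stand-alone demo: constructed clean copy, then a tampered, deleted and added file.
demo_verify() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-includes"
    printf 'clean' > "$tmp/site/index.php"
    printf 'clean' > "$tmp/site/wp-includes/version.php"
    build_manifest "$tmp/site" > "$tmp/manifest.txt"
    printf 'tampered' > "$tmp/site/index.php"          # modified
    rm "$tmp/site/wp-includes/version.php"              # missing
    printf '<?php' > "$tmp/site/wp-includes/z.php"      # extra
    verify_tree "$tmp/site" "$tmp/manifest.txt" | sort
    rm -rf "$tmp"
}
demo_verify
```

For a real site, build the manifest from a fresh WordPress download of the same version (or convert the JSON from the checksums API into the two-column format), then run verify_tree against the live document root. MODIFIED core files can be replaced from the download; EXTRA files are the ones to inspect and, if nothing of yours depends on them, remove.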

Wordfence also monitors for brute-force bots and people alike scanning a website for vulnerabilities. If a hacking attempt is detected, then that IP address is blocked.

The Sucuri Scanner plugin has many of the same features as Wordfence. They actively scan, and with their huge database of the internet’s malware and security holes, Sucuri is going to find 95% of the offending files and scripts.

QutteraWeb Malware Scanner is the third scanner that I like to use. It seem

So what I would do is install all three of the scanners and use each at least once. Make sure they all come out clean, then remove the two plugins you do not want and keep the other. All three scanners also have a paid tier, and it can’t hurt to throw them a few shekels as a way of thanking them for the help.

After running the scans you want to go back to the Search Console and submit a reconsideration request under the Security tab. This is a waiting game. It can take up to a week for Google to rescan your site. If they still find hacked content, then you have more work to do and need to try again. But if it is clean, “This site may be hacked” will be removed from your results.


What I learned

Many, many lessons about websites being hacked. The biggest is that it is an all-consuming worry when you do get hacked. But know that it isn’t the end of the world, though your view of the world may be shaken a little. This problem can be fixed.

Back it up

Back up everything. Keep a running backup. Don’t rely on the host; have your own backups. Back up the site files and also back up the database. Some hackers are able to enter scripts into the database. These can be hard to find if you don’t have a backup of your database. Also, if the hacker is a very destructive one, they may even remove all of your blog posts. Depending on how long you have been writing, those could mount up to a few thousand.
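A backup you control means both halves: the files and the database. The script below is an added example, not from the post; it reads the database name, user, password and host straight out of wp-config.php (so nothing is typed twice), dumps the database with mysqldump, and archives the document root with a timestamp. DOCROOT, the destination directory and the wp-config.php contents in the demo are assumptions for illustration.

```shell
#!/bin/sh
# Added example: self-owned backup of a WordPress site (files + database).

# Read one define('NAME', 'value') line from wp-config.php.
# Usage: wp_config_value WP_CONFIG_PATH NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" \
        | head -n 1
}

# Archive the whole document root. Usage: backup_files DOCROOT DEST_DIR (prints archive path)
backup_files() {
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/site-files-$stamp.tar.gz"
    tar -czf "$archive" -C "$1" .
    echo "$archive"
}

# Dump the database named in wp-config.php. Usage: backup_db WP_CONFIG_PATH DEST_DIR (prints dump path)
# The password goes through the MYSQL_PWD environment variable rather than the
# command line so it does not show up in the process list.
backup_db() {
    name=$(wp_config_value "$1" DB_NAME)
    user=$(wp_config_value "$1" DB_USER)
    pass=$(wp_config_value "$1" DB_PASSWORD)
    host=$(wp_config_value "$1" DB_HOST)
    dump="$2/db-$name-$(date +%Y%m%d-%H%M%S).sql.gz"
    MYSQL_PWD="$pass" mysqldump --host="$host" --user="$user" "$name" | gzip > "$dump"
    echo "$dump"
}

# Stand-alone demo of the config parser and the file archive on a constructed site
# (the database dump needs a real MySQL server, so it is not run here).
demo_backup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-content"
    printf 'post body' > "$tmp/site/wp-content/post.txt"
    cat > "$tmp/site/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp_example');
define( 'DB_USER', "wpuser" );
define('DB_PASSWORD', 'example-only-password');
define('DB_HOST', 'localhost');
EOF
    echo "database: $(wp_config_value "$tmp/site/wp-config.php" DB_NAME)"
    echo "archive:  $(backup_files "$tmp/site" "$tmp")"
    rm -rf "$tmp"
}
demo_backup
```

Put `backup_files` and `backup_db` in a cron job and copy the results somewhere off the host. Keep several generations: a backup taken after the compromise contains the injected files and the planted admin account, so the restore point you want is the last one from before the break-in.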

Security

As always, use strong passwords. Don’t use your name backward or something like that. If you have trouble keeping your passwords in mind, you might use something like LastPass and let it create the strong passwords you need.

Two-factor authentication also helps. The biggest problem you will have is the inconvenience. If your convenience is more important than your business, then don’t worry about two-factor authentication. Google Authenticator can fit the bill, and it is often compatible with other authenticators.


Keep updated files

With your site, there are times that you have to update the files. Many people will hold off from updating in case the update breaks a plugin or two. Since they don’t want to go through the hassle of fixing the plugin if it does break, they don’t update the core WordPress files, the plugins or the themes. Any of these pieces can let a hacker in. So you need to decide how important that site is. Important enough to tackle a possible inconvenience, or would you rather risk losing your whole site?

Extra Security items

When setting up your site you will create an administrator. Whatever you do, do not name it admin. To log into your site, an attacker has to know the username. Hackers will often guess common usernames, and admin is the top guess. If they guess your username, then they are halfway to getting into your site.

If you have an account named admin, create a new administrator with a different name and change the admin account to a subscriber. That way, if they do get into the admin account, they can’t do anything with it.

Also, use one username for your writing account and a different username for your admin functions. That way, again, they are not able to find out the admin username from your published posts.
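The user audit from “Look at your users” and the admin-account changes in the last three paragraphs can both be done from the command line with WP-CLI (https://wp-cli.org/). This is an added example, not part of the post: `unexpected_admins` compares the administrators WordPress currently has against a list you maintain yourself and prints the ones you never created (the planted account the post found on every domain); `audit_admins` feeds it the live list; `retire_admin_account` creates a new administrator under a non-obvious login and demotes “admin” to subscriber; and `create_author_account` makes the separate writing account. All usernames, emails and paths below are constructed.

```shell
#!/bin/sh
# Added example: administrator-account audit and cleanup with WP-CLI.
# Only unexpected_admins runs without WordPress; the others call the wp command
# and assume --path points at your WordPress document root.

# Print logins present in CURRENT_FILE but absent from EXPECTED_FILE (one login per line).
# Usage: unexpected_admins EXPECTED_FILE CURRENT_FILE
unexpected_admins() {
    grep -vxF -f "$1" "$2" | sort -u
}

# Pull the live administrator list and report anything you did not create.
# Usage: audit_admins EXPECTED_FILE DOCROOT
audit_admins() {
    current=$(mktemp)
    wp user list --role=administrator --field=user_login --path="$2" > "$current"
    unexpected_admins "$1" "$current"
    rm -f "$current"
}

# Create a new administrator with a non-guessable login, then demote "admin" to
# subscriber so guessing that name no longer buys anything. WP-CLI generates and
# prints a password for the new user when none is supplied.
# Usage: retire_admin_account NEW_LOGIN NEW_EMAIL DOCROOT
retire_admin_account() {
    wp user create "$1" "$2" --role=administrator --path="$3" \
        && wp user update admin --role=subscriber --path="$3"
}

# A separate account for writing, so the name shown on posts is not the admin login.
# Usage: create_author_account LOGIN EMAIL DOCROOT
create_author_account() {
    wp user create "$1" "$2" --role=author --path="$3"
}

# Stand-alone demo of the offline comparison with constructed lists.
demo_audit() {
    tmp=$(mktemp -d)
    printf 'bgoodwin\n' > "$tmp/expected.txt"
    printf 'bgoodwin\nwp_update_service\nadmin\n' > "$tmp/current.txt"
    echo "unexpected administrators:"
    unexpected_admins "$tmp/expected.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}
demo_audit
```

Keep the expected-administrators file outside the web root (or in your own notes) so a compromise of the site cannot rewrite it. When `audit_admins` prints a login you did not create, inspect that account’s email and registration date before deleting it; an official-sounding name such as a fake “update service” user is the disguise the post warns about.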

Getting hacked is not an “if” problem; it is a matter of when it is going to happen. You have to do your best to make sure you have yourself covered as well as possible. There are plenty of bored, smart people who don’t know how to use their gifts for good. With that being the case, you will just have to make it as tough as possible.

You will get over the annoyance and breathe a sigh of relief when it is over. Just know you are not alone; you are part of a very large club.

Have you ever been hacked? How did you handle it? Let us know in the comments below.


Bryan Goodwin

Social Media Manager at Goodwin Social Media
Bryan has been in the social media field in one form or another, whether it is blogging, podcasting, or trying out the latest social network. There is a good chance that you will find him talking somewhere.