How to Recover from a WordPress Hack

I’ve been an IT professional for two decades. I’ve been through just about every IT and security disaster you can imagine, except for one: a hack on one of my personal websites. Let me tell you what I found and how I fixed it.

One recent morning, I went to create my Pick of the Week post on my main site, mojosarmy.com, and instead of being able to log into my site, I was met with a note that said ANONCODERS followed by a list of the hackers’ handles. This was a surprise, because I keep everything as up to date as possible. I immediately went to work with the standard operating procedure: 1. changing my login passwords to stronger ones 2. changing the passwords of the associated email addresses 3. backing up my files and database.
After clicking the ‘forgot password’ link and resetting my admin password, I was able to get into the WordPress dashboard and verify that all my posts and files were still there; I just couldn’t browse to them.

The next step was searching for obvious files that were changed in the last two days and removing them, and then the tedious process of looking through the rest of the files to see what I missed, and sweating every minute that it wasn’t fixed. I knew I was racing against time.

Was I worried that someone would steal financial information? No, there’s none on my site. Nothing like that. I was worried because I know that once your compromised system gets picked up by security sites, your site and domain will be blacklisted. Once your site is flagged, it affects your traffic, your search rankings, and turns away all those eyeballs you work so hard to funnel back to your little home on the web.

The hacker message remained after I removed the files I could find, so I then installed the Wordfence plugin, which will do a scan for changed WordPress core files and look for known exploits. It did find a couple of suspicious files I missed, but I still couldn’t get to any of my pages. In the meantime, I installed Bulletproof Security on my other WordPress sites and changed those passwords as well.

The next step was to reinstall WordPress in place through the update panel. WordPress updated smoothly, but even with a fresh install and all the plugins turned off, the problem persisted. At this point I had a sinking feeling that the hacker code was in the database somewhere, but I couldn’t find any unusual tables or fields looking in my host’s phpMyAdmin and comparing to another known good site.

It wasn’t until I ran a scan from the Sucuri site that I saw some information that led me to the last problem: some malicious JavaScript had been placed in a sidebar widget. I simply needed to delete it in Appearance > Widgets to finish clearing the site. The whole ordeal was over in 24 hours, but the lessons remain.
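The three places the cleanup above had to look (files changed in the last couple of days, files carrying the defacement text, and widget content that lives in the database rather than on disk) can be checked from a shell. This is an added example, not code from the original post; it assumes shell access to the WordPress document root and a `wp_` table prefix, and the function and file names are my own.

```shell
#!/bin/sh
# Added triage helpers for a hacked WordPress install (example, not from the post).

# List files under a WordPress root changed within the last N days.
# Mode "mtime" matches the manual search described above; attackers can reset
# modification times with touch, so a second pass with "ctime" (inode change
# time, which touch cannot forge) is worth running as well.
# Usage: recent_files /var/www/html 2 [mtime|ctime]
recent_files() {
  root="$1"; days="$2"; mode="${3:-mtime}"
  case "$mode" in
    mtime) find "$root" -type f -mtime "-$days" | sort ;;
    ctime) find "$root" -type f -ctime "-$days" | sort ;;
    *) echo "mode must be mtime or ctime" >&2; return 1 ;;
  esac
}

# List files containing a fixed marker string, e.g. the defacement banner
# the attacker left ("ANONCODERS") or a "<script" tag in theme/plugin files.
# Usage: files_with_marker /var/www/html ANONCODERS
files_with_marker() {
  root="$1"; marker="$2"
  grep -rlF -- "$marker" "$root" | sort
}

# Widget content is stored in wp_options (option names widget_text, widget_custom_html,
# etc.) as serialized PHP, which a core reinstall never touches. Emit a query that finds
# widget option rows containing a <script> tag. Delete the offending widget through
# Appearance > Widgets rather than editing option_value by hand: hand-editing serialized
# data with changed string lengths corrupts the option.
# Usage: widget_script_sql wp_ | mysql -u USER -p DBNAME
widget_script_sql() {
  prefix="${1:-wp_}"
  printf "SELECT option_id, option_name FROM %soptions WHERE option_name LIKE 'widget_%%' AND option_value LIKE '%%<script%%';\n" "$prefix"
}
```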

An ounce of prevention really is the best cure. Honestly, it’s not that hard to use strong passwords or even two-factor authentication, and it’s not that hard to take steps to keep your site from being the ripe low-hanging fruit. But we get complacent and think it will never happen to us; I understand, believe me. Trust me when I say that a small amount of extra work up front will save you time, anguish, lost clicks, lost revenue, and loss of trust in your brand.

Recommendations: keep your site and plugins up to date with the latest patches. Use strong passwords and don’t use those passwords on other sites. Install a security plugin to help harden your site and alert you when something unusual happens. Be careful when installing third-party plugins that haven’t been updated recently, or that are not well known. And maybe most importantly, make regular local backups of both your site files and your database.

Another recommendation is to not use the username “admin” as your administrator for any site. Since I installed the security plugin, I’ve been getting constant alerts about attempts from all over the world to break in by brute forcing the password for admin.

Important and helpful links:

Prevention

Hardening WordPress on the WordPress Codex has great advice
Bulletproof Security plugin
The 7 best WordPress Security Plugins according to Infosec

Cure

Help I think I’ve been hacked from the WordPress Codex helped get me off the ledge
How To Completely Clean Your Hacked WordPress Installation
How to clean a hacked site using Wordfence was helpful and doesn’t require Wordfence to follow
Cleaning up an infected website — Part I: WordPress and the Pharma Hack

*AnonCoders is a group of Palestinian web terrorists that pride themselves on defacing American and UK sites, then bragging about it on Facebook and Twitter. This is somehow vigilante justice in the name of Palestine. Good job making people sympathetic to your cause. Not.