How to clean up after a WordPress Hack?

WordPress is a great blogging platform, but also a target of hackers. Many bloggers often find out that they have been hacked long after the fact. You may notice that suddenly all your permalinks have disappeared and that you have lost a great portion of your Google traffic.

In any event, if your WordPress installation was hacked, take action immediately to control the damage. At the end of this post, I’ll give some examples of how your blog could have been hacked, but first, let’s go over the steps to clean up the mess.

The first thing you should do is make a backup copy of your WordPress database: log on to your server, select databases, select the WordPress database and click on the “export” tab. Next, make sure you select all tables and click on the go button. This will download your WP database to your computer.

You could search for bad code in your database on your local computer by opening the downloaded database in your favorite text editor and using the “find” command to search for inserted code that doesn’t belong there. Or you could do it directly in MySQL.

The first table to look at is the meta users table. If you are the only person posting on your blog, then there should be only entries that pertain to you (e.g. administrator). These entries should have a tag of “1”. Anything else could be fake user accounts created by the hacker or the WordPress Worm (2009) and should be deleted.

The posts and comments tables should be looked at in great detail: if your blog doesn’t contain many entries, I suggest you look at everything; otherwise, perform a query on the following strings:

  • eval, base64_decode
  • iframe
  • instant-zero
  • d0lphin
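
If you would rather not page through the dump in a text editor, the same search can be scripted. The following is an added example, not code from the original post: it counts the search strings per table in a downloaded dump, covering every table rather than only posts and comments. The sample dump is constructed, and reading the first list item as `eval` and `base64_decode` is an assumption of this example.

```shell
#!/bin/sh
# Count the search strings from the list above, per table, in a mysqldump file.
# "eval" and "base64_decode" are this example's reading of the first list item.
PATTERNS='base64_decode|eval *[(]|<iframe|instant-zero|d0lphin'

# scan_dump FILE: print "<count> <table> <string>" lines, sorted by table name.
scan_dump() {
    awk -v pats="$PATTERNS" '
    /^INSERT INTO/ {
        table = $3
        gsub(/`/, "", table)                  # strip the backticks around the name
        rest = tolower($0)                    # match case-insensitively
        while (match(rest, pats)) {           # one dump line holds many rows
            hit = substr(rest, RSTART, RLENGTH)
            gsub(/ /, "", hit)                # "eval (" and "eval(" count together
            count[table " " hit]++
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k2
}

# make_sample_dump FILE: write a small constructed dump (not real data).
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','http://blog.example');
INSERT INTO `wp_posts` VALUES (1,1,'Hello','Welcome.'),(2,1,'Recipes','Soup <iframe src="http://rogue.example/x" width="1"></iframe>'),(3,1,'Travel','<?php eval(base64_decode("CONSTRUCTED")); ?>');
INSERT INTO `wp_comments` VALUES (1,1,'visitor','Nice post!'),(2,2,'d0lphin','<IFRAME src="http://rogue.example/y"></IFRAME>');
EOF
}

# Demo run on the constructed dump.
tmp=$(mktemp)
make_sample_dump "$tmp"
scan_dump "$tmp"
rm -f "$tmp"
```

A hit is a lead for manual review, not proof of compromise: a legitimate post can embed an `<iframe>` too.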

Next, look in all directories of your site for images with the .php extension. Also look in every folder for “index.php”. These PHP files may contain the following code and, when executed, can redirect your visitors to rogue sites.

Another favorite location to place bad code is in the uploads folder (wp-content/uploads). Make sure that you recognize the files: these should be media files (images, videos) that you uploaded to your blog. Anything else should be deleted.
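
The file checks from the last two paragraphs as a script (an added example, not part of the original post). The media extension list, the reading of “images with the .php extension” as names like `logo.gif.php`, the content strings checked in `index.php` files, and the sample site tree are all assumptions of this example.

```shell
#!/bin/sh
# List files that deserve a manual look after a WordPress compromise.
# Assumes the standard WordPress layout under the directory passed in.

# list_suspect_files WP_ROOT: print one path per line, sorted, no duplicates.
list_suspect_files() {
    root=$1
    {
        # 1. Anything in uploads that is not an image or video file.
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f \
                ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' \
                ! -iname '*.gif' ! -iname '*.mp4' ! -iname '*.mov'
        fi
        # 2. Image names that really end in .php, anywhere in the site.
        find "$root" -type f \( -iname '*.jpg.php' -o -iname '*.jpeg.php' \
            -o -iname '*.png.php' -o -iname '*.gif.php' \)
        # 3. index.php files containing strings from the database search.
        #    grep exits non-zero when nothing matches, hence "|| true".
        find "$root" -type f -name index.php -exec \
            grep -l -i -E 'base64_decode|eval *[(]|<iframe' {} + || true
    } | LC_ALL=C sort -u
}

# make_sample_site DIR: build a small constructed site tree for the demo.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads/2010/01" \
             "$1/wp-content/themes/mytheme/images" "$1/wp-includes/images"
    : > "$1/wp-content/uploads/2010/01/photo.jpg"        # expected media file
    : > "$1/wp-content/uploads/2010/01/logo.gif.php"     # rules 1 and 2
    : > "$1/wp-content/uploads/2010/01/cache.txt"        # rule 1
    : > "$1/wp-content/themes/mytheme/images/header.png.php"   # rule 2
    printf '<?php\n// Silence is golden.\n' > "$1/wp-content/index.php"
    printf '<iframe src="http://rogue.example/" width="1"></iframe>\n' \
        > "$1/wp-includes/images/index.php"              # rule 3
}

# Demo run on the constructed tree.
site=$(mktemp -d)
make_sample_site "$site"
list_suspect_files "$site"
rm -rf "$site"
```

Review each listed file before deleting it; the script only narrows down where to look.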

Make sure that your template (theme) files are clean: if you’re not sure, just upload a fresh copy.

The last thing you need to do is upload a current version of WordPress. I would suggest you manually upload a fresh copy (make sure you first keep a backup of your wp-config.php file and of any template files that you changed). If your blog was hacked, I would recommend that you do not update the source code from within the admin area (available in newer versions of WordPress), but rather delete everything in your blog folder and upload a new version: updating to a newer version from within the admin area will not overwrite all files. If you have SSH access to your server, it will be faster to download the WordPress tarball and unpack it on your server.

After you have your WordPress blog back up and running, keep it secure by upgrading to the latest version whenever an updated version becomes available. Once your blog is clean, you could always update the WordPress source code from within the admin area.

A good thing to do would be to change your FTP passwords after every WordPress update. Read my post on using secure FTP to upload files to and from your server.

The number one reason why a WordPress blog becomes hacked is that it is running outdated software. We all procrastinate sometimes and many people ignore the “there is a new version available” message, especially after just upgrading. But it is important that you always keep the source code up to date. Whenever a security hole is discovered and a new version is published, hackers have known about this issue for a long time. It isn’t so much a question of if your blog can be hacked, but when.

Here is a good source on dealing with a WordPress hack (plus many informative comments).

Here are 2 blog posts by the Unmask Parasites Blog about similar attacks that are very useful (in fact, some of the search strings mentioned in this post came from that blog):

A Level Playing Field?

You have heard it so many times from countless internet marketing gurus: the internet allows regular people to start a business online and compete with the big guys, hence what they describe as “a level playing field”. They have been preaching this mantra for the last 15 years, and while that may have been true in the early days of the internet, come 2010 things certainly don’t look so glamorous anymore.

Anybody who starts a business online faces numerous challenges such as stiff competition, picking the wrong niche in the marketplace, pay-per-click ads that are overpriced, spam, website attacks, black hat SEO techniques to bring down your site, malicious code placed on your site through vulnerabilities in software your site is running (such as WordPress) etc.

Many people still (wrongly) believe that all they need is traffic. Work on SEO, rise in the search engines and you’ll make money guaranteed. Of course, many internet marketing gurus claim that SEO is the most important piece to success on the internet (just watch a few videos and see how THEY are getting top rankings in Google and making big bucks in their affiliate accounts, it’s like making money on autopilot while you’re sleeping). But SEO should only be a small portion of your entire marketing scheme. What is almost equally important these days is security. Security as in securing your webserver.

I have been dealing with some security issues myself and will write about them in upcoming posts. There is so much money to be made on the internet these days that crooks, parasites and con artists are constantly finding new clever ways to rip people off (both your customers and you, the business owner). Right now, I would like to mention 2 excellent blogs (about security) that will give everyone who owns a website an idea what they’re up against:

  • Dancho Danchev’s blog: Very detailed and entertaining blog with frequent posts about the scum of the internet. See how cyber criminals and internet parasites find security holes in almost everything to lure/force people into buying fake security scanners for their PC and other rip-off schemes.
  • Unmask Parasites blog: Read about obfuscated javascripts, twitter exploits, worms, viruses, WordPress hacks and more. If you weren’t paranoid before, you might as well be. Unmask Parasites also offers a free vulnerability scan for your site: you need to scan every page separately, but I would start with your homepage and some of your blog pages.

So it may well be that you are doing everything right in one area (SEO) and the reason that your site is lacking in the SERPs is because of exploits on your server or nasty black hat SEO attacks by your competition.

Some people don’t believe in internet marketing anymore. On the following blog, you can read some entertaining posts about why internet marketing sucks.

OnlyWire Review: A Powerful Button?

As many webmasters are always on the lookout for new and easy applications that will make their search engine optimization efforts more ‘productive’, SEO services such as OnlyWire quickly become popular.

OnlyWire is a service that lets you place multiple bookmarks across social bookmark sites with just a click of a button. The advertising hook they use is that with “the power of the button”, you can quickly place numerous bookmarks of your favorite (read “your own”) content across as many social media sites as you choose.

They currently offer 2 service levels: one is free and requires that you add their bookmarking button all over your website, which may not be desirable to some, in particular if you prefer other bookmarking tools for your readers such as “share this”. The other option they offer is a paid version for $2.99 per month or $24.99 annually. This may not sound like much, but why should you pay for a service that borders on spamming and that does not bring back many valuable back links, as most social media sites use no follow on their outgoing links?

The “button” installs very easily as a plug-in for Firefox. They may come out with plugins for additional browsers.

The first question you’ll have to ask yourself, is how many social media accounts do you really need? Are the accounts at delicious, digg and Stumbleupon not enough?

Anyway, how does OnlyWire’s “easy” claim hold true?

It is indeed extremely easy to place your bookmarks across social media sites (once you have set up all your accounts with clever usernames and unique passwords). In fact, it is almost too easy to place your links and it almost feels like you’re spamming. Because of the no-follow policy of most social media sites, it almost becomes a trivial exercise of placing your links on any of those social sites: Do you really think you may get visitors from those links, even if those links are worthless from an SEO standpoint (no link juice)?

OnlyWire does do a good job at listing all the sites you submitted your “bookmark” to. However, it would be nice if the software allowed you to spin the descriptions and titles of your submissions. That way it would keep everything a bit more unique, would help with overall SEO and would not feel so much like spamming.