Recovering from a Hacked WordPress Site
Have you ever had to recover from a WordPress hack? I’ve worked with a lot of people who have. It’s terrifying if a malicious actor damages your site. Your site represents hours and hours of your work. It represents your relationship to your members. You’re going to be anxious to get it back under your control! So, what do you do?
The time to decide that is well in advance of the attack. When you realize you’ve been attacked, it’s too late to start looking in Google for help. How would you know which experts to trust? What criteria would you use to decide if they’re right for you? It’s hard to objectively think through stuff like that when you know that each second you delay, your site could be infecting your readers with malware. Those are the same readers you worked your butt off to attract to your site. Sure, you want to give readers more than they expect. But not if it’s malware!
In this post, I’ll share some of the experience I’ve had helping folks detox sites. I should warn you up front: Some attacks are so tenacious and the fallout so dangerous, it could put your data in jeopardy. You might completely lose your site. But more often than not, there are ways to get your site back up and running.
Start with Prevention!
It’s a good idea to start with a plan to keep your site from being hacked in the first place. You won’t need to recover from a WordPress hack if you prevent the attack in the first place! There are some simple things you could do, and you’re probably already doing a lot of them! Here are some posts I put together to try to help you stay safe:
- Ani-Blogging Safety Tips: Keep Your Domain Name Safe!
- Ani-Blogging Safety Tips: Very Basics Tips For WordPress
- Ani-Blogging Safety Tips: Keeping Your Readers Safe
- Ani-Blogging Safety Tips: Backups And Testing Major Changes
- Ani-Blogging Safety Tips: Keeping Your Site Yours — No Free Lunch Edition
If any of those topics don’t look familiar to you, please do check them out. I’m a selfish pig. When I go surfing anime sites Friday nights, I want to find cool and amazing anime content! I don’t want to run into indicators of compromise, which is security speak for a proof of a hack! So, please, do your part to keep my Friday nights fun!
Because that also means your site is up and running!
You might notice that this post is part of Blog Shop Talk and not Ani-Blogging Safety. That’s because I see my safety posts as ways to prevent an attack from succeeding. If the attack succeeds, then it’s time to recover, and that’s certainly not prevention!
Anatomy of How to Recover from a WordPress Hack
How To Know If You Need to Recover from a WordPress Hack
Before you can recover from a WordPress hack, you have to realize you’ve been hacked. So, how can you tell? Here are some real-life examples I’ve discovered not only in my job, but during my Friday night excursions into the ani-blogging sphere:
- Your site prompts readers to install Adobe Flash, which hasn’t been a thing for awhile now
- Your site redirects to some cheesy used tire site
- Your site makes readers’ browsers start blinking with messages saying that their computer’s toast and they need to call a 1-800 number to recover
- Mozilla Firefox or Chrome throw up a message saying you’d be flat out nuts to try to go to your site
Hmmmm…. This looks kinda bad…
Okay, that last one is really short-hand for, “Firefox blocked this page because it may trick you into doing something dangerous like installing software or revealing personal information.” Same idea, but I used fewer words.
Do you notice something about those indicators of compromise (IOC)? As your site’s WordPress admin, you would not have seen any of these. Attacks will very often be invisible to you as the admin. That’s why I try to notify site owners when I see their site showing an IOC. But it suggests that from time to time, you should visit your own site, preferably in incognito mode, so you can see the site as your readers see it.
You’re Hacked — Now What?
Two Potential Paths to Recover from a WordPress Hack
There are two paths forward from here. You can recover the site yourself, using your backups and technical knowledge to rebuild the site. Or, you can reach out to an expert to help you.
You might think I’m being facetious with the first option, but I’m not. If you’re someone like James from Chikorita157’s Anime Blog, you can rebuild your site from scratch. Dude knows his stuff — he even rolls his own servers, as he discussed in his post “Anime Blogging and Hosting – Why You Should Start One On a Virtual Private Server Instead on WordPress.com.” In the event of infection, James would likely back up the web server’s log files. Then he would check his site’s data to see if it was still safe. If it was, he’d probably scrape off the operating system, lay it back down from a known-good source, reinstall the database (also from a known-good source), reinstall the web server, reinstall WordPress, and finally restore the data.
Then he’d comb through the log backups and see what the heck happened and change his procedures to make sure it didn’t happen again.
What does Tohka Yatogami have to do with this? Why, in the event a malicious actor… Nah. She has nothing to do with this. I just realized I don’t have enough screen caps of Tohka on my site. Capture from the Crunchyroll stream.
Is Self-Recovery for You?
Self-recovery is a great option if you have the expertise to pull it off — and the time. The elapsed time of your outage will likely be less than if you have to reach out to an expert. But it’ll take a chunk of your time. How long depends on the size of your site and how often you’ve had to do something like this.
I can’t really advise you on exactly what to do. Sure, I’ve had experience doing that sort of thing. I was rebuilding from backups back in the mid-1980s, so it’s not like I haven’t done it before. But the possible paths forward depend so much on the type of damage done and the extent of that damage that it would be better if I trained you in operating system, web server, and WordPress application support first. Then we’d probably DM about ideas on how to proceed.
And wow, that sounds exhausting, doesn’t it?
Reaching out to an expert is nothing to be ashamed of. At my stage of life, for my peace of mind alone (not to mention my time), I’d likely ask a professional to help me recover from a WordPress hack. Finding a vendor who’s both reasonably priced and trustworthy isn’t trivial. But I’d like to share my experience in the hopes it’ll help you.
Asking for Professional Help to Recover from a WordPress Hack
Find a Vendor Before You Need a Vendor to Recover from a WordPress Hack
You absolutely do not want to be scrambling to look for a vendor after you realize you’ve been hacked. The clock’s ticking, and you don’t have time for an exhaustive search. So, I suggest you start now. This very minute. Or as close to it as you can get and not trash your schedule. Trashing your schedule would suck.
I’m going to share the vendor I’ve used multiple times in the past. Their pricing is not only reasonable. It’s generous. This vendor will run a free checkup on your first site, no questions asked. They don’t even ask for your credit card. Best of all? The results are great. So great they can help you see how bad the problem is before you pull the trigger and ask for their help. Then they’ll offer to help you stay safe — for a reasonable fee.
To me, those are signs that the vendor is serious about good service.
The customer service at mySites.guru might not be quite as good as what you’d get at Wagnaria. But it’s really good. And I promise they won’t hit you nearly as hard as Imani would! Capture from the Crunchyroll stream.
I’ve Had Great Luck with mySites.guru
The vendor I’m talking about is mySites.guru. Their pricing plans go everywhere from free for the initial assessment, to £5.00 a month for a single site’s monitoring, to all the way up to £199.99 a year for unlimited sites. The latter is a bargain if you have a lot of sites to manage. A genius Joomla admin introduced me to the site, and I’ve been impressed ever since. mySites.guru supports both Joomla and WordPress, so either way, they have you covered.
What I’m suggesting is that you look at subscribing to something like this if you’re serious about blogging in the long term. WordPress used to have a poor reputation for security, but it’s solid now. As a security practitioner, I have no concerns about WordPress. Certainly not any more than any web-based application.
But malicious actors are motivated by money. And let me tell you: Ransomware and other malware is a gigantic growth industry. It’s best to try to stay safe and prepare just in case someone’s desire for a new beach home drives them to compromise your site.
A Quick Walkthrough of mySites.guru
Let me give you a quick tour of what mySites.guru will tell you about your site. It’s smart to go through this exercise now so that if you do think you’ve been hacked, you’ll know how a hacked site looks different from a healthy site. The examples I’ll walk you through show what a healthy site looks like.
I hope, anyway. Wouldn’t it be ironic if I find out I’ve been hacked? Well, then I could just write about that then, I guess! Though it would legitimately erode my reputation as a security practitioner!
When you first sign up, mySites.guru walks you through setting up your site for the first scan. When you get to the prompt asking you to install a plugin, it’s terrifying. This is exactly what you’d expect a malicious actor/malware purveyor to do! But that’s why you prepare now. You can investigate mySites.guru and become comfortable that they’re legitimate. Before you’re under pressure to resurrect your site. When you have time to understand that installing this plugin is safe.
Once you install the plugin, two things happen. You get a quick site audit and then later you get an in-depth analysis.
By “quick site audit,” I mean quick. It happened in less than a minute for me. Here’s an example of what I saw:
The Snapshot has a ton of great information. While you’re waiting for the Audit, go through mySites.guru’s suggestions.
As a person who’s built PHP applications, I really liked what the Snapshot showed me. Let’s walk through an example. In the figure above, do you see the “Password Protect WP-Admin” entry? If I click on “Investigate,” I would see this:
This tells me what I need to know about an additional layer of password protection I could place on my WordPress administration functions.
If the idea of .htaccess makes no sense to you, don’t worry about it. It’s a way you can set up IDs and passwords to protect your site in addition to what WordPress gives you. Is it required? No. Is it helpful? Sure! More security is always helpful. But do you need it? I don’t have it — at least not yet. I don’t want to enter two IDs and two passwords to get to WordPress’s admin functions. But I’m taking a calculated risk. If I ever get into a situation where someone hacked into my site because I didn’t have .htaccess set up? I’d change my mind right quick.
You can go through the other red items in the snapshot. It’s unlikely any of them are indications of compromise, but it’s good to have something to do while mySites.guru completes the Audit. That’s where you can really see how badly you’ve been hacked.
It’s great that mySites.guru gives you the Snapshot feature to keep you busy. Very large sites can take up to an hour to audit.
As I prepared to write this post, I checked mySites.guru’s audit of my site. At first, I was a bit alarmed at the volume of red on the display:
Should I be worried about all that red under “Hacked?”
As a security practitioner, I’ve gotten to the point where I can recognize a security scam a mile away. “Buy our stuff or you’re toast!” is a common refrain. So when I first saw all those red indicators under “Hacked?” the first time I used mySites.guru, I felt a sinking feeling. “Here we go again,” I incorrectly thought.
This is where the site distinguished itself yet again. Notice the “Investigate” button beside the four red or orange items? It lets you drill down to see if that problem is real or not. A bogus site wouldn’t give you more information. They’d just try to get your cash. So it’s a good sign that mySites.guru goes to the effort to help you decide what’s going on.
Malicious Patterns in Files
If I click on the “Investigate” button beside “Check Suspect/Malicious Pattern Matched Content in Files,” I see something like this:
If a site tries to educate you, you can almost always take it as a good sign.
Do you see “A Huge Warning!!!!” That’s a good sign. mySites.guru is very clear on the potential implications of not being disciplined about how you click. Again — a bogus site wouldn’t go to that effort. This is another sign that you can trust mySites.guru.
I paged down to see a list of files on my site. That list shows files that have strings that mySites.guru has seen in files on hacked sites. Those strings aren’t proof, but they are things you need to look at. In effect, that means a lot of the files in this list (all of the files in my case) don’t really belong on the hacked list. Why? Because there’s a lot in common between hacked files and not hacked files. And that’s okay! Here’s something else the same page says above the list of files:
This is probably the strongest sign that you can trust this site. A bogus site would never admit they might be wrong.
Reviewing the Patterns
When I paged down, I saw the list of files mySites.guru thought might be infected. Each file had icons beside it, and those icons would let me:
- Delete the file: Not recommended unless you know what the heck you’re doing. I’ll put it this way: I’ve supported operating systems since the late 1980s, and I wouldn’t click this. I don’t know WordPress well enough.
- Edit File: Same notation as “Delete the file,” but not as urgent. There’s a slight chance I might recognize an attack on a cascading style sheet (CSS) file. But it’s really unlikely.
- Search the file (the magnifying glass): This shows the file with the possible problem highlighted in red.
I chose the magnifying glass for a file called “sabberworm/php-css-parser/lib/Sabberworm/CSS/CSSList/CSSList.php.” First, what the heck? A file named sabberworm? Isn’t that a dead giveaway?
Turns out, it’s a legitimate file. I determined that checking the vendor through Google. But were the contents still okay? Here’s what mySites.guru showed me:
This turned out to be safe. How do I know? Well, I really don’t…
The variable looked okay. But how could I be sure?
How Do You Know If the Pattern is Okay or Not?
Here’s the problem: You don’t. By becoming familiar with your site before a hack, you can see what’s normal and what is not. But after a hack, how can you tell exactly what’s malicious and what is not? Unless you can read the file’s language and know its context within WordPress, you can’t really know. In my case, PHP is one of my strongest programming languages. Looking at this example, I concluded that a simple boolean expression is probably not dangerous. I strongly suspect that’s accurate.
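One way to make that call easier is to compare the live site against a known-good copy (a fresh download of the same plugin or theme versions, or a clean backup) and to treat pattern hits in files whose hashes still match that copy as noise. The script below is an added example written for this post, not code from mySites.guru or from the original article; the file names and PHP snippets in `demo()` are constructed, and `wp-x.php` is a hypothetical placeholder name.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Strings that often appear in tampered PHP files but also in legitimate code
# (parsers, encoders): a match is a reason to look, not proof of compromise.
SUSPECT_PATTERNS = [re.compile(p) for p in
                    (rb"eval\s*\(", rb"base64_decode\s*\(", rb"gzinflate\s*\(")]

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root):
    """Hash every file under a known-good copy (fresh download or clean backup)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def find_matches(path, context=30):
    """Return (pattern, snippet) for each suspect-pattern hit, with context."""
    data = path.read_bytes()
    hits = []
    for pat in SUSPECT_PATTERNS:
        for m in pat.finditer(data):
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append((pat.pattern.decode(), data[lo:hi].decode("utf-8", "replace")))
    return hits

def triage(root, baseline):
    """Label each file unchanged / modified / new against the baseline.
    Only modified or new files that also match a pattern need a human look."""
    report = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        same = baseline.get(rel) == sha256_file(p)
        status = "unchanged" if same else ("modified" if rel in baseline else "new")
        hits = find_matches(p)
        report[rel] = {"status": status, "hits": hits,
                       "needs_review": bool(hits) and status != "unchanged"}
    return report

def demo():
    """Constructed sample: a vendor parser that legitimately calls base64_decode,
    plus a dropped file (hypothetical name) that is absent from the baseline."""
    good, live = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    parser = b"<?php function decodeData($s) { return base64_decode($s); }"
    for d in (good, live):
        (d / "lib").mkdir()
        (d / "lib" / "Parser.php").write_bytes(parser)
    (live / "wp-x.php").write_bytes(b"<?php eval(gzinflate(base64_decode('...')));")
    return triage(live, build_baseline(good))
```

A file that matches a pattern but hashes identically to the vendor release is the same code every other site runs; the files worth your attention (or a consultant’s) are the ones the baseline has never seen or that no longer match it.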
But we might not be sure. We might have no idea. Further, you might not want to care — your interest in WordPress might be in how well it can publicize your writing, not in how it works. And that’s okay. You might drive a car, but not be able to field-strip the transmission. This post’s goal is to acquaint you with one possible vendor — mySites.guru — and get you comfortable with them.
If you look at that screen shot above and feel a thrill of “I don’t know what that means,” then you are at your decision point. If you’ve been hacked, you should now have a level of confidence in mySites.guru. If you’ve been hacked, you should be ready to click the icon that says “Request Paid Consultancy”:
Honest to goodness, it’s okay to ask for help.
The Rest of mySites.guru Works Like That
I could show you more screen shots, but really, my goal was to give you a way to prepare for a time when some malicious actor might attack your site — and succeed. I can’t tell you the number of times I’ve been on my Friday night tour of anime sites and encountered a site that seems compromised.
By “can’t tell you” I mean that literally. I try to track down the site owner and let them know, and I’ll often update the Massive List of Anime Sites to indicate there’s a problem. But I only give details to the site owner. I keep that conversation private. I ain’t the best person in the world. But if I can help someone recover from a crisis, that makes me happy. The world has enough sharp edges as it is. Maybe the best I can do is let you know that someone’s looking out for you.
But Wait… What Do I Do to Recover from a WordPress Hack?
If you can’t fix the problem yourself, then my goal was to introduce you to a vendor that could. I didn’t just want to try to say, “I am Security Man. Protector of all Things Electronic! Believe Me.” That’s primarily because you would have pointed and laughed if I had done that.
But I wanted to do something to help. So, I introduced you to mySites.guru as a vendor I trust. I tried to show you why you can trust them, too. And I encouraged you to explore that possibility before you needed it.
Does that make sense? I hope it does. You’re smart folks. You write blog posts that share your analysis of anime with the world. You know what you’re doing, but this security stuff can become specialized real fast. If your site gets hacked, I wanted to connect you to professionals who could help. That idea drove the samples I selected. It also drove which screen shots I shared. I wanted to give you the clearest possible idea of what you could do.
I sure hope I succeeded.
I’ve been writing computer programs since the late 1970s. If there’s one thing that experience has taught me, it’s that I should have been a Boy Scout instead of quitting at Cub Scouts. I should have learned “Be Prepared” when I was a kid. Then I would not have had to learn it in a professional environment. When the stakes were higher. When more people could be hurt.
Take a look at mySites.guru. Get comfortable with them. Or choose another vendor. But please: Be prepared.
Have you been hacked? Do these ideas make sense? Is there something you can share to help folks learn from your experience? I’d love to read your thoughts in the Comments!