Recovering from a Hacked WordPress Site
Have you ever had to recover from a WordPress hack? I’ve worked with a lot of people who have. It’s terrifying if a malicious actor damages your site. Your site represents hours and hours of your work. It represents your relationship to your members. You’re going to be anxious to get it back under your control! So, what do you do?
The time to decide that is well in advance of the attack. When you realize you’ve been attacked, it’s too late to start looking in Google for help. How would you know which experts to trust? What criteria would you use to decide if they’re right for you? It’s hard to objectively think through stuff like that when you know that each second you delay, your site could be infecting your readers with malware. Those are the same readers you worked your butt off to attract to your site. Sure, you want to give readers more than they expect. But not if it’s malware!
In this post, I’ll share some of the experience I’ve had helping folks detox sites. I should warn you up front: Some attacks are so tenacious and the fallout so dangerous, it could put your data in jeopardy. You might completely lose your site. But more often than not, there are ways to get your site back up and running.
Start with Prevention!
It’s a good idea to start with a plan to keep your site from being hacked in the first place. You won’t need to recover from a WordPress hack if you prevent the attack in the first place! There are some simple things you could do, and you’re probably already doing a lot of them! Here are some posts I put together to try to help you stay safe:
- Ani-Blogging Safety Tips: Keep Your Domain Name Safe!
- Ani-Blogging Safety Tips: Very Basics Tips For WordPress
- Ani-Blogging Safety Tips: Keeping Your Readers Safe
- Ani-Blogging Safety Tips: Backups And Testing Major Changes
- Ani-Blogging Safety Tips: Keeping Your Site Yours — No Free Lunch Edition
If any of those topics don’t look familiar to you, please do check them out. I’m a selfish pig. When I go surfing anime sites Friday nights, I want to find cool and amazing anime content! I don’t want to run into indicators of compromise, which is security speak for proof of a hack! So, please, do your part to keep my Friday nights fun!
Because that also means your site is up and running!
You might notice that this post is part of Blog Shop Talk and not Ani-Blogging Safety. That’s because I see my safety posts as ways to prevent an attack from succeeding. If the attack succeeds, then it’s time to recover, and that’s certainly not prevention!
Anatomy of How to Recover from a WordPress Hack
How To Know If You Need to Recover from a WordPress Hack
Before you can recover from a WordPress hack, you have to realize you’ve been hacked. So, how can you tell? Here are some real-life examples I’ve discovered not only in my job, but during my Friday night excursions into the ani-blogging sphere:
- Your site prompts readers to install Adobe Flash, which hasn’t been a thing for a while now
- Your site redirects to some cheesy used tire site
- Your site makes readers’ browsers start blinking with messages saying that their computer’s toast and they need to call a 1-800 number to recover
- Mozilla Firefox or Chrome throw up a message saying you’d be flat out nuts to try to go to your site
Hmmmm…. This looks kinda bad…
Okay, that last one is really short-hand for, “Firefox blocked this page because it may trick you into doing something dangerous like installing software or revealing personal information.” Same idea, but I used fewer words.
Do you notice something about those indicators of compromise (IOCs)? As your site’s WordPress admin, you would not have seen any of these. Attacks will very often be invisible to you as the admin. That’s why I try to notify site owners when I see their site showing an IOC. But it suggests that from time to time, you should visit your own site, preferably in incognito mode, so you can see the site as your readers see it.
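As an added example (not part of the original post), here is a small shell script that does the "see the site as your readers see it" check on a downloaded page: it fetches without any WordPress login cookie, records where the request finally landed, and greps the body for the four symptoms listed above. Injected code often hides from logged-in admins and shows itself only to anonymous visitors, which is why the fetch deliberately looks like a fresh browser. The hostnames and the sample page are constructed for the demo; the live-site wrapper assumes curl is installed.

```shell
#!/bin/sh
# Added example, not from the original post: look at a page the way a reader's
# fresh browser would (no WordPress login cookie) and flag the indicators of
# compromise listed above. Hostnames and sample text below are constructed.

# host_of URL : prints the hostname part of a URL
host_of() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://([^/:]+).*#\1#'
}

# inspect_page HTML_FILE REQUESTED_HOST FINAL_URL
# Prints one line per indicator found. Returns 0 when clean, 1 otherwise.
inspect_page() {
    html="$1"; requested_host="$2"; final_url="$3"; found=0

    # 1. The request ended up on another site (the "used tire site" symptom).
    if [ "$(host_of "$final_url")" != "$requested_host" ]; then
        echo "IOC: $requested_host redirected to $(host_of "$final_url")"
        found=1
    fi
    # 2. A redirect planted in the page body itself.
    if grep -iqE '<meta[^>]+http-equiv=.?refresh|window\.location(\.href)?[[:space:]]*=' "$html"; then
        echo "IOC: client-side redirect in page body"
        found=1
    fi
    # 3. A prompt to install Flash, which no legitimate site needs any more.
    if grep -iqE '(install|update)[^<]{0,40}(adobe )?flash' "$html"; then
        echo "IOC: visitor is told to install Flash"
        found=1
    fi
    # 4. Tech-support scam text: "your computer is infected, call 1-800-...".
    if grep -iqE '(computer|pc)[^<]{0,60}(infected|locked|virus)' "$html" ||
       grep -qE '1-8(00|88|77|66)-[0-9]{3}-[0-9]{4}' "$html"; then
        echo "IOC: tech-support scam text"
        found=1
    fi
    return $found
}

# check_live_site URL : fetch as an anonymous browser and run inspect_page.
# Hypothetical wrapper; needs curl and network access, so it is not run below.
check_live_site() {
    body=$(mktemp)
    final=$(curl -sL -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' \
                 -o "$body" -w '%{url_effective}' "$1")
    if inspect_page "$body" "$(host_of "$1")" "$final"; then status=0; else status=1; fi
    rm -f "$body"
    return $status
}

# make_sample_page : writes a constructed page showing several symptoms at once
make_sample_page() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<html><body>
<h1>WARNING: your computer is infected!</h1>
<p>Call 1-800-555-0100 now to recover your files.</p>
<script>window.location = "http://tires.example/";</script>
</body></html>
EOF
    echo "$f"
}

# Offline demo on the constructed page; for a real check use check_live_site.
sample=$(make_sample_page)
inspect_page "$sample" example.com http://example.com/ || echo "sample page is NOT clean"
rm -f "$sample"
```

Run it against your own site with `check_live_site https://your-site.example/` from a machine where you are not logged in; a clean page prints nothing and exits 0. The string checks are deliberately crude and will need tuning for your theme, but a sudden redirect to a different host is a strong signal on its own.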
You’re Hacked — Now What?
Two Potential Paths to Recover from a WordPress Hack
There are two paths forward from here. You can recover the site yourself, using your backups and technical knowledge to rebuild the site. Or, you can reach out to an expert to help you.
You might think I’m being facetious with the first option, but I’m not. If you’re someone like James from Chikorita157’s Anime Blog, you can rebuild your site from scratch. Dude knows his stuff — he even rolls his own servers, as he discussed in his post “Anime Blogging and Hosting – Why You Should Start One On a Virtual Private Server Instead on WordPress.com.” In the event of infection, James would likely back up the web server’s log files. Then he would check his site’s data to see if it was still safe. If it was, he’d probably scrape off the operating system, lay it back down from a known-good source, reinstall the database (also from a known-good source), reinstall the web server, reinstall WordPress, and finally restore the data.
Then he’d comb through the log backups and see what the heck happened and change his procedures to make sure it didn’t happen again.
What does Tohka Yatogami have to do with this? Why, in the event a malicious actor… Nah. She has nothing to do with this. I just realized I don’t have enough screen caps of Tohka on my site. Capture from the Crunchyroll stream.
Is Self-Recovery for You?
Self-recovery is a great option if you have the expertise to pull it off — and the time. The elapsed time of your outage will likely be less than if you have to reach out to an expert. But it’ll take a chunk of your time. How long depends on the size of your site and how often you’ve had to do something like this.
I can’t really advise you on exactly what to do. Sure, I’ve had experience doing that sort of thing. I was rebuilding from backups back in the mid-1980s, so it’s not like I haven’t done it before. But the possible paths forward depend so much on the type of damage done and the extent of that damage that it would be better if I train you in operating system, web server, and WordPress application support first. Then we’d probably DM about ideas on how to proceed.
And wow, that sounds exhausting, doesn’t it?
Reaching out to an expert is nothing to be ashamed of. At my stage of life, for my peace of mind alone (not to mention my time), I’d likely ask a professional to help me recover from a WordPress hack. Finding a vendor who’s both reasonably priced and trustworthy isn’t trivial. But I’d like to share my experience in the hopes it’ll help you.
Asking for Professional Help to Recover from a WordPress Hack
Find a Vendor Before You Need a Vendor to Recover from a WordPress Hack
You absolutely do not want to be scrambling to look for a vendor after you realize you’ve been hacked. The clock’s ticking, and you don’t have time for an exhaustive search. So, I suggest you start now. This very minute. Or as close to it as you can get and not trash your schedule. Trashing your schedule would suck.
I’m going to share the vendor I’ve used multiple times in the past. Their pricing is not only reasonable. It’s generous. This vendor will run a free checkup on your first site, no questions asked. They don’t even ask for your credit card. Best of all? The results are great. So great they can help you see how bad the problem is before you pull the trigger and ask for their help. Then they’ll offer to help you stay safe — for a reasonable fee.
To me, those are signs that the vendor is serious about good service.
The customer service at mySites.guru might not be quite as good as what you’d get at Wagnaria. But it’s really good. And I promise they won’t hit you nearly as hard as Imani would! Capture from the Crunchyroll stream.
I’ve Had Great Luck with mySites.guru
The vendor I’m talking about is mySites.guru. Their pricing plans go everywhere from free for the initial assessment, to £5.00 a month for a single site’s monitoring, to all the way up to £199.99 a year for unlimited sites. The latter is a bargain if you have a lot of sites to manage. A genius Joomla admin introduced me to the site, and I’ve been impressed ever since. mySites.guru supports both Joomla and WordPress, so either way, they have you covered.
What I’m suggesting is that you look at subscribing to something like this if you’re serious about blogging in the long term. WordPress used to have a poor reputation for security, but it’s solid now. As a security practitioner, I have no concerns about WordPress. Certainly not any more than any web-based application.
But malicious actors are motivated by money. And let me tell you: Ransomware and other malware is a gigantic growth industry. It’s best to try to stay safe and prepare just in case someone’s desire for a new beach home drives them to compromise your site.
A Quick Walkthrough of mySites.guru
Let me give you a quick tour of what mySites.guru will tell you about your site. It’s smart to go through this exercise now so that if you do think you’ve been hacked, you’ll know how a hacked site looks different from a healthy site. The examples I’ll walk you through show what a healthy site looks like.
I hope, anyway. Wouldn’t it be ironic if I find out I’ve been hacked? Well, then I could just write about that then, I guess! Though it would legitimately erode my reputation as a security practitioner!
When you first sign up, mySites.guru walks you through setting up your site for the first scan. When you get to the prompt asking you to install a plugin, it’s terrifying. This is exactly what you’d expect a malicious actor/malware purveyor to do! But that’s why you prepare now. You can investigate mySites.guru and become comfortable that they’re legitimate. Before you’re under pressure to resurrect your site. When you have time to understand that installing this plugin is safe.
Once you install the plugin, two things happen. You get a quick site audit and then later you get an in-depth analysis.
By “quick site audit,” I mean quick. It happened in less than a minute for me. Here’s an example of what I saw:
The Snapshot has a ton of great information. While you’re waiting for the Audit, go through mySites.guru’s suggestions.
As a person who’s built PHP applications, I really liked what the Snapshot showed me. Let’s walk through an example. In the figure above, do you see the “Password Protect WP-Admin” entry? If I click on “Investigate,” I would see this:
This tells me what I need to know about an additional layer of password protection I could place on my WordPress administration functions.
If the idea of .htaccess makes no sense to you, don’t worry about it. It’s an Apache web server configuration file, and with it you can put a web-server ID and password in front of your admin pages, in addition to the login WordPress gives you. Is it required? No. Is it helpful? Sure! More security is always helpful. But do you need it? I don’t have it — at least not yet. I don’t want to enter two IDs and two passwords to get to WordPress’s admin functions. But I’m taking a calculated risk. If I ever get into a situation where someone hacked into my site because I didn’t have .htaccess set up? I’d change my mind right quick.
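For readers who do want that extra layer, here is an added example (not from the post, and not mySites.guru’s code) of what the .htaccess protection on wp-admin looks like and a helper that creates the password file. It assumes an Apache 2.4 host that honours .htaccess files for the WordPress directory (AllowOverride AuthConfig); the /etc/apache2/wp-admin.htpasswd path is a placeholder, and the password file should live outside the web root.

```shell
#!/bin/sh
# Added example, not from the post or from mySites.guru: HTTP basic auth in
# front of wp-admin via .htaccess, the "additional layer of password
# protection" described above. Assumes Apache 2.4 with AllowOverride AuthConfig
# for the WordPress directory; the .htpasswd path is a placeholder and should
# point outside the web root.

# write_wp_admin_protection WP_ROOT HTPASSWD_PATH
# Writes WP_ROOT/wp-admin/.htaccess and prints the path written.
write_wp_admin_protection() {
    wp_root="$1"; htpasswd_path="$2"
    mkdir -p "$wp_root/wp-admin"
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile $htpasswd_path
Require valid-user

# admin-ajax.php is also called by the public site (themes, comment forms),
# so leave it open or logged-out readers will get a password prompt.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
    echo "$wp_root/wp-admin/.htaccess"
}

# add_admin_user HTPASSWD_PATH USERNAME
# Creates or updates the user with a bcrypt hash (htpasswd -B, Apache >= 2.4.4).
# Prompts for the password interactively, so it is not run in the demo below.
add_admin_user() {
    if ! command -v htpasswd >/dev/null 2>&1; then
        echo "htpasswd not found (Debian/Ubuntu package: apache2-utils)" >&2
        return 1
    fi
    if [ -f "$1" ]; then htpasswd -B "$1" "$2"; else htpasswd -B -c "$1" "$2"; fi
}

# Demo against a throwaway directory; the .htpasswd path is a placeholder.
demo=$(mktemp -d)
cat "$(write_wp_admin_protection "$demo" /etc/apache2/wp-admin.htpasswd)"
rm -r "$demo"
```

On a real install you would run `write_wp_admin_protection /var/www/html /etc/apache2/wp-admin.htpasswd` followed by `add_admin_user /etc/apache2/wp-admin.htpasswd yourname`, then load wp-admin in an incognito window to confirm the browser prompt appears and that the public site (including comment forms) still works.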
You can go through the other red items in the snapshot. It’s unlikely any of them are indications of compromise, but it’s good to have something to do while mySites.guru completes the Audit. That’s where you can really see how badly you’ve been hacked.
It’s great that mySites.guru gives you the Snapshot feature to keep you busy. Very large sites can take up to an hour to audit.
As I prepared to write this post, I checked mySites.guru’s audit of my site. At first, I was a bit alarmed at the volume of red on the display:
Should I be worried about all that red under “Hacked?”
As a security practitioner, I’ve gotten to the point where I can recognize a security scam a mile away. “Buy our stuff or you’re toast!” is a common refrain. So when I first saw all those red indicators under “Hacked?” the first time I used mySites.guru, I felt a sinking feeling. “Here we go again,” I incorrectly thought.
This is where the site distinguished itself yet again. Notice the “Investigate” button beside the four red or orange items? It lets you drill down to see if that problem is real or not. A bogus site wouldn’t give you more information. They’d just try to get your cash. So it’s a good sign that mySites.guru goes to the effort to help you decide what’s going on.
Malicious Patterns in Files
If I click on the “Investigate” button beside “Check Suspect/Malicious Pattern Matched Content in Files,” I see something like this:
If a site tries to educate you, you can almost always take it as a good sign.
Do you see “A Huge Warning!!!!” That’s a good sign. mySites.guru is very clear on the potential implications of not being disciplined about how you click. Again — a bogus site wouldn’t go to that effort. This is another sign that you can trust mySites.guru.
I paged down to see a list of files on my site. That list shows files that have strings that mySites.guru has seen in files on hacked sites. Those strings aren’t proof, but they are things you need to look at. In effect, that means a lot of the files in this list (all of the files in my case) don’t really belong on the hacked list. Why? Because there’s a lot in common between hacked files and not hacked files. And that’s okay! Here’s something else the same page says above the list of files:
This is probably the strongest sign that you can trust this site. A bogus site would never admit they might be wrong.
Reviewing the Patterns
When I paged down, I saw the list of files mySites.guru thought might be infected. Each file had icons beside it, and those icons would let me:
- Delete the file: Not recommended unless you know what the heck you’re doing. I’ll put it this way: I’ve supported operating systems since the late 1980s, and I wouldn’t click this. I don’t know WordPress well enough.
- Edit File: Same note as “Delete the file,” but not as urgent. There’s a slight chance I might recognize an attack on a cascading style sheet (CSS) file. But it’s really unlikely.
- Search the file (the magnifying glass): This shows the file with the possible problem highlighted in red.
I chose the magnifying glass for a file called “sabberworm/php-css-parser/lib/Sabberworm/CSS/CSSList/CSSList.php.” First, what the heck? A file named sabberworm? Isn’t that a dead giveaway?
Turns out, it’s a legitimate file. I determined that checking the vendor through Google. But were the contents still okay? Here’s what mySites.guru showed me:
This turned out to be safe. How do I know? Well, I really don’t…
The variable looked okay. But how could I be sure?
How Do You Know If the Pattern is Okay or Not?
Here’s the problem: You don’t. By becoming familiar with your site before a hack, you can see what’s normal and what is not. But after a hack, how can you tell exactly what’s malicious and what is not? Unless you can read the file’s language and know its context within WordPress, you can’t really know. In my case, PHP is one of my strongest programming languages. Looking at this example, I concluded that a simple boolean expression is probably not dangerous. I strongly suspect that’s accurate.
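To make the file-pattern idea concrete, here is an added example (this is not mySites.guru’s scanner, whose pattern list the post does not show) that greps a WordPress tree for strings that commonly turn up in injected PHP and prints each hit with its file and line. It also builds a constructed two-file plugin directory: one benign file containing a plain boolean expression, like the CSSList.php hit above, and one file whose shape (obfuscated code executed at load time) is what such scans key on. The pattern list is this example’s own assumption, and like any list of this kind it will flag legitimate code too.

```shell
#!/bin/sh
# Added example, not mySites.guru's scanner (the post does not list its patterns):
# a grep pass over a WordPress tree for strings that often appear in injected
# PHP, printed with file and line so a person can judge each hit. The pattern
# list is this example's own assumption and, like any such list, produces
# false positives on legitimate code.

PATTERNS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\([^)]*/e'

# scan_tree DIR : prints "file:line:text" for every matching line in .php/.js files.
# /dev/null is passed so grep always prints the file name, even for a single file.
scan_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -print0 2>/dev/null \
        | xargs -0 grep -nE "$PATTERNS" /dev/null 2>/dev/null || true
}

# count_hits DIR : number of flagged lines; a jump from one run to the next is
# more telling than the absolute number.
count_hits() { scan_tree "$1" | wc -l | tr -d ' '; }

# changed_since DIR DAYS : files modified in the last DAYS days. After a hack,
# recently changed core and plugin files are the first ones to read.
changed_since() { find "$1" -type f -mtime -"$2" -print; }

# make_sample_tree : builds a constructed plugin directory with one benign file
# (a plain boolean expression, like the CSSList.php hit in the post) and one
# file whose shape, obfuscated code executed at load time, is what the scan
# keys on. The base64 string decodes to a harmless echo.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/demo"
    cat > "$d/wp-content/plugins/demo/ok.php" <<'EOF'
<?php
function is_empty_list($items) { return $items === null || count($items) === 0; }
EOF
    cat > "$d/wp-content/plugins/demo/bad.php" <<'EOF'
<?php
eval(base64_decode('ZWNobyAiaGVsbG8iOw=='));
EOF
    echo "$d"
}

sample=$(make_sample_tree)
echo "flagged lines: $(count_hits "$sample")"
scan_tree "$sample"
rm -r "$sample"
```

Run `scan_tree /path/to/wordpress` on a known-good copy first and keep the output; after a suspected hack, the useful question is which hits are new, and `changed_since /path/to/wordpress 7` narrows the reading list further. Minified JavaScript and some legitimate plugins do call eval and base64_decode, which is exactly why a hit is a reason to look, not proof of compromise.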
But we might not be sure. We might have no idea. Further, you might not want to care — your interest in WordPress might be in how well it can publicize your writing, not in how it works. And that’s okay. You might drive a car, but not be able to field-strip the transmission. This post’s goal is to acquaint you with one possible vendor — mySites.guru — and get you comfortable with them.
If you look at that screen shot above and feel a thrill of “I don’t know what that means,” then you are at your decision point. If you’ve been hacked, you should now have a level of confidence in mySites.guru. If you’ve been hacked, you should be ready to click the icon that says “Request Paid Consultancy”:
Honest to goodness, it’s okay to ask for help.
The Rest of mySites.guru Works Like That
I could show you more screen shots, but really, my goal was to give you a way to prepare for a time when some malicious actor might attack your site — and succeed. I can’t tell you the number of times I’ve been on my Friday night tour of anime sites and encountered a site that seems compromised.
By “can’t tell you” I mean that literally. I try to track down the site owner and let them know, and I’ll often update the Massive List of Anime Sites to indicate there’s a problem. But I only give details to the site owner. I keep that conversation private. I ain’t the best person in the world. But if I can help someone recover from a crisis, that makes me happy. The world has enough sharp edges as it is. Maybe the best I can do is let you know that someone’s looking out for you.
But Wait… What Do I Do to Recover from a WordPress Hack?
If you can’t fix the problem yourself, then my goal was to introduce you to a vendor that could. I didn’t just want to try to say, “I am Security Man. Protector of all Things Electronic! Believe Me.” That’s primarily because you would have pointed and laughed if I had done that.
But I wanted to do something to help. So, I introduced you to mySites.guru as a vendor I trust. I tried to show you why you can trust them, too. And I encouraged you to explore that possibility before you needed it.
Does that make sense? I hope it does. You’re smart folks. You write blog posts that share your analysis of anime with the world. You know what you’re doing, but this security stuff can become specialized real fast. If your site gets hacked, I wanted to connect you to professionals who could help. That idea drove the samples I selected. It also drove which screen shots I shared. I wanted to give you the clearest possible idea of what you could do.
I sure hope I succeeded.
I’ve been writing computer programs since the late 1970s. If there’s one thing that experience has taught me, it’s that I should have been a Boy Scout instead of quitting at Cub Scouts. I should have learned “Be Prepared” when I was a kid. Then I would not have had to learn it in a professional environment. When the stakes were higher. When more people could be hurt.
Take a look at mySites.guru. Get comfortable with them. Or choose another vendor. But please: Be prepared.
Have you been hacked? Do these ideas make sense? Is there something you can share to help folks learn from your experience? I’d love to read your thoughts in the Comments!
16 thoughts on “Recover from a WordPress Hack – Blog Shop Talk”
Thanks for the mention. Yes, there are a good number of solutions out there, which allow the user to do a scan for vulnerabilities and even provide a Web Application Firewall. I personally use Wordfence, which has a firewall and a scanner, although it’s only the free version. I do suggest users to check out the solutions that work best. However, these security plugins or scanners are only good at the application layer as attackers can exploit other aspects such as PHP, web server, database server, operating system, etc.
Shared hosting for the most part tend to be a bit behind on installing up to date versions of things like PHP, Apache, Mysql, etc. It may not be the case with every host, but I prefer setting up my own virtual private server, do the hardening, and manage everything myself. Of course, this is not as user friendly as it requires some knowledge of Linux. But since I do system administration of both Windows and Unix servers at work, it’s a no brainer.
Most VPS services allow you to have automatic backups for a little more per month and hopefully not in the same data center. That won’t help when the disaster hits like a fire that happened at one of the data centers in OVH. I have enabled backups on my VPS that hosts my blog, for the app I develop (and web APIs), which gets taken every day and I can restore up to 7 days of backups. My hosting provider, BuyVM/Frantech will store backups offsite in the near future, so it’s a no-brainer. Regardless, I still download or rsync backups to my 4 hard drive Thunderbolt RAID array on my Mac mini and Jetpack doing backups too.
Still, that reminds me, I need to migrate away from Ubuntu 10.14 LTS during extended support to Red Hat Enterprise Linux 8 for longer support (and I need to support it for my job).
You’re lucky that you can do that work. But think of the time you invested in learning everything that lets you do all this work yourself.
Not everyone can make that investment.
Interesting you’re moving from Ubuntu to RHEL. Personally, I love RHEL. They offer a stable product, and their support for the OpenJDK impresses me. I love JBoss and OpenStack. I even like Fuse! I used it before RedHat bought it.
Recently, I’ve found that LTS versions of Ubuntu give me more recent versions of MySQL, Apache, PHP, and PostgreSQL. Not sure if “more recent” translates into more secure, but often, Ubuntu has features I can’t get in RHEL.
Still, it pays to be up to date on both. I think in terms of leading-edge servers, it’s either RHEL or Ubuntu. TBH? It’s both.
I think it’s cool that you download your sites to Thunderbolt RAID with your Mac mini. I download mine to an OWC Softraid-managed Thunderbay. It’s aging; it only has 9Gb usable. But man, it’s been rock-solid!
Thank you for sharing this excellent information. It’s honest folx like you who make it possible for those of us less educated in computer science to still enjoy the internet and the communication and good things it brings, despite a few greedy and dishonest bastids.
Thanks! That’s very kind of you to say!
That’s a lot to absorb. But I do think I’ll check out mySites.guru tomorrow. . .thanks!
I’d love to know what you think after checking them out!
Actually, things didn’t go so well. I tried to register my site and got shut down cold: “Your registration has been forbidden as we think you are a bot. Please contact us if you are human. (Code:6)” WTH is this? I don’t even understand what happened, here. . .
I coincidentally got an e-mail from his site, so I took the opportunity to ask about that message. I’ll let you know what I hear!
I got this response already:
“Code 6 is currently stopping HOTMAIL and YAHOO email addresses from registering for the next few weeks as we had 1000s of registrations from bots.
It’s scheduled to end this url at the end of the month.
Sorry about that. If he uses a non-hotmail and non-yahoo email address he can sign up ”
So it sounds like he’s come under a bot attack recently.
I hope this helps — and I hope you can get it sorted! In a sense (though a frustrating one), this is good news. It means the vendor identifies and takes action against attacks on their own platform!
Thanks! I’ll try again in May.
Wow thanks . I’ll be bookmarking this for future reference.
I hope you never have to use it!
Yeah same here.