Hacked! – How To Recover From a Hacked Site

I frequently look through the WordPress Goldmine Forum to identify common problems that people are having. One of the things I do is keep a list of keywords and then search for them, e.g. amazon + disabled, deindexed, etc. It helps me get a feel for what the main issues are.

I did a search 2 days ago and noticed that a number of members had had their sites hacked. I counted 6 posts that talked about people's problems from hacking and hacking attempts.

These hacking attempts all seemed to be different: some just replaced the front page with a “you’ve been hacked” message, others changed the admin login and possibly the money links! Others added links to lots of pharma sites. (Google de-indexing, here we come.)

One thing they all had in common was that the income from the sites dropped; that is usually the first indication of an issue.

For 80% of people reading this it’s not a case of if I get hacked but when I get hacked.

There are 2 sides to hacking: recovery and prevention.

Recovering from a hacking attack can take time and effort, and all that time you are losing money.

The first step will be to do a full restore of your site. Does your host have a full backup available and the ability to restore it? Test that as soon as you finish reading this. Pick a small blog that doesn’t earn you much and rename index.php to something like xindex.php. Now ask your host to restore that site from yesterday’s backup. I am serious about this: I’ve lost count of the times that well-known hosts haven’t been doing backups properly.
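One way to judge the result of that restore drill objectively, as an added example that is not part of the original post: record a hash of every file before the drill, then compare after the host's restore. The function names and the two-file sample site are constructed for illustration.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(before, after):
    """Return (missing, extra, changed) paths in `after` measured against `before`."""
    missing = sorted(set(before) - set(after))
    extra = sorted(set(after) - set(before))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return missing, extra, changed

def write(site, name, body):
    with open(os.path.join(site, name), "wb") as fh:
        fh.write(body)

def simulate_drill():
    """Constructed demo: the restore puts files back but deletes nothing."""
    with tempfile.TemporaryDirectory() as site:
        write(site, "index.php", b"<?php // front page")
        write(site, "wp-config.php", b"<?php // settings")
        known_good = manifest(site)                       # taken before the drill
        os.rename(os.path.join(site, "index.php"), os.path.join(site, "xindex.php"))
        after_damage = compare(known_good, manifest(site))
        write(site, "index.php", b"<?php // front page")  # stand-in for the host's restore
        after_restore = compare(known_good, manifest(site))
    return after_damage, after_restore

if __name__ == "__main__":
    damage, restore = simulate_drill()
    print("after rename :", damage)
    print("after restore:", restore)
```

In the demo the restore leaves xindex.php behind as an extra file; on a really hacked site, a file the attacker added would survive the same kind of restore. This covers files only, so the database needs its own check.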

Now you need to change all your admin passwords, and they all need to be different. Ensure they are not dictionary words but something like h4dy4j66js!!@5. I use LastPass to generate and store my passwords, but there are a number of services and tools that will do that for you. It’s also a good idea, after you get your site restored as above, to practice changing the admin login and password via the MySQL database using phpMyAdmin. Yes, it’s technical, but it’s something you need to be able to do.

By now you should have recovered your site. The last thing to do is check all your adverts and links and make sure that there are no hidden links. If your backup restore was successful this should be OK, but if you’ve just restored the index.php or changed the admin password and login then you have to do this.
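The link check described above can be partly automated. This added example (not from the original post) parses a page and reports every link to a host you did not list, marking those that sit inside an element hidden with an inline style; the host names and sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles often used to hide an injected block of links.
# Hiding done through a stylesheet rule is not seen by this check.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
                    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class LinkAudit(HTMLParser):
    def __init__(self, own_host, expected_hosts):
        super().__init__()
        self.allowed = {own_host.lower()} | {h.lower() for h in expected_hosts}
        self.hidden_stack = []   # one flag per open element: hidden by inline style?
        self.findings = []       # (reason, href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host and host not in self.allowed:   # relative links have no host
                in_hidden = hidden or any(self.hidden_stack)
                self.findings.append(("hidden" if in_hidden else "unexpected host", attrs["href"]))
        if tag not in VOID:
            self.hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()

def audit_page(html, own_host, expected_hosts=()):
    """Return (reason, href) for every link to a host the owner did not list."""
    parser = LinkAudit(own_host, expected_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample: a known money link, a swapped one, and a hidden injected block.
SAMPLE = """
<p>Buy it <a href="https://affiliate.example/item?tag=mysite-20">here</a></p>
<p>Or <a href="https://other-shop.example/item?tag=someoneelse-20">here</a></p>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example/cheap">cheap pills</a>
</div>
<a href="/about">About</a>
"""
if __name__ == "__main__":
    print(audit_page(SAMPLE, "mysite.example", ["affiliate.example"]))
```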

Well done, you’ve just recovered 1 site... only 59 left to go! 🙂

Serious note time: please consider simulating an attack on one of your sites and then recovering from it. It will test your systems and your host’s systems, and if it ever does happen to you, you’ll have a plan to follow, you’ll know what to do, and you won’t panic! I used to have to take part in disaster recovery exercises for a major bank, and believe me, having done it in a testing environment made the real thing a lot easier to handle.

See what a nightmare being hacked can be.

The main thing you can do to prevent hacking is to use unique non-dictionary passwords to start with. Ensure that WordPress and all your plugins are up to date, and delete unused themes and plugins. Know where your themes come from. If I had no scruples I could easily give you a brand new theme that is guaranteed to increase conversions and include a nice little backdoor in it. Only use themes and plugins from reputable sources.

Finally, the best cure for hacking is good prevention. I have no qualms about recommending a book from one of our WPG members called Lockdown WordPress. It’s good solid information and it tells you exactly how to secure your sites to make sure you don’t get hacked. Not only that, it’s cheap!

Lockdown WordPress

About the author

Mark


12 comments
Maria Redman

Hello Mark,
Really useful information in your article. I have been using WP twin to create clones of my site – I wondered if you could advise if this is a good way of taking a backup and protecting against hackers? Also, does the WordPress login lockdown plugin provide any protection?

Mark

Maria, test your cloned sites. They should work, but you won’t know until you test it.

I have just told all my members of WPG to thrash one of their sites this weekend and then try to recover it using whatever backup system they have in place. It’s the only way to know for certain.

The Login lockdown plugin will help, but the best thing is to use a unique password with random numbers and letters and symbols. It won’t stop someone who has a back door access or has managed to find your password elsewhere.

Mike

Hi Mark,

Interesting post.

I use a script in the root folder of my blog, that protects the wp-login by reading a htaccess file in the wp-admin folder. Anyone attempting to login gets “you do not have access to the server error”

So far this has worked for me and I have had hack attempts but they haven’t got through yet….!!

I suppose I should market the script, but being a lazy git – ’nough said.

Cheers

Mike

john

Mark – My host, HostGator, allows me to do a full backup of my entire site (including all add-on domains, shared hosting). It appears as though I have to back up everything and restore everything – no cherry picking. Is there a better hosting package that would allow single-site backup/restore, such as reseller or VPS? What type of service do you use? Thanks

Mark

John, I use VPS.net. I have a tech guy who I pay £40 a month to handle all the tech stuff.

Julie

@Mike – I think putting a ‘block ALL IP’s’ script in the root folder means that your entire website is then blocked from view from all IP’s, (except your own). I also block my log-ins from ALL IP’s by placing the script in the Admin Folder only. Could be wrong but it’s just worth checking that your blog is viewable to others.

james

Need help!!! I just installed a plugin and then viewed my site and it’s working. Then I changed to another theme and activated it, but it goes directly to the login http://sample.com/wp-login.php and I can’t log in, and then the site is empty. Is there a solution to this?

Mark

That’s one of the weirdest comments I’ve had 🙂

If you are sure it’s the plugin and not just your browser caching the login page, then FTP to the site and rename the complete plugin folder to something like xplugins; that will deactivate all the plugins. If you are certain it’s just 1 plugin doing it, then rename that plugin.

Jim Fortune

Hi!

Thank you for posting this article. All of my blogs that I host at one web host company got hacked. I had back doors on about 2/3 of them but not on several important ones. I’m – Sadder but wiser – now and this post makes me more aware that the problem is worse than just me. Thank you for your tips.

Mike

I just got hacked! You guys should take Mark’s advice here because it really is a nightmare when your sites are messed with. Such a pain in the butt!

Anthony Somerset

In 90% of my time working with clients with WP sites, I’ve found the cause to be 1 of 3 things within WP (in order of most common):

1) outdated and insecure themes that use old and insecure versions of timthumb.php (or often just thumb.php) – manually updating this one file often closed most attack vectors
2) outdated and poorly coded plugins – updating plugins regularly and switching to better quality plugins is a good idea – even better, minimise your plugin usage to only necessary plugins, especially if you could do the same thing with a code snippet dropped into theme code
3) out-of-date WordPress versions – seriously, keeping your core code up to date is key – WP is a popular platform so it makes an easy target for malicious users to look for holes; keep it updated for latest security fixes

I guess I could make a blog post on this at some point 😛

Mark

Thanks For The Tips Anthony!
BTW if anyone needs a top-notch tech to look after their servers or VPSs... Anthony is your guy.
