Malware on WordPress
We recently had a client contact us about a WordPress website they were not able to log into. They said “I think my website was hacked!” and asked us to troubleshoot and repair the site. On our initial inspection we discovered not only could they not log in but the entire site was down.
What exactly is a “Hacked Website”?
A website can get hacked many times. When a site is hacked, the hacker will generally put malware on your website so they or others can access it later. They do this to spread spam, for clicks (if they’re running a CPC or CPM ad network), or for any other reason you can think of. They may even be doing it for fun, just to show off or create mayhem. A hacked website is not always malicious and as such does not have to be repaired immediately, but lately we have seen an increase in clients asking us to look into hacked websites.
By definition a “Hacked Website” is one where files on a website have been changed to intentionally interrupt the normal operation of the site or its hosting server. In-depth analysis can suggest whether a hacker was looking to cover up their tracks, or just for fame and for glory.
A hacked website is usually caused by compromised passwords. Once a hacker has your password they will try it out against a few other websites to see if they can gain access. The more complex your password, the harder it is for them to crack; even a shorter password can be secure if it’s complex enough. So make your passwords complex and unique, and change them regularly!
What Does a Hacked Website Look Like?
Here are some common signs of a hacked website:
- A strange domain name in the address bar. This is a sure-fire sign that something isn’t quite right. While you don’t need to know how it got there, you should take immediate action to remove it.
- Unusual messages when accessing your files. These may be phrases such as “404 NOT FOUND”, “this page has moved” or the message could even come from a different website.
- Your files are damaged, or any other unexpected files appear within them. If you aren’t sure what the file is, try to delete it and see if that helps.
- Strange error messages. Again, these may come from a different website or could be generated by your own files. Check to see if this problem persists before undertaking any urgent action.
- Strange files on your website or strange changes to your files. These could be anything from a testing page from the hacker, to malware injected into your pages.
- A lower ranking in search engines for certain terms than you normally expect. If you suddenly find that it takes longer for visitors to reach your site, check if this problem is being caused by a hacked website.
- Your site appears to be “hanging” (stuck in an infinite loop). If it’s taking a long time for your site to respond, this may be the result of a hacker using malicious software or code that freezes your page and prevents visitors from reaching it.
WordPress is very popular and this popularity makes it a prime target for hackers and spammers. Sometimes the efforts of spammers are successful yet not really damaging but sometimes the results are devastating and can cripple your website. Regardless of how invasive the attacks are, they all cause huge problems for the owner of the website. There are some effective modifications you can make on your WordPress website to make it more secure and protect it from the people with bad intentions. Read our Website Protection Tips to learn more about how to lock down your site.
What To Do When You Realize…
My Website Was Hacked
First, don’t panic. Slow down and resist the urge to start trying different things to fix the problem. Doing so will often make things worse.
How We Fixed This Website
After getting access to their hosting provider (who shall remain nameless) we set up a new FTP account. When we looked at the files there were numerous .PHP files that had been renamed with the suffix .suspected. We tried renaming the plugins folder but that made no difference. We ended up deleting everything on the site except the wp-content folder and the wp-config.php file. Then we uploaded a fresh WordPress installation.
Next we added the plugins back in one at a time, with the exception of one folder in the plugins folder named “normalstiil”. The client didn’t recognize the name, and it turned out to contain a file named bouncer that was infected with a virus.
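A read-only check for the two things found during this cleanup, files renamed with the .suspected suffix and a plugin folder the owner does not recognize, can be scripted so nothing is changed before you know what is there. This is an added example, not part of the original post; the function names, the list of known plugins and the sample directory tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path


def audit_wordpress(root, known_plugins):
    """List *.suspected files and plugin folders missing from known_plugins."""
    root = Path(root)
    known = {name.lower() for name in known_plugins}
    # Check 1: files renamed with a ".suspected" suffix, anywhere under the root.
    suspected = sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name.lower().endswith(".suspected")
    )
    # Check 2: folders in wp-content/plugins that are not on the owner's list.
    unknown = []
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for entry in sorted(plugins_dir.iterdir()):
            if entry.is_dir() and entry.name.lower() not in known:
                files = sorted(f.relative_to(entry).as_posix()
                               for f in entry.rglob("*") if f.is_file())
                unknown.append({"plugin": entry.name, "files": files})
    return {"suspected_files": suspected, "unknown_plugins": unknown}


def build_sample_site(base):
    """Constructed sample tree; file names and contents are placeholders."""
    site = Path(base) / "site"
    for rel in ("wp-config.php",
                "index.php.suspected",
                "wp-includes/load.php.suspected",
                "wp-content/plugins/akismet/akismet.php",
                "wp-content/plugins/normalstiil/bouncer"):
        path = site / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")
    return site


def demo():
    """Run the audit against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_wordpress(build_sample_site(tmp), known_plugins=["akismet"])


if __name__ == "__main__":
    report = demo()
    for name in report["suspected_files"]:
        print("renamed file:", name)
    for item in report["unknown_plugins"]:
        print("unrecognized plugin folder:", item["plugin"], item["files"])
```

To use it on a real site, point `audit_wordpress` at a downloaded copy of the site files and pass the plugin folder names the owner actually installed.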
Back In Business
The end result is that we were able to get the site back up and operational without losing any of the client’s data. If you manage your own WordPress website you should review your site on a regular basis.
This particular website had a ton of spam in the comments which we deleted and then turned comments off.
There were also several posts the client didn’t make. This further emphasizes the need to monitor your site regularly.
If you have any questions or would like additional information, please Contact Us.