This week was pretty busy. One of the non-profits that I know found themselves in quite a predicament – their WordPress site was infected with malware. The site was hacked and scripts were executed on visitors that did two different things:
- Tried to infect Microsoft Windows with malware.
- Redirected all users to a site that utilized JavaScript to harness the visitor’s PC to mine cryptocurrency.
I discovered the site was hacked when I visited it after clicking through on their latest newsletter and I immediately notified them of what was going on. Unfortunately, it was quite an aggressive attack that I was able to remove but immediately reinfected the site upon going live. This is a pretty common practice by malware hackers – they not only hack the site, they also either add an administrative user to the site or alter a core WordPress file that re-injects the hack if removed.
Malware is an ongoing issue on the web. Malware is utilized to inflate click-through rates on ads (ad fraud), inflate site statistics to overcharge advertisers, try and attain access to visitors’ financial and personal data, and most recently – to mine cryptocurrency. Miners get paid well for mining data but the cost to build mining machines and pay the electric bills for them is significant. By secretly harnessing computers, miners can make money without the expense.
WordPress and other common platforms are huge targets for hackers since they are the foundation of so many sites on the web. Additionally, WordPress has a theme and plugin architecture that doesn’t protect core site files from security holes. Additionally, the WordPress community is outstanding at identifying and patching security holes – but site owners are not as vigilant about keeping their site updated with the latest versions.
This particular site was hosted on GoDaddy’s traditional web hosting (not Managed WordPress hosting), which offers zero protection. Of course, they offer a Malware Scanner and removal service, though. Managed WordPress hosting companies such as Flywheel, WP Engine, LiquidWeb, GoDaddy, and Pantheon all offer automated updates to keep your sites up to date when issues are identified and patched. Most have malware scanning and blacklisted themes and plugins to help site owners prevent a hack. Some companies go a step further – Kinsta – a high-performance Managed WordPress host – even offers a security guarantee.
Additionally, the team at Jetpack offers a great service for automatically checking your site for malware and other vulnerabilities on a daily basis. This is an ideal solution if you’re self-hosting WordPress on your own infrastructure.
You can also utilize an affordable third-party malware scanning service like Site Scanners, which will scan your site daily and let you know whether or not you’re blacklisted on active malware monitoring services.
Is Your Site Blacklisted for Malware:
There are a lot of sites online that promote checking your site for malware, but keep in mind that most of them are not actually checking your site at all in real-time. Real-time malware scanning requires a third-party crawling tool that can not instantaneously provide results. The sites that provide an instantaneous check are sites that previously found your site had malware. Some of the malware checking sites on the web are:
- Google Transparency Report – if your site is registered with Webmasters, they’ll immediately alert you when they crawl your site and find malware on it.
- Norton Safe Web – Norton also operates web browser plugins and operating system software that will block users from evening opening your page if they’ve blacklisted it. Website owners can register on the site and request their site be re-evaluated once it’s clean.
- Sucuri – Sucuri maintains a list of malware sites along with a report on where they’ve been blacklisted. If your site is cleaned up, you’ll see a Force a Re-Scan link under the listing (in very small print). Sucuri has an outstanding plugin that detects issues… and then pushes you into an annual contract to remove them.
- Yandex – if you search Yandex for your domain and see “According to Yandex, this site might be dangerous”, you can register for Yandex webmasters, add your site, navigate to Security and Violations, and request your site be cleared.
- Phishtank – Some hackers will put phishing scripts on your site, which can get your domain listed as a phishing domain. If you enter the exact, full URL of the reported malware page in Phishtank, you can register with Phishtank and vote whether or not it’s truly a phishing site.
Unless your site is registered and you have a monitoring account somewhere, you will probably get a report from a user of one of these services. Don’t ignore the alert… while you may not see a problem, false positives rarely happen. These issues can get your site de-indexed from search engines and blocked from browsers. Worse, your potential clients and existing customers may wonder what kind of organization they’re working with.
How do You Check for Malware?
Several of the companies above speak to how difficult it is to find malware but it’s not quite so difficult. The difficulty is actually figuring out how it got into your site! Malicious code is most often located in:
- Maintenance – Before anything, point it to a maintenance page and back up your site. Don’t utilize WordPress’ default maintenance or a maintenance plugin as those will still execute WordPress on the server. You want to ensure no one is executing any PHP file on the site. While you’re at it, check your .htaccess file on the webserver to ensure it doesn’t have rogue code that may be redirecting traffic.
- Search your site’s files via SFTP or FTP and identify the latest file changes in plugins, themes, or core WordPress files. Open those files and look for any edits that add scripts or Base64 commands (used to hide server-script execution).
- Compare the core WordPress files in your root directory, wp-admin directory, and wp-include directories to see if any new files or different size files exist. Troubleshoot each and every file. Even if you find and remove a hack, keep looking since many hackers leave backdoors to re-infect the site. Don’t simply overwrite or re-install WordPress… hackers often add malicious scripts in the root directory and call the script some other way to inject the hack. The less complex malware scripts typically just insert script files in header.php or footer.php. More complex scripts will actually modify every PHP file on the server with re-injection code so that you have a difficult time removing it.
- Remove third-party advertising scripts that may be the source. I’ve refused to apply new ad networks when I’ve read that they’ve been hacked online.
- Check your posts database table for embedded scripts in the page content. You can do this by doing simple searches using PHPMyAdmin and searching for the request URLs or script tags.
Before you put your site live… it’s now time to harden your site to prevent an immediate re-injection or another hack:
How do You Prevent Your Site from Being Hacked and Malware Installed?
- Verify every user on the website. Hackers often inject scripts that add an administrative user. Remove any old or unused accounts and reassign their content to an existing user. If you have a user named admin, add a new administrator with a unique login and remove the admin account altogether.
- Reset every user’s password. Many sites are hacked because a user used a simple password that was guessed in an attack, enabling someone to get into WordPress and do whatever they’d like.
- Disable the ability to edit plugins and themes via WordPress Admin. The ability to edit these files allows any hacker to do the same if they get access. Make the core WordPress files unwriteable so that scripts can’t rewrite core code. All in One has a really great plugin that provides WordPress hardening with a ton of features.
- Manually download and reinstall the latest versions of every plugin you require and remove any other plugins. Absolutely remove administrative plugins that give direct access to site files or the database, these are especially dangerous.
- Remove and replace all files in your root directory with the exception of the wp-content folder (so root, wp-includes, wp-admin) with a fresh installation of WordPress downloaded directly from their site.
- Diff – You may also wish to do a diff between a backup of your site when you didn’t have malware and the current site… this will help you to see which files had been edited and what changes were made. Diff is a development function that compares directories and files and provides you with a comparison between the two. With the number of updates made to WordPress sites, this isn’t always the easiest method – but sometimes the malware code really stands out.
- Maintain your site! The site I worked on this weekend had an old version of WordPress with known security holes, old users that shouldn’t have access anymore, old themes, and old plugins. It could have been any one of these that opened the company up for getting hacked. If you can’t afford to maintain your site, be sure to move it to a managed hosting company that will! Spending a few more bucks on hosting could have saved this company from this embarrassment.
Once you believe you’ve got everything fixed and hardened, you can bring the site back live by removing the .htaccess redirect. As soon as it’s live, look for the same infection that was previously there. I typically utilize a browser’s inspection tools to monitor network requests by the page. I track down every network request to ensure it’s not malware or mysterious… if it is, it’s back to the top and doing the steps all over again.
Remember – once your site is clean, it will not automatically be removed from blacklists. You should contact each and make the request per our list above.
Getting hacked like this is not fun. Companies charge several hundred dollars to remove these threats. I worked no less than 8 hours to help this company clean up their site.
© 2021 DK New Media, LLC, All Rights Reserved
