Simianuprising.com now hopefully UN-hacked.

Posted by jeremyclarke on May 12, 2009 · WordPress

So this site was ironically hacked and hijacked by blackhat SEO spammers who inserted a ton of bullshit viagra/homeloan/sex links into my theme in the hopes that it would illegitimately raise their ranking in Google. Of course that’s not inherently ironic; what’s ironic is that it happened while I was at WordCamp Toronto, a mini-conference about all things WordPress, where I gave a talk that included a long section about how to avoid and deal with being hacked in just this way for just these reasons. Some part of me thinks that someone at WordCamp might have done it to show me who’s boss, but I doubt it; the pattern of spam links is just too depressing and business-like to assume anything but an impersonal bot did the damage.

This has happened to other sites I’ve been managing (specifically to Global Voices over the years), and I’ve learned a lot about hardening your server and WordPress installation to help solve the problem. The #1 piece of advice is of course KEEP YOUR WORDPRESS INSTALLATION UP TO DATE, NO MATTER WHAT. In the case of this, my personal site (as opposed to sites I manage professionally, which I deal with much more carefully, because they are more important), I was doing a halfway version of this by keeping my very old but theoretically still secure copy of WP 2.0.x up to date. This is the legacy branch (the current actual branch is 2.7.x) that was supposed to offer long-term security support, but it seems that is no longer the case. I loved having the bragging rights of being the only person in a room of even 100 WordPress users who had such an old but still secure version (well, except David Peralty), but obviously staying secure is much more important.

If you’re still running 2.0.11 I strongly recommend you give up and get on the normal upgrade schedule now; it seems to have been compromised.

Full details of how to clean up a hacked site below:

Fixing a hacked WordPress site

In case anyone is curious, here are the main steps I performed to clean up and secure the site:

  • Replace all files with a backup from before the site was hacked (in my Dreamhost.com account this was easy enough as they have an automated ‘domain restore’ feature; normally you should always keep a backup of all plugins, themes and uploads somewhere far away from your actual site for this purpose).
  • Upgrade all WordPress files to the newest version (2.7.1) and upgrade the site. In this case make sure to delete the old WP directories like /wp-admin/ and /wp-includes/ entirely before uploading the fresh copy: copying new files over old ones only overwrites files with matching names, so a hacker file dropped into one of those directories would survive the upgrade otherwise.
  • Replace the database with a backed up version (I didn’t have one (idiot!) and had to do the extra steps below to secure my dirty database).
  • Test all site functionality (upgrading to a new version usually breaks things).
  • Test all plugins and upgrade them as necessary (same).
  • Go through every folder in your web root and look for any out-of-place files; anything new or strange is probably a hacker file. Even one of these files can let a hacker back in and give them full control. Remove any strange files. Sort files by recently updated in FTP; this will usually indicate which ones were added by hackers.
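The file-level checks in the list above can be scripted rather than done by eye in an FTP client. The script below is an added example, not code from the original post: it compares the live web root against a pristine copy of the same WordPress version that you download and untar yourself (a fresh wordpress-2.7.1 archive from wordpress.org, for instance) and reports four things: files that exist only in the live tree (themes, plugins, uploads, and any dropped-in backdoor), core files whose contents differ from the pristine copy, files containing the obfuscation idioms spam-injection kits typically use, and files modified within the last N days, newest first. The `LIVE`/`CLEAN` paths, the `SUSPICIOUS` regex and the fixture are all assumptions; run with `LIVE` unset and it audits a small constructed mini-site carrying one example of each kind of damage the post describes.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a live WordPress
# web root ($LIVE) against a pristine copy of the same WordPress version
# ($CLEAN) that you downloaded yourself. Paths and patterns are assumptions.

# Obfuscation idioms that spam-injection kits lean on. Legitimate plugins
# rarely need them, so every hit is a file to open and read by hand.
SUSPICIOUS='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|preg_replace *\(.*/e[^a-z]'

# extra_files LIVE CLEAN: files present in the live tree but absent from the
# pristine copy, relative to the live root. Account for every single one.
extra_files() {
    clean_lst=$(mktemp) && live_lst=$(mktemp)
    ( cd "$2" && find . -type f | sort ) > "$clean_lst"
    ( cd "$1" && find . -type f | sort ) > "$live_lst"
    comm -23 "$live_lst" "$clean_lst" | sed 's|^\./||'
    rm -f "$clean_lst" "$live_lst"
}

# modified_core_files LIVE CLEAN: core files whose contents differ from the
# pristine copy, i.e. a half-applied upgrade or an injected payload.
modified_core_files() {
    diff -rq "$2" "$1" | sed -n 's|^Files .* and '"$1"'/\(.*\) differ$|\1|p'
}

# suspicious_php LIVE: any file, whatever its extension, matching $SUSPICIOUS.
suspicious_php() {
    find "$1" -type f -exec grep -lE "$SUSPICIOUS" {} + | sed "s|^$1/||" | sort
}

# recently_modified LIVE DAYS: files touched within the last DAYS days, newest
# first. This is the FTP "sort by date" trick and also dates the intrusion.
recently_modified() {
    find "$1" -type f -mtime -"$2" -exec ls -t {} + | sed "s|^$1/||"
}

# Constructed fixture, not a real site: a two-file "pristine" WordPress and a
# live copy carrying the three kinds of damage the post describes.
make_demo_trees() {
    fx=$(mktemp -d)
    for side in clean live; do
        mkdir -p "$fx/$side/wp-includes"
        printf '<?php\nrequire "./wp-blog-header.php";\n' > "$fx/$side/index.php"
        printf '<?php\nfunction wp_title() { return "title"; }\n' > "$fx/$side/wp-includes/functions.php"
    done
    mkdir -p "$fx/live/wp-content/themes/mine" "$fx/live/wp-content/uploads/2009"
    # Legitimate content that a pristine download naturally lacks.
    printf '/* Theme Name: mine */\n' > "$fx/live/wp-content/themes/mine/style.css"
    printf 'not really a jpeg\n' > "$fx/live/wp-content/uploads/2009/photo.jpg"
    # Damage 1: hidden spam links in a theme file. Plain HTML, so no
    # obfuscation signature fires; only the mtime check catches it.
    printf '<div style="display:none"><a href="http://example.invalid/v">viagra</a></div>\n' \
        > "$fx/live/wp-content/themes/mine/footer.php"
    # Damage 2: an obfuscated loader appended to a core file.
    printf 'eval(base64_decode("ZWNobyAnaGknOw=="));\n' >> "$fx/live/wp-includes/functions.php"
    # Damage 3: a one-line shell dropped into the writable uploads directory.
    printf '<?php @eval($_POST["c"]); ?>\n' > "$fx/live/wp-content/uploads/2009/image.php"
    # Untouched files get an old mtime so the timeline check has a contrast.
    touch -t 200903010000 "$fx/live/index.php" "$fx/live/wp-content/themes/mine/style.css" \
        "$fx/live/wp-content/uploads/2009/photo.jpg"
    echo "$fx"
}

report() {
    echo "== in live tree but not in pristine copy (account for every one) =="
    extra_files "$1" "$2"
    echo "== core files differing from pristine copy =="
    modified_core_files "$1" "$2"
    echo "== files containing obfuscation idioms (read each by hand) =="
    suspicious_php "$1"
    echo "== files modified in the last ${DAYS:-30} days, newest first =="
    recently_modified "$1" "${DAYS:-30}"
}

# With LIVE unset, audit the constructed fixture instead of a real site.
if [ -z "${LIVE:-}" ]; then
    fx=$(make_demo_trees); LIVE=$fx/live; CLEAN=$fx/clean
fi
report "$LIVE" "$CLEAN"
```

Run it as `LIVE=/home/you/simianuprising.com CLEAN=/tmp/wordpress DAYS=14 sh wp-audit.sh` against a real install. The point of the fixture is the footer.php case: plain-HTML spam links match no signature, so the pristine diff and the mtime listing are what you rely on, and every "extra" file still has to be explained by hand.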

Cleaning up a hacked WordPress database (because you forgot to do automatic backups)

If you don’t have a clean version of your database from before the hack you’ll need to do some extra steps on your now-contaminated DB:

  • Look through all the user accounts in the system, delete any you didn’t create, and change the passwords of the rest.
  • Check that the setting for ‘anyone can register’ in SETTINGS > GENERAL is ‘off’ (on Global Voices the hackers had turned this to ‘on’ and set it so new accounts were administrators, thus giving themselves a back door whenever I managed to kick them off).
  • Check the setting for ‘upload folder’ in SETTINGS > MISCELLANEOUS; mine was set to something insane.
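The three database checks above map onto a handful of rows in wp_options and wp_users/wp_usermeta, so they can be pulled out with the stock mysql client and checked mechanically. This is an added example, not the post’s own procedure: it assumes the default `wp_` table prefix (check `$table_prefix` in wp-config.php) and takes `DB_NAME`/`DB_USER` from the environment when pointed at a real database; without `DB_NAME` it runs the same checks over constructed sample rows standing in for `mysql --batch` output. The `FIX_SQL` values are WordPress defaults to restore after you have reviewed the warnings.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the wp_options rows
# behind "Anyone can register" / "New User Default Role" / the upload paths,
# and lists administrator accounts. Assumes the default wp_ table prefix.

OPTIONS_SQL='SELECT option_name, option_value FROM wp_options
 WHERE option_name IN ("users_can_register","default_role","upload_path","upload_url_path");'

# Every account with its PHP-serialized capability array.
USERS_SQL='SELECT u.ID, u.user_login, u.user_email, m.meta_value FROM wp_users u
 JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = "wp_capabilities";'

# WordPress defaults to put back once the audit output has been reviewed.
FIX_SQL='UPDATE wp_options SET option_value = "0" WHERE option_name = "users_can_register";
UPDATE wp_options SET option_value = "subscriber" WHERE option_name = "default_role";
UPDATE wp_options SET option_value = "wp-content/uploads" WHERE option_name = "upload_path";
UPDATE wp_options SET option_value = "" WHERE option_name = "upload_url_path";'

TAB=$(printf '\t')

# stdin: option_name<TAB>option_value, as printed by
# mysql --batch --skip-column-names. One WARN line per attacker-friendly value.
audit_options() {
    while IFS="$TAB" read -r name value; do
        case $name in
            users_can_register)
                [ "$value" = 0 ] || echo "WARN users_can_register=$value (anyone can sign up)";;
            default_role)
                [ "$value" = subscriber ] || echo "WARN default_role=$value (new sign-ups get this role)";;
            upload_path)
                case $value in
                    ''|wp-content/uploads) ;;
                    *) echo "WARN upload_path=$value (uploads land outside wp-content)";;
                esac;;
            upload_url_path)
                [ -z "$value" ] || echo "WARN upload_url_path=$value (media served from elsewhere)";;
        esac
    done
}

# stdin: ID<TAB>login<TAB>email<TAB>capabilities. Prints the administrators;
# every one of them should be someone you knowingly gave admin to.
list_admins() {
    while IFS="$TAB" read -r id login email caps; do
        case $caps in *'"administrator"'*) echo "$id $login $email";; esac
    done
}

# Constructed sample rows standing in for real mysql --batch output.
sample_options() {
    printf 'users_can_register\t1\ndefault_role\tadministrator\nupload_path\t../../../tmp/x\nupload_url_path\t\n'
}
sample_users() {
    printf '1\tjeremy\tj@example.com\ta:1:{s:13:"administrator";b:1;}\n'
    printf '3\treader\tr@example.com\ta:1:{s:10:"subscriber";b:1;}\n'
    printf '7\tseo_bot\tx@example.invalid\ta:1:{s:13:"administrator";b:1;}\n'
}

if [ -n "${DB_NAME:-}" ]; then
    mysql --batch --skip-column-names -u "${DB_USER:-root}" -p "$DB_NAME" -e "$OPTIONS_SQL" | audit_options
    mysql --batch --skip-column-names -u "${DB_USER:-root}" -p "$DB_NAME" -e "$USERS_SQL" | list_admins
    echo "Review the above, then apply:"; echo "$FIX_SQL"
else
    sample_options | audit_options
    sample_users | list_admins
fi
```

On the sample rows the audit flags registration being open, the default role being administrator and an upload path pointing outside wp-content, and the admin list shows a `seo_bot` account nobody created. For forcing password changes, WordPress 2.5 and later still accept a plain MD5 hash in `user_pass` (`UPDATE wp_users SET user_pass = MD5("new-password") WHERE ID = 1;`) and rehash it on first login, which is handy when you cannot trust the dashboard yet.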

Making sure Google doesn’t punish you for what the hackers did

I actually noticed that my site was hacked not on the site itself but on Google. I know from experience that if you search for my name “Jeremy Clarke” I am always the first result, but when I searched myself (I forget why, I guess I’m vain) I wasn’t even on the first page. This is likely because Google was punishing me for having all those trashy spam links (Google is smart and works all day to keep these blackhat SEO spammers from unfairly altering results). To get things back on track I went through the reconsideration process using Google Webmaster Tools:

  • Go to Google Webmaster Tools and claim your site using their verification method (you have to create an HTML file to prove you control the site).
  • Use the Request reconsideration link in the dashboard, send Google an explanation of what happened (I was hacked and the links were inserted against my will) and ask to have any locks on your site removed.
  • I haven’t gotten a reply or noticed a change yet, but these steps are vital. If you don’t do this Google could continue to block you in results, which will mean fewer visitors/money/power/whatever you were trying to achieve with a site. I have been in charge of sites that had similar problems before and the reconsideration process is slow but effective at getting you back in the search results.

Once you’ve done this stuff you shouldn’t have any more immediate problems with the hackers but you never know. The only real way to know you’re secure is to have both a complete backup of all files from before the hack AND a full backup of the database. If either of these is still contaminated in any way (remember, just 1 PHP file is enough!) you may be dealing with this more in the near future. Take this time to start automatic backups of both. Good luck!


4 Comments

  1. Jim Doran

    Thanks for sharing this.

    May 12th, 2009 at 10:21 pm

  2. Chris Blow

    Thanks for a good scare. I manage probably a dozen WordPress installs and it’s hard to keep them all up to date. For me the key is getting them under version control, so you can just “svn up” to the latest. Thanks especially for the tips on the Google recovery!

    May 18th, 2009 at 9:20 pm

  3. Steve

    I saw your presentation at last year’s WordcampNewYork and I guess I didn’t take the appropriate steps because a few of my sites have been hacked.

    You mentioned restoring a pre-hacked version of the site. How do you know how far back to go? Couldn’t it have been hacked months ago but abused recently?

    Any help you can provide would be greatly appreciated.

    May 31st, 2009 at 6:04 am

  4. jeremyclarke

    @Steve: I would try to figure out when they first used their power on your site. In my experience they tend to use it right away. Did they edit any posts? In that case you could look at when they were edited. Check the modified dates on any plugin/theme/WP files they tampered with in FTP; that might give you hints about when they first got in (though be careful because they might have edited files then come back, in which case there could be old and new edits).

    Usually though, if you have a database backup that’s fairly recent you should try it out with fresh files. If you change the account passwords and check all users then the real risk is that they have files on your server, not access based on the database.

    If you meant the site files and that you can’t be sure they are clean, then you really just need to use whatever copy you have and look through every file. Replace all the WP ones, then go re-download any plugins and go through the recent uploads and make sure everything is what it seems to be (look at the photos).

    May 31st, 2009 at 11:58 am
