It Sucks To Be Hacked!
Last week, I noticed that the traffic on one of my sites was considerabily down. Putting it down to my not posting enough, I left it for a few days, but then I noticed that it sank even further. After a little bit of digging and self googling, I noticed that all the titles in my search rankings on Google were completely poked. Suddenly, according to Google, I was selling dodgy pharmaceuticals! I then realised that I had fallen victim to the infamous WordPress Pharma Hack!
The easiest way to determine if your site is infected is to Google it. As you can see in the image above, do a search for site:YOUR-DOMAIN.com e.g. site:themergency.com. If you see anything dodgy, then sorry, but you have been hacked. Another good check to see if your site is “infected” with this hack, is to goto http://www.submitexpress.com/analyzer/. Enter in your site’s URL and see if any weird pharmaceutical related keywords popup.
How the hacker actually gets access to your sites’s file system is a mystery to me. However, they then place rogue files on the server (usually within and around your plugin files). These rogue files write DB entries to the WordPress options table, which in turn, cause your post titles to include info about dodgy pharmaceuticals. The rogue files usually contain obfuscated code, so you cannot see what it is doing. However the guys at securi.net have decoded one such file and posted it for us all to check out. So no visible damage is actually done to your site, as everything looks normal to your visitors and to yourself. But it really messes with your SEO, and I can tell you from experience, that your site’s traffic drops dramatically.
Fixing The Hack
The WordPress codex has some helpful documentation on what to do when your blog gets hacked. I recommend you read that first. I also came across some really helpful articles, some of which, had step by step instructions on how to sort out the issue. You will need a bit of knowledge about WordPress, and access to your DB obviously. Here they are:
- Pearsonfied - http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
- Sucuri - http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
- HelloMelissa.net - http://hellomelissa.net/2011/02/22/my-wordpress-site-was-hacked-yesterday-heres-how-i-fixed-it/
- Digging Into WordPress - http://digwp.com/2010/07/wordpress-security-lockdown/
Preventing The Pharma Hack in 3 Steps
After you have found the root cause and removed it, it’s time to tighten up so it doesn’t happen again. Here is a simple 3 step guide to prevent your site from falling victim:
- Harden your blog the f#%k up!
- Set permissions of all files to 644 and folders to 755.
- Install plugins to alert you (see below).
I installed a couple of plugins, some of which monitor my WordPress files and alert me of any changes, and others that scan my blog for any security holes. Some plugins to check out are:
- WordPress File Monitor - Monitor files under your WordPress installation for changes. When a change occurs, be notified via email.
- WP-MalWatch - WP-MalWatch is a WordPress security plugin that performs a nightly scan of your WordPress blog looking for evidence of malware.
- TAC (Theme Authenticity Checker) - Scan all of your theme files for potentially malicious or unwanted code.
- Audit Trail - Audit Trail is a plugin to keep track of what is going on inside your blog by monitoring administration functions. It does this by recording certain actions (such as who logged in and when) and storing this information in the form of a log.
- WP Secure - WordPress Security Plugin - Perform over 23 Basic Security Activities for your blog and get a free malware scan at the same time!
Time to Recover
Once you have done all the above, and completely removed the hack, you need to get Google to re-crawl your site. You can do this easily enough using Google Webmaster Tools. My hacked site is slowly but surely coming right again, but I can honestly say, this has caused more damage than good Prevention is definitely the best option here!
Backup, Backup, Backup
Please backup regularly, so that if you get hit by this hack, then it is a breeze to restore to a healthy version of your site. I came across a really cool plugin the other day called BackWPup, which allows you to backup the entire contents of your WordPress install, including the database. It also allows you to backup to Dropbox, which is really handy! There are plenty of plugins out there to do WordPress backups, so take your pick.
If you need a hand cleaning out the Pharma hack from your site, or you have managed to get rid of it, please leave a comment below, so we can all learn from this, and hopefully prevent attacks like this in future.