A Blogger's Worst Nightmare - Your site has been hacked by malware!

 

Utter panic overtakes the average blogger when he hears from a reader that his site looks suspicious and browsers are showing the dreaded ‘get me out of here‘ warning!

Recently that happened to one of our clients at WPBlogExperts. We’re WordPress setup, theme customization and dashboard experts, so fixing actual malware infections was not highlighted on our services list. When the client asked us to help we took cleanup actions only to see the ‘virus’ popup somewhere else.

My WPBlogExperts co-founder, Ishan had some experience with fixing his personal site and also another client’s site. He started by deleting some bad files and changing web host passwords. Everything seemed fine until more readers reported the site was redirecting to an unreliable url with a .ru domain name.

We tried a different online scanner to detect other bad files.This time it pointed to the Timthumb file being out of date and vulnerable.  Several themes like Atahualpa and  some plugins use Timthumb software for image cropping, zooming and resizing. About a year ago that software was a throughway in a massive security hole that exposed thousands of WP websites to being hacked. Mark states in his article on how his site  was hacked:

“Timthumb.php simply gets a remote file and places it in a web accessible directory.”

We upgraded the Timthumb file and the client’s site scanned clean, but not for long — the damage had been done and was spreading.

Resources for Removing Malware

We needed a much bigger malware cleanup campaign I suggested that the client use Sucuri’s removal services. In the end they got the job done in a timely and cost-effective manner. The client was able to give a sigh of relief and get on with running his business.  The removal was guaranteed and included ongoing monitoring and malware removal. I was surprised when they alerted him that we had put the site in ‘under construction mode’ a few weeks later!

There are lots of articles on what to do when you suspect your site is hacked. However bloggers aren’t that technical and may get a brain freeze if they read things like

“Edit your wp-config.php and change or create the SECRET_KEY definition.”

That’s why if anyone asks for malware help I recommend Sucuri. WPBlogExperts is now an affiliate so this post has affiliate links to Sucuri for cleanup services. After the removal, we can work with you to take care of any technical work needed in WP or on the host. For example Sucuri might tell you to change your FTP or database password to comply with their scan warnings, or when repeated removal actions don’t work.

For the Do-it-yourselfers try these resources to address hacked sites:

Tips: Things you can do to Prevent Attacks

  1. Limit Login Attempts – a plugin to lock down repeated attempts to break administrator password. Make sure your password is strong by using symbols, letters and numbers. Don’t use the default setup user name of ‘Admin’.
  2. WordPress Firewall 2  – a plugin to identify and stop the most obvious attacks.
  3. Timthumb-vulnerability-scanner  – a WP plugin to check if you have the exposed software. I ran the scanner of a test site and found an exposed earlier version of the active theme. So don’t keep inactive themes and plugins – after upgrading your theme, delete the prior one.
  4. Keep WordPress and plugins up-to-date – new releases often close security gaps.
  5. Don’t ignore signs that your site is being attacked. One client did not respond to a web host warning for several days because he was too busy. By the time he couldn’t even install a new plugin we had a huge cleanup problem.

Share your thoughts

What’s your experience with malware attacks, clean-up or prevention? Feel free to share in the comments below.

11 Comments on A Blogger's Worst Nightmare - Your site has been hacked by malware!

  1. Thanks. Glad you could stop by.

  2. I appreciate your feedback. Just starting to reorganize the blog navigation to make it easier to find relevant topics.

  3. Never going another week without my onlnie data backup- lost everything last year when we had a trojan.

    • Hi Jerry, How did you recover from the virus infection? did you find the source? Good idea to know you have and can use multiple online backups!

  4. Urgh, malware - who needs it.

    • Hello Kelcey,
      Ironically your comment went to spam (may be the word 'malware' and the short statement?). Anyway I see you have a blog so I unspammeed. Thanks for commenting. did you try to use commentluv below the comment box?

  5. Filiberto Balluch // April 20, 2012 at 12:40 pm // Reply

    Hmm Well I was just searching on yahoo and just came across your site, in general I just only visit websites and retrieve my needed info but this time the useful information that you posted in this post urged me to post here and appreciate your diligent work. I just bookmarked your site. Thank you again.

  6. Hi SBA,

    This problem has never happened to my blogs, but yes, it must be a worst nightmare a webmaster can possibly have.

    Your tips are great steps to prevent our blogs to be hacked, however, if we have that malware notification, it would be more complicated.

    Sincerely

    Alan.

  7. Being hacked maybe the most worst thing happen to your site. but in this case they can find ways to survive or fix your site.

4 Trackbacks & Pingbacks

  1. 250 Top Free Wordpress Plugins | Toko Ceban
  2. Rational Survivability » Why Steeling Your Security Is Less Stainless and More Irony…
  3. Windows Azure and Cloud Computing Posts for 3/6/2012+ - Windows Azure Blog
  4. 30K WordPress Blogs Infected With the Latest Malware Scam « Rational Idealist

Leave a comment

Your email address will not be published.

*