Utter panic overtakes the average blogger when he hears from a reader that his site looks suspicious and browsers are showing the dreaded 'get me out of here' warning!
Recently that happened to one of our clients at WPBlogExperts. We're WordPress setup, theme customization and dashboard experts, so fixing actual malware infections was not highlighted on our services list. When the client asked us to help, we took cleanup actions, only to see the 'virus' pop up somewhere else.
My WPBlogExperts co-founder, Ishan, had some experience with fixing his personal site and also another client's site. He started by deleting some bad files and changing web host passwords. Everything seemed fine until more readers reported the site was redirecting to an unreliable URL with a .ru domain name.
We tried a different online scanner to detect other bad files. This time it pointed to the Timthumb file being out of date and vulnerable. Several themes like Atahualpa and some plugins use Timthumb software for image cropping, zooming and resizing. About a year ago that software was the entry point in a massive security hole that exposed thousands of WP websites to being hacked. Mark states in his article on how his site was hacked:
"Timthumb.php simply gets a remote file and places it in a web accessible directory."
We upgraded the Timthumb file and the client's site scanned clean, but not for long --- the damage had been done and was spreading.
Resources for Removing Malware
We needed a much bigger malware cleanup campaign, so I suggested that the client use Sucuri's removal services. In the end they got the job done in a timely and cost-effective manner. The client was able to give a sigh of relief and get on with running his business. The removal was guaranteed and included ongoing monitoring and malware removal. I was surprised when they alerted him that we had put the site in 'under construction mode' a few weeks later!
There are lots of articles on what to do when you suspect your site is hacked. However, bloggers aren't that technical and may get a brain freeze if they read things like
"Edit your wp-config.php and change or create the SECRET_KEY definition."
That's why if anyone asks for malware help I recommend Sucuri. WPBlogExperts is now an affiliate, so this post has affiliate links to Sucuri for cleanup services. After the removal, we can work with you to take care of any technical work needed in WP or on the host. For example, Sucuri might tell you to change your FTP or database password to comply with their scan warnings, or when repeated removal actions don't work.
For the do-it-yourselfers, try these resources to address hacked sites:
- FAQ_My site was hacked - a WP document
- Timthumb-vulnerability - another blogger's story of being hacked
- Sucuri Site Check - Get a free thorough scan of your site. They cache the last scan results so be sure to 're-scan' after you take any removal actions.
- Reported malware sites - use this form to request Google to remove you from the list of blacklisted sites.
Tips: Things you can do to Prevent Attacks
- Limit Login Attempts - a plugin to lock out repeated attempts to guess the administrator password. Make sure your password is strong by using symbols, letters and numbers. Don't use the default setup user name of 'Admin'.
- WordPress Firewall 2 - a plugin to identify and stop the most obvious attacks.
- Timthumb-vulnerability-scanner - a WP plugin to check if you have the exposed software. I ran the scanner on a test site and found an exposed earlier version in an inactive copy of the theme. So don't keep inactive themes and plugins - after upgrading your theme, delete the prior one.
- Keep WordPress and plugins up-to-date - new releases often close security gaps.
- Don't ignore signs that your site is being attacked. One client did not respond to a web host warning for several days because he was too busy. By the time he couldn't even install a new plugin we had a huge cleanup problem.
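For readers who would rather check for stale Timthumb copies themselves than install another plugin, here is an added example script (not from the post, the Timthumb-vulnerability-scanner plugin, or Sucuri) that walks a wp-content folder, finds every bundled timthumb.php or thumb.php, reads the version it declares, and says whether to upgrade it, delete it (because it sits in a theme that is not the active one), or leave it. It assumes that 2.x releases declare their version with define('VERSION', ...), that the 2.0 rewrite is the cut-off for the remote-file hole the post describes (raise MIN_SAFE_VERSION to the current release for a stricter check), and that the file names and the sample files it builds are constructed for the demo.

```python
"""Find bundled TimThumb copies under wp-content and say what to do with each."""
import re
import tempfile
from pathlib import Path

# File names TimThumb is commonly shipped under (assumption about bundling).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# Assumption: 2.x copies declare define('VERSION', 'x.y.z'); older or renamed
# forks may not declare any version at all.
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9][0-9.]*)['\"]", re.IGNORECASE)
FINGERPRINT_RE = re.compile(r"timthumb", re.IGNORECASE)

# Assumption: anything before the 2.0 rewrite is the generation with the
# remote-file hole; set this to the latest release for a stricter policy.
MIN_SAFE_VERSION = (2, 0, 0)


def parse_version(text):
    """Turn '2.8.14' into (2, 8, 14) so versions compare numerically."""
    return tuple(int(p) for p in text.strip(".").split(".") if p)


def classify(source, min_safe=MIN_SAFE_VERSION):
    """Return None if the PHP source is not TimThumb, else a finding dict."""
    if not FINGERPRINT_RE.search(source[:4000]):
        return None
    match = VERSION_RE.search(source)
    version = parse_version(match.group(1)) if match else None
    # No version string at all is treated like an old copy: it needs attention.
    return {"version": version, "outdated": version is None or version < min_safe}


def scan_wp_content(wp_content, active_theme=None, min_safe=MIN_SAFE_VERSION):
    """Walk wp-content and report every TimThumb copy with a recommended action."""
    root = Path(wp_content)
    findings = []
    for path in root.rglob("*.php"):
        if path.name.lower() not in TIMTHUMB_NAMES:
            continue
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than crash the whole scan
        info = classify(source, min_safe)
        if info is None:
            continue
        rel = path.relative_to(root)
        parts = rel.parts
        # A copy inside a theme other than the active one is dead weight that
        # still answers HTTP requests, so the advice is to delete it.
        in_inactive_theme = (active_theme is not None and len(parts) > 1
                             and parts[0] == "themes" and parts[1] != active_theme)
        if in_inactive_theme:
            action = "delete: copy inside an inactive theme"
        elif info["outdated"]:
            action = "upgrade: outdated or unversioned copy"
        else:
            action = "ok: current version"
        findings.append({"path": rel.as_posix(), "version": info["version"],
                         "action": action})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_site(base):
    """Write a constructed wp-content tree with three TimThumb copies and a decoy."""
    files = {
        "themes/oldtheme/timthumb.php": "<?php\n/* TimThumb (constructed) */\ndefine('VERSION', '1.32');\n",
        "themes/newtheme/timthumb.php": "<?php\n/* TimThumb (constructed) */\ndefine ('VERSION', '2.8.14');\n",
        "plugins/gallery/thumb.php": "<?php\n/* TimThumb fork, no version line (constructed) */\n",
        "plugins/other/thumb.php": "<?php\n/* unrelated thumbnail helper (constructed) */\n",
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def run_demo(active_theme="newtheme"):
    """Build the sample tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wp_content(tmp, active_theme=active_theme)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['path']:35} {finding['version']}  {finding['action']}")
```

Run it with the path of your real wp-content folder and your active theme's directory name in place of the demo, and act on the output in the order the post gives: delete copies in inactive themes, upgrade the rest, then re-scan with Sucuri Site Check.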
Share your thoughts
What's your experience with malware attacks, clean-up or prevention? Feel free to share in the comments below.