Important lessons I learned when my wordpress site was hacked

Back in 2015 several of my WordPress sites were hacked. It all started when a team member went to the site and there was a white screen with a Parse Syntax error listed in one of the PHP files. I immediately went to that file and saw 30 lines of gobbledygook junk code: letters, numbers, symbols.

I had seen this before on clients’ sites when I used to be a web designer. It’s a simple fix, just remove the code and the site will come back up. Change passwords, check and update plugins and WordPress.

Unfortunately this time it was not a simple fix. When I removed the code from that file, there was another file and another file and another file with the junk code in it. I also checked the other three sites that were add-on domains on that account. Guess what, they were also all down with the same error. I knew I had a malware issue at this point and that it was going to be a long night ahead trying to find and fix this issue on all 4 sites.

I was very frustrated that I had been hacked. I do my best to use minimal plugins, keep the ones I do use updated and keep WordPress updated. I also use strong passwords and change them frequently. How in the world did I get hacked? (Plus really the sites they hacked are tiny little sites; one of them is a team training site. Do these hackers not have bigger fish to fry or hack? Not that I wish this on anyone... What did they get from hacking my little sites...)

When just removing junk code in the files didn’t work, I submitted a support ticket to my web host for advice. They suggested I remove plugins and the theme and re-install WordPress and the theme to get started. Time-consuming but simple enough. I did this on all four sites and they did come back up. I also went through and searched files for anything that looked suspicious or out of place. I thought I had taken care of the problem, but 24 hours later all sites were down again.

Thus began a long weekend of re-installing WordPress multiple times and searching through files, databases and media folders. Every time I thought I had it figured out, the sites would go down again. From researching more I found out this was what’s commonly referred to as a base64 hack.

Basically a hacker was able to get in through a vulnerability in a WordPress site, most likely through a plugin or outdated WordPress. They then upload a file or insert a script somewhere that tells your site to put that junk code in ALL the .php files on the site every so often. Removing the code and reinstalling WP does not work as long as the script is there; every few hours all your PHP files will be infected again. Until that script is found and the backdoor is closed, this is going to keep happening.
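As an added illustration (not code from the original post or from Sucuri), here is a small defender-side scanner for the pattern described above: it walks a directory, flags .php files that eval() a decoded string or carry a long base64 blob that decodes to PHP, and runs itself on constructed sample files. The file names, the sample payload and the finding labels are all made up for this example.

```python
import base64
import os
import re
import tempfile

# Heuristics for the injection the post describes: an obfuscated blob that is
# decoded and eval()'d, prepended to every .php file under the web root.
EVAL_DECODE = re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I)
LONG_B64 = re.compile(r'[A-Za-z0-9+/]{120,}={0,2}')
PHP_MARKERS = (b'<?php', b'eval(', b'$_POST', b'$_GET', b'$_REQUEST', b'preg_replace')

def scan_php_source(src):
    """Return finding labels for one PHP file's contents ([] when clean)."""
    findings = []
    if EVAL_DECODE.search(src):
        findings.append('eval-of-decoded-string')
    for m in LONG_B64.finditer(src):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # long token but not valid base64 (bad length/padding)
            continue
        if any(marker in decoded for marker in PHP_MARKERS):
            findings.append('base64-blob-decodes-to-php')
            break
    return findings

def scan_tree(root):
    """Map each suspicious .php path under root to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.endswith('.php')):
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                findings = scan_php_source(fh.read())
            if findings:
                hits[path] = findings
    return hits

# Constructed samples (made up for this example, not from a real infection).
_PAYLOAD = base64.b64encode(b'<?php if(isset($_POST["c"])){eval($_POST["c"]);} ?>' * 3).decode()
INFECTED = '<?php eval(base64_decode("' + _PAYLOAD + '")); ?>\n<?php get_header(); ?>\n'
CLEAN = '<?php\n/* theme header */\nget_header();\nwp_head();\n'

def demo():
    """Write the samples into a temp dir and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (('index.php', INFECTED), ('header.php', CLEAN), ('style.css', INFECTED)):
            with open(os.path.join(root, name), 'w') as fh:
                fh.write(body)
        return sorted(os.path.basename(p) for p in scan_tree(root))
```

Run it against a real web root with `scan_tree('/path/to/wordpress')`; because the re-infection repeats every few hours, sorting the flagged paths by modification time is a quick way to separate the freshly rewritten files from the dropper that keeps rewriting them.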

After 3 1/2 days of this, hours of searching for the code myself, I gave up. I just couldn’t lose any more time on this. Not to mention I had to turn down a sponsored content offer.

I ended up signing up for a year’s service with Sucuri and requested they do a malware scan and removal on all four of my sites. They have scanners and systems and tools that I don’t have access to that are able to search for and find this hidden and obnoxious malware script.

Within about 20 hours, Sucuri had found the source and cleaned up all my sites! Whew, what a relief!

Considering the stress and frustration and time I spent the past 3 days trying to fix the problem on my own, it was well worth paying Sucuri and having them take care of it. Normally they can have sites cleaned up in 4-6 hours, but depending on the issue it can be up to 24 hours, which is still a lot less time than I had already spent trying to fix this issue myself.

You might be wondering where the hack came from. It was a vulnerability in a well known and highly used plugin, MailPoet. Here is the funny thing though: I did not have this plugin on my sites. I had installed it on ONE, just one of my sites about 6-8 weeks ago to try it out. I used it maybe two days and it did not do what I wanted it to do, so I removed it. Or so I thought... It turns out this plugin left several files and database entries on my site. This is where and how the hackers were able to get in. From there, they were also able to get into my other sites that were on that account.

Sucuri posted about the vulnerability in MailPoet, along with All in One SEO and WPtouch Mobile, just last week. I didn’t pay any attention to the MailPoet warning because I didn’t have it on my site anymore (or so I thought).

The moral of the story is that any site can get hacked but there are a few things all bloggers can do to help make their WordPress sites less likely to be hacked.

– Use as few plugins as possible. Make sure the ones you do use are up to date and updated regularly. Keep an eye on Sucuri’s site for updates on plugin issues.

– Don’t use admin for your username. Use your own name or something unique.

– Use a very strong password and change it occasionally. Use uppercase and lowercase letters, numbers and symbols.

– Keep your WordPress site and all Themes & Plugins up to date. If you see an update available you can do a quick search to make sure the update is safe and then update.

– Install Sucuri’s free plugin to help take care of basic monitoring.

– Use Sucuri’s paid site monitoring & malware removal service. While it might seem like another cost or expense, honestly the peace of mind you’ll get and the time you will save if you do ever get hacked will be more than worth the cost of their service. I have been a customer with them since 2015 & could not be happier with their service.

I also use their external backup service as a second backup for my sites. (I have backups on my server, but it’s always good to have them on a second server.)

If you have multiple sites like I do, they do have packages that are more cost efficient. When I consider the value of all the hours I spent trying to fix this myself and all the downtime for my sites and missed revenue, it would have been better for me to have just purchased their service after my first attempt to find and fix the malware failed.

I had used the free Sucuri plugin before on some of my sites. While it is great for monitoring your site, I’m not sure it would have caught this issue, and even if it had, I would have still needed to have the sites cleaned up. With the paid service, you pay for a year’s worth of service, so I know I am covered and taken care of in case this should happen again in the future. Thank you Sucuri!

(This is not a sponsored post, but my affiliate link for Sucuri is used in the post.)