
I just wanted to write a quick post about the importance of securing WordPress sites with the appropriate plugins, plus keeping things up to date, including backups and themes.
Recently I had gotten lazy and neglected the security of some of my sites. Because of this I have just wasted the best part of a day cleaning up ones infected by malware…
I identified one as compromised when I found it redirecting traffic from Firefox Google SERPs to spam sites. It had begun to lose its ranking, from a stable #2 slot to #6 and dropping.
The second was another high-traffic site that started doing the same yesterday, but I caught it in time before it had an effect on rankings.
The other two sites were much older and more experimental. They had been left alone for almost a year. The damage was much more severe.
Upon closer inspection, one had had the WP database completely removed, so it was kind of decapitated, and the other refused to talk to the db, so I couldn’t access WP-Admin.
Annoyingly, I had ignored a Google Webmaster Tools alert a couple of weeks back saying one of my sites couldn’t be crawled.
The Common Theme?
All infected sites were using very popular themes or frameworks and had exploits that had been found and, er, exploited.
Some were on the older Thesis 1.85 framework and others on the newer Genesis 2.0 framework.
The sites that were not affected were running very uncommon, weird-ass themes.
How To Avoid WordPress Security Issues: Good Habits
- On every install of WordPress, before you do anything else, install the Bulletproof plugin. Make it your first plugin on every fresh install.
- Note that it will overwrite the .htaccess, so make sure you save any redirects or custom code and add them back via the Bulletproof options.
- Install “Limit Login Attempts”. This will prevent brute-force access to the WP-Admin area.
- Take regular backups of your site.
- Keep all plugins, themes and WordPress installs updated. This will minimize exploits.
- Change passwords regularly. Don’t use the same ones for everything (Note to self).
How To Check Your WordPress Sites For Malware
- Use the free scan from Sucuri.net
- If you are clean, good news!
- If not, first block people from accessing the site via the .htaccess and just allow your own IP through.
- Then install the anti-malware plugin from GOTMLS, register and update it, then perform a full scan.
- Hopefully this will pick up the infected files and clean them up.
- Once done, rerun.
- If still clean, install the Sucuri.net plugin and run their internal scan.
- If all clean then run the main Sucuri.net scan again. Note it may be cached.
- If clean, install the Bulletproof plugin, update all plugins and breathe a sigh of relief.
- Important: Check the site again in a few days using Sucuri.net again. Some malware can hide and repopulate when it thinks the coast is clear.
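The lockdown step in that list says to block everyone via .htaccess except your own IP. As an added example, not from the original post, here is a small POSIX shell script that validates the address, generates the fragment and prepends it to the existing .htaccess with a dated backup, so the site's own rewrite rules survive. It assumes Apache (the 2.4 "Require" syntax, with an "Order/Deny/Allow" fallback for 2.2); the address 203.0.113.5 used in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): lock a site down to one admin IP
# via .htaccess while it is being cleaned. Assumes Apache; the 2.4 "Require"
# syntax is used, with an "Order/Deny/Allow" fallback for 2.2.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise. Validating first
# keeps stray characters out of a file the web server parses as configuration.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the lockdown fragment for the given IP to stdout.
lockdown_fragment() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    cat <<EOF
# --- maintenance lockdown: remove once the cleanup is finished ---
<IfModule mod_authz_core.c>
    Require ip $1
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $1
</IfModule>
# --- end maintenance lockdown ---
EOF
}

# Prepend the fragment to .htaccess (default: ./.htaccess), keeping a dated
# .bak copy so the site's existing rewrite rules and redirects are preserved.
apply_lockdown() {
    ip=$1; file=${2:-.htaccess}
    fragment=$(lockdown_fragment "$ip") || return 1
    if [ -f "$file" ]; then
        cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    fi
    {
        printf '%s\n' "$fragment"
        if [ -f "$file" ]; then cat "$file"; fi
    } > "$file.tmp" && mv "$file.tmp" "$file"
}

# Usage (constructed placeholder address):
#   sh lockdown.sh 203.0.113.5 /var/www/html/.htaccess
if [ "$#" -ge 1 ]; then
    apply_lockdown "$@"
fi
```

Remove the fragment (or restore the .bak copy) once the cleanup is done; while it is in place, everyone except that one address gets a 403, which also stops the malware's redirects from being served to visitors in the meantime.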
What To Do If You Cannot Access The Site Anymore
Cry. No, wait, dig out the back up. What backup?! Go ahead, cry.
Sometimes a site is just too far gone to save and you may not have a decent backup to work with (like me). It may have a db issue, or the code is so screwed you can’t access the WordPress CMS anymore. Unless you are a good PHP developer or you want to pay someone to fix it, sometimes the quickest thing to do is save what you can and start again.
If the database is still intact, then use phpMyAdmin via your hosting cPanel or equivalent to export the database from the site before you start the cleanup. Follow this guide.
This database has all the valuable posts and pages and comments in it.
The actual .php WordPress files are not that valuable. The theme, plugins and styling can all be reinstalled, and the chances are you still have your images saved locally. If not, images are stored in the site files and rarely become infected, so you can reuse them.
They are found in /wp-content/uploads.
Either way the content is the valuable asset you are trying to save here.
You must remove all the old site files from the server. Use an FTP client like Filezilla. Back up what you want to keep locally like images. Then do a fresh install of WordPress.
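The post says the images under /wp-content/uploads are usually safe to reuse. As an added example, not from the original post, here is a POSIX shell script that copies the uploads tree out of the compromised site but only carries over plain media files and records everything it skipped: a .php file sitting in uploads, or a double extension like .php.jpg, is exactly what should not come along into the fresh install. The source and destination paths, the allow-list of extensions and the sample tree in the usage comment are assumptions I constructed.

```shell
#!/bin/sh
# Added example (not from the original post): salvage wp-content/uploads from a
# compromised site, keeping only plain media files and listing what was skipped.
# The allow-list and paths are assumptions; adjust to the file types you use.

# Print the lower-cased extension of a path, or nothing if it has none.
ext_of() {
    name=${1##*/}
    case "$name" in
        *.*) printf '%s' "${name##*.}" | tr 'A-Z' 'a-z' ;;
        *) printf '' ;;
    esac
}

# Return 0 if the file is one we are willing to carry over, 1 otherwise.
# Anything with ".php" anywhere in the name is refused (covers "x.php.jpg"),
# and SVG is left out because it can carry scripts.
is_allowed() {
    name=${1##*/}
    case "$name" in
        *.php*|*.phtml*|*.phar*) return 1 ;;
    esac
    case "$(ext_of "$1")" in
        jpg|jpeg|png|gif|webp|pdf|mp3|mp4) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy allowed files from $1 to $2 (recreating subdirectories) and write the
# relative path of every skipped file to $2/SKIPPED.txt for later review.
# Returns 0 if nothing was skipped, 1 if the list is non-empty.
salvage_uploads() {
    src=${1%/}; dst=${2%/}
    mkdir -p "$dst"
    : > "$dst/SKIPPED.txt"
    find "$src" -type f | sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_allowed "$f"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp "$f" "$dst/$rel"
        else
            printf '%s\n' "$rel" >> "$dst/SKIPPED.txt"
        fi
    done
    [ ! -s "$dst/SKIPPED.txt" ]
}

# Usage (constructed paths):
#   sh salvage_uploads.sh /var/www/old-site/wp-content/uploads ~/salvaged-uploads
if [ "$#" -eq 2 ]; then
    salvage_uploads "$1" "$2"
fi
```

Review SKIPPED.txt before deleting the old files: a handful of stray .htaccess or .txt files is normal, but any .php under uploads tells you where the infection lived and is worth keeping a copy of offline for the scanner comparison later, never re-uploading it.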
If, like me, one of your sites has lost its MySQL database, then the only other thing you can do is resort to the Wayback Machine and pray it has some archives of the content.
Once you have a fresh WP install, you can go about rebuilding the site from the content saved in the old database.
Using phpMyAdmin:
- Import the saved WP database
- Access “Posts”
- Copy the “published” posts and start to paste into the new site posts one by one.
- Use the “Text” option, as there will be HTML in there.
There will be a way to marry up the old WP db to the new install. But I don’t know how to do that. This option is worth pursuing if you have a larger site, in which case you should be getting some pro help anyway.
If you have any questions or advice to add let me know.
Been there done that…only with a client’s site. Had to spend a weekend fixing it because of course they only get hacked on Friday nights.