My website go hacked — here’s what I learned

My friend Vignesh alerted me earlier this week that my site has been hacked and is forwarding to some malware site.

At first, I called GoDaddy to ask for help. That was useless. It turns out their tech support consists of sales reps trying to sell you shit — no help for cleaning the site. They could it for me for 200 pounds, which I didn’t feel like paying, especially since they advertise their contact number as support, not sales.

So, I started googling and learning how to fix the site myself.

Here are the lessons I learned

  • Only install plugins and themes you really need and use. Every theme and plugin is a potential security risk. Most likely, hackers utilized one of my plugins to enter the website. I had tons of plugins and themes I didn’t use and although I did update them every now and then, the plugin creators are not necessarily fixing the vulnerabilities that quickly if at all.
  • Keep WordPress core, themes, and plugins updated. As I mentioned, I updated the themes and plugins every now and then. It’s important to do that as frequently as updates roll in. However, my WordPress core is automatically updated by GoDaddy. That’s why I think an outdated plugin was probably the root cause for the hack.
  • Don’t use GoDaddy — in the process, I learned their tech support is useless. In addition, I read WP Engine is safer than GoDaddy – they block some plugins altogether, and actually fix your site for free if it’s been hacked. GoDaddy also doesn’t let you change your database password after being hacked (talking about their Managed WordPress hosting which I’m using), so even though I cleaned the website, it’s still potentially vulnerable.

Here are the steps I did for the cleaning. Also including some useful links to start from in case your WordPress gets hacked.

  • To GoDaddy’s credit, I could find a message where they listed infected files on my website. I started by manually removing these 15 files.
  • .htaccess was infected. I replaced its content with default content (code in [1], also includes additional code that blocks external connections [2])
  • Removed all plugins and themes apart from the theme I’m using and CloudFlare CDN plugin which I need. Everything else could go.
  • Downloaded a fresh copy and reinstalled my theme from scratch (removed the whole folder and replaced with a clean one).
  • Installed the free Anti-Malware Security and Brute-Force Firewall and ran the analysis. It couldn’t find any more infected files, but suggested potentially vulnerable files. I went through these files manually one by one. They contained no suspicious code and their edits dates did not differ from those of clean WP installation, so they were not compromised.
  • Changed WP security tokens to log out every user.
  • Removed a spam user and changed other users’ passwords to new, strong passwords.
  • Manually checked WP core files for malicious code but couldn’t find (also comparing Last Modified times to those in a clean WP directory helps).
  • Set up a .htaccess script that blocks php files in Upload folder [3]
  • Finally, made sure that WP + theme + plugins that remain are up-to-date.

The only things I didn’t do are (1) reinstalling WP core (used a virus scanner + manual check instead) and (2) changing SQL password (GoDaddy doesn’t let you do that — another reason to avoid them). Moreover, (3) raw usage logs could also be viewed via Cpanel in order to find IPs of the hackers but, again, GoDaddy doesn’t give you Cpanel access in the plan I’m using.

Useful links I used

https://sucuri.net/guides/how-to-clean-hacked-wordpress

https://askwpgirl.com/10-steps-remove-malware-wordpress-site/

https://codex.wordpress.org/FAQ_My_site_was_hacked

https://www.killersites.com/community/index.php?/topic/22255-i-think-my-wordpress-site-was-hacked/

Footnotes

[1] # BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ – [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

[2]

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from 123.123.123.123

</Files>

</IfModule>

# END WordPress

[3]

<Files *.php>

deny from all

</Files>