Knowledgebase

(WORK IN PROGRESS!)

So you've gotten a few calls, emails, drop-in visits with some frantic current or potential clients saying "my computer said your website is infected!" or something along those lines. This might instill a little panic on your part but one thing you have to remember: you're not alone! Wordpress is a very popular content management system, so when something becomes popular it is often the target of people trying to exploit it (if you think about all the Updates your MAC or Windows computer receive - most of these are security updates because someone decided to look for, find and exploit a security hole).

Disclaimer:

It's that thing that nobody likes to read, but for liability reasons we have to include it: WebPal Cloud Inc. and any agents acting on belahf of WebPal Cloud Inc. are not responsible for lost data and/or loss of functionality of your website by going through this guide/article. While anything we will list here are usually pretty safe bets to do, we cannot place a 100% guarantee that this will work for your website. Also, in many cases if the base wordpress files have been infected (such as the index.php file in the wp-admin folder) will cause things to stop loading when you modify them, so always make a backup before touching base files from Wordpress!

Now that we have that out of the way, let's get on to the real reason you're here.

Symptoms:

Google's Crawlers will periodically check websites for anything found to be out of the ordinary or malicious. Sometimes these are false positives but most of the time they are 100% accurate. How can I fix this you may ask...well the answer is simple yet it's not.

There is no cure all for a hacked or compromised Wordpress installation. Sometimes it's as simple as re-installing the base files for Wordpress, sometimes its as simple as removing a couple of files from the server and updating wordpress. However I am going to outline some of the basic steps we go through to diagnose and fix the issues at home.

Google Search Results Example:



Malware Notification From Google Chrome:



Don't panic though, more often than not this is a simple and fairly easy fix for you, but sometimes it's more indepth than a simple/easy fix. We are here to help if you or your Web Developer can't get this resolved.

What files are infected?

We get this question posed to us on a regular basis. We can run an anti-malware scan on the server level to scan for all of the infected files in your User Directory. We can then provide you a list of the infected files. Most often they will be something that can be removed, sometimes you need to use some tools to fix the files.

Sometimes when we send this report it can be a little overwhelming to read but it's worth your while to ask questions to us or do some Google searches.

Ready to fix your website? Then please read on! If you don't feel up to the challenge our talented Support Staff can work for you on this. We would be required to bill for this work but it's definitely worth it if you don't feel up for the challenge. Most hacks can be backed off in a matter of 1 to 2 hours. Some are more indepth that requires more information or are just harder to get rid of. Our rate for fixing a site or doing custom work is $75 per hour.

1. Can you access your WP-ADMIN Dashboard?

If you can get into this, then you are well on your way to fixing the issue - a lot of times the hack will try to block you from using this Dashboard since they all know that it's crucial to being able to fix your site and lock them out. Continue to the next section to be able to try to recover your website.

If you can't, then it's probably best to re-install Wordpress by following the instructions in this Forum Post on the Wordpress website:

https://wordpress.org/support/topic/reinstall-wordpress-and-not-lose-content

2. Update Wordpress

In many cases the people that compromised the site are using a known exploit on websites running older versions of Wordpress. As of writing this, the current version is 4.3. So if you are running an older version of Wordpress you should upgrade it asap!

3. Update Plugins and Theme

Often times the exploit that is used is because a plugin or two is older and needs updating. As crucial as it is with Wordpress to be up to date, Plugins need to be maintained too. So when you're logged into the WP-ADMIN Section, please update the Plugins (any plugins that need updating will have a numbered "badge" beside the word Plugin (similar to if you have a notification.

4. Wordpress, theme, and plugins are up to date already but the site is still found to be malicious!

This is where it gets tricky. Google will often tell you one or two pages are infected which usually isn't the case. It's usually a section of the page you see in your browser as Themes in Wordpress are comprised of: a header, a footer, a "body", and at least one side bar. Google sees all of this as one page, while in the backend the reality is that it's multiple pages. The fastest way for you to tell the actual file(s) that is/are infected is for you to ask us to run a scan on your directory. We can then tell you "Hello Mr/Mrs Customer, the infected file is in wp-content/themes/name-of-theme/footer.php". The files in the Themes directory can be changed, so if it's a line of code such as: 

<?php
error_reporting(0);
$qw = ('ab') ;$we = ('l') ;$rt = ('k') ;$yu = ('a') ;$de = ('re') ;$rtt =('m');$mu = ('dul') ;$krd = $qw.$mu.$we.$rt.$re.$yu.$de.$rtt ;$muhmad = $krd ;
if(isset($_GET[$muhmad]))

You can usually safely remove this from the file and it will fix the infection for you - even though it's not malicious to your userbase, there's usually something about the code that is relevant to the hacker - i.e. sending spam from your website and this is seen by Google as an Infection.

5. Uh Oh! My website doesn't work after my update...what did I do?

In most cases: nothing. Sometimes the newest version of Wordpress contains updates on the backend that make it incompatible with certain themes or plugins.

The first thing to do here is turn off the theme that you were using. This is usually pretty easy to do without being inside WordPress itself...simply log into your cPanel account, click on File Manager, and then navigate to the Themes folder (usually this will be going to public_html, then wp-content, then going to themes). Find your theme, and rename the folder to originalname-off (where original name is the name of the theme i.e. twentyfourteen would be renamed to twentyfourteen-off) and try to re-load the website. If this does not resolve the issue then you need to rename the theme folder BACK to the original name and continue. Stay in the File Manager though, as it's needed for the next step.

6. So the Theme isn't the problem...let's check plugins

Instead of renaming a folder within theme, click the Up One Level at the top of the screen, and rename the folder called "plugins" to "plugins-off". Reload your website in another browser. If you are seeing a super basic form of your webstie, don't worry you'll get this fix so long as you remember that your data is intact and you just have some digging to figure out the individual plugin that is causing the site not to load.

If the website does NOT load - then it is time to cut your losses as the Wordpress Install needs to be re-done so you'll need to follow the instructions here on re-installing without losing your data:

https://wordpress.org/support/topic/reinstall-wordpress-and-not-lose-content


7. Alright, so we've narrowed down the issue to being Plugin related. This is the easiest part!

Now, rename the plugins folder back to "plugins"....double click the folder to go in and start turning off specific plugins. So if you have SEO by Yaost (seo-yaost), Google Analytics (google-analytics), Wordfence (wordfence) and WooJoo (woojoo) start at the top and then work your way down the list. Rename each folder on its own, so rename woojoo to woojoo-off, and then reload the website. Eventually you will find a plugin that has caused the site not to load - this is usually a compromised plugin or one that needs to be changed out for another one. The Wordpress Forums are a good place to look for other plugins.

Preventative Measures

First: Backup Backup Backup!

As with any sensitive data, be it a static website, or a Wordpress installation, you can never back up too careful with your website, as this is your livelihood Online.