Latest WordPress Hack – Symptoms, Solutions & Resources

It seems there are a lot of WordPress hacks happening recently.

Network Solutions

Some WordPress blogs hosted by Network Solutions experienced a hack that made their websites redirect to a malware site. It specifically attacked the database by changing the site URL field (the siteurl option) in the wp_options table. Although Network Solutions initially blamed WordPress, they ultimately announced it was a hosting problem, not WordPress.

Google Cloaking Hack

The Google Cloaking Hack’s notable symptom is in the search engine results for your site: instead of your title and description, the search results show an alternate title with some prescription drug name. One example I found while looking for a particular article was “Clomid Prices – We Always Offer Lowest Prices on Internet” instead of the actual title of the post. It is also known as the WordPress Pharma Hack. It is called cloaking because the injected code serves the spam only to search-engine crawlers (selected by user agent), while regular visitors and the logged-in owner see the normal page, which is why it usually goes unnoticed until the search listing changes.

My WordPress Hack Experience

So far, I haven’t found an official name for the WordPress hack that affected several of my sites. The following is how I figured out there was a problem and what I did next.

About My Hacked Sites

My sites are all hosted on GoDaddy. One is in its own hosting account, and the other four were hosted under the same account. If the hack hits one site on a hosting account, the injection gets into the PHP files of all sites in that account, since every site in the account shares one filesystem and one FTP login. All of my sites were on WordPress version 2.9 or 2.9.1, as I hadn’t quite gotten around to upgrading them.

Hack Symptoms

  1. RSS was not working in WiseStamp signature, CommentLuv comment fields, or Yahoo Pipes.
  2. Stylesheets on admin panels were missing.
  3. Strange error in admin dashboard.
  4. Admin panel on mobile browser redirected to another page.
  5. Sites redirected to a free virus scanner search on Bing (in IE, sometimes Firefox)

What I Found in My Files

There were (thankfully) no modifications to my database, users, or .htaccess files. What I found included the following.

  • An additional PHP file in the root directory (stranger_rosetta.php on one site, page_cersy.php on another).
  • Obfuscated PHP code, what the cleanup guides of the time called “encrypted”, in almost all .php files (about 5 out of hundreds were unaffected).
  • View Page Source revealed that all of the pages and the RSS feed for my site had an additional call to a .js script right before the closing tag.
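A way to turn the three findings above into a repeatable check, as an added example that is not code from the original post: download the whole hosting account over FTP (every site in it, since they share the account) and run a scanner over the copy. It flags PHP files that carry an obfuscated decode-and-eval payload, PHP files that are nothing but such a payload (a dropped file like stranger_rosetta.php), and PHP files sitting in media directories where WordPress never puts them. The marker patterns, the 200-byte threshold and the directory names are my assumptions, not a complete signature set, and the sample site it builds for a dry run is constructed stand-in data.

```python
"""Triage scanner for a downloaded copy of a hacked WordPress tree.

Added example, not from the original post. Marker list, thresholds and
directory names are assumptions; the sample site is constructed data.
"""
import base64
import os
import re
import sys
import tempfile
from typing import Dict, Optional

# Decoder-plus-eval constructs the injected "encrypted" blobs of this period
# relied on and that legitimate core/plugin code almost never uses.
OBFUSCATION_MARKERS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"  # /e modifier runs the replacement as PHP
    rb"|(?:\\x[0-9a-fA-F]{2}){8,}",               # long runs of \xNN-escaped code
    re.IGNORECASE,
)
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=]{200,}")   # the encoded payload itself
# Assumption: the site never legitimately executes PHP from its media folders.
NO_PHP_DIRS = ("wp-content/uploads/", "images/", "img/")


def classify_php(data: bytes) -> Optional[str]:
    """Label one PHP file's bytes: 'dropped', 'injected', or None when clean."""
    has_marker = OBFUSCATION_MARKERS.search(data) is not None
    has_payload = BASE64_RUN.search(data) is not None
    if not (has_marker or (has_payload and b"eval" in data)):
        return None
    # Strip the encoded payload; if almost nothing readable remains, the whole
    # file is the payload, i.e. a file the attacker added, not one he prepended to.
    remainder = BASE64_RUN.sub(b"", data).strip()
    return "dropped" if len(remainder) < 200 else "injected"


def scan_tree(root: str) -> Dict[str, str]:
    """Walk a site copy and return {relative path: finding}."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".php5", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith(NO_PHP_DIRS):
                findings[rel] = "php-in-media-dir"
                continue
            with open(path, "rb") as fh:
                label = classify_php(fh.read())
            if label:
                findings[rel] = label
    return findings


def make_sample_site(root: str) -> None:
    """Write a constructed miniature site (stand-in data, not real malware)."""
    blob = base64.b64encode(b"<?php /* payload stand-in */ " + b"x" * 160)
    dropper = b"<?php eval(base64_decode('" + blob + b"')); ?>"
    clean = (b"<?php\nfunction my_theme_setup() {\n"
             b"    add_theme_support('post-thumbnails');\n}\n"
             b"add_action('after_setup_theme', 'my_theme_setup');\n") * 4
    files = {
        "stranger_rosetta.php": dropper,                                 # attacker-added file
        "wp-includes/default-filters.php": dropper + b"\n" + clean,      # core file, payload prepended
        "wp-content/themes/mine/functions.php": clean,                   # untouched theme file
        "wp-content/uploads/2010/04/thumb.php": b"<?php echo 'hi'; ?>",  # PHP among media
        "wp-content/themes/mine/style.css": b"body { color: #000; }",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> Dict[str, str]:
    """Build the sample site in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    make_sample_site(root)
    return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, label in sorted(results.items()):
        print(f"{label:18} {rel}")
```

Run it as `python scan.py /path/to/ftp-download`; with no argument it scans the constructed sample. Files labelled "dropped" are deleted outright, "injected" files are either cleaned or replaced from a fresh download, and anything in the media directories is almost certainly a back door. Because the patterns are a blocklist, a clean report is not proof of a clean site; it only tells you where to look first.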

What I Found on My PC

When I did a full scan of my laptop Kaspersky revealed one Trojan virus that hit my system on April 10th and another on April 15th, and Spybot S&D revealed a couple of standard spyware programs / cookies.

Steps Taken to Clean WordPress Hacks

Before I got started on the cleanup, I put a 302 temporary redirect in my .htaccess files to send visitors of the affected sites to a post on my personal blog explaining what was happening. One interesting result of this was that the post I wrote on my name domain was sent to Kikolani’s feed subscribers. It wasn’t deliberate, and I’m still not sure how that happened (most likely the blanket redirect also caught requests for the feed URL, so the feed fetcher followed it to the explanation post instead of the real feed), but it worked out. Once I had the redirect in place, I did the following.

  • Backed up my databases.
  • Deleted the WordPress installation files (the .php files in the root directory except for wp-config.php, plus the entire wp-admin and wp-includes directories).
  • Deleted the index.php file in wp-content along with the classic and default WordPress themes.
  • Deleted the .php files in the plugins folder along with the plugins themselves.
  • Manually cleaned the obfuscated code out of the customized theme templates and the wp-config.php file.
  • Uploaded the latest WordPress installation files. (My sites were at 2.9, so upgrading to the latest version did not seem to require a database upgrade.)
  • Uploaded fresh plugin files.
  • Removed .htaccess 302 redirect.
  • Checked the site in IE and Firefox plus source code to make sure malicious scripting was gone.
  • Activated plugins.
  • Celebrated victory (or considering how exhausted I was, relaxed for half an hour and watched Cougar Town on ABC online, but I digress).
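The weak point of the procedure above is the manual step: as the comments below note, missing a single file (or a back door parked in a folder you never look in) lets the infection return. One way to check the result, as an added example that is not the post's own tooling: hash every file in the reinstalled site and compare it against a pristine extract of the same WordPress release downloaded from WordPress.org. Core files whose hash differs, core files that are missing, and files the release does not ship outside the paths a site legitimately adds all get reported. The allowlist of site-owned paths is an assumption to adjust for your own site; the two trees the demo builds are constructed sample data.

```python
"""Verify a reinstalled WordPress tree against a pristine copy of the release.

Added example, not the post's own tooling. Assumes the pristine tree is an
unmodified extract of the matching version; the allowlist is an assumption.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

# Paths a real site adds on top of the release. wp-content itself ships
# index.php and the default themes, so the whole directory is not allowed blindly.
SITE_OWNED_PREFIXES = (
    "wp-config.php",
    ".htaccess",
    "wp-content/themes/",
    "wp-content/plugins/",
    "wp-content/uploads/",
)


def is_site_owned(rel: str) -> bool:
    """True for paths the site is expected to add; PHP under uploads is never expected."""
    if rel.startswith("wp-content/uploads/") and rel.lower().endswith((".php", ".php5", ".phtml")):
        return False
    return rel.startswith(SITE_OWNED_PREFIXES)


def hash_tree(root: str) -> Dict[str, str]:
    """Return {relative path: sha256 hex} for every regular file under root."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(live_root: str, pristine_root: str) -> Dict[str, List[str]]:
    """Modified and missing release files, plus unexpected files the release lacks."""
    live, pristine = hash_tree(live_root), hash_tree(pristine_root)
    return {
        "modified": sorted(p for p in pristine if p in live and live[p] != pristine[p]),
        "missing": sorted(p for p in pristine if p not in live),
        "extra": sorted(p for p in live if p not in pristine and not is_site_owned(p)),
    }


def _write(root: str, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Build two constructed trees (sample data, not a real site) and compare them."""
    base = tempfile.mkdtemp(prefix="wp-verify-")
    pristine, live = os.path.join(base, "pristine"), os.path.join(base, "live")
    core = {
        "index.php": b"<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php');",
        "wp-includes/default-filters.php": b"<?php add_filter('the_content', 'wpautop');",
        "wp-admin/js/common.js": b"jQuery(function () {});",
        "wp-content/index.php": b"<?php // Silence is golden.",
    }
    _write(pristine, core)
    infected = dict(core)
    infected["wp-includes/default-filters.php"] = (
        b"<?php eval(base64_decode('c3RhbmQtaW4='));?>" + core["wp-includes/default-filters.php"]
    )
    del infected["wp-admin/js/common.js"]                              # lost during cleanup
    infected["wp-admin/js/user.js"] = b"/* not a WordPress file */"    # attacker-added
    infected["images/page_cersy.php"] = b"<?php /* back door stand-in */"
    infected["wp-content/uploads/2010/04/cache.php"] = b"<?php /* PHP hidden among media */"
    infected["wp-config.php"] = b"<?php define('DB_NAME', 'example');"   # legitimately site-owned
    infected["wp-content/themes/mine/functions.php"] = b"<?php // site's own theme"
    _write(live, infected)
    return compare_trees(live, pristine)


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:3]
    report = compare_trees(*roots) if len(roots) == 2 else demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Run as `python verify.py /path/to/live /path/to/pristine-2.9.2`. Anything under "modified" or "extra" is either a file you customised on purpose or something the attacker left; there is no third category. Files under the allowed theme and plugin paths are invisible to this comparison, so they still need to be re-uploaded from fresh downloads or checked for obfuscated code separately.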

Special Thanks and Resources

How did I know to do everything listed above? I received support and help from some old and new online friends, including Frank of TechJaws, Gail of GrowMap, and Derek Semmler, James of ATM Multimedia, and StrictlyFitteds. Without their help I would have been stuck.

Resources

If you are experiencing one of the WordPress hacks that are circulating, here are some great resources to help you diagnose the problems and fix your sites. I found that it took multiple resources to really get an understanding of exactly what to do to completely fix the problems.

And of course, once your site is cleaned, be sure to secure it using a variety of the following methods. Cleaning the files is only half the job: several of the infections described here started with FTP credentials stolen by malware on the owner’s PC, and a fresh install changes nothing if the attacker can still log in. So clean the PC first, change the FTP, database and WordPress admin passwords (updating wp-config.php to match), and then put the hardening measures back in place. If you are unsure of how to implement any of these features, consult your hosting company, the WordPress support forums, or a security consultant.

Your Advice

Have you experienced any of the latest WordPress hacks? Please feel free to add any additional details or resources in the comments below to help other WordPress users find good information and ways to protect themselves from malicious activity.


Comments

    • says

      I would say that you should check out the security resources and make sure you are as secure as possible. You don’t have to implement all of them – just a few will help!

  1. says

    Glad to see you have everything back up and running. I read this post but, to be perfectly honest, have no idea what you just said. I guess I did get the part that you deleted a bunch of stuff and reloaded it somewhere. Hopefully, if I ever get around to my own site and use WordPress, I will not get hacked.
    .-= New from Kidgas I Am a Writing Maniac Thanks to 60 Day Challenge =-.

    • says

      That’s how I felt reading all of the other clean up posts. In the end, it really came down to deleting anything that wasn’t customized (so just cleaning up the code in the wp_config and theme template files) and then uploading a fresh installation of WordPress and plugins to your server via FTP (or, as I did, in the control panel of your hosting site). Sorry if it was a bit confusing, but it was the best I could do to summarize a very long, tedious process.

  2. Ivan Walsh says

    Yes, same problem and the blog is on godaddy.

    Can I ask, after you deleted these, did you need to do a re-install?

    or how/where did you get the clean files from?

    # Deleted WordPress installation files (primarily the .php files in the root directory except for wp-config.php and the entire wp-admin and wp-includes directories).
    # Deleted the index.php file in the wp-content along with the classic and default WordPress themes.
    # Deleted the .php files in the plugins folder along with plugins.
    # Manually cleaned out encrypted code from customized theme templates and wp-config.php file.

    # Uploaded the latest WordPress installation files.

    did you ftp the latest WP install files? is that how you replaced the files you deleted. I know it sounds dumb, but trying to get my plan of attack ready!

    thx

    Ivan

    • says

      It’s not dumb at all. Since I was already at 2.9, I knew the upgrade to 2.9.2 wouldn’t be too bad. So I deleted all of my files except for the wp_config and theme template files (because I had some customizations) and replaced them with a freshly downloaded set of WordPress 2.9.2 files from the WordPress.org site and the plugins I was using from various sites.

      You can, alternatively, open all of your PHP files and just remove the code. If you run into one that has nothing but encrypted PHP, it is probably a file that was added by the malware, so it needs to be completely deleted. Cleaning the files is a very, very long process though, and if you miss even one, you leave the virus on your site and give it a chance to repopulate on all of your files. Hence the deleting and reinstall is a bit easier.

      • Ivan Walsh says

        You’re a star! Thanks *so* much. I finally got it sorted.
        Out now for a very long walk!

    • Ivan Walsh says

      Hi Guatam,

      One tell-tale sign (for me anyway) is that my RSS feed wouldn’t work in Feedburner and/or Aweber, so I couldn’t send out any newsletters.

  3. says

    I would say the best defense is by applying some of the tips in the security resources I listed, like protecting your wp_config file (which has all of your credentials in it), super secure password (capital letters, numbers, special characters), and keeping your PC secure (virus scanner, spyware detector) as hackers can get your FTP information via malware which is how a lot of these hacks are spreading.

  4. says

    Hello Kristi,

    I am pleased that you got the problem solved. I’ve been hacked on two occasions, on two different servers. Firstly, back in 2007, I was hacked when my hosting was with Globat. (I strongly suggest that nobody ever uses Globat.) Their servers had overfilled shared hosting, where a WordPress blog with one page would crawl on its knees.

    A good hosting solution is key. Now I am with Heart Internet. Heart Internet is a UK based hosting company that is always improving their service. You mentioned hackers get access with FTP. Well, Heart Internet now has a feature where your FTP access is locked. In order to access it you must access your control panel and then unlock it for a period of time. This prevents hackers accessing your sites. The best thing to do is manually add your username and password in your FTP program. A virus can find saved usernames and passwords in applications.

    The only way to restore your WordPress blog is to back it up.

    Thank you for the backlink, I am very grateful. Currently, I have a landing page on my blog, because I’ve been made redundant by my employer and I start working for myself on the 1st May, so I am getting everything ready.

    Many thanks

    • says

      My site has been hit before as well. I think this one was actually a bit easier, as it only affected PHP files, whereas the last one was embedded in every PHP, JS, and HTML file on my server. At the same time, since I had more sites on one hosting account this time around, it took a lot longer to take care of. Security is definitely the best defense.

  5. says

    It’s nice to see that you are back to normal; it just goes to prove that when there is a WP update, it’s best to upgrade as soon as you can. But I do feel for you as, being a blogger myself, I know how much hard work goes into building up a blog and its reputation only to have it pulled away from you by some complete and utter ….. I’m not going to swear ;)
    .-= New from Karen @ Blazing Minds How To Vet Your Twitter Followers =-.

    • says

      It’s funny, I don’t notice the updates often, but I saw that sites running 2.9.2 were being hit as well, so I figured I stood the same odds not updating. Actually, the last time this happened, I was hit right after I updated to the latest version. It’s about a combination of upgrading and taking other security measures.

      Don’t worry about swearing… I did a lot of that for the two days I was working on this!

  6. says

    Glad you got things sorted out, I would say this, I’d never host a site at godaddy…especially if the domain is registered there too, I have one registered there, never had any issues with godaddy, but I have seen lots of people who have had issues there, even forced into paying out to get the problem solved.
    They dropped the person’s site for “alleged spam”, which never happened, yet then GoDaddy squeezed money out of them to get the site back up; needless to say, they moved the site sharpish.

    My advice never host with the same domain registrar.
    .-= New from rob sellen@portland bill Google a mass of contradictions? =-.

    • says

      I have heard of a few sites that lost their hosting due to spamming, or being on the same account as a site that was spamming. Of course, in their case, I knew how the site got reported for spam, and it was legit so it was understandable. I chose them since they are located in Scottsdale, same as I am, so I figured if there were any problems, at least it was a company I could find the office for and give them an in-person piece of my mind. Fortunately, they have been very good for me – support especially has been pretty excellent.

  7. says

    I’m starting to worry about the security of my WordPress blog now after learning about the hacking issue on your blog recently. I think I really need to do something to protect my blog. Thanks for telling us about the symptoms of hacking. :)

    • says

      Yeah, they were kind of random and I didn’t think much of them (feed problems, mobile redirect), but little signs can warn you of a major problem.

  8. says

    I had this happen three weeks in a row. Last weekend was the worst with a full scale attack on Thursday that lasted until Monday.

    I was up at 5 am and my site was cool this morning. At 9 am it had been hacked.

    https://sucuri.net is helping me. Weird how easy it is for the hackers to get past a so called hardened site.

    • says

      That’s a major problem with the hacks – if you don’t find the “back door” file, they can get right back in after you clean up everything.

  9. says

    I had a problem with the “Google Cloaking Hack”. It took me a week of corrections before everything was fixed. It’s horrible. And again, backups are very important!
    Thanks for the useful links from techjaws.com!
    .-= New from Stas@Buy Vitamins Online A Day to Act- World Malaria Day =-.

    • says

      You’re welcome. Yes, backups can mean the difference between having all of the files to upload easily vs. having to clean everything manually.

  10. says

    Incidents like these often remind me of my triumphant ordeal with the hackers of my site back in June 2009, but I have never had a problem since then, even though I’ve already transferred hosting four times within 12 months.

    I learned my lesson the hard way, and it was scary because during that time I was still new to web hosting and WordPress and had nobody to ask, since my host then didn’t take responsibility for the issue.

    The best solution is a clean install. An XML exported file from wp-admin without reusing any database. I don’t host images on the server anyway so it goes with the XML file as attachments.

    Stronger passwords, updating antivirus and regular PC scanning are a way to go.
    .-= New from Mathdelane @Software Critics Security Alert: “Biet tin gi chua, vao day coi di” Virus on Yahoo Messenger =-.

    • says

      That’s not a bad idea. I have so much in my database, I don’t think the export would work. I know I have tried to export a lot of posts, or import them, and I think there is a file size limit.

    • says

      The first rule of thumb is not to freak out if anything happens. Getting upset just clouds your ability to take care of the problem. The calmer you are, the easier it will be to get to a solution.

  11. says

    I constantly change my password. And at any of my blog’s birth, I really see to it that it is secure. Security is topmost priority. Thanks for sharing your experience. We definitely learned something from it, and also a big thanks for the great and useful resources.
    .-= New from Andrew@BloggingGuide How to Ask to Get Ahead =-.

    • says

      Very true. I had my site pretty well locked down, and I think I just forgot to put some of those measures back in place after the last upgrade. Definitely a not so friendly reminder to do so!

  12. says

    Hi Kristi,
    I got a similar issue on one WordPress site few days ago.
    I have cleaned up the site as you did, and posted an article (in French :-)) about it.

    I’m still searching about the entry point on this attack, and I have two leads : a virus on the PC which could have used my ftp client, or a weak file system security on my hosting provider (as Matt suggested http://wordpress.org/development/2010/04/file-permissions/).

    For the prevention, I use the services of http://sucuri.net/ to monitor any unwanted changes on the code of my sites.

    Thanks for the sharing of your experience.

    .-= New from fanta78 De l’utilisation de Facebook par un social hacker… =-.

    • says

      Thanks for the link back to my article. I still am unsure of the entry point to mine, because I don’t think I had any of my FTP credentials saved on my machine. My config file was not well protected, so I’m guessing it must have been through that.

  13. says

    My goodness. I can’t believe that even renowned brands like these have so many security vulnerabilities. It’s tough to stay secure. There are phishers everywhere, trying to exploit every single glitch. WordPress self-hosted blogs: there is a large-scale infection of WordPress websites, and new reports are popping up daily in huge volumes. Hosting providers should deploy some tough security measures to avoid fiascos like this in the future. I guess your story can be used as a checklist to identify whether one’s website is hacked or not. Thanks for this informative writing.

    • says

      I think the fact that it is open source makes it super simple for people to see how everything works and then build something to attack it. Plus, since many of the security features have to be implemented on a user level and many require some advanced technical skill, it makes it easy to find unsecured sites all throughout the web.

  14. says

    Just fixed the same problem for a couple of clients. And they were hosted on GoDaddy.
    I also had to edit every theme file and also replace all the php files in the home directory except for the config.php.

    • says

      Interesting… I think what I had was different from the Network Solutions issue, and similar to one I had in the past, so it must be universal to any hosting company.

    • says

      You’re welcome. I hoped to make this post easy to find for anyone looking for solutions to any of the latest hacks out there.

    • says

      My PC seemed pretty secure… I have two machines using different antivirus programs (Kaspersky and McAfee) and it seemed like they were realizing infected sites before they downloaded something harmful to my PC. I guess one of them must have missed something though.

  15. says

    Hi Kristi,

    Did you inform godaddy about the hack? If yes, what is their response? I mean are they helpful or just pushing around?

    I’m concerned because my site is hosted on GoDaddy as well. I’m proposing to a client to use a blog as the company website, so it looks like I need to get this security threat cleared up before I proceed.

    • says

      I meant to call them, but once I figured out the solution, I just went for it. I figured it was more of something on my end, and I really wanted a hands on approach at figuring out the solution in case something happened again later. I’m sure they would have been helpful, but at the same time, I was able to troubleshoot it immediately on my own.

      • another one says

        I also host on GoDaddy, and I had this SAME thing happen. My wordpress installation was up to date, as well as my plugins. I use strong anti-virus protection and also have hardened passwords that are changed a few times a year.

        My trojan was a keylogger that took my FTP details and used them to inject obfuscated PHP code in almost every file in my hosting.

        While I realize that all hosts have their security problems, this is more than a coincidence. Even our timing is the same.

        I will be calling GoDaddy, and I think you should too. I’ve been on the phone with them many times throughout this ordeal and they have never accepted any blame.

        Thank you for posting about this so that the rest of us can learn (and in my case find support).

  16. says

    Hi Kristi,

    Great site.

    I have this exact hack on my site at the moment. And yes I am hosted by GoDaddy as well.

    I cleaned up all the code in the php files but about this point you made:

    “View Page Source revealed all of the pages and RSS feed for my site had an additional call to a .js script right before the closing tag.”

    How did you remove this? I can’t find what file is responsible for this and it is still causing the redirects to spyware sites.

    Thanks,

    Mark

    • says

      Basically, the script will not go away until every PHP file on your site has been cleaned. I missed a few files on my site, and even just leaving one meant the code stayed behind in my site and RSS feed. So if you have multiple sites on one account, those sites need to be cleaned as well. Plus, you have to check every folder on your site (plugins, themes, subdirectories, etc.) – there could also be an additional PHP file somewhere strange that was added to make sure the code stayed on the site (like in an images folder). It’s tedious, but every page has to be cleaned before it will go away. Also, if you have a plugin like WP Super Cache, you will need to delete the cache. It could be clean but still serving older pages. And it wouldn’t hurt once your site’s Page Source is clean to ping Feedburner so your feed will update to a cleaner version as well.

    • says

      @Mark In my case the infection was quite large.

      Some standard WordPress php files:
      * /index.php
      * /wp-includes/default-widgets.php
      * /wp-includes/default-filters.php
      * /wp-includes/default-embeds.php
      * /wp-admin/index.php
      * /wp-admin/index-extra.php

      All wordpress javascript files located here:
      * /wp-includes/js/*.js
      * /wp-admin/js/*.js

      To clean up I have simply reloaded a fresh installation of wordpress .

      On top of that, there was in the folder /wp-admin/js/ a NEW file ‘user.js’, which is not a WordPress file. I had to delete it.
      .-= New from fanta78 WordPress: au secours, on attaque mon blog ! =-.

  17. says

    Thanks for the info Kristi! Even though the Daily Axioms blog I write for is on Blogger, we are currently working on a WordPress site as well (but it looks like we were able to avoid any issues so far).

  18. says

    I’ve a long story on this. My 2 years of hard work were brought down by hackers from Russia last month! The guy did insanely awesome hacking and edited a few of my posts blaming WordPress security. I was angry. Sad.

    Have written about it on my blog as well. However, learnt a lot during the course and have been actively maintaining the website. Had a lil chit chat with the hacker too.. WordPress is targeted, no doubt! :)
    .-= New from Rockstar Sid Weird Gadgets you never knew Existed. Awesome Gadget Products! =-.

    • says

      You chat with the hacker as well? Guess he wasn’t going all out to mess up your blog, maybe he just wanted to send some messages out.

  19. says

    Thanks for such a great list of tips and advice Kristi! yes, always backup your files regularly and upgrade to the newest WP version ASAP.

    I was recently php-hacked on my WordPress blog and had to do a complete refresh. Like you, I had help from a fellow developer who walked me through the refresh process. And thankfully I was able to recover all my content and make use of the fresh, albeit frustrating, re-start. ; )
    .-= New from Chris Catania It’s Time To See Phish 3D Tonight! =-.

  20. says

    Hi Christi, I want to thank you for your information here. I was hacked a few weeks ago, but I was too afraid to try and fix it myself. I just don’t understand all the code talk and such, so I had to seek help from the people at WPSecurity.com. They did a great job getting everything straightened out for me. I guess I really should start learning a little bit more about code, php files and all that other stuff ya’ll are talking about so that I can keep a closer eye on my site as well.

  21. says

    Thanks for the detailed instructions and tips; getting my sites / blogs hacked is really top of my list of personal nightmares! I am not an overly techie person, but I am religious about updating themes, plugins and WordPress itself. Additionally I signed up for a service that sends you an email as soon as the content of the websites you want to monitor changes. For the rest, I have to rely on my hosting provider, SY
    .-= New from hospitalera@Irish Home Garden Improvements on Ceramic Sinks =-.

  22. says

    About Cloak, most of the time, the hack is already in the template you downloaded or a plugin. The hack is hidden in the code and often upon making changes to the blog – adding post, category, tag, etc – the hack is activated.

    Also, it may be that it is only revealed when the page is called via a particular user_agent, or only when not logged in (you are often looking at your blog when logged in), etc., or with a non-JavaScript-enabled browser. You can often detect them by looking for obfuscated code (strange series of characters that are unreadable). There is (was?) also a plugin that will detect encoded/obfuscated code in your wp-content dir (where plugins and themes live).

    Till then,

    Jean

  23. says

    Hey Kristi,
    I had no idea you went through this huge headache. I’m so glad you got it solved! What a nightmare. I’ve been reading up on blog security and know that there’s so much to do to get secure. Keeping a backup is the first thing for sure. Bookmarking your page as part of my research on blog security.
    All the best,
    Eren
    .-= New from Eren Mckay Inspirational Parenting Quotes – How I See My Calling =-.

  24. says

    Yikes, I guess we were not the only ones. We had a site hacked but fortunately we back up everything every day. We simply reinstalled a fresh copy of WordPress (plus a new database), then imported our back up. We lost a day’s posting, but we had that still saved anyway. Thank goodness for backups.
    .-= New from Colleen 16th Annual Safe Kids Saturday =-.