WordPress Sites Hacked!
The Setup
Just imagine coming to your site one day to see the whole thing in italics… Wait… why is it in italics? That doesn’t make any sense… There must be a plugin that is out of line or something. You check out the source code and find there is some bad code that doesn’t have a properly closed italic or emphasis tag. But then you notice that in the terribly written code is a link to a payday loan site. You didn’t put that there. What’s going on? You’ve been hacked.
This has happened to two sites that I created for clients, and one site that I’ve worked on, but didn’t create. What gives? Did I do some bad coding and/or use lax security? I quickly checked my other sites that I worked on around the same time… nothing. How strange… Why would some sites get hacked and the others not?
I checked the passwords, and sure, they weren’t very strong like they should have been (guess I should have pushed for harder passwords with my clients…), but why would someone hack a site and put that code in the header and then not touch anything else? Also, how would the seemingly same person hack ANOTHER one of my sites, and do something similar when the site login and passwords are different? This seems like something else.
I looked at some plugins that may have caused the problem, even asked the owners if they had been doing anything strange with different plugins, but came up with no clear answers.
I did, however, notice one similarity: both of these sites were hosted on what I consider sub-par hosting… GoDaddy.
Quick side note…
I hate GoDaddy. I’ll probably write a post one day about why I don’t like it. A few reasons are the terrible UI, the constant up-sell routine, and also because of the support of the SOPA bill (serious negative points, forever).
Also, I’m not trying to say that it’s GoDaddy’s fault (though it may be, and it could just be that they’re sadly so large they make for an obvious target), but all of the sites that have been hacked like this so far are hosted by GoDaddy.
How can I tell if my site is hacked? I see no italics…
To test for this specific hack, view the source of your website (or right click and inspect element for most modern browsers). Now do a quick text search (CMD + F / CTRL + F) for “payday”… Did you find any bad links that are hidden and not supposed to be there? You’re hacked…
The Fix
So a quick Google of “WordPress” + “GoDaddy” + “PayDay Loans” and you get some interesting results. I’d seen enough. Time to fix these sites. But how?
Well, at first I tried going into the header.php file of one of the sites and deleting the malicious code. Next I changed the passwords to the account on all aspects: GoDaddy, FTP and WordPress.
I kind of figured this would happen, but the code came back within an hour or two. That’s okay. I was already guessing that it was set up with WordPress to run a cron job to make sure the code was always there.
After some digging, I found the problem file in the wp-includes folder. Deleted it, and all was well. Felt like champ after a couple of hours. Easy.
The other site wasn’t as easy, and the problem wasn’t easy to find in the wp-includes folder, so I quickly developed a method that has worked pretty well… As with most things, there is an easy way and a hard way.
The Easy Way
The Re-install Now Button makes things easy.
There is a great and awesome button that can be found in the WordPress Admin section, under the dashboard, then updates. Find the Re-install Now button (as seen on the right), and click it. Oh, you may want to make a backup first and all that. That’s pretty important. But it’s more than likely okay to just re-install the core. Nah… just kidding. Make a backup first. I don’t want any of you blaming me for a failed site, ha.
After that, click on Appearances, then Editor. Find the header.php file. For most people, this is where it will be. If not, send me an email at hello@randyanderson.org and I’ll be glad to take a look.
Scroll down till you find a div tag with an id called “hideMe” or something similar. It should be one of the first things after the body tag. Delete the whole thing, till you see the corresponding ending tag for the div. This is some sample code taken from one of the sites:
<div id="hideMe" style="visibility: hidden; display: none;">
<p><i>Payday Loans Online <a href="http://13minpaydayloans.com/">Payday Loans Online</a></i></p>
</div>
Notice the i tags in there? That’s what was causing the italics all over the site. Anyway delete that stuff. In the above code, the i tag is fixed, but in the header file, I found the closing i tag was missing, causing the whole site to be italic.
Save. You’re finished!
The Hard Way
Why in the world would you want to do it the hard way?? Well, maybe you don’t have the cool Re-install Now button. If you don’t, try upgrading to the latest version of WordPress. That alone should kill the hack, but afterwards, just go ahead and re-install the latest version so you can be sure. Remember, back up first!
What? Your update failed or your Re-install Now button failed? Bah, here’s the longer way:
- Go ahead and back up your whole site, especially your specific files found in the wp-content folder, and the wp-config.php file in the root install of WordPress.
- Download a fresh install of WordPress from here (if this fails for some reason, check WordPress.org for the download).
- Open the newly downloaded files, and replace the wp-content folder with the files you backed up from your site and replace the wp-config.php (if there is one, usually there isn’t…).
- Upload your site to your server! Hopefully all goes well and you’ll be back up and running in no time.
Did I miss anything? Let me know in the comments below!
Why oh why? I thought WordPress was safe?
It is safe. But thing can always go wrong. This is why you should make timely backups of your site and always always always keep it updated with the latest and greatest from WordPress.org.
Did you have the latest version before you got hacked?
If not, that could have been the cause. When Automattic (the company who releases updates to the core and maintains the whole thing)* the WordPress core team releases an update, and you choose not to update, you are asking hackers to take advantage of you. How? The release notes for the updates tell what was fixed, and sometimes can give hackers clues on vulnerabilities of past versions, which they will use to their advantage.
Are you using a terrible hosting company?
Ummm, GoDaddy anyone? Yeah, you heard me. Opinions aside, I’ve only found this on GoDaddy. That alone is enough reason to suspect it’s something on their end, or possibly that one of their WordPress servers got hacked recently.
When one site gets hacked (maybe not even through WordPress), or when the server itself gets hacked, it can scan and find all of the different sites on that server, and install whatever type of terrible code it wants, including the code to mess up your WordPress installs. Just be thankful it didn’t do more!
Insert some other reasons that escape the writer at the moment!
Well, that could be. But if you keep WordPress updated, watch what plugins you install (check the authors out first), and do not have terrible hosting, you’ll be fine. If not, just use the Re-install Now button!
My site is still broken / I have no clue how to do any of this
Feel free to comment below and I will try my best to help. Also, feel free to send me an email at hello@randyanderson.org with some specifics and I’ll be in touch.
* I incorrectly said that Automattic releases and maintains WordPress and updates to WordPress, but thankfully Brian Krogsgard educated me on how that was incorrect. Thanks Brian!
—- UPDATE on 1/19/13 —-
You may also want to check your wp-config.php file, which is found the root directory of your WordPress installation, for any signs of malicious code. This one file that does not get replaced when you re-install WordPress through the use of the updater or the magically Re-install Now button. If you did re-install WordPress, and this malicious code was still in your wp-config.php file, the hack would repeat itself.
It isn’t just GoDaddy servers that this is happening on.
We have 4 installs of wordpress on our county servers that also have similar code injected into the header.php file of the active template. It is sort of cool how they know which theme is active and only updates that one.
Our code looks like this:
payday loans
* added to address so as not to promote anymore than we have to.
Rob, sorry to hear that your servers were hacked! Have you guys had them properly taken care of or do you need any help getting rid of the payday loan links?
We have over 300 sites hosted on Godaddy servers and as of this month, we are restoring at least 1 site and sometimes 5 sites per day from hacks. It’s to the point where we have a team allocated nearly full time to checking for hacked sites and restoring them. This is no exaggeration. I think it’s time to migrate to a better host.
Wow Charles. That is crazy. I agree with you and think it is definitely time to find a new provider. If they sites are mainly under 100k pageviews per month, I would try BlueHost. Hope that you guys wrap up your GoDaddy woes soon!