How Not To Recover A Hacked Website

I have just spent the best part of 3 days recovering a hacked website. Read this so you don’t have to…

Last week I received 2 emails from software publisher Adobe informing me their products were being sold on my website without their permission.

[Screenshot: 10-30-15, 11.17 AM]

The link went through to a page on full of nonsensical spam; however, the same URL in Google took visitors to a more sinister destination:

[Screenshot: 10-30-15, 11.14 AM]

The page was redirecting through an iframe (see the bottom of the image below).

[Screenshot: 10-30-15, 11.34 AM]

A quick Google search of revealed 44 pages of results with around 40 pages being spam!

[Screenshot: 10-30-15, 11.06 AM]

Luckily, despite the pages of spam results the site had not felt the full wrath of Google. I had to act quickly to make sure no further harm was done and avoid possible blacklisting.

Here is a step-by-step account of what I did… and what I should have done.

Step 1: Installed anti malware plugins

What I did

If you are a WordPress user you will know there is a plugin for every occasion. I read good things about a couple of plugins. With a simple scan and by following instructions I would detect the malware, delete it and the affected pages in short order, job done. I downloaded Wordfence and Sucuri and scanned for malware; both drew a blank… Wordfence did show that the site was currently experiencing a ‘brute force’ attack from bots!

What I should have done

Found the last uninfected backup copy of my website and restored it.

Step 2: Restored the oldest backup available from my hosting company

When I found out my hosting company kept regular backups of my websites I thought, brilliant, that’s that taken care of. I then turned off and deleted my backup plugins. Smart move, I thought: no more bulky backups slowing down my website, one less plugin to update. The oldest backup on the server was 2 months old. I restored it, the problem remained; I believe the expression is Doh.

What I should have done

Remembered I had historic backups on the website. The plugins had been deleted but the backups remained in my uploads folder. I should have tried the oldest update which would not affect the content of my site and see if that worked.

Step 3: Began working through this post:

I deleted themes and files as directed but the malware and spam posts were still there. The next step is to delete your whole website, files, database, the lot. So I did, with the aim being to reinstall the themes and re-upload content.

This worked. However, looking at my domain, bare of content, bereft of life, in the 2011 theme, I thought: is there another way?…

What I should have done

Restored and updated the oldest clean copy, and by this point I could have been enjoying a milky tea and a McVitie’s caramel digestive.

Step 4: Re-uploaded the latest backup of the site

Faced with the prospect of having to modify my theme and re-upload all the content I balked. Visions of blank images, incorrect fonts and mis-sized headers began turning through my mind… so I pressed reset and re-uploaded the infected version of the site. Soon I had the comfort of looking at my website again as it should be, even if it was infected with malware and had hundreds of extra pages of spam content.

What I should have done

With the site restored and functioning fully, I could have made another brew, maybe had some soup and seen if there were any amusing felines on YouTube…

Step 5: Uploaded a clean backup

The chances of me finding anything remotely malware-looking seemed unlikely. The world’s foremost malware scanners, processing thousands of bytes per second, hadn’t thrown anything up; however, I remained undeterred. While manually searching for malicious files I found some backups. Would one be clean? I dared to dream… I checked the most recent backup available. The whole website seemed to be there: posts, images. I uploaded it. Using FTP this took quite a while. When it was done I visited a spam page – 404, boom! Back of the net!

What I should have done

With the malware a distant memory I should have given myself the morning off, maybe gone to a matinee of Spectre.
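One way to check a candidate backup against the infected site before restoring it, as an added example that is not from the original post: it hashes both trees to list the files the hack added or changed, and flags the two markers this post mentions, an external redirect iframe and PHP files in the uploads folder. The directory layout, the iframe regex and the sample files are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Injected redirect iframes normally point at an external host (assumed pattern).
IFRAME_RE = re.compile(r"<iframe[^>]*\ssrc=[\"']https?://", re.IGNORECASE)


def snapshot(root: Path) -> dict:
    """Map relative path -> SHA-256 of content for every file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(live: Path, backup: Path) -> dict:
    """Files present only in the live site, and files whose content differs."""
    cur, old = snapshot(live), snapshot(backup)
    return {"added": sorted(set(cur) - set(old)),
            "changed": sorted(k for k in cur if k in old and cur[k] != old[k])}


def suspicious_files(root: Path) -> list:
    """Flag PHP under wp-content/uploads and files containing external iframes."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if rel.startswith("wp-content/uploads") and p.suffix == ".php":
            hits.append((rel, "php-in-uploads"))
        elif IFRAME_RE.search(p.read_text(errors="ignore")):
            hits.append((rel, "external-iframe"))
    return sorted(hits)


def build_demo() -> tuple:
    """Constructed sample: a clean backup and a live copy with two injections."""
    base = Path(tempfile.mkdtemp())
    for name in ("backup", "live"):
        (base / name / "wp-content/themes/t").mkdir(parents=True)
        (base / name / "wp-content/uploads").mkdir(parents=True)
        (base / name / "wp-content/themes/t/footer.php").write_text("<footer>ok</footer>")
    live = base / "live"
    (live / "wp-content/themes/t/footer.php").write_text(
        '<footer>ok</footer><iframe src="http://example.invalid/x" height="0">')
    (live / "wp-content/uploads/x.php").write_text("<?php /* constructed dropped file */ ?>")
    return live, base / "backup"
```

Run `compare_trees` and `suspicious_files` against each backup in the uploads folder; a backup with no hits and no unexplained additions is the one to restore.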

Step 6: Updated everything to latest versions, deleted unnecessary content, changed passwords

I could now see that the site was clean. The spam pages were gone and the iframes were no longer loading. I immediately updated to the latest version of WordPress. I updated and deleted themes and plugins. Then I changed the password.

Step 7: Repair and prevention

With hundreds of spam URLs showing in Google I have begun submitting them for removal in Webmaster Tools. The first 20 or so were removed the following day, a promising start.

I have installed a new backup plugin, Updraft Plus. It seems very good. I have started taking my own backups again.

Wordfence and Sucuri have both been installed and set to protect my site from malicious bots.

Lesson learnt


Fingers crossed that’s the end of it… I hope if you were struggling with a hack this helped!

About Joe

Joe White. Owner, Think Genial