How Not To Recover A Hacked Website

I have just spent the best part of 3 days recovering a hacked website. Read this so you don’t have to…

Last week I received 2 emails from software publisher Adobe informing me their products were being sold on my website without their permission.

[Screenshot, 10-30-15 11:17 AM]

The link went through to a page on thinkgenial.com full of nonsensical spam; however, the same URL in Google took visitors to a more sinister destination:

[Screenshot, 10-30-15 11:14 AM]

The page was redirecting through an iframe (see the bottom of the image below).

[Screenshot, 10-30-15 11:34 AM]

A quick Google search for site:thinkgenial.com revealed 44 pages of results, with around 40 of them being spam!

[Screenshot, 10-30-15 11:06 AM]

Luckily, despite the pages of spam results, the site had not felt the full wrath of Google. I had to act quickly to make sure no further harm was done and to avoid possible blacklisting.

Here is a step-by-step account of what I did… and what I should have done.

Step 1: Installed anti-malware plugins

What I did

If you are a WordPress user, you will know there is a plugin for every occasion. I read good things about a couple of plugins. With a simple scan and by following the instructions I would detect the malware, delete it and the affected pages in short order: job done. I downloaded Wordfence and Sucuri and scanned for malware; both drew a blank… Wordfence did show that the site was currently experiencing a ‘brute force’ attack from bots!

What I should have done

Found the last uninfected backup copy of my website and restored it.

Step 2: Restored the oldest backup available from my hosting company

When I found out my hosting company kept regular backups of my websites I thought: brilliant, that’s that taken care of. I then turned off and deleted my backup plugins. Smart move, I thought: no more bulky backups slowing down my website, one less plugin to update. The oldest backup on the server was two months old. I restored it; the problem remained. I believe the expression is “Doh”.

What I should have done

Remembered I had historic backups on the website. The plugins had been deleted but the backups remained in my uploads folder. I should have tried the oldest backup that would not affect the content of my site and seen if that worked.

Step 3: Began working through this post: http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

I deleted themes and files as directed, but the malware and spam posts were still there. The next step is to delete your whole website: files, database, the lot. So I did, with the aim of reinstalling the themes and re-uploading the content.

This worked. However, looking at my domain, bare of content, bereft of life, in the 2011 theme, I thought: is there another way?…

What I should have done

Restored and updated the oldest clean copy, and by this point I could have been enjoying a milky tea and a McVitie’s caramel digestive.

Step 4: Re-uploaded the latest backup of the site

Faced with the prospect of having to modify my theme and re-upload all the content, I balked. Visions of blank images, incorrect fonts and mis-sized headers began turning through my mind… so I pressed reset and re-uploaded the infected version of the site. Soon I had the comfort of looking at my website again as it should be, even if it was infected with malware and carried hundreds of extra pages of spam content.

What I should have done

With the site restored and functioning fully, I could have made another brew, maybe had some soup and seen if there were any amusing felines on YouTube…

Step 5: Uploaded a clean backup

The chances of me finding anything remotely malware-looking seemed unlikely. The world’s foremost malware scanners, processing thousands of bytes per second, hadn’t thrown anything up; however, I remained undeterred. While manually searching for malicious files I found some backups. Would one be clean? I dared to dream… I checked the most recent backup available. The whole website seemed to be there: posts, images. I uploaded it; using FTP this took quite a while. When it was done I visited a spam page: 404, boom! Back of the net!
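The manual search described above is the part scanners kept missing, so here is the triage a practitioner would script for it. This is an added example, not code from the original post or from Wordfence or Sucuri: it builds a small constructed WordPress tree (two clean files plus three plants of the kinds the post describes) and a constructed "clean backup" of the same tree, then runs four checks against them. The directory layout, file names and sample payloads are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. A small triage scan of a
# WordPress file tree for the artefacts the post describes: PHP dropped into
# wp-content/uploads, eval/base64 loaders, injected <iframe> tags, and files
# that exist in the live tree but not in the last clean backup.
# The install and the "clean backup" below are constructed for the demo.

WP_ROOT="$(mktemp -d)"   # assumption: a throwaway copy of the site, not the live tree
BACKUP="$(mktemp -d)"    # assumption: the last known-clean backup of the same tree

# --- constructed sample install: a couple of clean files -----------------
mkdir -p "$WP_ROOT/wp-content/uploads/2015/10" "$WP_ROOT/wp-content/themes/twentyeleven"
printf '<?php get_header(); ?>\n' > "$WP_ROOT/wp-content/themes/twentyeleven/index.php"
printf 'GIF89a' > "$WP_ROOT/wp-content/uploads/2015/10/logo.gif"
cp -R "$WP_ROOT/." "$BACKUP/"   # snapshot taken before the compromise

# --- three constructed plants of the kind a scan should flag -------------
printf '<?php system($_GET["c"]); ?>\n' > "$WP_ROOT/wp-content/uploads/2015/10/cache.php"
printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$WP_ROOT/wp-content/themes/twentyeleven/functions.php"
printf '<iframe src="http://example.invalid/x" style="display:none"></iframe>\n' > "$WP_ROOT/wp-content/themes/twentyeleven/footer.php"

# 1. Executable code in the media directory. Uploads should hold images and
#    documents only; any .php under it is a backdoor until proven otherwise.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null || true
}

# 2. Calls that ordinary themes and plugins almost never make but PHP
#    webshells and loaders almost always do. Each hit is read by hand.
webshell_idioms() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|system\(|shell_exec\(|passthru\(' \
        {} + 2>/dev/null || true
}

# 3. Any <iframe> in theme, plugin or static files; the post's redirect was
#    served this way, and a small site rarely has a legitimate one.
iframes() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -li '<iframe' {} + 2>/dev/null || true
}

# 4. Files present in the live tree ($2) but absent from the clean backup ($1).
#    The cheapest way to see what an attacker added, if a clean backup exists.
new_since_backup() {
    diff -rq "$1" "$2" 2>/dev/null | grep "^Only in $2" || true
}

report() {
    printf '== PHP under uploads ==\n';        php_in_uploads "$1"
    printf '== Webshell idioms ==\n';          webshell_idioms "$1"
    printf '== iframes ==\n';                  iframes "$1"
    printf '== New since clean backup ==\n';   new_since_backup "$2" "$1"
}

report "$WP_ROOT" "$BACKUP"
```

Run it against a copy of the site pulled down over SFTP, not in place, so that nothing is deleted before it has been read. The fourth check is the one that matters most and is only possible because a clean backup exists. On a real install the same comparison against pristine files is available without a backup via WP-CLI (`wp core verify-checksums` and `wp plugin verify-checksums --all`), which flags core and plugin files whose hashes differ from the published releases. The temporary directories are left in place for inspection; remove them with rm -rf when done.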

What I should have done

With the malware a distant memory, I should have given myself the morning off, maybe gone to a matinee of Spectre.

Step 6: Updated everything to latest versions, deleted unnecessary content, changed passwords

I could now see that the site was clean. The spam pages were gone and the iframes were no longer loading. I immediately updated to the latest version of WordPress. I updated or deleted themes and plugins. Then I changed the password.

Step 7: Repair and prevention

With hundreds of spam URLs showing in Google, I have begun submitting them for removal in Webmaster Tools. The first 20 or so were removed the following day, a promising start.

I have installed a new backup plugin, UpdraftPlus. It seems very good. I have started taking my own backups again.

Wordfence and Sucuri have both been installed and set to protect my site from malicious bots.

Lesson learnt

DON’T UNDERESTIMATE REPAIRING A HACKED WEBSITE AND TAKE BACKUPS!

Fingers crossed that’s the end of it… If you were struggling with a hack, I hope this helped!

About Joe

Joe White. Owner, Think Genial
