What have I been up to? I’ve been helping a good friend rescue his hacked small business website. He has a WordPress website with the Thesis theme. Early this week he realized the site had been hacked and called me in a bit of a panic. Since I know this happens all of the time, I wanted to pass on what we learned in the process. His site is now back up to par and we’ve added additional security measures.
Our first lesson was “RELIGIOUSLY back up your site!” If we’d had a recent complete backup of the site, the re-install would have taken minutes instead of hours. There are a couple of ways you can back up a WordPress site:
1) Use the Export Function from the Dashboard of your WordPress Site.
2) Using FTP, download everything in the wp-content folder of your site to your hard drive or to an external hard drive.
Here is a link to a great tutorial on how to create a complete backup of your site and even run a local copy of WordPress on your computer:
So, back to what we did to get this site back up and running:
1) Made a complete backup of the entire site as it was currently, in case we needed to pull information from the files.
2) Created a complete list of plugins and widgets utilized within the site. We even took screen shots of each plugin’s and widget’s settings.
3) Uninstalled WordPress from our site completely by using Fantastico De Luxe on our Cpanel Dashboard.
4) Reinstalled WordPress using Fantastico De Luxe. At this point, we checked to see if the site still re-directed to the hacker’s website. Yeah, we had our site back! Now to add the content.
5) Reviewed the entire database of blog posts to see if we could find any unusual external references or content. In our case, we could not find any malicious text in our blog post database so we imported the post database back into the site.
6) Re-installed all of the previously utilized plugins.
7) Re-activated and set up each plugin.
8) Set up all of the widgets exactly as they were previously, using our screen shots.
At this point, we had a running site with our content included. There were still a couple of tweaks to get the site back to its original glory, but we were almost there!
9) Added the CSS code to include a header image, a footer image, a hit counter, and some additional text in the footer.
What a relief to have the site back up and running and looking like it did prior to this malicious attack! One thing to mention: a lot of people recommend taking your site down completely as soon as you’ve discovered an attack. This can be done by renaming your index.php file in the root directory of your blog. You can then upload a text file with information about the site being down for maintenance. The main reason this is suggested is that most of these hacks are not done by hand; they are done through malicious scripts. These scripts attach to each writable file in your directory. If someone visits an internal page of your blog after you’ve started the recreation process, your new files can be re-infected.
Now to secure the site! Our second lesson was “Don’t make Passwords Easy to Figure Out!”
Our first step was to go through and update all passwords and confirm all users’ information. Sometimes hackers add themselves as a hidden user, so make sure to check all users.
Next we went through and added a few additional plugins to the site that are set up to help you monitor the site and its vulnerability.
Here are the additional plugins we installed to help keep this site secure:
1) WP Security Scan – Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
2) AntiVirus for WordPress – A smart and effective solution to protect your blog against exploits and spam injections.
3) Login Lockdown – Records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.
4) Secure WordPress – Removes Error information on login page; adds index.html to plugin directory; removes the wp-version, except in admin area.
5) WordPress File Monitor – Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
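The added/deleted/changed check that a file monitor like item 5 performs can be sketched in a few lines. This is an added example, not code from the WordPress File Monitor plugin or from the original post; the function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare(baseline, current):
    """Return the added, deleted and changed paths between two snapshots."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Run the check on a constructed tree standing in for a WordPress install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "themes").mkdir(parents=True)
        (root / "index.php").write_text("<?php // clean index\n")
        (root / "wp-content" / "themes" / "style.css").write_text("body {}\n")
        baseline = snapshot(root)  # taken right after the clean reinstall

        # Constructed changes: one file modified, one added, one removed.
        (root / "index.php").write_text("<?php // clean index\n// extra line\n")
        (root / "wp-content" / "new.php").write_text("<?php // not uploaded by us\n")
        (root / "wp-content" / "themes" / "style.css").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline snapshot somewhere the web server cannot write to, so a script that modifies site files cannot also rewrite the record it is compared against.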
So, there you have it! A completely new install and the additional security needed to keep the site safe in the future!
Jodi Crosby, Smart Virtual Assistant for You, is a mom and an entrepreneur committed to working with small business owners. My goal is to enable you to accomplish your goals while leaving the administrative tasks to a professional. I understand that being in business for yourself, while very rewarding is also very challenging. Smart Virtual Assistant for You can help. Visit http://smartvaforu.com. Follow Jodi on Twitter @SmartVAforU