Malware, you will not bring me down

You learn the hard way when your site is actually shut down, blocking your users’ access, or the softer way when your host informs you that they’ve detected something potentially harmful. You’ve been hacked. Now what? You need to find the source of the trouble, but how? Where to begin getting things back to normal?

Step 1: Identify the culprit.
Step 2: Squash it like a bug.

If you’re running WordPress, there are plugins that say they can help, but my experience with them has proven fruitless. I tried Anti-Malware (Get Off Malicious Scripts), and it alerted me to a number of potentially harmful files, but was completely inaccurate. Then it didn’t actually offer me a way to deal with the problem – isn’t that really what people want? Help?

A good web host should also help, and have monitors in place to detect these kinds of attacks, as well as provide at least useful information about it if not an actual intervention. Sadly, with a lot of the “cheap” hosts used by the masses (myself included), the information comes too late and is often not even helpful. Can’t get a live human on the phone? Consider changing hosts…

My advice? Google Webmaster Tools. It’s free, it’s fast, and it’s accurate. It won’t do the work for you, but it will tell you what to look for and let you know if you’ve got it all after cleaning house.

Tips to prevent malware and getting hacked:

  • Make sure your software is up to date at all times. That includes your CMS if you’re running open source like WordPress or Prestashop, as well as any external modules. If a plugin hasn’t been updated by its author in a long time (a year is a long time), consider replacing it with something else, and delete any plugin or theme you aren’t using: inactive code still sits on the server and can still be exploited.
  • Change your passwords every few months, and use long passwords that are unique to each account (a password manager makes this painless); mix upper and lower case letters, a number or two, and the odd symbol if it’s allowed. Change passwords on your WordPress or other CMS admin login, your FTP user account(s), and even your host panel login.
  • Purge your spam comments regularly.
  • Sign up for Google Webmaster Tools (or ask your webmaster to)! It’s free, and it’s a fabulous service for both optimizing and protecting your site. I just received an email from them this morning informing me of a new service: now they will send you an email immediately should they detect anything shady going on with your site.

Ok, you got hacked:

  • Identify what code has been used. It’s easier to find what you’re looking for if you can call it by name. Google Webmaster Tools has proven the most effective for this (neither the web host nor the malware plugin was able to correctly identify the source of the problem in a recent case I worked on).
  • Look, via FTP (either with an FTP client like Fetch, or through your host’s admin panel if they offer one; use SFTP if your host supports it, since plain FTP sends your password in clear text), for any files that have been updated recently. This means going into each folder, as the folder’s own timestamp won’t tell you when the files within have been modified. Bear in mind that file timestamps can be faked, so an old-looking date doesn’t prove a file is clean. Replace any you find with the original files when possible. Otherwise, open them up, look for that nasty code, and delete it. Common places are among plugin files and theme files.
  • Look also for any files that shouldn’t be there. This could include PHP files or even images (a file named like an image can still contain PHP). Compare what’s on your server with a fresh copy of the same WordPress version you’re running (update afterwards, once the site is clean, so legitimate version differences don’t muddy the comparison), and delete any core files that are now obsolete, or any files that simply look dubious (satan.php? yeah, that probably shouldn’t be there).
  • And finally, if Google is still showing a red flag, then you have to get your hands dirty and comb through the database. There’s no way around it. It’s not rocket science, but it should be done by a knowledgeable person, and only after taking a backup. No sense in breaking things even more! I’ve found malware embedded directly into blog posts, and even in past revisions of blog posts! Now that’s sneaky…
  • When you think you’ve eradicated all the bogus code, change every password from the list above (admin, FTP, host panel), since whoever got in probably still has the old ones, and then ask Google to review the site. Red flag? Comb back through it again, you’ve missed something. Green flag? You’re good to go!