A couple of days ago, a team member pointed us to a discussion in a WP community on Facebook. The lady in question had suspicious files on her site due to a broken plugin. Over multiple posts she poured out her doubts and feelings, along with her questions about the fix she needed. The underlying feeling of being trapped and cheated was unmistakable. It was akin to having someone break into your house while you are still there and enjoy your property at your expense, without your knowledge. She admitted to feeling bad, and understandably so. Since the only alerts she was used to were plugin updates, the shock is easy to imagine.
In brief, on logging in she noticed a security alert, which she verified with another security check. One can only imagine that she was sincerely hoping and praying that the worst was not true and that it was just an oversight on her part.
That was however not the case. She quickly started posting on what she thought were the options open to her.
The first option was to review the logs, checking each entry from the back end to find the issue. This can be impossible if there is too much data to go through or too little information in it. There are also cases where the logs are lost or are difficult to decipher.
The second option was to back up, do away with the contents of the problem site, and restore. But what if the backup also contains the hack? How can one be sure that all the contents of the backup are clean? The only way to do this would be to run a security check after restoring.
It was obvious that she was thinking aloud through her posts and that these were the many thoughts running through her mind. The community reached out to her. Common solutions given were:
a) back up everything – a backup can save much time and effort in restoring a site.
b) update all plugins – Often older versions of plugins contain vulnerabilities which are exploited by hackers. Hence it is advised to update the plugins to their latest versions.
c) clear cache.
d) look in Temp folder – Hackers at times upload malware in the temp folders and hence cleaning them is advisable.
e) look for files with suspicious code – Malware at times contains certain strings like base64_decode or eval. Searching for files with such code can help identify malware too.
The above mentioned are good points to follow. Read up to know more on what to do when your WordPress site gets hacked.
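Checks (d) and (e) above can be run over a downloaded copy of the site with a short script. The following is an added example, not part of the original post or the community thread. The extension list, the `DATA_DIRS` names and the sample tree are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Strings the article names. Legitimate plugins use them too, so a hit means
# "review this file by hand", not "this file is malware".
INDICATORS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
}
PHP_EXT = {".php", ".phtml", ".php5", ".inc"}
# Assumption: directories meant for media or scratch data, never for PHP code.
DATA_DIRS = {"uploads", "tmp", "temp", "cache"}


def scan(root):
    """Return {relative path: sorted reasons} for PHP files worth reviewing."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root)
        in_data = DATA_DIRS & {part.lower() for part in rel.parts[:-1]}
        reasons = {"php-in-data-dir"} if in_data else set()
        data = path.read_bytes()
        reasons.update(name for name, rx in INDICATORS.items() if rx.search(data))
        if reasons:
            findings[rel.as_posix()] = sorted(reasons)
    return findings


def build_sample_site(root):
    samples = {  # constructed sample tree; names and contents are made up
        "wp-content/plugins/gallery/gallery.php": b"<?php echo 'hello';",
        "wp-content/plugins/gallery/img.php": b"<?php eval (base64_decode($x));",
        "wp-content/uploads/2015/01/cache.php": b"<?php // nothing obvious",
        "wp-content/uploads/2015/01/photo.jpg": b"\xff\xd8 not PHP, skipped",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, why in sorted(scan(site).items()):
            print(rel, ", ".join(why))
```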
The lady got back shortly with a second post, wanting to know whether she should access files through FTP or SFTP, or take a backup and restore her site. One suspected piece of malware, and she was double-checking every move she made. Loss of faith is the natural thing in such cases; it is, after all, a breach of security.
She was unsure whether she should access the WP admin or not. One needs to be wary of logging into the admin when hacked, since the hacker might have left some code to track the password used to log in. For safety in such cases, the password can be changed using phpMyAdmin or FTP before logging into the WP Admin.
She got helpful responses for her second post as well. It was really heartening to see so many people reach out to someone, eager to help out. That set the ball rolling. She posted each step of action taken, waited to hear back on comments so that she could gauge her way out of the mess her site had become.
She not only wanted to fix the issue but was also keen to find out where it had started in the first place. She seemed to be taking notes on what to do and what not to do going forward. The nomenclature of the diseased plugin seemingly added to the confusion and frustration. The site appeared to have been affected by the Slider Revolution hack.
At the end of the week, when it was thought that an issue had been solved, lessons had been learnt, she posted again. She had received an alert about the installation of a plugin that her host had added to her freshly cleaned site. Clearly, she had hit the panic button hard. Help was at hand, so was empathy. The community member who had suggested she check changes on her site with her host, also posted that he imagined being in her shoes and it was not a good feeling. She stated that her host provider was frequently updating plugins without permission. While that may be part of the problem, it is not the core issue.
Though she had zeroed in on the folder with the malware, the key concern would be to find out how the break-in happened and fix it accordingly. Frequent security checks and identifying possible hacks can save you from a lot of grief.
All in all, a scare, though very unpleasant to recount, does keep us on our toes. So, how do you protect your site?