Warning! Your site has been infected with malware...

[James Watt]

Time for another quick tool question.

I don't do a ton of actual website work anymore, but after a recent client (whose site was managed by someone else) got hacked, I decided it's time to revamp my 'best practices' to make sure clients are safe.

What I'm wondering... are there big holes I'm leaving out in my ignorance? My one tool I've been recommending is for wordpress, what if they're using Weebly or something? If they lock down one site, but have another on the same server that gets hit, does that open a door into their business site? I honestly don't have all that clear of a sense of what hackers in 2016 even do, so if this is something you know about, by all means point me to some good reading material to get up to speed.

Currently, aside from a quick conversation about password safety, I make sure they install wordfence (if they're using wordpress) to block brute force attacks and get an alert with their malware scanner if anything does get through. That's about it, and I haven't had any problems with clients I've done that with. What do you do, and what would you add?

 

[Linda Buquet]

I don't know much about hacking either.

All I know is David my forum admin, keeps up Wordpress for me too and I know he uses WordFence because he got alerts a couple weeks ago and we had to have host block some IP ranges.

He may have other suggestions too? Or anyone else?

 

[Eric Rohrback]

Run the site through sucuri's tool - https://sitecheck.sucuri.net/

You can sign up for automatic monitoring with them as well. The other thing is to just keep an eye out where the site is hosted. Cheaper hosts are more lax on security, so you just need to do your homework. Another basic is to make sure plugins are updated, and make sure you're not using anything too outdated on your site. If the plugin developer decides to forget about the plugin, you should probably dump it too.

 

[Greg Schueler]

The most important thing is to just keep up to date and monitor the site.

Make sure all installed plugins and themes are always up to date even if not activated. Also make sure that themes/plugins are not "abandoned". I have seen installed plugins that show as 'last update: 5 years ago', so you won't see an update notification, but the plugin is severely outdated and vulnerable.

WordFence (even the free version) is a must and does a great job of preventing attacks and helps notify you if anything changes or needs updated.

BackupBuddy (or any good backup system) - keep regular backups even if your server/host claims to also have backups. That way if you are ever hacked you can restore quickly instead of cleaning the entire server.

GOTMLS is a great plugin and will pick up many site infections beyond what the other scanners can find. I recommend scanning with this once a month. The Sucuri scan is decent, but misses a lot since it is an external/public side scanner.

If you have multiple sites on one server (add-ons with same cpanel logins) any infection can (and will) bounce from site to site. One bad folder on your server could be an access point to attack all sites. If you have a "reseller/whm" type server and each site has it's own separated cpanel access, it's won't be an issue.

When you clean an infected site, it's important to look at the site files, other files on the server and the database for infected files. Look for additional WP Users and different emails attached to your users.

Once you clean a server/site, change all the passwords.

To remove the Google Warning (This site has been hacked), once clean, use Google Search Console (Webmaster Tools) to submit a review. They usually reply in less than 12-24 hours.

If you ever need help cleaning a site, let me know. As dirty as it can be, I like doing this service.

 

[theitsage]

Eric and Greg got most of the technical points covered. I would add the human element which is the least discussed yet most penetrable part of the equation.

My approach is to start with whom and how the site was built. You'll be surprised by the number of people and companies involved. The second step is user permissions to the backend. Delete names you don't recognize or should no longer need to access the site.

Plugins are most vulnerable when they're not up to date. Therefore, it's best to limit the amount of plugins a site uses to improve both security and performance.

 

[Kristen]

To remove the Google Warning (This site has been hacked), once clean, use Google Search Console (Webmaster Tools) to submit a review. They usually reply in less than 12-24 hours.

Also, once a site has been cleaned, be sure to contact major security services so they update the website's rating accordingly: https://sitecheck.sucuri.net/ to ensure it doesn't stay blacklisted.

You'll need to notify Google and possibly McAfee, Norton and others as well.

 

[James Watt]

Thanks for weighing in everyone! There's some great stuff here I'll be adding to the mix. Unfortunately the 'multiple sites on the same server' vulnerability is one I'm currently working through. A client's got their website managed with the owner's sister, and all her sites got hacked. I got access recently to the client site and cleaned it up, but it just got reinfected a day or two later. Suggesting they let me migrate it to it's own server account somewhere better, we'll see what they say.

Gotta love those family web developers. Thanks again everyone!

@Greg - depending on how things go with this client, if the sister can't get it cleaned up and migrating it doesn't close the backdoor, I might just be hitting you up in the near future, thanks for the offer.

 

[Eric Rohrback]

I have a website hack i'm dealing with now for a client, and I can clean the files up OK but my concern is the MySQL database. How can I check for hacks there? Anyone have suggestions?

 

[Scott Rawlins]

Following as we have had several hacks over the last week to 10 days. My tech team fixes it and then some are getting re-hacked. It's crazy!

 

[Eric Rohrback]

Greg jumped in and answered a private message I sent him. The biggest things he mentioned were changing the UN/PW for the database users, update the wp-config.php file, and looking for patterns (hacked URLs/hacked content) within the database.

@scott - Who were you running hosting through? Mine was Godaddy (another reason why I don't recommend them for hosting... ever).

 

[Greg Schueler]

Glad I could assist, Eric!

Following as we have had several hacks over the last week to 10 days. My tech team fixes it and then some are getting re-hacked. It's crazy!

Scott, If your "tech team" doesn't fully eliminate all the corrupted files/scripts, the hack will keep coming back. And if you happen to have multiple sites (non isolated )on the same cpanel/server, all need to be cleaned or the hack will just keep bouncing back and forth.

 

[Eric Rohrback]

Well... after looking through the database and file manager, it the database wasn't compromised (in my situation at least). Basically every level of the file structure was though. I was moving to a new server anyway, so all I did was clean up the child theme I created, and reinstalled everything else brand new.

What the hacker did once they were in was swap the contact page over to a file upload screen and that allowed direct upload to the server. Nasty stuff. This was the same thing that happened with the old site, so I don't think this is a WordPress issue (client had a static HTML site before). I wonder if this is a Godaddy hosting-specific vulnerability.

 

[djbaxter]

The most important thing is to just keep up to date and monitor the site.

Make sure all installed plugins and themes are always up to date even if not activated. Also make sure that themes/plugins are not "abandoned". I have seen installed plugins that show as 'last update: 5 years ago', so you won't see an update notification, but the plugin is severely outdated and vulnerable.

WordFence (even the free version) is a must and does a great job of preventing attacks and helps notify you if anything changes or needs updated.

BackupBuddy (or any good backup system) - keep regular backups even if your server/host claims to also have backups. That way if you are ever hacked you can restore quickly instead of cleaning the entire server.

GOTMLS is a great plugin and will pick up many site infections beyond what the other scanners can find. I recommend scanning with this once a month. The Sucuri scan is decent, but misses a lot since it is an external/public side scanner.

If you have multiple sites on one server (add-ons with same cpanel logins) any infection can (and will) bounce from site to site. One bad folder on your server could be an access point to attack all sites. If you have a "reseller/whm" type server and each site has it's own separated cpanel access, it's won't be an issue.

When you clean an infected site, it's important to look at the site files, other files on the server and the database for infected files. Look for additional WP Users and different emails attached to your users.

Once you clean a server/site, change all the passwords.

The second step is user permissions to the backend. Delete names you don't recognize or should no longer need to access the site.

Plugins are most vulnerable when they're not up to date. Therefore, it's best to limit the amount of plugins a site uses to improve both security and performance.

All good points.

You need to protect both the server and the site. Here are the basics I use:

Server:

• ConfigServer Security & Firewall
• ClamAV Scanner

WordPress Plugins:

• Advanced Automatic Updates
• Plugin Vulnerabilities
• Wordfence Security

As has already been pointed out, make sure you update themes and plugins as well as the core WordPress files, and that includes inactive plugins and unused themes. If a file exists on the server, whether you are using it or not, it can be hacked and and the malware will spread.

A good security conscious host is essential these days.

 

[Conor Treacy]

One other item to address on here since it was mentioned to change the username and passwords for the accounts in the database - if possible, do this from the database level and not your CMS (WordPress, Drupal, Magento, etc).

Often times in the hack the configuration files (or database records) can be modified to BCC a copy of the password change request to a 3rd party. So while you may have modified the password, you've also notified the hacker

If you modify from the database level (you can use phpmyadmin with most sites, or NaviCat etc), then you're modifying without notification. You will need to ensure you're using the MD5 encryption or whatever levels your software uses, but you get the idea.

Having run a web hosting company for 15+ years, I've seen it all, and cleaned much of it up. It still amazes me how much web hosting companies could do to help their users, but they don't do it.

We worked with a client a couple of weeks ago that were hit, their host wanted $700 to review the site. Instead, I downloaded a backup, pulled their apache log files, parsed everything and ran a simple script (they wouldn't allow the script to run on the server). Within about 15 minutes, we had a full list of all infected files, and it didn't cost $700!

For those running VPS servers, check out "maldet" - it will parse through all files in a users directory and hilight suspicious lines.

We ran this for ALL clients every night on every server, and notified users of potential issues. So much can be done in security, but web hosts don't do it, they just suspend the user then leave it up to client to fix it (with no instructions).