Fixing the Hack

How I got my website back.

After I realized that my website was hacked I had to fix it. I decided on the following course of action:

  1. Identify the problem
  2. Identify all instances of the problem
  3. Fix all instances of the problem
  4. Make sure it doesn’t happen again

SIDE NOTE: Before I did anything I backed up all the data in my database. In case anything got really messed up I could always do a clean install of WP and reload my data. Here is a great page on how to back up your database.

I determined that the first thing I needed to do was to identify the problem. I knew from my anti-virus warning that something bad was happening when my homepage was loading. So I decided to start my search there.

I don’t know if this part was necessary but I decided to do all the fixing and testing on an old laptop that was just lying around the house. It made me feel more comfortable knowing that if some nasty malware got unleashed, I could just reformat the whole computer and not lose anything.

I downloaded all the files from my web server onto a flash drive using my old laptop, and I also downloaded the newest version of WordPress on my good computer so that I could use the clean files as a reference.

As soon as I opened my index.php file in my favorite text editor (Notepad++) I noticed a suspicious line of code on line one. It was a PHP command that looked like this:

<?php eval(base64_decode('aWXXXXXXXXXXXXXXXXXXXXX')); ?>

Where the ‘XXXXX’ garbage was a long string of alphanumeric characters.

A quick comparison with the “clean” WP files confirmed that the garbage code should not have been there. So I decoded it with an online Base64 decoder (in Safe Decode mode), confirmed that it was a virus and deleted it from the file.

Not convinced that the hackers would inject only one line of code in my files and be happy with it, I needed to look for more instances of that code elsewhere on my site. Sure enough, I found it again in the next PHP file I looked at, and then again in the next.

I have over 1,000 files on my site and I needed a quick way to scan all the files on my site for instances of that malicious PHP command. I found Windows Grep online and it did the job fantastically. I just searched the entire directory where my site files were stored and I found another 21 instances of the malware code in 21 different PHP files.

I cleaned all the files, FTP’d them to my web server and my site was back to normal and back under my control. I also found something suspicious inside a PNG file in one of my plugins. I didn’t know what it was but I trashed it anyway. I removed the whole plugin and deleted its directory from my web server (I wasn’t using it anyway).
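The search-and-clean step above (the Windows Grep pass over 1,000+ files, plus the PHP tag found inside a plugin’s PNG) can be done with a short script run against the downloaded copy of the site. This is an added example and not the tool the post used: it walks the site copy, reports every eval(base64_decode('...')) it finds with the payload decoded for reading only (never executed), flags PHP open tags inside image files, and can strip the exact injected one-liner after saving a .bak copy. The sample site it builds in a temp directory is constructed for the demo; the file names and regexes are this example’s own.

```python
"""Scan a downloaded site copy for eval(base64_decode(...)) injections and for
PHP tags hidden in image files. Added example, not the original post's tool.
Usage: python scan_injection.py /path/to/site-copy [--clean]
"""
import base64
import binascii
import re
import shutil
import sys
import tempfile
from pathlib import Path

# Exact shape of the injected one-liner described in the post (regex written for
# this example):  <?php eval(base64_decode('...')); ?>
INJECTED_LINE_RE = re.compile(
    r"<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;?\s*\?>\s*"
)
# Looser match for the decode-then-eval idiom anywhere in a line (reporting only).
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp"}


def safe_decode(b64: str) -> str:
    """Decode the payload so a human can read it. It is never passed to PHP or eval."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "<undecodable base64>"
    return raw.decode("utf-8", errors="replace")


def scan_file(path: Path) -> list:
    """Return findings for one file; an empty list means nothing matched."""
    findings = []
    suffix = path.suffix.lower()
    data = path.read_bytes()
    if suffix in IMAGE_EXTS:
        # An image has no business containing a PHP open tag.
        if PHP_TAG_RE.search(data):
            findings.append({"file": str(path), "line": 0, "kind": "php-tag-in-image", "decoded": ""})
        return findings
    if suffix != ".php":
        return findings
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EVAL_B64_RE.finditer(line):
            findings.append({"file": str(path), "line": lineno, "kind": "eval-base64",
                             "decoded": safe_decode(m.group(1))})
    return findings


def scan_tree(root) -> list:
    """Walk every file under the site copy and collect findings (the grep step)."""
    root = Path(root)
    return [f for p in sorted(root.rglob("*")) if p.is_file() for f in scan_file(p)]


def clean_file(path) -> int:
    """Strip the exact injected one-liner from a PHP file after saving a .bak copy.
    Returns the number of removals; only INJECTED_LINE_RE matches are touched."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    cleaned, n = INJECTED_LINE_RE.subn("", text)
    if n:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(cleaned, encoding="utf-8")
    return n


def build_sample_site(root) -> None:
    """Constructed sample site copy for the demo: one infected index.php, one clean
    file, and a plugin PNG with a PHP tag appended. Not real site files."""
    root = Path(root)
    (root / "wp-content" / "plugins" / "oldplugin").mkdir(parents=True)
    payload = base64.b64encode(b'echo "constructed sample";').decode()
    injected = f"<?php eval(base64_decode('{payload}')); ?>\n"
    (root / "index.php").write_text(
        injected + "<?php\ndefine('WP_USE_THEMES', true);\nrequire 'wp-blog-header.php';\n")
    (root / "wp-login.php").write_text("<?php\nrequire 'wp-load.php';\n")
    (root / "wp-content" / "plugins" / "oldplugin" / "icon.png").write_bytes(
        b"\x89PNG\r\n\x1a\n" + b"<?php /* constructed sample */ ?>")


def run_demo() -> dict:
    """Build the sample site in a temp dir, scan it, clean index.php, return results."""
    root = Path(tempfile.mkdtemp(prefix="scan-demo-"))
    build_sample_site(root)
    before = scan_tree(root)
    removed = clean_file(root / "index.php")
    after = scan_file(root / "index.php")
    head = (root / "index.php").read_text(encoding="utf-8")[:16]
    return {"before": before, "removed": removed, "after": after, "index_head": head}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        for f in run_demo()["before"]:
            print(f"{f['kind']:18} {f['file']}:{f['line']}  {f['decoded']}")
        sys.exit(0)
    site = Path(sys.argv[1])
    for f in scan_tree(site):
        print(f"{f['kind']:18} {f['file']}:{f['line']}  {f['decoded']}")
    if "--clean" in sys.argv:
        for p in site.rglob("*.php"):
            n = clean_file(p)
            if n:
                print(f"removed {n} injected line(s) from {p}")
```

Running it with no arguments scans the constructed sample; pointing it at a real site copy prints every hit before anything is changed, and --clean only removes the exact one-liner pattern. It will not catch variants that wrap the payload in gzinflate, str_rot13 or hex escapes, so a clean run is a starting point for the backdoor hunt, not the end of it.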

After my site was cleaned back up I went in and changed all my passwords. I changed the FTP password, the WP password and also the database password (I had to use phpMyAdmin to do this). If you change your database password using phpMyAdmin, be sure to also update the password in wp-config.php (the DB_PASSWORD setting), or else you will get an error connecting to your database.

So that was my fix. I’m still combing through the site files looking for a possible backdoor, but I’m confident at this point the site poses no threat. Vigilance is at an all-time high.

I learned a lot of valuable lessons from this experience and I will share them with you soon.
