Hacked

On Friday night, while browsing through an old article on my blog, I stumbled onto a post that had a strange formatting issue.

This isn’t the first time I’ve noticed formatting issues on my blog: back in 2009 I had an issue with strange characters showing up. When I investigated that particular problem, it turned out to be a character encoding issue with MySQL. I fixed the character encoding, edited all of the posts that had the strange characters in them and the problem didn’t reappear.

What I noticed on Friday night was a little different: it looked as if I had mistakenly pressed <enter> halfway through a paragraph. Initially I thought it might have just slipped through the cracks while writing or editing an old post, so I fixed the issue and moved right along.

Half an hour later I ran into another post with the same sort of problem, which was very odd. This time when I went to edit the post, I switched from the WYSIWYG editor into the text editor and, lo and behold, I found something like the following within the post:

<div style="display: none"><a href='http://buy-cialisshop.com/' title='buy cheap generic cialis online'>buy cheap generic cialis online</a></div>

At that point I realised that my blog had been hacked. Once the hackers got in, they edited old blog posts, inserted links to their favourite cheap pharmaceutical websites and moved on to the next website to hack, all in an attempt to boost the rankings of their low quality, crap websites in Google search.

How To Fix A Hacked WordPress Website

My first plan of attack was to understand how broad the problem was throughout my blog. I obviously couldn’t go through all of my blog posts manually, as I’ve got literally hundreds of published items over the years.

To expedite that part of the process, I used a website analyser by Microsoft named the IIS7 SEO Toolkit. It can crawl a website, a lot like how Google crawls the entire internet, just on a much smaller scale. Once it finished crawling through hundreds of pages, it analysed them all and provided a reporting interface that made it easy to identify every website I’ve linked to over the years, including the newly inserted, irrelevant spam links. I worked through that list manually and then edited each relevant blog post to remove the spam links.

Next up, I reviewed what users existed within WordPress. When you install WordPress for the first time, it creates an administrator named ‘admin’ by default, or with a name of your choosing. I don’t recall why, but I let it create the default ‘admin’ user and subsequently created an additional account for myself. The default admin user had a randomly generated password, so I don’t think it was the cause of the hacking, but the account was removed anyway as it isn’t needed.

I suspect that the hackers got into my blog using a brute force attack. In these scenarios the attacker attempts to log in thousands of times using a known set of passwords, often starting with dictionary words. This was an obvious problem for my site, as I was using a dictionary word as a password; I should, and do, know better. I’ve updated my account password to a unique, long, randomly generated one using every type of character under the sun, in an attempt to avoid this happening again in the future.
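As an added example that is not part of the original post, here is how the brute force pattern described above shows up in a web server access log, and a small script to flag it. It assumes Apache “combined” log format and the WordPress behaviour that a failed login to wp-login.php re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines are constructed for the example, not real traffic, and the threshold of 20 failures inside 5 minutes is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    # Assumption about WordPress: a wrong password makes wp-login.php re-render
    # the form (200), while a correct one redirects to wp-admin (302).
    return (rec["method"] == "POST"
            and rec["path"].split("?")[0] == "/wp-login.php"
            and rec["status"] == 200)


def login_bursts(log_text, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: most failed logins seen inside any `window`} for IPs that reach `threshold`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def _constructed_log():
    """Constructed data, not real traffic: 25 failed attempts in about 100 seconds
    from one client followed by a success, plus an ordinary visitor who logs in once."""
    base = datetime(2010, 3, 14, 2, 11, 1)
    fmt = "%d/%b/%Y:%H:%M:%S"

    def line(ip, t, req, status):
        return f'{ip} - - [{t.strftime(fmt)} +0000] "{req} HTTP/1.1" {status} 3452 "-" "Mozilla/5.0"'

    lines = [line("203.0.113.7", base + timedelta(seconds=4 * i), "POST /wp-login.php", 200)
             for i in range(25)]
    lines.append(line("203.0.113.7", base + timedelta(seconds=101), "POST /wp-login.php", 302))  # attacker got in
    lines.append(line("198.51.100.4", base + timedelta(minutes=30), "GET /2009/mysql-charset/", 200))
    lines.append(line("198.51.100.4", base + timedelta(minutes=31), "POST /wp-login.php", 302))  # owner's own login
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, n in login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-login.php POSTs inside 5 minutes")
```

The 302 that follows the burst from the same address is the line worth worrying about: it is the point at which the guessing stopped because a password worked. Run over a real log, the script only tells you who was guessing; it cannot tell you which password they used, which is why the fix above is a long random password rather than a rule in the log parser.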

Not knowing for sure how the hackers breached my WordPress website, it is possible that they edited the physical WordPress files on the web server, since they may have known my account password. Just to be sure, I downloaded a fresh copy of WordPress and re-installed it, to remove any possibility that the hackers had left a backdoor into the site for future use.

Like most WordPress website owners, I utilise plugins from around the internet to augment the default behaviour of WordPress. There is nothing inherently wrong with installing plugins; however, the quality of the software varies from plugin to plugin, as does the attention paid to security. As such, each plugin installed brings a small increase in the chance that it contains some sort of security vulnerability that could allow a hacker to get into the website. To reduce the likelihood of that happening, all of the plugins that were installed but not active have been deleted from the server.

To help monitor my website on an ongoing basis, I have set up a series of Google Alerts which will notify me via email/RSS if they find certain keywords within the content on my blog, such as viagra, cialis, porn, poker and so forth.
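The two checks above, listing every external site a post links to and watching the content for pharmaceutical keywords, are the analysis step that the SEO Toolkit report and the Google Alerts provided. As an added example that is not part of the original post, here is the same analysis written against a post’s HTML, so it can be run directly over exported post content without crawling. The post body is constructed for the example (it reuses the shape of the injected link shown earlier), the blog’s own host is assumed to be example.org, and the keyword list is an assumed one modelled on the alert terms mentioned above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample post body, not a real post: one legitimate internal link,
# one legitimate external link, and one injected hidden spam link.
SAMPLE_POST = """
<p>Some thoughts on <a href="https://example.org/mysql-charset">MySQL character sets</a>.</p>
<div style="display: none"><a href='http://buy-cialisshop.com/' title='buy cheap generic cialis online'>buy cheap generic cialis online</a></div>
<p>More text. <a href="https://wordpress.org/">WordPress</a></p>
"""

SITE_HOST = "example.org"  # assumed: the blog's own host, so links to it are not "external"
SPAM_WORDS = {"viagra", "cialis", "porn", "poker", "casino"}  # assumed list, modelled on the alert terms
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
             "embed", "source", "wbr", "param", "track"}


class LinkFinder(HTMLParser):
    """Collect every <a> with its text, title and whether it or an ancestor is hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []       # one bool per open element: hidden itself or via an ancestor
        self.current = None   # the <a> currently being read
        self.links = []

    def _hidden_now(self):
        return bool(self.stack and self.stack[-1])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        hidden = self._hidden_now() or bool(HIDDEN_STYLE.search(style)) or "hidden" in attrs
        if tag == "a":
            self.current = {"href": attrs.get("href") or "", "title": attrs.get("title") or "",
                            "text": "", "hidden": hidden}
        if tag not in VOID_TAGS:      # void elements never get an end tag, so keep them off the stack
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag == "a" and self.current is not None:
            self.links.append(self.current)
            self.current = None
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.current is not None:
            self.current["text"] += data


def classify_links(html, site_host=SITE_HOST):
    """Return one record per link: host, whether it is external, and why it looks suspicious."""
    parser = LinkFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        external = bool(host) and host != site_host and not host.endswith("." + site_host)
        haystack = " ".join((link["text"], link["title"], link["href"])).lower()
        reasons = []
        if link["hidden"]:
            reasons.append("hidden")
        if any(word in haystack for word in SPAM_WORDS):
            reasons.append("spam keyword")
        findings.append({"href": link["href"], "host": host, "external": external, "reasons": reasons})
    return findings


def external_hosts(html, site_host=SITE_HOST):
    """Distinct external hosts linked from the post: the outbound-link inventory."""
    return sorted({f["host"] for f in classify_links(html, site_host) if f["external"]})


def suspicious_links(html, site_host=SITE_HOST):
    """External links that are hidden from readers or carry a spam keyword."""
    return [f for f in classify_links(html, site_host) if f["external"] and f["reasons"]]


if __name__ == "__main__":
    print("external hosts:", external_hosts(SAMPLE_POST))
    for f in suspicious_links(SAMPLE_POST):
        print("suspicious:", f["href"], "->", ", ".join(f["reasons"]))
```

Fed the post_content column of every row in wp_posts, external_hosts gives the same list the crawl report gave, and suspicious_links narrows it to the links a reader would never see. The hidden check catches the injected link even when the spammer picks a product that is not on the keyword list, which is the case the keyword alerts alone would miss.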

In the next week or so I am going to review a bunch of different WordPress security focused plugins and best practices as well, to see what other security improvements I can make to my blog so this doesn’t happen again in the future.

Frustrating.