Nine days ago one of my subscribers emailed me and said he was getting malware warnings when attempting to visit this site. I responded with something insightful like, “aarrggghhhh. Hope it’s a fluke.” I wasn’t seeing any such warnings with either IE or Firefox and hoped (forgive me, Michael) it was just a problem with his browser.
It wasn’t.
Two days later I attempted to log on (using Firefox) only to see something like this:

“That can’t be good,” I thought, once again demonstrating my typical extraordinary mental acuity. Thus began a very frustrating week.
I switched to Internet Explorer and could access the site, but there was a small warning icon in the status bar. When I double-clicked on it, it indicated that my site was somehow linked with a certain IP address associated with malicious software; I tracked the IP to the Netherlands. Wonderful.
Understand: I’m no geek. I’m just a guy who started blogging on Wordpress.com and eventually migrated to WP.org. That I was able to move the content from the .com blog to this one without frying my computer or shutting off all the power in our town still amazes me. I don’t walk around talking about SQL databases, COBOL (whatever that is), and XHTML (ditto). To me, Python is a snake and Boo is what you say to frighten people. I’m not a technophile.
So, I was essentially lost. I contacted Support at DreamHost and they were very polite in their response, but said I was basically on my own. They did have a few suggestions including changing all my passwords, updating to the latest software (I was already running WP 2.7.1), and checking the database, looking for new users, plugins or any recently changed files.
These are, more or less in order, the steps I took:
- I logged onto DreamHost with my FTP client and began inspecting all the files in the database, looking for anything that had been changed in the last couple of weeks.
- It was at this point that I discovered a fundamental truth: if you don’t know code, if you don’t write code, if in fact you don’t know anything about code, examining code to find “bad code” is like inviting Gary Busey over to your house to troubleshoot the computer on your $80,000 Porsche: it’s sorta pointless and you may end up with a broken car. Nevertheless, I went back and looked at these files perhaps 10 times over the next several days…
- …looking for anything that had been changed recently and somehow appeared as though it didn’t belong. I saw a lot of stuff that looked weird – but most of what I saw looked weird. I didn’t see many files that had been changed in the last several days and those I did find were associated with me (not another user) and didn’t seem to contain any really odd looking stuff. Sigh.
- I logged into the WP admin panel and looked at all the files associated with the theme I use on the blog – the CSS file, index.php, header.php, footer.php – the whole lot. Again, I wasn’t able to see anything that looked completely out of place. (When I finally cleaned things up, I copied all of these files so I’d have a reference for the future.)
- I of course changed all my passwords – my DreamHost logon, my FTP client, my admin password in Wordpress – and used robust passwords to replace all, mixing letters, numbers and special characters randomly.
- Sunday was the day I got the Attack Site warning from Google. That night, I was nowhere. I told my wife, “I’m not sure I can figure this out….”
- Sometime on Monday I emailed blogger and Wordpress consultant Eric Hamm. Eric was sympathetic and tried to help, but his expertise lies more in web design – he’d never faced what I was going through. Lucky guy! Eric suggested Googling the warning message I was getting, and I did that and it provided a few ideas.
- I logged back onto DreamHost and restored the database to where it was 5 days prior, thinking that might bring it back to a state prior to the attack. This did two things: a) it confirmed that whatever code was creating the problem had been there for more than 5 days, and b) it wiped out several hours’ worth of work I’d put into a post I’d been working on. This created what is technically called an “Oh shit!” moment. I quickly re-restored the database to a backup from a few hours prior and recovered my work.
- Frustrated, I tried to think of someone else who might help, and emailed J.D. Roth of the popular personal finance blog Get Rich Slowly. I don’t know J.D. and he doesn’t know me, but he quickly wrote back with a few suggestions and after I responded he wrote again, saying that he’d scanned the code on my homepage and it appeared that the footer was where the malignant code was. While I was thinking, “How in hell did he figure that out??” I remembered that you can view the source code of any web page by clicking on View/Page Source in Firefox (View/Source in IE). When I did this, I immediately saw what he was referring to (coder or not, it stood out!). At the bottom of the page, beneath the code related to the footer of the page you’re viewing, there were 2 to 3 lines of code that just looked…. different.
- But where was the code actually located? J.D. thought it might actually be in the header. I searched the Wordpress forum for “site compromised,” “footer hacked,” “header hacked,” and the like and did find someone who does consulting on this sort of thing, which might be handy in the future (I hope not!!)
- Try as I may, I could not locate the code. In frustration, I logged on to DreamHost and thought, “What the hell, I’ll reinstall Wordpress!” Utilizing DreamHost’s “One Click Install,” I did just that (I backed up the database before doing this, just for good measure.)
- Then I went to the site, did the View/Page Source thing, and lo and behold, the mysterious code at the bottom of the page had vanished!
- Seeing that, I:
  - Backed up the database again
  - Changed every password again
  - Added another user to my Wordpress account, gave that user Admin privileges, and then deleted the “Admin” user. (When you delete the Admin, the software asks if you want to transfer all the content associated with the Admin to the new user. Answer “YES”!) Hackers, knowing that when you set up your Wordpress.org account you’re automatically using “admin” as your user ID, frequently try to hack into accounts using admin as the user – they just have to get lucky and hack your password (thanks to J.D.’s blogging partner Mac of Get Fit Slowly for this suggestion!)
  - Deleted every inactive plugin I’d installed. Googled the names of the plugins I use along with the word “vulnerability” to make sure none of them was vulnerable to attack
  - Deleted every unused theme other than the WP default theme (Wordpress gets wacky if it can’t find the default theme – don’t delete it)
  - Switched FTP clients, switching to a client that works with SFTP (I had been using FTP, which is less secure). Adjusted the settings at my host accordingly
  - Logged on via SFTP and deleted the entire “old” version of the database that was left after reinstalling Wordpress (I don’t know how wise this was, but I wasn’t taking any chances)
  - I was using a Popular Posts plugin that utilized data from Wordpress.com; I deleted the plugin after finding a new one that performs the same function
  - I also was using the Wordpress.com Stats plugin. Although I use Google Analytics on the site, the Stats plugin is handy for tracking traffic and which posts are getting the most page views right in the WP admin panel. Using this requires that I maintain a Wordpress.com account. I went to that account, set up a new User, promoted that user to Admin, and dumped the old (admin) user. The new user has a tough-to-hack user name and a robust password
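Several of the steps above (keeping a reference copy of the theme files, hunting through the install for anything changed in the last couple of weeks, and spotting the stray lines that showed up below the footer) can be turned into one repeatable check. The shell script below is an added example, not code from the original post, from DreamHost or from WordPress: it records a SHA-256 manifest of a directory right after a clean install and later reports which files were added, removed or altered since then, alongside the plain "modified in the last N days" listing. The directory, file names and appended lines it creates are constructed stand-ins for a real wp-content/themes folder, not anything taken from the compromised site.

```shell
#!/bin/sh
# Added example, not code from the original post. Take a SHA-256 manifest of a
# WordPress directory, then later report files added, removed or altered since
# the manifest, plus files touched in the last N days. Paths are assumptions.

# Print "<sha256>  <path>" for one file (sha256sum on Linux, shasum on macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi
}

# Record a manifest of every regular file under $1 into $2 (paths relative to $1).
wp_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      hash_file "$f"
    done ) > "$2"
}

# Print the relative paths whose hash differs from manifest $2, plus files
# present on only one side (added or removed). One path per line.
wp_changed() {
  tmp="$(mktemp)"
  wp_baseline "$1" "$tmp"
  # diff's < and > markers flag lines unique to the old/new manifest; the hash
  # is the first field and the path is the rest. Strip both and deduplicate.
  diff "$2" "$tmp" | sed -n 's/^[<>] [0-9a-f]*  //p' | LC_ALL=C sort -u
  rm -f "$tmp"
}

# Number of paths reported by wp_changed (easier to check than the list).
wp_changed_count() {
  wp_changed "$1" "$2" | wc -l | tr -d ' '
}

# Files under $1 modified within the last $2 days: the post's "changed in the
# last couple of weeks" check. Timestamps can be reset, so the hash comparison
# above is the one to trust; this listing is only a quick first pass.
wp_recent() {
  find "$1" -type f -mtime -"$2" | LC_ALL=C sort
}

wp_recent_count() {
  wp_recent "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demonstration: a throwaway directory stands in for a real
# wp-content/themes/<theme> folder.
WP_DIR="$(mktemp -d)"
MANIFEST="$WP_DIR.manifest"
printf '<?php get_header(); ?>\n' > "$WP_DIR/index.php"
printf '<?php wp_footer(); ?>\n'  > "$WP_DIR/footer.php"
printf 'body { margin: 0 }\n'     > "$WP_DIR/style.css"
# Backdate the stylesheet so it does not count as "recent".
touch -t 200901010000 "$WP_DIR/style.css"

# Step 1: the reference copy, taken when the install is known to be clean.
wp_baseline "$WP_DIR" "$MANIFEST"

# Simulate what the post describes: an extra line appended below the footer,
# and a file that was not there before. Both are labelled placeholders.
printf '<!-- constructed: line appended after the baseline -->\n' >> "$WP_DIR/footer.php"
printf '<?php // constructed: file added after the baseline\n' > "$WP_DIR/extra.php"

# Step 2: the later check.
echo "Changed or added since baseline:"
wp_changed "$WP_DIR" "$MANIFEST"
echo "Modified in the last 14 days:"
wp_recent "$WP_DIR" 14
```

Run wp_baseline against the live theme (or the whole WordPress tree) immediately after a fresh install and keep the manifest somewhere the web server cannot write to; a manifest sitting inside the site directory can be edited along with everything else. In the demonstration, footer.php and extra.php are reported as changed while index.php is not, and the backdated stylesheet drops out of the 14-day listing.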
The IE warning went away immediately; Google removed the “Attack Site” warning about a day or so later (you have to request that they do this.)
Thus far the site is fine. That’s the good news. The bad news is I’m not certain how this all happened. Was it lax security at DreamHost? No idea. Did I log on to the blog while traveling (connecting wirelessly) and have someone capture my password? Possible, but when traveling with my laptop I use a password manager which logs me in without keystrokes.
In all of this I did realize that one of my passwords was not especially strong. Perhaps that was the culprit; I’m just not sure.
If you’re a Wordpress.org blogger, I’d suggest you dump the admin user if you’re still using it and make certain that all of your user IDs and passwords are as bulletproof as possible. If you’re using an FTP client to access your host server and database, switch to SFTP.
If any of you, reading this, have any suggestions or further ideas on how the site might have been compromised, I’d love to hear from you.
And finally, I need to thank a few people. Thanks to J.D., Mac, Eric Hamm, Michael Webber, and Vladimir Prelovac. I appreciate your reaching out when I needed help!
And a special thank you to my subscribers. As you can imagine, seeing 14 months’ worth of work in jeopardy was not a lot of fun. Traffic dwindled to a trickle during this experience, but through it all I didn’t lose any subscribers. Thank you for your patience, and for hanging in there. Many of you could have unsubscribed; you didn’t. You have no idea how much that means to me; thank you.
April 12th, 2009 at 4:13 pm
So, just wondering if your post on creating strong passwords is still info that you stand by? Are they as strong as you hoped?
Yvette
[Reply]
Kevin Reply:
April 12th, 2009 at 4:47 pm
Yvette,
I think the advice in that post is sound. Because I use a password manager (RoboForm), however, I tend to create passwords without using a specific formula; I simply use a variety of letters, numbers and special characters and try to be as “random” as possible in selecting them. …and I don’t use short passwords: the longer, the better.
By the way: the weak password I alluded to was just that. I created it about 8 months ago and GOT LAZY. It used a dictionary word, and worse yet, a series of numbers in sequence (e.g., 678910). Dumb. Not sure it led to my problem, but once it was in RoboForm I forgot about it. When I realized it was still in place I of course changed it with something much more robust.
[Reply]
April 12th, 2009 at 7:57 pm
Wow.
I think basically if hackers can hack Microsoft – and we know how many vulnerabilities they find all the time in MS products, particularly IE, then how safe is a little blog somewhere?
Golite’s commercially run website got hacked last year. Big name websites get hacked.
Don’t blame the victim!
Amazing job of cleaning up though. My brain is half-fried just from reading about it….
[Reply]
April 12th, 2009 at 8:06 pm
Glad you are back up and running. Good warning to keep in mind.
[Reply]
April 13th, 2009 at 2:33 am
Sorry, by my earlier comment, I certainly did not mean to insinuate that the strong password post was bad information! I was just asking if you had now re-evaluated the information in the light of last week’s events.
Thanks for your answer Kevin, I appreciate your candour.
I’m sorry if anyone thought I was criticising – that was NOT my intent!
Yvette
[Reply]
Kevin Reply:
April 13th, 2009 at 6:38 am
Yvette,
I didn’t take it that way at all; to be frank, in the past I haven’t been as careful with some passwords as I should have. The post about passwords is certainly valid, and a good approach.
[Reply]