Lessons from a WordPress hack

This is a blog post about the lessons I learned from a client’s experience with a WordPress hack. Having one of your client’s websites get hacked is a harsh reminder that every website is under the threat of a cyberattack, and of how important it is to take the necessary security steps when running anything on the Internet.

This post aims to share a brief overview of what happened and the lessons I learned from this hack, and to highlight the steps (lots of steps) I took to remedy the vulnerability, implement monitoring, and climb out of the hole that is having your website labeled as spam online.

What Happened?

The website that was hacked is a WordPress site that relies on a custom-developed theme and uses a lot of third-party plug-ins. The first thing I noticed was that users were not able to access the site because their requests were being blocked by their internal virus detection software. At first this was only happening for enterprise users who have a policy running on their machines that monitors which websites they visit.

Because I’m not running a URL monitoring tool on my machine, and neither is the client, none of us were getting the error, which made it pretty difficult to reproduce. To be safe I ran the website through a variety of highly reputable virus detection websites and all the scans came back clean. I did not, however, run any of our website files through a deep virus scan.

Google malware example – Sucuri

The next thing to happen, seemingly overnight, was that Google labeled the website as having malware, or possibly having malware. Having Google label the site as having malware had a measurable impact on site traffic, which was very obvious from the visits in Google Analytics. Naturally we kicked it into overdrive: instead of a couple of users not being able to access the site, suddenly anyone coming in from Google or using Chrome would get this warning.

Identify the Problem

The first step in dealing with this hack was to figure out what the problem was and to get it remedied ASAP. All of our WordPress sites are hosted on WP Engine. I opened a ticket with them to do a scan and remove any malware or infected files. I was under the impression that this was already in place and part of our hosting with their platform. I was wrong: virus monitoring and protection are not part of their hosting plan. It was my own mistake to wrongly assume something so vital was already taken care of without first verifying that was the case.

WP Engine uses Sucuri for their virus scans. After about 10 hours I received word from Sucuri via WP Engine that the infected files had been cleared. The easy part was now solved. Now came the hard part: getting the site’s name cleared from all the different websites and software that were now listing this website as having malware. Just removing the infected files from the website is only the first step in the process. Once Google had declared the site as having potential malware, a cascade of virus definitions and malware detection services were now listing the website as having malware. This includes anyone running Avast, FortiGuard and Norton, to name a few. All these users were still seeing a malware notification when visiting the website.

Remedy the Problem

The first step was to resubmit the site to Google to have them clear the website from their malware index. This was relatively quick, as I was able to resubmit the website using the Google Search Console. Search Console is also what sent us the notification when the site was listed as having malware. With a click of a button the site was reindexed, and after an hour or two we were notified that the malware warning had been lifted.

After the site was cleared from Google there was a little relief. One major hurdle was down. We needed to make sure that this wasn’t going to happen again, so I needed to get this site under a security scan that is always on the lookout for infected files. Part of the hosting package we offer is uptime monitoring. We did not include virus scans as part of the included package before this, because we incorrectly thought we got this protection from WP Engine. I was wrong in assuming something without verifying it first. I immediately signed the site up for security scanning and monitoring from Sucuri, which offers WordPress monitoring in two flavors:

  1. From a plugin. I don’t recommend this way, because if you have a large website the process of scanning from the website plugin will slow down the site, or possibly crash the site if the process is big enough. I’m speaking from experience, because this is what happened to us. In an effort to protect the website we set up scanning from the plugin and eventually crashed our own site in an effort to protect it.
  2. Set up a server-side scan where Sucuri connects remotely to your file share and performs the scan. This is what we do now, and there is no performance hit with this method. You can schedule when and how you want the scan to run. The service will email an alert when it finds a security concern, and will then also try to clear the vulnerability if possible. The service also comes with a nice and easy-to-use dashboard for each website you have enrolled in their service.

Sucuri dashboard

With the virus scan complete and in place, it was now time to get our website’s name and URL cleared from the lists of virus sites.

I’m not entirely sure what the primary source of the world’s malware listings is, but I’d be willing to bet Google is a top contender. Our client site was labeled by Google as having malware, then a bunch of virus scan software providers picked up the site as malware as well. There are a lot of sites that will report whether a site is infected. One of the best sites, and the one that I use, is VirusTotal. This site lists all the sites and virus scan providers that are reporting a website as malicious. Over time these lists will get updated on their own, but there is no telling how long that takes.

I started off going through, one by one, each of the items that were listed as infected and resubmitted the URLs via each provider’s website. Most of them were cleared after resubmitting, but some, like FortiGuard, took me emailing multiple people and addresses in the organization to get the website cleared from their virus definitions. Avast was another that I needed to message directly; they responded quickly and removed the classification almost immediately. Most sites will have a contact that you can message to get your site cleared if the website submission does not work. But they’re all a little different.

One by one I jumped through the hoops of each provider, and slowly the site started falling off their lists. Eventually, after two or three weeks of submissions and resubmissions, I was able to get all the virus scan sites to return a clean report for our client’s website.

In the end, responding to a hacked WordPress website was a headache on multiple fronts. Our customer looked bad and we looked bad, plus we ended up spending days working to get everything back to normal. To protect us and our clients against this sort of thing in the future, we now offer security and virus scans out of the box at no additional cost with all our hosting plans. If you host with us, or if we manage your hosting, we will set up a virus scan and protection out of the box. It’s no longer a special upcharge feature. All sites get this protection straight away.

To recap, if you find yourself in the middle of a WordPress hack, or any website hack for that matter, follow these steps to fix the situation as soon as possible. Hopefully you do not experience any downtime, blocked sites or malware labels.

  1. Clear the virus using Sucuri
  2. Set up a server-side scan immediately
  3. Install WP Fence or another firewall/WordPress monitoring plug-in
  4. Resubmit the website to Google for re-indexing
  5. Tell your hosting provider
  6. Work through VirusTotal to resubmit each site listed as infected and get it cleared
  7. Set up a system scan to watch for future threats
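Step 6 is the slow part: over two or three weeks you need to know which vendors still flag the site and which resubmissions have worked. The script below is an added example (not code from the original post or from VirusTotal) that triages a VirusTotal domain report into a vendor to-do list and diffs two reports taken days apart. The JSON is a constructed sample shaped like the VirusTotal v3 domain object (`data.attributes.last_analysis_results`); vendor names and verdicts are invented, and fetching a real report requires an API key.

```python
import json

# Constructed sample shaped like VirusTotal v3 data.attributes.last_analysis_results.
# Vendor names and verdicts are invented; a real report needs an API key to fetch.
def _report(verdicts):
    """Build a report JSON string from {engine: (category, result)}."""
    results = {e: {"engine_name": e, "category": c, "result": r} for e, (c, r) in verdicts.items()}
    return json.dumps({"data": {"id": "example-client-site.invalid", "type": "domain",
                                "attributes": {"last_analysis_results": results}}})

# Day 1: three vendors still flag the site after the infected files were removed.
DAY1_REPORT = _report({
    "VendorA": ("malicious", "malware"),
    "VendorB": ("harmless", "clean"),
    "VendorC": ("suspicious", "suspicious"),
    "VendorD": ("undetected", "unrated"),
    "VendorE": ("malicious", "phishing"),
})
# Day 8: after resubmitting, VendorA and VendorE have cleared; VendorC has not.
DAY8_REPORT = _report({
    "VendorA": ("harmless", "clean"),
    "VendorB": ("harmless", "clean"),
    "VendorC": ("suspicious", "suspicious"),
    "VendorD": ("undetected", "unrated"),
    "VendorE": ("harmless", "clean"),
})

FLAGGING = {"malicious", "suspicious"}  # categories that still hurt you

def _results(report_json):
    return json.loads(report_json)["data"]["attributes"]["last_analysis_results"]

def flagging_vendors(report_json):
    """Sorted [(engine, category, result)] for vendors that still flag the site."""
    return sorted((e, r.get("category", ""), r.get("result") or "")
                  for e, r in _results(report_json).items() if r.get("category") in FLAGGING)

def is_clean(report_json):
    """True once no vendor reports malicious or suspicious: the goal of step 6."""
    return not flagging_vendors(report_json)

def newly_cleared(old_json, new_json):
    """Vendors that flagged in the old report but not the new one: which resubmissions worked."""
    old = {e for e, _, _ in flagging_vendors(old_json)}
    new = {e for e, _, _ in flagging_vendors(new_json)}
    return sorted(old - new)

if __name__ == "__main__":
    for engine, category, result in flagging_vendors(DAY8_REPORT):
        print(f"{engine:10} {category:10} {result}  -> still listed; resubmit or contact vendor")
    print("cleared since last check:", newly_cleared(DAY1_REPORT, DAY8_REPORT))
```

Run it daily against fresh reports and keep the output with the ticket; the `newly_cleared` list is the evidence that a given vendor’s resubmission form or email contact actually worked.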