What to do when your hacked... how to fix it... here is a quick checklist

by LMC
8 replies
Hey Guys,

So this post is getting written because, despite my best efforts for a secure system, I had a handful of sites hacked this morning.

All Wordpress.

IF you wake up and you see something different on your site, claiming to be from:

E404 -- Most common with new timthumb hack

these are larger groups that will steal more then your site:
Masters of Deception
Legion of Doom
Chaos Computer Club
milW0rm
Red hacker alliance
Anonymous
Lulzsec

DON'T FREAK OUT.

In most cases, only a handful of things have been changed.

Most of them are not getting to your theme files, but to the core files of the Wordpress framework, they either will inset a index.html file that overrides the index.php file of Wordpress thus displaying their page.

A simple deletion of this file... and your all good.

Sometimes they get more indepth and will actually switch out your index.php file, in this case, download the latest version of WP and upload the new index.php file to your site.

-------

Where things get tricky...

Sometimes, they may touch your .htaccess file and completely override and change the way your domain acts, thus not even pointing to Wordpress.

Again, just download the latest version of the WP htacess file which should read something like this:


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

And your all good.


++++++++++++++++++++++++++++++++++++

Be sure to contact your host, to let him know that your site was hacked, tell them which group, and what they did.

Most of the time they can't do much, but... the more they know, the more protection they can give.
#checklist #fix #hacked #quick
  • Profile picture of the author Nick Lotter
    Thanks for putting this up, its good to know. Touch wood, none of my sites have been hacked before. At least now I have something to refer to if something like this happens to me Nice one.
    Signature
    "Do not wait to strike until the iron is hot; but make it hot by striking."
    William Butler Yeats
    {{ DiscussionBoard.errors[4400063].message }}
  • {{ DiscussionBoard.errors[4400119].message }}
    • Profile picture of the author Kai Kennedy
      Along with what LMC already said, I'd also install and run one of the various Wordpress Security plugins and also a Wordpress backup plugin.

      I use BackWPup and my backup is zipped and sent to Amazon S3.

      I also run rootkit detection scripts. Dont want to be on the receiving end of Lulzsec or Anonymous attack.

      I also spend a few extra bucks and run all of my niche sites in the cloud on ec2, which is also backed up to S3. So I can completely recover from a hack or outage no matter how severe.
      {{ DiscussionBoard.errors[4409390].message }}
      • Profile picture of the author MitchF
        There's a lot more to protecting a Wordpress site than just changing the htaccess file.

        I suggest you contact the WP security pros at WPSecurity.com if you're having problems.

        They cleaned up a bunch of my sites last year and I haven;t had any problems since. Plus the pages are now loading fast as can be.
        {{ DiscussionBoard.errors[4436570].message }}
  • Profile picture of the author Super Warrior
    Good, thanks for posting this stuff!


    - Steve
    Signature
    WARNING:: Wasting time on Facebook? Make $500 in just 24 Hours with this simple strategy!
    Get Free PDF (Direct download, no opt-in required)-->> Read It Now
    {{ DiscussionBoard.errors[4436692].message }}
  • Profile picture of the author imdomination
    Thanks for posting. Have saved it in case I ever get hacked. Hopefully I'll never have to use it though...
    {{ DiscussionBoard.errors[4437001].message }}
  • Profile picture of the author Targeted Traffic
    Some people are simply wackos...hacking will never stop, so there are some basic methods you can do...

    Choose highly secure passwords
    Regualrly update your software
    Use encrypted services and secure 3rd party sripts and add-ons
    Make sure you have your own back-ups.

    As a website owner you are responsible for keeping your password secure and your scripts bug-free. You must safeguard your data with routine maintenance and awareness of the protection that is available to you through your web hosting provider. Using virus scans, securing your passwords, clearing browser history, and being aware of general protection and security issues is the best way to prevent your website from being hacked.
    {{ DiscussionBoard.errors[4437061].message }}
  • Profile picture of the author Speedyapoc
    Although you remove the file, there is still the vulnerability. Protecting against hacking attempts isn't as easy as this.

    Make sure to keep upgraded on your Wordpress, and or other framework versions - as security vulnerabilities are patched everyday. Also, make sure that you do validate and check file integrity when doing uploading - the c99.php shell can be disguised as an image. Most importantly, never have important passwords saved in the database without being salted and hashed. When hacked, think back to the most recent thing that you changed, or where there might have been a vulnerability. My advice is to take down your site for a couple days, to make sure the whole situation cools down.
    {{ DiscussionBoard.errors[4437073].message }}

Trending Topics