Tag: security

What to do if your blog has been hacked

I’ve recently worked on a couple of blog sites that had fallen victim to malicious activity. The evidence was different in each case; for one it consisted of search results that promoted performance-enhancing drugs. And we’re not talking about blog performance 🙂 On both sites there was hidden text and HTML code in all the posts, containing offsite links to seemingly random and unrelated websites. The job I had was to remove any sign of malicious code and sanitize the sites. Additionally, I was getting browser warnings indicating malware was present on the page I was navigating to. The warnings suggested I not continue lest my PC be infected further.

Investigating a hacked WordPress site

With WordPress there are a few good ways to speed up the job of troubleshooting a hacked site, and speed may be of the essence with something like this. I asked the client when there were first signs of the malicious content or behavior – believe me, it’s very useful to know the exact date & time you first experienced the issue, as you’ll see later. If that time information is not available or cannot be remembered, viewing the server error logs promptly could give you some more information. Armed with that information, and presuming you can get into the site’s admin dashboard, you can try the following fairly standard actions to help uncover the culprit and mitigate further issues:

  • Disable all plugins
  • Switch to default theme
  • Use Theme Authenticity Checker

The Theme Authenticity Checker plugin does a quick scan of all installed themes for unnecessary code – typically this code consists of statements or functions like “eval( blah blah);” injected somewhere in any of a theme’s files. Pay attention to anything TAC highlights – perhaps removing unneeded themes. For any theme that is highlighted as containing potentially malicious code you’ll need to edit the affected file or remove the theme and re-install its files from the originals. That’s a drag if you’ve made theme modifications but it means you can get back online. In one of the cases here I was re-enabling the plugins one at a time and found that one plugin was causing an issue (preventing the blog from displaying); by removing it from the plugins folder I could continue.

However, perhaps your blog site is non-functioning and you can’t get into your site’s admin dashboard? Well, now’s the time to use FTP or SSH to connect to the server hosting the website. Remember I said how useful it is to remember the date & time you first noticed the hacking / issue? Well, here’s where you can navigate to the following folders and look for files that have been changed around the same date/time:

  • wp-content
  • wp-admin
  • wp-includes
  • wp-content/themes/*
  • wp-content/plugins/*
  • the folder above wp-content – sometimes public_html or public

* The above folder list is not exhaustive, but typically this is where the malicious code resides

In each of these folders look for other folders or files that have recently been created. These are sure indications that modifications have been made and you need to target those files or folders.
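The check described above can be scripted once you have SSH access. This is an added example, not code from the original post: it lists files under the folders named above whose modification time falls near the incident time, and flags PHP files containing an `eval(` call. The 48-hour window and the extra `base64_decode(` pattern are assumptions.

```python
import re
from pathlib import Path

# Folders the post lists, relative to the WordPress root (the root itself is also checked).
WATCH_DIRS = ["wp-content", "wp-admin", "wp-includes"]
# eval( is the construct the post names; base64_decode( is an added assumption.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode)\s*\(")

def changed_near(root, incident_ts, window_hours=48):
    """List (relative_path, mtime, has_suspicious_call) for files modified
    within window_hours of incident_ts (a Unix timestamp), oldest first."""
    root = Path(root)
    lo = incident_ts - window_hours * 3600
    hi = incident_ts + window_hours * 3600
    # Top-level files such as index.php, then everything under the watched folders.
    candidates = [p for p in root.iterdir() if p.is_file()]
    for name in WATCH_DIRS:
        if (root / name).is_dir():
            candidates += [p for p in (root / name).rglob("*") if p.is_file()]
    hits = []
    for path in candidates:
        mtime = path.stat().st_mtime
        if lo <= mtime <= hi:
            flagged = path.suffix == ".php" and bool(SUSPICIOUS.search(path.read_bytes()))
            hits.append((path.relative_to(root).as_posix(), mtime, flagged))
    return sorted(hits, key=lambda hit: hit[1])
```

Modification times can be reset by whoever changed the file, so an empty result is not proof of a clean site; comparing against a fresh copy of the same WordPress version is the stronger check.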

Fixing a hacked site

After searching in the above folders on the clients’ sites here’s what I found:

  • A folder called “backup” containing a malicious file, “backup-loader”, that had code to display an authentic-looking message on the WordPress dashboard.
  • An include statement at the top or within the index.php
  • A file/folder combination called “__notes/notes” that was included in index.php
  • Malicious code in wp-includes/theme.php
  • Malicious code in functions.php – an eval statement that referred to a setting in the wp_options database
  • Malicious javascript code in the wp_options database

With FTP you can download the files, fix them in a code editor, and then upload the fixed files. With SSH you can use a code editor directly on the server to remove the malicious code in the PHP files. Identifying the code to remove was pretty easy, as the code segments often looked out of place and were therefore easy to remove and test. The wp_options code required the use of a MySQL database client like PHPMyAdmin to manually edit the table and remove the code and the related entry / record to prevent re-infection.

Cleanse and Sanitize

I said before that one of the effects of this hacking was that all the posts and pages had been injected with additional HTML code. Again with a MySQL client, I looked through the blog database tables and found that the “revision” records for each affected post or page were also infected. Each malicious link was hidden from view with a CSS “style display:none” command, and each link was injected at a random location within the post content. This made cleansing a labor-intensive job (I could possibly have written some code to scan and remove them, but time didn’t permit), as I had to manually edit each post in the database – copying and pasting to a code editor, pasting it back into the database, viewing the page or post, and viewing the source to ensure the malicious code was gone.
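The scan-and-remove step mentioned above could look like the following. This is an added example, not code from the original post: `scrub` takes one post's content (as exported from the database, revisions included), drops every element styled `display:none`, and returns the cleaned markup together with the hidden links it found. The class name, function name and sample value are constructed for illustration.

```python
import re
from html.parser import HTMLParser

HIDDEN = re.compile(r"display\s*:\s*none", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag

class HiddenScrubber(HTMLParser):  # re-emits markup minus display:none elements
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. untouched
        self.out, self.links, self.depth = [], [], 0

    def keep(self, text):
        if self.depth == 0:  # emit only while outside a hidden element
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.depth or HIDDEN.search(a.get("style") or ""):
            if tag == "a" and a.get("href"):
                self.links.append(a["href"])  # record the injected link
            if tag not in VOID:
                self.depth += 1
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1
        else:
            self.keep(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.keep(self.get_starttag_text())
    def handle_data(self, data):
        self.keep(data)
    def handle_entityref(self, name):
        self.keep(f"&{name};")
    def handle_charref(self, name):
        self.keep(f"&#{name};")
    def handle_comment(self, data):
        self.keep(f"<!--{data}-->")

def scrub(post_content):
    parser = HiddenScrubber()
    parser.feed(post_content)
    parser.close()
    return "".join(parser.out), parser.links

SAMPLE = '<p>Hi<div style="display:none"><a href="http://spam.example/">x</a></div> all</p>'  # constructed
```

The depth counter assumes hidden elements are properly closed, so review the returned link list and a diff of each post before writing the cleaned content back, and take a database backup first.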

Check in with Google Webmaster Tools as well to see if Google has identified malware on your site. If it has, then follow its suggestions as to how to get the information Google stores about the site updated to reflect the current, non-malware, site.

WordPress Security Review

Once your site is cleansed and working you might take a look at further locking down access to reduce the chances of this happening again. Changing your admin and FTP passwords regularly is always good practice but there are more hints and tips in my WordPress Security post.

I successfully managed to fix these sites using the techniques described above – if you ever experience similar incidents then this short guide will help you. I do recommend now after all of this, taking a database backup and upgrading to the latest version of plugins and WordPress as soon as possible.

Thoughts, ideas always welcome in the comments.

*Update* After I completed this project I came across an updated version of Exploit Scanner – more information here. A useful tool to assist in fixing a compromised WordPress installation.

What is the best way to speed up my blog?

There are times when you see your blog fly and other times it seems like it’s taking an age to load. In your email you’ve got mail from users saying that the blog performance is degrading and not as good as it used to be. You keep checking that your blog cache program is enabled and wonder what else you can do. Well, you can wonder no more as I’ve collected the best tips on how to review your site configuration and restore the performance you and your users are used to.

Let’s take a look at the options you can explore to better improve the performance of your blog.

Blog performance break the speed limit


Blog Theme

Review your theme options, widgets and settings. Use Firebug to see if all your theme images are loading correctly, especially if you’ve experienced issues during a theme upgrade. Review your theme’s CSS files to see if there are references to images or other files that are no longer required or perhaps are missing. Disable any unnecessary widgets in your blog’s dashboard. You may also check that your theme is generating valid code using the W3C Markup Validation Service, or check with your theme developer or the support forum for your theme.

Blog Plugins

Simply put – do you need all the plugins activated on your site? Perform a quick plugin audit, comparing what you see on your home page and blog pages with your active plugins. If there are plugins that are active but not used then deactivate them one by one and refresh your blog page to see that it’s still all working. Sometimes going back to basics and deactivating all plugins is the only way to go. Also make sure you have the latest versions of the plugins you decide on keeping.

Blog Hosting

This can play a big part in the performance of your blog. With the big shift from shared (cheap) hosting to still cost effective and high performance VPS offerings like Slicehost (the host I use) and many others, there are more opportunities to gain improved performance by picking the right host. Look at your hosting package and compare the next one up with your existing host.

Blog Optimization

This can offer up some simple and not so simple tips to help you speed up the responsiveness of your blog. There are many tools you can use – the Firebug add-on for Firefox, Pingdom, YSlow (another add-on for Firefox) and even Google has a performance tool for Firefox. You can even try Is My Blog Working which, along with Pingdom, can give you an idea of the time it takes to load your site. You can compare the load time before and after any of the changes you make.

View the server log

This is probably the most technical tip in this post and varies wildly from host to host. I have found that sometimes it can lead you straight to a bottleneck because you see lots of errors being reported, and at other times you are swimming through the log struggling to find what’s occurring. For this one, perhaps work with your hosting tech support or a WordPress consultant if you feel you are still struggling with blog speed.

Blog Caching

This is typically performed by a plugin but there are lower level server options available if you’re running on a VPS or non-shared server. Such options include APC – Alternative PHP Cache – and these can improve the server performance and that blends through to your WordPress performance.

Within WordPress there are a number of caching plugins that you can choose to use – WP-Super-Cache and W3-Total Cache. I’ve used both and both can benefit from tuning of their options so be sure to review the options carefully. The basis of these WordPress caching tools is that they generate a single html page of your posts / home page that the web server can deliver to a browser much more efficiently than processing the page on each request. Most of the caching plugins have multiple options for tuning how it should work on your blog – try changing the available options to see if the performance improves.

Blog Security


Securing your blog is important and there are many options that will help you. Now, there’s no substitute for good security but you might not want to put so many locks on the blog that it takes too much time to do something simple. And each security layer can add a level of performance-sapping complexity. Review your blog’s security options and pare them down to the minimum necessary or within your security comfort level.

Blog Advertising

Advertising makes the blog world go around (along with B2B opportunities of course) and I’ve worked on one or two sites that have multiple advertising sections and there have been times where the site won’t completely load because it’s waiting for a piece of advertising to load. Review with your advertising contacts/services to see that you have the most optimal code for your advertising sections on your blog.

So, you can see there are many ways you can speed up your blog or at least tweak it for performance in some areas. If there’s a tip I’ve missed but you’ve used and benefited from then please leave a comment!

WordPress Security

There’s nothing like starting out the New Year by securing your WordPress blog. We all know that WordPress is really quick and easy to install, but out of the box it’s not necessarily configured to be fully secure or as secure as it could be. Keeping WordPress secure is not a full-time job, but a few simple tips and “hacks” implemented at any time post-install will reduce the chances of your blog being the victim of remote malicious activity.

Keeping WordPress secure

Over the past few months we’ve seen a multitude of point releases of WordPress. We’re all in favour of new features and performance improvements but sometimes we overlook the important security aspects these updates bring. Recently WordPress was the subject of an attack by a worm that had a negative impact on the performance and security of the software. (More details here).