Build Your Own Business Website header image

How to Identify and Repair a Hacked WordPress Site – How to Prevent your Site from Being Hacked

Difficulty Level -

Filed Under Topics -

Listed Under Lesson Subjects -

Applies to -

Whoops, you've found some premium content!

Watch the opening clip of this video to preview it,
the full video is available to paid members.

Now I want to talk about things to do to prevent your site from being hacked into in the future because I have no idea why this happened to you, Leah. It’s very clearly a hack of Genesis because the hack files only existed in the Genesis functions file and in the Agency Theme functions file and so somewhere there’s been an exploit of Genesis.

Where We Found the Hacked Files

Leah: In the beginning?

Rick: Yeah. This stuff was at the beginning of the files. So if you come over and look at Appearance and Editor, I can show where it was but I can’t show you what it looks like because it’s not there anymore. But if we go the Theme Functions file, it was right up here at the top. There was a whole bunch of base64 code that was in front of all of the rest of the stuff and it was the case in both the Agency Child Theme and in the Genesis Parent Theme. If you look at functions.php, it showed up at the top here.

Why We Deleted Everything

Now, it didn’t exist though in Twenty Fourteen which led me to believe then that what happened here was that that base64 code which then altered other files. So even if you deleted it from the theme file, it still would be able to replicate which is why we threw everything away. We threw all the old files away because we didn’t have any way of knowing which files were contaminated so we just threw them all out.

Somebody might be tempted to say, “Oh, look I’ve got this problem in my Functions File, I can just delete that and the problem will go away”. That’s not the case because we were able to observe the problem when Twenty Fourteen was active which means that the actual problem was caused by a corruption outside of the theme files since the Twenty Fourteen theme didn’t have that hacked code.

Every reported instance of this I’ve seen has been in a Genesis site and if you switch themes as Shlomo did, and I’m going to let him on here in just a minute. You’re apparently familiar with him on a Facebook group.

Leah: Yes.

Rick: Shlomo is a member of the site and I was trying to figure out what the problem was. I figured well, somebody reported it last night in the live Q&A which made me go, “Oh, oh, my planned on fix may not fix the problem”.

So then I went to the StudioPress forums and searched and found Shlomo’s post and looked at his site. It had exactly the same symptoms but he was using the Pro’s Child Theme and I knew we had some other kind of issue and that I was working my way through other troubleshooting, I saw in the Functions File that there was this base64 code then I checked it in Succuri nd I knew we had an issue there.

Ways to Prevent Hacking

Well, who knows how it got in, right? But you want to use non-standard usernames and strong passwords and from what I can tell you do that already. Certainly your admin username was not the standard one and the username and password that you gave me were good. So if you did that consistently then you’re just fine.

Your username, your customer number at GoDaddy is fine obviously, that’s the way they expect you to do it. And your username on GoDaddy is good enough although you may want to change it now just in case the hacking came in through GoDaddy.

The hacking could have come in through a plugin. I suspect well, I don’t know this for sure, but the 3 of you may share the same plugins and maybe the opt-in skin plugin for example, may have a vulnerability that allowed you to be hacked.

Actually, I’m going to bring on the other participants here who have the same problem because I have Lewis. Hey, Lewis I just unmuted your microphone.

Lewis: Hey, Rick how are you doing?

Rick: And Shlomo I just unmuted your microphone. Shlomo Skinner?

Shlomo: Right.

Rick: Hello. Okay well anyway, I’m going to leave his microphone unmuted here if case he can get on. Lewis, do you use that opt-in skin plugin?

Lewis: Can you show me which one again?

Rick: Well, they’re no longer installed anymore but the name of it is opt-in skin.

Another Example Hacked Site

Lewis: Let me go to my plugin area real quick and I’m going to scan and check it out. Yeah, I just checked the Appearance and Editor that you were just describing and yeah, I see a whole bunch of coding before the PHP thing there.

Rick: Actually, I’m just going to make you the presenter for a moment so that we can see your screen because that’s something I would like to show. So there you go, you’ve got all this stuff in advance of…now if you scroll down you’ll see the normal PHP.

Lewis: Yeah it starts here and then when I scroll down you see all this stuff here that absolutely you can tell that does not belong in this text editor.

Rick: And if you keep on scrolling down now you’ll get down to the regular stuff.

Lewis: That’s a lot and then supposedly it should start there and then from here is the other stuff. All this is the hacked, yeah it’s crazy.

Rick: Now switch from Agency to Genesis up there and select the theme to edit. No, no up at the top here at the right hand side.

Lewis: Say it again?

Rick: Oh no, okay go back to where you were to the editor and see under there up on the top right it says, “Select theme to edit”. Choose Genesis and go to its functions file, it says “Theme Functions”. Look at that, it has not been hacked, hers was. Select the different child theme.

Lewis: In the actual theme area?

Rick: No, in the same place we did before under Genesis, select that Lifestyle.

Lewis: It comes up, yeah.

Rick: That one has been hacked so this is a hack that is exploiting Genesis. If you go look at the Twenty Fourteen theme there it’s not going to exist there.

Lewis: No, it exists here too.

Rick: Oh boy it does, doesn’t it? Look at that. Okay, well it didn’t exist on hers but there you go. So it’s finding itself able to propagate.

Lewis: The plugin that you were referring to, what was it called again?

Rick: It’s called opt-in skin, let’s just look at your plugins for a second. No.

Lewis: No.

Rick: Okay, so the plugins that you share in common with here were the Google XML Sitemaps, scroll down a little further, Genesis Simple Sidebars, Genesis Responsive Slider and then she had a Genesis Simple Edit or something like that.

Leah: If I can interrupt for a minute, the Genesis Simple Edit was the most recent installed plugin on my website, probably last week or this week.

Rick: Okay.

Lewis: I had this plugin installed in this website for about a year and a half and it was yesterday morning that I encountered my website’s layout looking real crazy. So based on what you’ve just said, since I had this for about a year and a half and I never had an issue but yesterday morning was one of my website looked like this.

Rick: Well, we’re just trying to see what you have in common with Leah.

Lewis: Yes. I’m just saying when she said that we can fall on the impression that this could be something but…

Rick: It could be something.

Lewis: Yeah.

Rick: Just because it hasn’t been a problem for you for a year and a half doesn’t mean that the guy didn’t write this hack a couple of days ago.

Lewis: I see your point.

Rick: And worked to exploit it. I’m not saying that Genesis Simple Edit is the problem, I’m just looking at your plugins and saying, “What plugins do you have in common with hers?”. If you had no plugins in common then it wouldn’t be the plugin, right?

Lewis: No, I understand what you’re saying, we’re fine tuning the scope, narrowing it down or what could be the possibilities for these kind of hacks.

Rick: Right. So it could be Google XML Sitemaps, it could be either of those Genesis plugins, it could be something entirely unrelated and different than that.

Lewis: So if these plugins can create a possibility for them to enter, plugins such as limited login attempts and all that would not work then?

Rick: No, it would not work because it’s not a question of them walking in, they’re not logging in. They’re exploiting a programming vulnerability and they’re essentially pretending to be you or they’re pretending to be WordPress and doing normal WordPress functions inside of the server, they’re not pretending to be a user.

Lewis: Yeah, that’s crazy. I get what you’re saying.

Rick: So I’m not saying that those actually cause a problem, I’m just saying that those are the only plugins I see that the two of you have in common.

Lewis: No.

Rick: Now, the other commonality you have is that you are using the Agency Child Theme and you’re using the current version of Genesis, right?

Lewis: Yeah and this happened right after the upgrade to Genesis to 2.02.

Rick: Well, not for her though. Not for Leah because Leah upgraded to 2.2 earlier and Leah was in 3.7 when we diagnosed the problem and you were in 3.8 so it’s not going to be the version of WordPress. I don’t really know why and it may not mean anything, I mean since you’re both using Genesis it’s very common to use similar plugins especially for the simple things like these. I’m not saying it has anything to do with those plugins, I’m just saying that that’s what you have in common.

So in a lot of ways I suspect these plugins that are designed to help you make money. I always suspect them of being poorly written and full of exploits and so that max opt-in skin is an example of that. Not that I have any reason to believe that it was the source of vulnerability, it just kind of falls into that category of suspect plugin sources in my mind.

Lewis: Yeah and I understand, so independent plugin creators can usually throw in a cold rag, can give him a back end to enter somewhere else and no longer know.

Keep WordPress and Plugins Up to Date

Rick: Absolutely. In a heartbeat. So in terms of my prevention standards, one of them is make sure your usernames and passwords are very strong both for your WordPress, admin and also for your hosting account. But then also you need to keep WordPress up to date and keep your plugins up to date. The next rule is avoid plugins from sources you don’t trust and you know, it can be very difficult to know who to trust.

Lewis: Yeah, especially in the internet.

Have Regular Backup Routines

Rick: The next thing is to have a regular backup routine. And actually, that is something that Leah had and if it’d met my instructional objective, we have just restored Leah’s backup because it probably didn’t have the problem but it didn’t meet my instructional objective. I really wanted to show you how to clean up a site like this rather than had to restore backup but Leah did have sufficient backups. She had a sufficiently current backup system in place and automated and we could’ve just restored her backup.

Lewis: Yeah, that’s where I lack, I didn’t do that so I’m in a worse situation now.

Use Sucuri or other Virus Protector

Rick: And then the next thing to do I guess is to protect your site was Sucuri because they’ll not only clean your site up but they will protect and keep that from happening again.

Lewis: Yeah.

Rick: And if somebody beats Sucuri then they’ll guarantee that they’ll clean it up again even if the stuff gotten from a virus from your computer, right? Because it can get in a variety of ways. You could have a virus on your computer that waits for you to log in to a WordPress website and then exploit it that way.

Lewis: Well, now that you said that, can I ask you a quick question that may be a little bit out of topic but in many ways based on what you just mentioned sort of reminds me to ask you?

Rick: Go ahead.

Lewis: Yesterday after I signed up in your Q&A, I was using Chrome and now my Chrome doesn’t open at all and it’s important for me to have Chrome opened because I have all my passwords and everything in the browser and all that stuff for my website.

Rick: Have you restarted your computer since then?

Lewis: Yes, yes I turned it off yesterday and I let my computer relax and when I woke up this morning to get ready for today’s session with you, again it’s not opening.

Rick: I have absolutely no idea why that’s the case.

Lewis: Yeah.

Rick: If you’re using a virus software you probably want to do the scan. You may need to just go reinstall Google Chrome to see if that fixes it.

Lewis: Yeah, I tried that yesterday before I turned off my computer and it still wasn’t up.

Rick: Then I would delete it and install it from scratch.

Lewis: Okay. Already, these little things they create a headache.

Rick: They certainly can. So Leah do you have any questions?

Leah: Not for right now. Thank you so much, you don’t understand how much I appreciate this. This is like just a major burden relieved. Thank you.

Rick: Well, you’re welcome. I’m happy to have helped you and I’m happy we got the site back and working properly.

Leah: Actually, I do have a quick question. I’m running a number of other websites on Genesis. Other than the Sucuri backup, what do you recommend, how can I protect those other sites from being infected like this?

ReCap of Ways to Prevent Your Site from being Hacked

Rick: Well, so what I was suggesting was again, the strong passwords, strong usernames and passwords, keeping everything up to date. So that means really every week or so you need to check your site for updates and automatically do the updates. Also be selective about where you get your plugins from. You already have a regular backup routine. So it seems to me like you’re already doing most of the things right. Maybe you didn’t update soon enough, right> Because you were in 3.7 and WordPress 3.8 has been around for a month or something like that but besides that it seems to me like you have the kind of behavior that should protect you.

Leah: I mean the only thing that I can think of that I’ve done recently is I had someone go in and touch some of the code. I was trying to get some edits done but I thought it was a pretty reputable company so I don’t think they would have done anything purposely.

Rick: No, this was not done purposely by somebody who knew you or you had personal contact with. This was something that was done automatically by a hacker bot that’s essentially trolling the internet for vulnerabilities and when it finds the vulnerability it exploits it. So it won’t have had anything to do with that.

Fast Way to Restore After being Hacked

Had we just wanted to fix it as quickly as possible, you would’ve just restored the backup right, all you’d have to do is go back to BackupBuddy and use the restore function. Have you ever done that before?

Leah: I did that yesterday morning before I joined your Q&A and it didn’t change anything and honestly the stuff you did today was way over my head. So it’s a combination of I don’t know what to do and I don’t fully understand what’s going on.

Rick: Well, so…

Leah: I mean conceptually I get it but the physical you know, step A, step B, I’m not confident with that.

Rick: Right. Well, so I would say that some kind of real time monitoring and malware protection is what you need then because most otherwise you’re doing everything right.

Leah: Sucuri will provide that?

Rick: And that’s what Sucuri does, yeah.

Leah: So can I sign up and then just breath easy knowing that the site’s in good hands?

Rick: Absolutely. Especially because you’ve already got your backup system in place, it’s automated, you really do have everything in place to prevent catastrophe.

Leah: Okay. I mean this is not the part of my business that I want to focus on so if I can put this in someone else’s hands, knowing they’re doing a good job then I’ll work on what I like to do.

Rick: Well and they’re cheap, right? I mean if you’ve got it at several sites I don’t know it’s a hundred and something for 5 sites or something like that. I mean relative to the potential time lost and anxiety and that sort of thing.

Leah: This caused me 2 days of work so yeah, definitely it’s something I’m going to do.

Rick: Well and for them, they guarantee to fix it, right? So you’ll never really have to know how to fix it because they just guarantee to fix it.

Leah: Absolutely.

Rick: They’ll fix it and it will have nothing to do with you, you’ll give them login credentials so that they can fix it and they have all their automated tools to fix it and they’ll fix it.

Leah: I’ll do that, thank you.

Rick: You’re welcome.

0 Comments… add one
0 comments… add one

Leave a Comment