Remember the optimism I had on Friday when I posted this statement?
#Fitblog is under attack, but I have some heavy artillery and I hope to have the site malware-free and back in business soon.
Ahhh, how naive and innocent I was.
It turns out that the original artillery I brought in may have been enough to stop the enemies from bringing in new troops, but it did nothing to clear out the bad guys who had already invaded. And the longer I waited, the more nasty they got.
There’s a happy ending to this. The #Fitblog Chats on Twitter website is back up and running, squeaky clean and malware free. Google has given me the green light and you should once again feel awesome about checking it out. Like, right now. I’ll be here when you get back.
But I thought it was worth sharing how it happened, what I did to get the bad stuff out, what you can do to prevent an attack on your own site, and a few lessons that I learned along the way.
(NOTE: Everything that I learned happened on the FBC site. Here on KW, I am the queen of backups and can’t say enough about VaultPress — the $15/month service I use to do constant database and file backups. Launched by the people behind WordPress itself, VaultPress can get your site back within minutes, should something bad happen. I make no money from them. But I urge you to consider using it if you don’t currently back up your system. I also offer some free tips here.)
My first steps:
1. Recognized there was a problem when visiting the website on Chrome (I was greeted by the above malware message and began to get emails from people who had buttons and badges from the FBC website embedded on their own sites — Google had sent them a warning)
2. Contacted Eleven2, the host of the FBC website. Eleven2 did a scan of the website and found about ten lines of malware/phishing content. Eleven2 told me that it had removed the infected files from the website and that I needed to ping Google and ask for a review so the malware warning could be taken down.
3. Assuming that the site was, in fact, clean, I headed to the Google Webmasters page to file the review request. However, I had not yet claimed and verified the site (a dumb move, since all of my other sites are verified), so I had to add a piece of code to the website to let Google know that it is, in fact, my site.
4. After verifying the website, I then filed a review request with Google. I waited. And waited. And refreshed and refreshed. I fretted. I talked to Rita from Blog Genie, who let me know that they have been inundated with requests for help (the cause in many cases is a vulnerability in the TimThumb.php file) and that the review process can take as few as 2 hours and as many as 48. I stressed.
Then, I went on with my day. I assumed it was all in Google’s hands and that I just had to be patient.
THEN, my blogging buddy and master of FBC Ryan sent me an update on the situation.
The infected files had not actually been cleaned out, were more pervasive than I’d thought, and Ryan was rolling up his sleeves and helping a sister out.
A few hours later? Ryan had saved the day…FBC was back in business…and I had this wonderful blog post to share.
Since Ryan did ALL of the hard work (seriously, y’all — check out Revive My Blog for some big, exciting plans), I asked him to break down the technical mumbo jumbo.
BIG HUGE RED FLAG FLASHY STOP IN YOUR TRACKS NOTE: The following steps are relatively advanced, and they involve making changes to your blog files. One misstep (a tag that you forget to close, overwriting something while you’re accessing the files through FTP, a drop in your Internet connection) CAN KILL YOUR BLOG. KILL IT DEAD.
So please please please do not attempt this work unless you are extremely confident in your abilities, have a complete backup of your database and files and would be OK if you lost everything forever and ever.
I can’t stress it enough, and I don’t want to be held responsible if you tackle this on your own and make a mistake. There are people that can help, including Ryan, Rita, the people at Sucuri. Contact them NOW to take steps to make sure you’re protected before you get hit, and if you have been affected, please consider reaching out to professionals so you don’t make a bad situation worse.
Back to how Ryan saved FBC.
1. Scanned fitblogchats using the security scanner at Sucuri.net http://sitecheck.sucuri.net/scanner/
2. Backed up all the site files and the WordPress database via phpMyAdmin (found at the dashboard of your webhost). VERY IMPORTANT STEP.
3. Updated the WooThemes framework to the latest version and updated the site theme to the latest version. (This is the step that fixed the TimThumb vulnerability.)
4. Replaced all of the WordPress core files with a clean download except for wp-config.php. I did inspect wp-config.php to ensure there wasn’t any malicious code there as well. Overwriting wp-config.php will crash your site.
5. Did a database search in phpMyAdmin for strings of malicious code that may need to be deleted.
6. Did a follow up scan to verify no bad code was lingering anywhere.
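Here is the same six-step sequence as a shell script. This is an added example, not Ryan’s code or anything from the original post: it assumes a self-hosted WordPress docroot, the mysql command-line tools, a clean WordPress release already unpacked in a separate directory, and the default wp_ table prefix. The paths at the bottom (/var/www/fitblog, /root/wordpress-clean, /root/fbc-backup) are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Ryan's or the post's own code): a command-line version of the
# cleanup sequence above for a self-hosted WordPress docroot.
# Assumptions: GNU tar/grep/sed, the mysql client tools, a clean WordPress release
# already unpacked in a separate directory, and the default wp_ table prefix.
set -u

# Read one define('KEY', 'value') line out of wp-config.php (DB_NAME, DB_USER, ...).
wp_config_value() {
    local config="$1" key="$2"
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$config" | head -n 1
}

# Step 2, file half: archive the whole docroot before anything is touched.
backup_files() {
    local docroot="$1" outdir="$2"
    mkdir -p "$outdir"
    tar -cf "$outdir/files-$(date +%Y%m%d-%H%M%S).tar" -C "$docroot" .
}

# Step 2, database half: mysqldump is the shell equivalent of a phpMyAdmin export.
backup_db() {
    local docroot="$1" outdir="$2" config="$1/wp-config.php"
    mkdir -p "$outdir"
    MYSQL_PWD="$(wp_config_value "$config" DB_PASSWORD)" \
    mysqldump --host="$(wp_config_value "$config" DB_HOST)" \
              --user="$(wp_config_value "$config" DB_USER)" \
              "$(wp_config_value "$config" DB_NAME)" \
        > "$outdir/db-$(date +%Y%m%d-%H%M%S).sql"
}

# Step 4: swap wp-admin/, wp-includes/ and the root-level core PHP files for clean
# copies, leaving wp-config.php and wp-content/ (themes, plugins, uploads) alone.
replace_core() {
    local docroot="$1" clean="$2" f
    rm -rf "$docroot/wp-admin" "$docroot/wp-includes"
    cp -R "$clean/wp-admin" "$clean/wp-includes" "$docroot/"
    for f in "$clean"/*.php; do
        [ -e "$f" ] || continue
        [ "$(basename "$f")" = "wp-config.php" ] && continue   # never overwrite the live config
        cp "$f" "$docroot/"
    done
}

# Step 5, file half: list files outside the freshly replaced core that carry the
# constructs injected PHP almost always uses. Expect some false positives; read each hit.
scan_for_injections() {
    local docroot="$1"
    grep -rlE --include='*.php' --include='*.js' --include='*.html' \
        --exclude-dir=wp-admin --exclude-dir=wp-includes \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\([^)]*/e|<iframe' \
        "$docroot" 2>/dev/null | sort
}

# Step 5, database half: the same search phpMyAdmin does, against posts and options.
db_search() {
    local docroot="$1" prefix="${2:-wp_}" config="$1/wp-config.php"
    MYSQL_PWD="$(wp_config_value "$config" DB_PASSWORD)" \
    mysql --host="$(wp_config_value "$config" DB_HOST)" \
          --user="$(wp_config_value "$config" DB_USER)" \
          "$(wp_config_value "$config" DB_NAME)" -e "
        SELECT ID, post_title FROM ${prefix}posts
         WHERE post_content LIKE '%<iframe%' OR post_content LIKE '%<script%'
            OR post_content LIKE '%eval(%';
        SELECT option_name FROM ${prefix}options
         WHERE option_value LIKE '%<iframe%' OR option_value LIKE '%<script%'
            OR option_value LIKE '%base64_decode%';"
}

# Typical run (paths are assumptions for illustration):
# backup_files /var/www/fitblog /root/fbc-backup && backup_db /var/www/fitblog /root/fbc-backup
# replace_core /var/www/fitblog /root/wordpress-clean
# scan_for_injections /var/www/fitblog; db_search /var/www/fitblog
```

Two things worth noting. The scan deliberately skips wp-admin and wp-includes because they were just replaced from a clean copy; everything else (themes, plugins, uploads, and the docroot itself, where TimThumb-style infections tend to drop extra files) is searched. And some legitimate plugins do call base64_decode, so a hit is a file to read, not a file to delete blindly. The database search is the phpMyAdmin search from step 5 run as plain SQL; if your site uses a different table prefix, pass it as the second argument.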
RYAN’S TIPS: Quick and easy security enhancements to help prevent attacks.
- Always make sure all themes, plugins, and WordPress core files are up to date!
- Delete readme.html from the root of your WordPress installation. It’s readable and displays the WordPress version of your site, which can aid hackers.
- Delete wp-admin/install.php. Deleting the installation script will make it so hackers can’t take advantage of it.
- Move wp-config up one folder. Right now you’ll see wp-config.php in a folder with three other folders: wp-admin, wp-includes, and wp-content. Move the wp-config.php file to the folder one step higher than the folder it’s in.
- Delete the account named ‘admin’. You’ll have to create a new account with administrator privileges, then you can delete admin and attribute all the posts to the new user you created.
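The tips above as a script you can keep and re-run after each update (a WordPress update puts readme.html back). Again, this is an added example and not Ryan’s code or the plugin he mentions; it assumes a self-hosted docroot and, for the admin-account swap, that WP-CLI (the `wp` command) is installed on the host. The version sniff at the top shows exactly what readme.html hands an attacker.

```shell
#!/usr/bin/env bash
# Added example (not Ryan's or the post's own code): Ryan's tips as a script, plus a
# check to re-run after every WordPress update (updates put readme.html back).
# Assumptions: a self-hosted WordPress docroot, and WP-CLI (the `wp` command) for the
# user replacement step.
set -u

# What readme.html gives away: the line "Version x.y.z" is the install's WordPress version.
wp_version_leak() {
    local readme="${1%/}/readme.html"
    [ -f "$readme" ] || return 1
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' "$readme" | head -n 1
}

# Tips 2-4 (file level): drop readme.html and wp-admin/install.php, move wp-config.php
# up one directory. WordPress only looks in the parent directory when the parent does
# not itself contain wp-settings.php, so refuse to move into another install.
harden_files() {
    local docroot="${1%/}" parent
    parent="$(dirname "$docroot")"
    rm -f "$docroot/readme.html" "$docroot/wp-admin/install.php"
    if [ -f "$docroot/wp-config.php" ]; then
        if [ -e "$parent/wp-settings.php" ]; then
            echo "refusing to move wp-config.php: $parent holds another WordPress install" >&2
            return 1
        fi
        mv "$docroot/wp-config.php" "$parent/wp-config.php"
    fi
}

# Tip 5: make a fresh administrator, then delete 'admin' and hand its posts to the new user.
# WP-CLI prints the generated password for the new account when it creates it.
replace_admin_user() {
    local docroot="$1" newlogin="$2" email="$3" newid
    wp --path="$docroot" user create "$newlogin" "$email" --role=administrator
    newid="$(wp --path="$docroot" user get "$newlogin" --field=ID)"
    wp --path="$docroot" user delete admin --reassign="$newid" --yes
}

# Re-check the file-level items; exit status 0 means all of them are in place.
check_hardening() {
    local docroot="${1%/}" parent ok=0
    parent="$(dirname "$docroot")"
    [ -e "$docroot/readme.html" ]          && { echo "readme.html still present"; ok=1; }
    [ -e "$docroot/wp-admin/install.php" ] && { echo "wp-admin/install.php still present"; ok=1; }
    [ -e "$docroot/wp-config.php" ]        && { echo "wp-config.php still inside the docroot"; ok=1; }
    [ -f "$parent/wp-config.php" ]         || { echo "no wp-config.php in $parent"; ok=1; }
    return $ok
}

# Typical run (paths and names are assumptions for illustration):
# wp_version_leak /var/www/fitblog      # prints the version an attacker would read
# harden_files /var/www/fitblog && check_hardening /var/www/fitblog
# replace_admin_user /var/www/fitblog fbc_editor editor@example.com
```

One caveat on moving wp-config.php: the file still has to be readable by the user PHP runs as, and the parent directory must not be served by the web server (on most shared hosts it is your home directory, which is fine). If you run more than one WordPress site under one account, the script refuses to move a config into a directory that already holds another install, because WordPress would then ignore it.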
Note from Ryan: I like the plugin WP-Security Scan. It does some of the above steps for you, and then recommends other things you can do to improve the security of your site, like changing the database prefix of your WordPress installation. Secure WordPress is pretty good too and takes care of some of the same things and a few different ones as well.
OK, back to me. I got very, very lucky that my mistakes (letting updates go unupdated; having files be ripe for hacking, etc.) were not worse. I could have lost my website. I could have infected other blogs. I could have seen years of work go down the drain.
So please, let my lesson be your lesson. Do an audit of your security now, and if you don’t know how? Ask for help. Scan your site. If there are issues, take care of them.
Think of how much you’d pay to have someone save your site after an attack, and pay that RIGHT NOW to prevent one. Back up your database, and back up your files. Both of them. Now.
(If you are not self-hosted, you may well be protected by your blogging platform…but take these words as advice for what to do if you ever do move to self-hosting!)