Fixing WordPress after a Malware Attack

A good few weeks back now, a number of my sites (all hosted on the same server) suffered from a malware attack. It’s been a while now and hopefully, ‘touch wood’, things are fixed for good!

With fingers and toes crossed I wanted to put a quick post together that might help others in the same unfortunate situation.

What is a malware attack?

Horrible. Dirty. In short, it means your website / server has somehow been compromised and this ‘malware’ manages to insert links and other unwanted nonsense into your pages. This will eventually result in your website(s) being flagged by search engines and browsers as dangerous to visit, and users may not be allowed access to your site at all. Not something that will do any business or website any favours.

Fixing / recovering from an attack.

I was fortunate in the first instance to have a good host on my side. I contacted Media Temple, who kindly scanned and cleaned my sites for me, repairing the affected code and removing suspicious users from any WordPress sites.

(In theory this was a WordPress problem, not a hosting problem, so Media Temple were not obligated to help – but I would say it’s worth contacting your host first off, as if they can’t/won’t help fix it with you they may at least offer some advice).

How do you find affected code?

Viewing the source of your files and even your template files may not help, as this malicious code will largely rely on JavaScript (ahem.. yeah we can begin to see where JS got a bad name here..). I’d advise using Firebug (a plugin for Firefox) to inspect your pages, as this will show any code or elements inserted into the page via JavaScript.
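
The same hunt can be run on the server over the files themselves. The Python script below is an added example, not code from this post, Media Temple or Sucuri: it walks a WordPress tree and reports lines that match a few heuristic markers of injected code. The marker list, the sample files and the theme/plugin names are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers of injected code. This list is an assumption for the
# example, not taken from the post; expect false positives and negatives.
MARKERS = {
    "eval-of-decoded-string": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "document.write-unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "hidden-iframe": re.compile(r'<iframe[^>]*\b(width|height)\s*=\s*["\']?[01]\b', re.I),
    "long-encoded-blob": re.compile(r"[A-Za-z0-9+/]{200,}"),
}
SCAN_SUFFIXES = {".php", ".js", ".htm", ".html"}

def scan_tree(root):
    """Return sorted (relative path, line number, marker) hits under root."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for name, rx in MARKERS.items():
                if rx.search(line):
                    hits.append((path.relative_to(root).as_posix(), lineno, name))
    return sorted(hits)

# Constructed sample files (inert strings, hypothetical theme/plugin names).
SAMPLE = {
    "wp-content/themes/demo/index.php": "<?php get_header(); ?>\n<h1>Hello</h1>\n",
    "wp-content/themes/demo/footer.php":
        '<?php wp_footer(); ?>\n<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n',
    "wp-content/themes/demo/header.php":
        '<iframe src="http://example.invalid/" width="1" height="1"></iframe>\n',
    "wp-content/themes/demo/js/menu.js":
        'var open = false;\ndocument.write(unescape("%3Cp%3Ehi%3C%2Fp%3E"));\n',
    "wp-content/plugins/demo/cache.php": '<?php $c = "' + "QUJD" * 60 + '"; ?>\n',
}

def scan_sample():
    """Write SAMPLE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(*scan_sample(), sep="\n")
```

Point `scan_tree()` at a copy of the site's document root; every hit still needs a manual look, since legitimate plugins can trip these markers too.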

Media Temple recommended a company called Sucuri for (paid) support should I continue to encounter problems. On their blog I found a very useful clean-up script – by this point my sites were already clean, but from the comments on the post it seems to work.

Log in to your WordPress sites and ensure you have no unknown users. The likelihood is, if your site has been affected, you will have! Remove these and change your admin passwords! I would also recommend changing any FTP passwords etc. to be on the safe side.

Protecting your sites

This is perhaps where this post should have started, although, if you’re reading this, the likelihood is you already had a problem that needed fixing.

#1 Keep WordPress and your plugins updated!

#2 Make regular backups.

#3 Use Perishable Press’ plugin to protect against malicious URL requests

#4 Use .htaccess to blacklist bad IP addresses

#5 Keep WordPress and your plugins updated! + Make regular backups! (yep, I know this is a duplicate, it’s that important!).

There are plenty of other, more general WordPress security measures you should hopefully have in place, but the above are additional measures I took after this… if you have any advice of your own please feel free to share in the comments!

