Every day hackers sit out there and prey on good sites for no good reason. Some days they are even successful. In the past few months I’ve worked with a few blogs to detect and remove hidden code that was causing various unwanted issues. It happens to the best of blogs, and knowing how to find and remove it is just as important as trying to prevent it.
Blog #1 – The iFrame – The first indicator that something was wrong here was the time it took the blog to load. It seemed abnormally long. I popped open Safari’s activity window and noticed it was connecting out to an IP address that I didn’t recognize.
When the page did finally load, it then asked me if I wanted to run a Java applet. Huge red flag there. It took some digging but I found a lot of files contained some iFrame code that was loading badware from an external site.
To fix, I deleted and re-uploaded all the files I could, and walked through each theme and plugin file to find any traces of code that should not be there. Once cleaned out, the site ran much smoother.
Blog #2 – Hidden Random Links – With this blog, Google actually caught the issue first. They put a lovely note on search results that said the site may be unsafe to visit. Even when someone did click on the search result, Google sent them to a warning page. So not cool, but understandable.
I immediately looked through the theme files and re-uploaded any admin files with no luck. Oddly enough, the issue presented itself only on a few posts, not all pages. This means that the issue was not part of the theme or any other main files. The badware was actually embedded in individual posts.
Google Webmaster Tools listed out a number of infected pages. I then viewed the sources of those pages and was able to see an empty link that went out to a known badware site.
To fix, I edited each post with WYSIWYG editing turned off. This allowed me to see the raw HTML and it was easy to see the infected posts. Within a day or two of cleaning up the code, Google cleared the warning message.
Blog #3 – Spam Links – If you’re not running the most recent version of WordPress, you may become affected by old security issues. With blog #3, someone added a couple hundred invisible spam links to the footer of the site. We were lucky with this one as a visitor tipped us off early. The fix was simple: remove the links from the footer file and update to the latest version of WordPress.
Hack Attack Tips
If you do find your blog has become infected, here are a few things you should always do.
- Clean up any infected files as soon as possible. It’s your reputation and your visitors’ safety at stake.
- Delete any blog and plugin files you can and re-upload new ones. Don’t get rid of your configuration or theme files though.
- For those files that you can’t just delete (like config and theme files) open each one and check for issues.
- Update your blog software and plugins to the most recent version. The newer the files the safer they probably are.
- Change your passwords. Your blog user, your FTP and any others you can. You never know how hackers get in.
- Back up everything. In the three cases above, no files or information was deleted by the hackers, but that doesn’t mean they will always be as nice.
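Checking files and posts by eye gets slow on a large blog, so here is a small scanner for the three patterns from the cases above: an iFrame loading from another host, an empty link to another host, and links tucked inside a hidden element. It is an added example, not code from the original cleanups; the hostname `blog.example`, the finding labels and the sample HTML are all assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host   # assumption: the blog's own hostname
        self.findings = []         # (kind, url) tuples
        self._hidden = None        # [tag, depth] while inside a hidden element
        self._link = None          # [href, text, hidden] for the open external <a>
    def _external(self, url):
        host = urlparse(url or "").hostname or ""
        return bool(host) and not ("." + host).endswith("." + self.own_host)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if self._hidden and tag == self._hidden[0]:
            self._hidden[1] += 1   # nested element with the same tag name
        elif (not self._hidden and tag not in ("img", "br", "input")
              and ("display:none" in style or "visibility:hidden" in style)):
            self._hidden = [tag, 1]
        if tag == "iframe" and self._external(a.get("src")):
            self.findings.append(("external-iframe", a["src"]))
        elif tag == "a" and self._external(a.get("href")):
            self._link = [a["href"], "", self._hidden is not None]
        elif tag == "img" and self._link:
            self._link[1] += "[img]"   # an image link is not an empty link
    def handle_data(self, data):
        if self._link:
            self._link[1] += data.strip()
    def handle_endtag(self, tag):
        if tag == "a" and self._link:
            href, text, hidden = self._link
            if hidden or not text:
                self.findings.append(("hidden-link" if hidden else "empty-link", href))
            self._link = None
        if self._hidden and tag == self._hidden[0]:
            self._hidden[1] -= 1
            if not self._hidden[1]:
                self._hidden = None

def scan(html, own_host):
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

SAMPLE = ('<p>Post <a href="http://badware.example/x"></a></p>'  # constructed input
          '<iframe src="http://203.0.113.7/a"></iframe><a href="/about">About</a>'
          '<div style="display: none"><a href="http://spam.example/pills">pills</a></div>')
```

Run `scan()` over the raw HTML of each post and over the rendered footer. Embeds you added yourself from other hosts will show up too, so treat the output as a list to review rather than a verdict.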
Hackers are out there every day doing what they can to harm innocent sites. You can take steps to protect yourself by keeping your blog software and plugins up to date and creating good, strong passwords along with frequent backups.
Do you have any words of wisdom to share about keeping blogs safe?