Managing Hacked Client WordPress Sites: Prevention, Reaction and Investigation

As project managers, web designers, and freelancers, we deal with a multitude of issues, especially when it comes to content management systems. For me, most of the issues arise in WordPress as it’s my choice CMS for clients. The most serious of these issues is dealing with hacked client sites where either spam has been placed, or more detrimental, malware.

So as project managers, web designers, and freelancers, we must by default become quasi experts in security. No problem. It adds more fun to the challenge.

Combating security breaches should fall into two camps (which are obvious if you’re a long-time reader of this blog): proactive and reactive. Proactive is preventing the problem before it occurs while reactive is after the fact and how to perform damage control.

How to prevent malware and spam from harming your clients’ WordPress sites

First, never underestimate the damage a spam or malware link can do to your client’s website. A strategically placed barrage of spam links can reflect in search engine listings, which could take days, if not weeks, to reverse. Malware links, which are usually script or iframe calls, can cause the ire of Google and Mozilla, both of which subscribe to an internet malware watchdog group. Under this coalition, you could find a client’s site tagged in Google searches as being unsafe due to malware and inaccessible via Firefox and Chrome among other browsers, with a big red warning to greet visitors.

That’s not good, especially if your client relies on their site for income. Unfortunately, I’ve been on the receiving end of a malware attack, and the results aren’t pretty.

With that preface in mind, prevention is the obvious course. Here’s what you can do to sleep better at night:

  • Perform basic security operations on the WordPress install. This includes changing the admin account to a subscriber access level, ensuring passwords are strong, and closing some of the loopholes in WordPress (see the plugin below to help manage this).
  • Consider installing a plugin to help manage some of those basic security loopholes. Secure WordPress is among the more popular ones.
  • Always install the latest version of WordPress since many security holes are patched in the updates.
  • Read through WordPress’s preventative guide.
  • Stay informed of the latest security methods and concerns. For example, Noupe has a good article (and comments) on some preventions.
  • Routinely check the client’s website rankings in search engines to identify any possible spam links.
  • Maintain backups of the WordPress database. In the event of an attack, you may have to perform a restoration. WP-DBManager is one of the best plugins for automated database backups.
  • Install a gatekeeper plugin to prevent robots from delivering link spam. Bad Behavior is a good plugin to consider.
  • Finally, and most important, setup a Google Webmaster account to tie in with the client’s site. Not only will this service provide valuable insight into search engine rankings, it will also notify you the instant a malware attack has been flagged by Google. And yes, it’s free.

The hack has happened, what to do now

A WordPress hacking incident will more than likely occur at some point in your life. It sucks and the ensuing mess is no fun to deal with. Fortunately, it’s not the end of the world, and there are some pretty solid ways of cleaning it up.

Remember that there’s a difference between a spam attack and a malware attack. A spam attack is the infusion of junk links in the code (or worse, in rogue plugin files, which are harder to find) so that search engine results will pick them up. This may not necessarily be flagged by Google as malware, making detection a bit fuzzy.

A malware attack, on the other hand, is usually a simple case of an illegal login into the site and the placement of a script or iframe tag. Google routinely scans sites for calls to malware files such as these and will subsequently raise the warning flag. Hopefully, you’ll have had Google Webmaster setup so that notification can be sent if that flag is raised, though Google makes an earnest attempt to email the site owners regardless.

Once the attack has occurred and you awake to the nightmare, here are some ways to deal with it:

  • Identify the location of the malware or spam, and remove it. If it’s a more intricate spam attack, you may need to consult a guide such as Pearsonified’s WordPress Pharma Hack post.
  • Scan the WordPress install for any other problems. I recommend the WordPress Exploit Scanner plugin for this job.
  • If you haven’t done so already, setup Google Webmaster immediately. After linking the site with the service, you’ll see a red bar warning you of malware on the site if that’s the problem. After you’ve removed the malware, make sure you notify Google using the malware diagnostic tool. This will instruct a robot to scan through your client’s website, and if the malware is gone, remove the warnings within 12 – 24 hours. The sooner you do this, the sooner the warnings will be removed, which is the ultimate goal.
  • Notify the client that the problem occurred and what you’ve done to resolve the situation. This is the hardest part because a Google malware warning can make a site appear like death. Nevertheless, if the client is hosting with you or under a maintenance contract, you should help them out of this situation. A confident tone and action-oriented plan will typically calm the client’s understandably stretched nerves.
  • Now that damage control has been completed and Google notified (if there was a malware attack), it’s time to toughen up the WordPress install. I highly recommend reading through the hacked FAQ on WordPress’s website. This guide will provide some basic and advanced methods for fixing and preventing the problems that brought about the attack.
  • Review the preventative measures outlined in the section above.
  • Of the WordPress hacked FAQ already mentioned, the most important takeaways are to change the passwords of user accounts and implement new secret keys in the wp-config file, which can be generated here. This will establish new cookies so that hackers cannot remain logged in.
  • It may also be prudent to scan your computer and the client’s using antivirus software. The malware may have either originated from one of those computers or infected one or more of them if the problem site was opened.
  • Lastly, notify the client what steps you have taken as well as a timeline for the impact on Google search results to reverse.

Perform an investigation

Many people advise performing an after-the-fact investigation into what happened post-attack. This is a good move in that it can provide a unique analysis of the flaws in your client’s site, the hosting operation, database software, or some other area of potential weakness.

The best place to start is by executing a simple search in Google for any recent issues regarding the web host and security problems. For examples, in the attacks I recently experienced, there were a couple of articles pertaining to my provider, Rackspace:

These resources can provide valuable analysis on a specific attack as well as a means to stop and remove them. In addition to these resources, you should also consider reviewing logs, if available, to see if you can pinpoint where the attack originated. This might not always be possible, but the more information you can gather, the better. It may even be prudent to contact the web hosting company to see if they’re aware of the problem, and if they’re at fault, what’s being done to rectify the situation.

WordPress hacking sucks; there’s no doubt about that. Remain vigilant and help protect your clients from the dreaded malware warnings slapped down by Google and others. Otherwise, your client could lose confidence in their website as well as visitors and revenue.

See more posts