On Saturday morning I received an email that no blogger wants to receive.
Here’s the subject line:
“IMPORTANT: Websites hacked – Immediate attention required”.
The email said that malware was found on one of my smaller websites and all of my websites had been shut down as a precaution.
Sounds bad right?!
But, by Sunday afternoon all of my websites were turned back on and completely free of malware.
In this post I’ll show you the steps I took to get my website cleaned so you know what to do in case it happens to you.
I’d like to think that you don’t have to go through this yourself but it helps to be prepared.
A closer look at what exactly happened
My web host (WPX Hosting) runs regular anti-virus scans so they can quickly help customers get on top of any security issue – like any web host should.
They found some malicious PHP files on a smaller site that I run.
That wasn’t just bad news for the infected site, it was bad news for the other sites in my account too, here’s why…
When a hacker has access to one site, they can use it to access the rest so my host took action fast to ensure that the malicious files were contained.
That means disabling access to all of my sites on the server, including Blogging Wizard.
It’s true that I do have a security plugin installed but it’s also true that no security plugin will be able to offer complete protection.
There are a number of reasons why this could have happened but it is usually because of a vulnerable or outdated plugin. Sometimes all it takes is to forget to update a single plugin.
How I got the malware removed
Since I got the malware removed, WPX Hosting has added a new offering: malware cleanup.
So, if you use WPX Hosting, they’ll get rid of malware without you having to pay any extra.
There are so many horror stories about people having their blogs hacked but it turned out to be straightforward.
I’m not a WordPress security expert so there might be a better way to do this but the following steps show how easy it was to get my site cleaned up.
Step 1 – Scan your computer
I started off scanning my computer just in case there was any nasty malware using Malwarebytes (there’s a free version).
This was just a precaution and all was fine.
Step 2 – Confirm administrator details
Sometimes hackers add new admin accounts or change the emails of existing admin accounts.
I checked all existing accounts using phpMyAdmin, which allows me to check/modify database entries.
There were no new accounts and existing account info was correct.
If you need to do this, chances are you’ll have phpMyAdmin but exactly how you access it will vary depending on your web host.
They should have some documentation on this.
Step 3 – Get the pros in to help
I did some quick research to see who could help me with this problem and I saw a lot of good things about the team at Sucuri.
I’d used their free malware scanner in the past and I follow their blog because they do a great job at finding plugin vulnerabilities.
Sucuri offer straightforward annual plans so I purchased a plan which set me back $299.99/year.
It includes (but isn’t limited to):
- Unlimited malware clean up
- Website blacklist removal
- Malware detection for unlimited pages
- Firewall & CDN for added security + speed
$299.99 seems a lot considering how rare it is for this to happen but I feel it’s worth it to ensure my site is kept safe.
It would be nice if I could have got this resolved for free but it’s not worth taking any chances.
Step 4 – Submit malware removal request
To get the ball rolling, I submitted my malware removal request along with FTP details.
It took till Sunday morning for Sucuri to get to my ticket due to heavy workload at the weekend.
Once one of the Sucuri team started work, my site was cleaned up within 30 minutes.
They also hardened the security for some of my blog’s directories.
Step 5 – My host flicks the switch back on
Now the site had been cleaned I was able to ask my host to switch my sites on.
They ran another anti-virus scan to confirm my sites were clean and then switched everything on again.
Within 30 minutes everything was working as it should be.
This is why I love hosting my sites with WPX Hosting – they respond to email support tickets fast.
Most tend to be within 20 minutes.
Which is amazing in comparison to other hosts I’ve used. Most of them don’t respond to support tickets for 1-2 days.
Since first publishing this post in 2014, WPX Hosting has rolled out free malware clean ups. If you host your site with them, they’ll remove malware at no extra cost. Pretty amazing. They also have enterprise level DDoS protection from Incapsula on their servers.
Important next steps
Even though the infected site was cleaned and all sites on the server were checked, there were steps I still needed to take.
Step 6 – Update passwords
I set about changing passwords including:
- WordPress admin
This also required me to update the wp-config.php file on each site to make sure my sites kept working after FTP and database details were changed.
Step 7 – Activate server side scanning
One of the other helpful features that comes with a Sucuri plan is the server side scanning.
It’s similar to their regular website monitor but it can scan much deeper making it far more accurate.
Due to my websites being disabled, I had to wait until everything was working so I could activate this.
I was able to upload a file to each of my domains, click enable and we were ready to go.
Step 8 – Run backups
My web host takes regular backups but one thing I’ve learned over the years is that you need multiple redundancies.
I use BackupBuddy for this. It’s a paid plugin but there are plenty of other great alternatives like BackWPup which you can use for free. This post has more details on alternatives and the features of both BackupBuddy and BackWPup.
Step 9 – Update WordPress, themes and plugins
Now that I had my sites backed up, it was time to start updating themes, plugins and the WordPress core files for each site.
This is just a security precaution but it’s important to do just in case.
There have been times when I’ve updated plugins and sites have collapsed.
This is why taking regular backups is so important – it’s rare but you should never take the chance.
Fortunately updates didn’t cause any issues.
Now that I’ve got Sucuri monitoring set up and access to their team, I can rest easier but the truth is that there are always other ways to improve WordPress security.
Sucuri have a tool called SiteCheck which is a free malware scanner. It’s not as good as the server side scanner you get with the paid plan but it’s great for a free tool.
Security plugins help but they can’t cover every angle.
Below are some additional resources that will help you:
- Hardening WordPress (WordPress.org)
- WordPress Security: The Ultimate Guide (WPMU DEV)
- 8 Quick Tips To Secure Your WordPress Website (WP Superstars)
- How To Scan Your WordPress Website For Hidden Malware (Elegant Themes)
Over to you
You don’t have to be an expert. There are plenty of resources like those listed above which you can use to secure your blog and rest easier.
Nothing will ever be 100% secure but you need to be as prepared as possible. If anything happens there are great folks that do this work freelance or the awesome teams at companies like Sucuri who you can go to.