You must be prepared for anything when it comes to WordPress hacking

I’ve had a challenging few days.  Six clients had their websites hacked.  All within a couple days of each other.  All so badly that I literally had to rebuild from old back ups.  And I mean REALLY OLD BACKS UP.  If I didn’t know how to work with MySQL, I don’t know what I would have done to get the situation corrected.  I even signed up for the hosting to clean the site and they failed just as I had done on the first try.

Let’s just talk about the worst case scenario (this is a true story).  You’ve done everything right.  You have your clients in a care plan and have 90 days of back ups stored off site.   You virus scan everyday and update plugins, theme and core files on a regular basis.  Everything is fine.  No virus alerts.

The first warning is a client that calls and says a customer told her her site was hacked.  Virus scan shows nothing from Sucuri, but a scan on Wordfence shows malware.  You revert the site back a couple of weeks with your back ups.  All clear for a couple of hours, then files appear again.  You go back 90 days, this is serious stuff.  And a few hours later, there are more malicious files. You remove all the malware, scan the site again.  All good.  The next morning, more files reappear on the server.  You SFTP in to look.  Now a couple of sites won’t connect to your care plan program and sure enough, they have similar files.  By the end of the week, it’s five websites total and you throw in the towel and pay for the Sucuri clean up your hosting offers since they say it’s going to be really tough for you to clean the database.  They pronounce the site cleaned, you change all passwords and the next morning, BOOM.  More malware.  Randomly, a client that passed on your care plan calls with the question, “Do you have a back up of my site?”.  Now, the total is six hacked sites.

Nightmare, right?

Well, you have to great creative.  There is always hope if you have a back up.  What did I resort to? Old BackupBuddy backups I stored on my computer long ago.  I used to create a back up with BackupBuddy each time I moved a site, but with GoDaddy’s migration tool, I stopped doing it a couple years ago.  Luckily, all the clients I had an old back up.  Next, I used the WordPress exporter to grab the content I needed to add.  In one case, I had to surgically remove tables from the hacked database and import them into the new database (moving a Time.ly calendar is a bitch).  The quickest “RESTORE” was 2 hours, the longest 8 (that was the Time.ly calendar).

Skills I needed:

  • Upload tables and rename them in MySQL
  • Change the site url in MySQL
  • SFTP and transfer files with the ability to recognize suspicious ones
  • An “I’m not stopping until I get this done” attitude

What I learned:

  • Never trust one system
  • Have a backup to your back ups. I will now be making that brand new site back up using BackupBuddy routinely.
  • If the hosting company is having issues cleaning up, think about a rebuild

I have several questions now about the restore mechanism I use to restore a site to a previous version.  If it’s not replacing the files on the server completely, it could be leaving in suspicious files and just overwriting the good ones. I’ll be sure to follow up with what I find!

RESOURCES:  WordPress.org – Hardening WordPress

 

About WebCami

Cami MacNamara has been designing websites since 2002 from her home office in Seattle, Washington. Her career started as a way to be a stay-at-home mom. Certification soon followed and persistence paid off. Cami has designed 500+ websites and wants to share what she learned along the way. Look for her at WordCamp Seattle. Follow: WebCami.com / Twitter / Instagram