Here’s the thing. Two weeks ago (more or less) my site – newInternetOrder.com – got infected by some nice malware (the threat is gone now, it’s totally safe to pay me a visit).
Okay, the malware was not nice at all. But as an engineer I do have to appreciate the cleverness of the code, so to speak. (More on which in a minute).
Anyway, this post describes my adventure with malware and at the same time provides some how-to advice that you can use to either prevent your site from getting infected in the first place or to fight the infection if it happens.
How does malware happen?
Malware is actually a pretty cool piece of programming engineering. I’m sure that people writing malware are educated and experienced programmers. Otherwise they wouldn’t be able to develop such well thought through creations.
However, setting all this aside, what’s actually interesting for us now is how your site can get infected by malware.
Some of the following scenarios are pretty obvious, but let me list everything I can think of to make the message complete:
- Your FTP/cPanel/database/WordPress passwords getting hijacked. Basically, if you use a complex password, this shouldn’t happen.
- Your browser’s session getting hijacked (and all other cookie-related issues).
- Using an outdated installation of WordPress. The platform gets frequent updates for a reason…
- Using outdated plugins. Same story.
- Using low-quality plugins.
- Not having good .htaccess protection.
- Having a crappy web host.
To be honest, I’m not the biggest authority on malware, so there’s probably a dozen other ways of getting infected. But this set kind of covers the most frequent issues.
Some of the above scenarios can be prevented easily, but you don’t have control over everything (mainly the last item on the list – your web host and their condition). I will explain how to handle them in a minute.
How do you find out that you have malware?
Someone will simply let you know … usually Google.
(And I’m not actually sure if you need to have a Google Webmaster Tools account for this or not. It’s best to sign up for one anyway.)
So one beautiful day I got an email from Google that kindly informed me that:
“We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.”
Google has their methods of discovering malware. I suppose that they rely on every possible metric they can get. There’s actually a number of companies that take care of monitoring the web in search for malware. They all have their directories, which Google frequently checks to find any suspicious entries.
Among others, the companies are: Norton Safe Web, Phish tank, SiteAdvisor, Sucuri, Yandex, and of course Google Safe Browsing.
If you have a fairly popular domain and some malware on it, one of these companies is sure to find it, and if they do, Google finds it too.
What can malware do to you?
First of all, what it did to me was that anyone who tried to visit my site got presented with a message that it is an attack site or something. In the end, it dramatically lowered my traffic.
Google also did one more thing they forgot to mention in their email: they completely erased me from their rankings, which was soon confirmed by my SEOmoz monitors (for my main keywords).
And there’s also the actual negative aspect of your site having malware on it … you’re infecting other people’s computers, which is never cool.
How to prevent malware
I published a post on WordPress security some time ago at ProBlogger (feel free to check it out).
And here’s the simplified version:
- Don’t use free themes!
- Secure your own machine. Updated antivirus software.
- Update your WordPress whenever a new release gets launched.
- Update the plugins.
- Back up your site regularly.
- Delete plugins you don’t use.
- Get additional security plugins.
About those additional security plugins:
AntiVirus. Scans your site against exploits, malware, spam injections and other cool stuff.
Secure WordPress. Performs a number of security tweaks. Actually a lot of things. Check the official plugin site to get the full list.
BulletProof Security. Great plugin for .htaccess protection. Essentially, it blocks everything malicious from accessing your site.
So why did my site get infected? Why wasn’t I able to protect it? In my case, the problem was the web host. The exact scenario that happened to me is described here: Malicious Apache Module Injects Iframes (great post).
In short, I got hit by a server-side infection. The malware was only visible on one single page: http://newinternetorder.com/tag/business/ and not even on every visit (clever code).
Actually, the malware that settled on my site was even trying to avoid getting detected by online scanners. Even Sucuri couldn’t detect it on every run.
The code banned every IP that accessed the site more than X times and performed some kind of activity resembling a scan. Quality engineering work if you ask me. Anyways. Back on topic.
What to do if you get hit?
Start with the site scanner at Sucuri. It will let you know what’s going on (kind of).
Make sure to scan your site multiple times, so you get the most accurate result possible. Don’t get distracted by all the clean scans (the ones not detecting anything). It only takes one scan to return a detection (remember that malware can try to act smart and avoid detection through multiple different means).
For instance, here’s what the scan for my site looks like now:
Here’s what it looked like a week ago:
Once you get a sample of the infected code (like I did on the image above) you should start looking for it in your WordPress files.
The easiest way to do this is to create a full backup of your site, download it to your desktop, and then open the files in Notepad++ or something similar.
Depending on the nature of your infection, you can start searching for things like:
- iframes you didn’t put in place manually,
- inline <script> tags,
- <div> tags that are either outside of the visible area (position:absolute; top:-1250px; or something), or are set to display:none;
- base64_decode() PHP function calls,
- eval() PHP function calls,
- strrev() PHP function calls.
The last three are what most malware relies on.
- The base64_decode() function is commonly used to decode malicious source code that would have otherwise been detected easily.
- The eval() function is used to execute that decoded code.
- The strrev() function reverses the string to make the thing even more difficult to find.
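Here is a small scanner, added as an example and not part of the original post, that searches a downloaded backup for exactly the indicators listed above (iframes, inline script tags, hidden divs, base64_decode(), eval(), strrev(), and eval() fed directly by a decoder). The sample file it scans is constructed for the example, not real malware; treat every hit as a lead to read in context, since eval() and base64_decode() also appear in legitimate plugin code.

```python
import re
from pathlib import Path

# Indicators from the post as case-insensitive regexes. Hits are leads for
# manual review, not verdicts: legitimate plugins also call eval()/base64_decode().
INDICATORS = [
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("inline_script", re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>", re.I)),
    ("hidden_div", re.compile(
        r"""<div\b[^>]*style\s*=\s*["'][^"']*(?:display\s*:\s*none|(?:top|left)\s*:\s*-\d+px)""", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("strrev", re.compile(r"\bstrrev\s*\(", re.I)),
    # eval() fed directly by a decoder is the classic obfuscation chain
    ("eval_of_decoder", re.compile(r"\beval\s*\(\s*(?:base64_decode|strrev)\s*\(", re.I)),
]

# Constructed sample file (not real malware): a theme footer with planted code.
SAMPLE = r"""<?php
$c = strrev("=ZTZyJXdvOlbw");
eval(base64_decode($c));
?>
<div style="position:absolute; top:-1250px;">hidden</div>
<div style="display:none">also hidden</div>
<iframe src="http://example.invalid/x" width="1" height="1"></iframe>
<script>document.write('spam');</script>
<script src="/wp-includes/js/jquery.js"></script>
"""

def scan_text(text):
    """Return {indicator: [1-based line numbers]} for every hit in text."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        for label, rx in INDICATORS:
            if rx.search(line):
                hits.setdefault(label, []).append(n)
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a downloaded backup directory and report hits per file."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

if __name__ == "__main__":
    for label, lines in sorted(scan_text(SAMPLE).items()):
        print(f"{label:16} lines {lines}")
```

Point scan_tree() at the unpacked backup of the whole site, not only the theme directory, since the post notes that infections often sit in core or plugin files.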
If you find any of the above in any of your WordPress files (not only your theme files) then simply delete it, change your FTP, admin, and database passwords and re-upload the files.
Also, if the problem was sitting in the core files (not in any of the plugins or your theme), download a fresh set of WordPress install files and upload them in place of your old ones (remember to keep your own wp-config.php).
If you didn’t find any malware in the files, contact your hosting provider as it’s probably their fault (what happened in my case).
When you have the problem finally taken care of (or at least you think that’s the case), go to the service that blacklisted you first and ask them for another review.
In my case, it was Yandex and their Yandex.Webmaster platform. I signed up to their service, rechecked my site, and eventually got my domain un-blacklisted.
(Also, chances are that the company that blacklisted you first will have some more insights about the nature of the problem. Make sure to check it out.)
Next go to Google Webmaster Tools, section: Health > Malware. And request a review there as well.
Once all reviews return a positive result, your site will get removed from the blacklist. Unfortunately, this will take several days to be done completely.
What you can do to make your site malware-proof
If malware and security are especially important to you, you can take some additional steps.
A good starting place is at your web host. Most quality companies offer some kind of malware protection (HostGator does). This means that they will scan your site and inform you about any suspicious behavior.
Another solution is Sucuri and their premium malware protection service. It is a bit costly: it will set you back $89.99 per year to protect just a single website, and $289.99 if you want to protect 10. If your site is the way you make your money, though, it’s probably a worthy investment anyway.
However, the absolute first place where you need to start is to buy a good hosting plan from a quality web host.
I, for example, had to switch hosting providers after this malware incident. Essentially, there was the thing with malware, some email problems, and other uninteresting issues. In the end, I decided to move on and sign up to HostGator.
That’s the end of my story. Right now, my site is safe and no longer has a malware problem. I hope it stays this way.
Feel free to ask me anything. Also, did you have any adventures with malware on your WordPress site?