What To Do When Your WordPress (or not) Site Is Infected By Malware

Malware infected website

So you woke up today and found your website like this?

Yeah… it can be a pain. Not only is your website not working, it is also being blacklisted by Google.

Basically your website has been tampered with and now serves malicious snippets of code to your website visitors. Because of that, Google blacklists your website and browsers also prevent users from opening it.

How did it get to this?

Well, there are many ways. First, maybe there are PHP scripts on your website that are not secure and give an attacker an opportunity to come in and tamper with your website. I have heard of cases where people download PHP scripts from “alternative” sources, avoiding payment. These may be PHP scripts, WordPress plugins or themes, and many more.

And the guy that provided the download actually added some of his code in there which will allow him to do things on your website. What could this be? Well, maybe capture visitors’ information, replace your page with a different one, send spam emails from your servers… the possibilities are endless once they have access.

It could also be that your website was actually hacked. How? Well, again… numerous ways.

Another way that I discovered on how this could’ve happened is with a technique among hackers called “domain jumping”. You see, normally each website on a server has its own folder. A malicious script on the server could potentially trigger a command to see what folders are available, then start going into them one by one and infecting websites. When something like that happens, it is the web hosting company’s responsibility to fix it. But then again, you can’t really rely too much on them. It is better you take your own steps to fix this.

So What Do I Do Now?

I got this problem some time ago. And it was really a pain. I cleaned it all up myself. I downloaded EVERYTHING from the server. It was almost 1GB in size for everything. That took a long time. And then, I had to go through every PHP file to check what’s inside. There were thousands of files, over 10,000.

After a few files, I could see a pattern. And it is not one pattern. There are several. From what I can gather, I was not infected once, but by many types of malware. The goal is to remove the malicious code from your PHP files. Seeing the pattern, I wrote a simple script that would crawl my downloaded website, open PHP files and check the content, trying to find code that matched the patterns of malicious code that I had found earlier.

The huge pain was when I found new patterns. And when I did, I would have to update my script, or write a new script to crawl and fix all PHP files again. I think I ran my script maybe 10 times through all the PHP files that I downloaded.

You would also have to find “newly” created PHP scripts, that were created by the infected PHP script. These new PHP files are actually backdoors created for the attacker. Sometimes it is hard to find these backdoors as their names look very similar to your normal PHP scripts. For example, it could be something like config.php or settings.php, or it would be mimicking an actual important file. So you can’t simply just delete it. You would need to check them, find out and be really sure before deleting them.
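As an added illustration of the scan-and-compare approach described above (example code written for this post, not the author’s own script), this Python scanner walks a downloaded copy of the site, flags PHP files containing common obfuscation idioms, and lists files that a known-clean baseline does not have. The indicator regexes and the sample snippets are assumptions constructed for the example; every hit still needs a human to read the file before anything is deleted.

```python
import os
import re

# Obfuscation idioms commonly seen in injected PHP. These are generic
# indicators assumed for this example, not the patterns the author found.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_blob": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "request_input_executed": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|create_function)"
        r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hex_escaped_string": re.compile(r"(\\x[0-9a-fA-F]{2}){6,}"),
}

# Constructed samples (not real malware): an injected loader and a clean file.
INJECTED_SAMPLE = '<?php\n$x = "SGVsbG8=";\neval(base64_decode($x));\n'
CLEAN_SAMPLE = '<?php\n$config = ["db" => "localhost"];\n'


def scan_text(text):
    """Return the names of the indicators that match in one file's contents."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def scan_tree(root):
    """Walk a downloaded site copy; map each PHP file (relative path) to its hits."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                found = scan_text(f.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def unexpected_files(site_paths, baseline_paths):
    """Paths present in the site copy but absent from a known-clean baseline,
    e.g. a fresh download of the same WordPress, plugin and theme versions.
    This is how look-alike backdoors such as a stray settings.php surface."""
    return sorted(set(site_paths) - set(baseline_paths))
```

Run `scan_tree("/path/to/downloaded/site")` on the local copy, then review each reported file by hand; files listed by `unexpected_files` deserve the same manual check rather than an automatic delete.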

When you are done, of course, there is the uploading work again. Just as you downloaded them, it would take just as much time to upload them back again. Most internet connections have different upload and download speeds, where the upload speed is much lower than the download speed. That is what my ISP has for me. So this time, uploading took a lot longer than downloading.

At first, I thought I had done a good job after almost a week, day and night, fixing it. But then, the problem recurred. And all my web host knew how to do was shut down my website. It appears I missed a few things. So I did this process all over again. Download, fix, scan, find, delete, upload …

At times, I think perhaps the web hosting is the problem. It could be that domain-jumping thing… maybe other people’s website on that same server was infected. And the script can scan and crawl from folder to folder infecting other websites in the server. But of course, the web hosting would deny this.

Don’t Forget to Submit a Review Request to Google Webmaster

Oh yeah … after all that, your website may still be blacklisted by Google. What you need is to have your website added to the Google Webmaster panel. Then you need to submit it for a review by Google. They will deploy their bots to check your website. And if everything is OK and clean, they will remove you from the blacklist.

More on Google Review here

In the end, I moved my website to another web host. But now, I have found out about a service that can take care of this much faster and easier — just that you would have to pay for it. But even so, it wouldn’t have taken so much painstaking time on my part. The service is Sucuri.

$299 To Fix Your Malware Infected Website, With Active Monitoring And Re-occurrence Clean Up For One Whole Year. Your Website is Already Infected? No Problem! No Extra Charge.

At first I thought Sucuri acted like an insurance — they don’t cover pre-existing conditions. But no! They take it all in. Whether you are already infected or not, the price is the same. And even if your website is not infected with malware, Sucuri will proactively monitor it and prevent infection.

How does it work?

If you are already infected, just subscribe and follow their guide on how to submit for a cleanup.

After that, for active prevention and monitoring, you have to update your DNS to divert traffic via their network and servers before going to your website. This will act like a firewall for your website where Sucuri will prevent attacks, such as DDoS, hack attempts and more.

If the firewall fails to prevent it, and your website is infected with malware, just submit a ticket to get your website cleaned up.

I think Sucuri is definitely a friend you want on your side, if you want to avoid wasting time and money fixing it and submitting for Google Review, not to mention the amount of money you’ve lost due to downtime. If you run an e-commerce site, that could mean thousands of dollars of lost sales. Or if you run a blog, that is also advertising revenue lost.

Anyway, I hope you will check out Sucuri. Setting up Sucuri may get slightly technical with DNS, FTP and what not. If you get Sucuri via my affiliate link, and you need help setting up your Sucuri, just get in touch with me via the comments. I will do my best to help you with it.

Dino
