I had a client contact me recently because her host had said she was hacked. I set to work on her site, cleaning it and transferring it to a new hosting account. In the meantime, she received another notice from her host. This one said:
The compromised files detected are:
The malicious code detected is similar to:
Files with the following contents or MD5SUMs, which contain malicious code:
Of course, she had no idea what that meant, so she passed it on to me. Although I had already moved what I needed off the server, I was curious to see what was going on. So I logged into her original hosting account and found these:
These directories and files are a clear indication of being hacked. Each directory had a list of files like the image above, or a single xml sitemap file that linked to those files. Inspecting one of the files told me this is the content it was displaying:
Being the scientist that I am, I ran a scan on the site with 2 different popular site scanners out of curiosity. Both only mentioned 3 outdated plugins and not a single word about all the spam html files. None of the notices from the hosting company mentioned them either. In fact, there were no real indicators to tip the client off that there was a problem, and this had been silently building for some time.
Why are these files harmful?
In addition to being a symptom of the hosting account being compromised, this is what comes up for my client’s results on Google site search:
About half of the links going to her domain on Google were for these junk links. What does that mean for her and her legitimate web site?
- She could have her hosting account suspended for exceeding resources or bandwidth with the unintentional traffic.
- She could have her search listings restricted or removed from Google.
- She could be blocked from Google traffic or in the browser for the spam content / junk links.
- She could start exceeding the filespace on her hosting with all of these files, causing her account to shut down or to lose data.
This problem also doesn’t stop with her current site. She is looking into redesigning her site this summer, and this problem would have continued on to the new site had I not stepped in to fix it.
What can be done?
I see a lot of people offering service packages in WordPress where everything is automated — automated moves, automated security, automated updates. In my opinion, however, it is not enough. The automated scans and services are only looking at specific files, not the entire situation as a whole. If you have been hacked, you need someone who knows what they are looking for to really look at the whole picture. Here are some examples of what I have found when I do just that:
- Outdated, unused installs (some of which the client didn’t even know were there!)
- Hacks outside the WordPress file structure.
- Scripts sending out spam on the server.
- Junk or spam files.
- Hacks in other installs (which can come back and re-infect a site the client has just cleaned!)
- Problems that should be dealt with for security or performance reasons.
- File buildup that should be removed for security and performance reasons.
- Damaged or hacked backup files.
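A starting point for the kind of manual filesystem check this list describes, as an added example that is not from the original post: it assumes a standard WordPress layout (wp-admin, wp-includes, wp-content) and looks for the junk-page pattern above, a directory stuffed with .html files carrying its own sitemap, plus PHP files sitting where a stock install would not put them. The sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example, not the post's own tooling. Usage: make_sample_tree DIR; then
# run the three find_* functions against DIR (or a real document root).

# Directories outside wp-* holding at least THRESHOLD (default 20) .html files:
# the "page farm" pattern described in the post.
find_html_farms() {
  root="$1"; threshold="${2:-20}"
  find "$root" -type f -name '*.html' \
      ! -path "$root/wp-admin/*" ! -path "$root/wp-includes/*" ! -path "$root/wp-content/*" \
    | sed 's#/[^/]*$##' | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# PHP files outside the three WordPress directories. A stock install keeps only
# index.php, wp-*.php and xmlrpc.php there; anything else deserves a look.
find_stray_php() {
  root="$1"
  find "$root" -type f -name '*.php' \
      ! -path "$root/wp-admin/*" ! -path "$root/wp-includes/*" ! -path "$root/wp-content/*" \
      ! -name 'index.php' ! -name 'wp-*.php' ! -name 'xmlrpc.php'
}

# Sitemap XML files anywhere below the document root. Sitemap plugins write to
# the root itself; the spam directories in the post each carried their own.
find_stray_sitemaps() {
  root="$1"
  find "$root" -mindepth 2 -type f -iname 'sitemap*.xml'
}

# Constructed sample: a minimal WordPress-like tree plus one junk directory
# ("cheap-shoes" is a made-up name) so the checks can be exercised offline.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads" "$root/cheap-shoes"
  : > "$root/index.php"; : > "$root/wp-login.php"; : > "$root/xmlrpc.php"
  : > "$root/wp-content/uploads/photo.jpg"
  i=0; while [ "$i" -lt 25 ]; do : > "$root/cheap-shoes/page$i.html"; i=$((i+1)); done
  : > "$root/cheap-shoes/sitemap.xml"
  : > "$root/cheap-shoes/mailer.php"
}
```

Paths containing spaces would confuse the `uniq -c | awk` step in find_html_farms; on a real account run it from the document root and review the output by hand rather than feeding it to another script.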
Now, I’m not saying your little site needs constant, daily monitoring. For smaller traffic sites, you are probably okay with an annual or semi-annual security audit. For larger sites, you may consider fully managed hosting or a regular maintenance package. Just don’t let it keep going, year after year, without ever looking at your files and security.
And if you have someone maintaining your site now, please don’t hesitate to ask that person if they are doing periodic manual checks of your filesystems. I recently fixed a bad 3-site hack of someone who thought she was doing all the right things by paying for WordPress maintenance. As it turned out, her package was fully automated and not running with any manual oversight. She ended up blind-sided by a hack too. The same goes for hosting packages that provide automated updates. If you don’t have an actual human checking into things from time to time, they can go very bad and you won’t even see it coming.