Before I start, this article comes with a disclaimer:
This was the first hacked website that I had to recover, and I did not follow best practice, even though what I did was ultimately successful. You can copy what I did if you wish, but there are better ways to do it – check out the WordPress support site for more information. To be honest, I think the only reason I got away with it is because Ellison Place is just a simple blog – no fancy code or scripts anywhere, and I think at the time there weren’t even any plugins installed on it.
A sad tale of a hacked WordPress blog
ellisonplace.co.uk (note the missing hyphen – more on that later!) was owned by a very good friend of mine who used it to document her local history research. It had been set up for her in 2011 by another friend of hers. She came to me back in 2014 after a period of two years when, because of some very sad family problems, she had been unable to keep her site up to date. She had decided the time was right to pick up her research again, but when she looked at her site it was full of malicious links to various sites purporting to sell a popular pharmaceutical product.
Step 1 – get rid of the malicious links
My first attempt at cleaning it up (oh boy, did I have a lot to learn!) was simply to go into the posts and pages and remove all of the nasty links, and that worked. For about a day. Then, of course, they all came straight back.
Step 2 – update WordPress, the theme and the plugins
It was then that I realised that maybe there was a problem with the site security – which there was, but again, that wasn’t an end to it. Because my friend had neglected her site for so long the theme (TwentyTen) was horribly out of date, as was WordPress itself. So I updated the theme, and the couple of plugins she had, and WordPress.
Step 3 – add some security
And for good measure I installed Wordfence and a Captcha plugin to restrict access to her login screen and comments boxes, and of course changed all the login details and passwords. And then I got rid of the links again.
All was hunky-dory – for about another day, then they all came back again!
Step 4 – find the root cause
It was at this point that I realised that the hackers must have placed some malicious code on the site that was just putting these links back as fast as I could take them away.
I now know that finding that code should have been my first step.
Not just a hacked site, but a blacklisted one too!
The next thing to happen in this little tale of woe was that I decided (I can’t remember why) to google Ellison Place, but, surprise surprise, I couldn’t find it anywhere. So I did a site:ellisonplace.co.uk (note the still missing hyphen), and again nothing came up, even though I knew the site was up and live.
A bit of research told me that this meant that Google had blacklisted the site.
Step 5 – don’t be afraid to get help from someone who knows more than you do
So at this point I was faced with having to find the malicious code, then get the site unblacklisted. Given that this was my first encounter with a hacked website, I was well out of my depth, so I consulted with my friend, colleague and supergeek, Graham Robinson. Between us we came up with two options:
- find the malicious code, clean the site (again) and try to get it unblacklisted, or
- speak to the site owner to see if she would be amenable to a change of domain name.
Step 6 – move the site to a new domain (not normally recommended)
Option 2 is not normally one I would suggest as a change in domain name means you lose all of your search engine juice, but given that this site didn’t have any, and most of the followers had lost interest as it had been untouched for such a long time, we all felt that this was the best and quickest option.
A happy ending to our sad tale
So that’s what we did, and ellison-place.co.uk (note the hyphen!) was born. I obviously had to remove the nasty links again before copying all the posts across, but the new site is now clean, secure, updated regularly, and it hasn’t been hacked since.
So what is the moral of the tale?
If you do nothing else, keep your site themes, plugins and core files up to date. And if you don’t have time to do it, then it’s worth paying someone else to do it for you – someone like me!