I’ve just come into the office to discover that a client’s WordPress site has been hacked. What made this one a bit different from what I’ve seen before is that this one didn’t completely take over the website and wasn’t immediately apparent from just viewing the site.
So how was this found? The client told me that their image slider on their home page stopped working a couple of days ago, and they asked me if I could have a look at it and see why. This led me to see that there were JavaScript errors that shouldn’t have been there. The strange part was that the errors were mostly in the core JavaScript files.
This threw up a lot of red flags because that just should not happen. So I looked at the JavaScript files and found the code that the exploit had added to them. Now I knew what I was dealing with and what I needed to get rid of. I downloaded the entire site and did about ten searches for the different parts of the exploit code that I could find, and removed it all. From there I was going to upload the site again, but I noticed that the exploit had been able to change the file permissions for a lot of files. I mean a lot… all of the JavaScript and most of the HTML/PHP files as well as a lot of folders were all set as globally writeable. After I saw that, I decided to take a much more cautious approach and delete every file on the site, and re-upload it all from my cleansed files.
This seems to have worked. The site is now clean, and the offending files are no longer being infected. All up this did take about 3 hours to do, and that was only because I got lucky with finding what to look for.
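The two checks described above (searching a copy of the site for fragments of the injected code, and spotting files and folders left globally writeable) can be scripted. This is an added example, not code from the original post; the marker strings are constructed placeholders to be replaced with fragments copied from the code actually found, and the file names in the sample tree are made up. It assumes the copy being scanned has kept its Unix permission bits.

```python
import os
import stat
import tempfile

# Constructed placeholders: replace with fragments of the injected code you found.
MARKERS = [b"EXAMPLE_INJECTED_FRAGMENT_1", b"EXAMPLE_INJECTED_FRAGMENT_2"]
SCAN_EXT = (".js", ".php", ".html", ".htm")

def audit_site(root, markers=MARKERS):
    """Return (world-writable paths, {file: markers found}) for a site copy."""
    world_writable, infected = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:  # "other" write bit set
                world_writable.append(rel)
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(SCAN_EXT):
                with open(path, "rb") as fh:
                    data = fh.read()
                hits = [m.decode(errors="replace") for m in markers if m in data]
                if hits:
                    infected[rel] = hits
    return sorted(world_writable), infected

def demo():
    """Build a small constructed site tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "wp-includes", "js")
        os.makedirs(js_dir)
        os.chmod(os.path.join(root, "wp-includes"), 0o755)
        os.chmod(js_dir, 0o777)  # folder left world-writable
        for name, body, mode in (
                ("clean.js", "console.log('ok');\n", 0o644),
                ("slider.js", "var a=1;/*EXAMPLE_INJECTED_FRAGMENT_1*/\n", 0o666)):
            path = os.path.join(js_dir, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_site(root)

if __name__ == "__main__":
    writable, infected = demo()
    print("world-writable:", writable)
    print("marker hits:", infected)
```

A clean result only means none of the listed fragments were found, so a restore from known-good files is still the safer path when permissions have been changed this widely.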
As always, this is another example of why you always need to keep on top of your WordPress sites, and always ensure that you apply any updates as soon as possible.
You don’t want it to be your site that’s down.