{"id":700,"date":"2010-04-20T19:09:06","date_gmt":"2010-04-21T03:09:06","guid":{"rendered":"http:\/\/www.artesianmedia.com\/blog\/?p=700"},"modified":"2010-04-20T19:09:47","modified_gmt":"2010-04-21T03:09:47","slug":"how-to-fix-your-hacked-wordpress-blog","status":"publish","type":"post","link":"https:\/\/www.artesianmedia.com\/blog\/how-to-fix-your-hacked-wordpress-blog\/","title":{"rendered":"How to Fix Your Hacked WordPress Blog"},"content":{"rendered":"<h2>A 12-step program to send your out-of-control blog to rehab<\/h2>\n<p>If your blog has been hacked, your first indication is when it starts acting like it\u00e2\u20ac\u2122s in the late stages of particularly noxious drug addiction. Your once mild-mannered blog is a now a nasty Hollywood tart, reeling around, <a href=\"http:\/\/wpblogger.com\/google-cloacking-wordpress-hack.php\" target=\"_blank\">blowing toxic breath in random stranger\u00e2\u20ac\u2122s faces<\/a>, <a href=\"http:\/\/www.blogherald.com\/2010\/04\/06\/cloaking-hack-puts-spam-in-your-wordpress-search-engine-results\/\" target=\"_blank\">accosting people in the street and making depraved sexual suggestions<\/a>, showing up at high-society events and <a href=\"http:\/\/www.wptavern.com\/forum\/troubleshooting\/861-porn-sites-directing-traffic-my-site-help.html\" target=\"_blank\">flashing its naughty bits<\/a>, and letting complete strangers <a href=\"http:\/\/www.pearsonified.com\/2010\/04\/wordpress-pharma-hack.php\">fondle its database and cram noxious javascript code into its secret places.<\/a><\/p>\n<p>Disgusting!<\/p>\n<p>At this point, you can either choose to slaughter and revive your blog (i.e. delete everything and do a clean re-install), or roll up your sleeves and start hunting down the rogue bits of code that are turning your blog into Britney\/Lindsay\/Paris. <strong>No matter what, you should <a href=\"http:\/\/wordpress.org\/extend\/plugins\/wp-db-backup\/\">back up your WordPress blog by using the WP-DB-Backup plugin<\/a>. <\/strong><\/p>\n<p>However, there is no guarantee that even if you go for the nuclear option, that the virus snippets won&#8217;t have wormed there way somewhere into your database, and will just pop up again (which is what they did to me &#8211; repeatedly) when you restore from the backup. This is why I reluctantly armed myself with some PHP manuals and started digging around in the guts of my blog.<\/p>\n<p>If your blog has been infected for a while, it may have already affected your Google page rankings; in some of the links above, you&#8217;ll see that they started getting de-listed by Google because they looked to the bots like pr0n0 spammers. It can take quite a while to recover from that; the whole thing reminded me so much of the by-now ubiquitous Hollywood paradigm of getting clean &amp; sober that I broke it down into<a href=\"http:\/\/en.wikipedia.org\/wiki\/Twelve-step_program\"> a 12-step program.<\/a><\/p>\n<p><strong>Step 1: Realize that we have a problem; then admit that we are powerless over what our blog is doing, and that is has become unmanageable<\/strong><\/p>\n<p>The first notice I got that some of the WordPress blogs that I use (and administer for others) had been hacked was when this strange code started showing up in the permalinks.<\/p>\n<p style=\"text-align: center;\">\n<div id=\"attachment_703\" style=\"width: 579px\" class=\"wp-caption aligncenter\"><a rel=\"shadowbox\" href=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/bad-code-in-permalinks.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-703\" class=\"size-full wp-image-703 lazyload\" title=\"bad code in permalinks\" data-src=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/bad-code-in-permalinks.jpg\" alt=\"\" width=\"569\" height=\"50\" data-srcset=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/bad-code-in-permalinks.jpg 569w, https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/bad-code-in-permalinks-300x26.jpg 300w\" data-sizes=\"(max-width: 569px) 100vw, 569px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 569px; --smush-placeholder-aspect-ratio: 569\/50;\" \/><\/a><p id=\"caption-attachment-703\" class=\"wp-caption-text\">Kinda strange, right? Looks at first glance like some little bug with the extended permalinks function...<\/p><\/div>\n<p>xxxx<\/p>\n<p>Usually, when you choose long permalinks, that\u00e2\u20ac\u2122s to give Google\u00e2\u20ac\u2122s bots the chance to find &amp; index your content correctly.\u00c2\u00a0 But no prob, I thought: just go on in to Edit Post mode, and delete the code and re-save it.<\/p>\n<p>Curious. I saved it with the real permalink and it turned up with some strange gobbledygood at the end anyway. Wonder if that\u00e2\u20ac\u2122s having any kind of effect on the blog. Better check it in Google Reader.<\/p>\n<p><strong>Step 2: Come to believe that we are going to have to take serious action to restore the blog to sanity<\/strong><\/p>\n<p>Holy Sh-Nikes! Where did this come from?<\/p>\n<p><a rel=\"shadowbox\" href=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/still-hacked-RSS-spam2.jpg\"><\/a><\/p>\n<div id=\"attachment_704\" style=\"width: 664px\" class=\"wp-caption aligncenter\"><a rel=\"shadowbox\" href=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/still-hacked-RSS-spam.jpg\" target=\"_blank\"><img decoding=\"async\" aria-describedby=\"caption-attachment-704\" class=\"size-full wp-image-704 lazyload\" title=\"blog_hacked-RSS_spam\" data-src=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/still-hacked-RSS-spam.jpg\" alt=\"\" width=\"654\" height=\"164\" data-srcset=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/still-hacked-RSS-spam.jpg 876w, https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/still-hacked-RSS-spam-300x75.jpg 300w\" data-sizes=\"(max-width: 654px) 100vw, 654px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 654px; --smush-placeholder-aspect-ratio: 654\/164;\" \/><\/a><p id=\"caption-attachment-704\" class=\"wp-caption-text\">Man, you never want to see this associated with your blog. This is screaming sirens, flashing lights, all spelling out &quot;VIRUS ALERT!&quot;<\/p><\/div>\n<p>If you don&#8217;t get a jolt of adrenaline at seeing something like this where your blog contents are supposed to be, you don&#8217;t understand the gravity of the situation. This kind of pharmaspam is absolutely deadly; it usually comes from Eastern European hackers, and it means that the infection is serious.<\/p>\n<p><strong>Step 3: Made a decision to appeal to the higher powers \u00e2\u20ac\u201c Google (and <a href=\"http:\/\/codex.wordpress.org\/FAQ_My_site_was_hacked\" target=\"_blank\">the WordPress codex, as we understand it) to find the answers<\/a><\/strong><\/p>\n<p>One of the first things that I found was a long thread about how hackers register themselves as users.<\/p>\n<div id=\"attachment_729\" style=\"width: 423px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-729\" class=\"size-full wp-image-729 lazyload\" title=\"Sparsely-users\" data-src=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Sparsely-users.jpg\" alt=\"\" width=\"413\" height=\"114\" data-srcset=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Sparsely-users.jpg 413w, https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Sparsely-users-300x82.jpg 300w\" data-sizes=\"(max-width: 413px) 100vw, 413px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 413px; --smush-placeholder-aspect-ratio: 413\/114;\" \/><p id=\"caption-attachment-729\" class=\"wp-caption-text\">Sure enough, look at the number of users. Also look at the number of admins.<\/p><\/div>\n<p><strong>Step 4: Made a searching and fearless inventory of the renegade users<\/strong><\/p>\n<p>I went through page after page, hoping that I would be able to figure out which were the responsible, decent users, and which ones were the identities of the various spambots that were using my blog like a passed-out sorority girl in Satan&#8217;s frat house.<\/p>\n<p><a href=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Look-for-email-addresses.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-731 lazyload\" title=\"Look for email addresses\" data-src=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Look-for-email-addresses.jpg\" alt=\"\" width=\"631\" height=\"27\" data-srcset=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Look-for-email-addresses.jpg 957w, https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Look-for-email-addresses-300x12.jpg 300w\" data-sizes=\"(max-width: 631px) 100vw, 631px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 631px; --smush-placeholder-aspect-ratio: 631\/27;\" \/><\/a>A lot of them were easy to spot &#8211; they had the various names for the erectile dysfunction drugs as their &#8220;@blahblah&#8221; addresses.<\/p>\n<p><strong>5. Admitted to ourselves that we had been remiss in updating the blog<\/strong><\/p>\n<p>OK. I admit it. I was afraid to update the blogs because we&#8217;d installed some customized plugins, and I didn&#8217;t want to have to futz with them if they broke. Saved some real time, eh? Now I was spending hours going through my blog(s) trying to figure out what had happened.<\/p>\n<p><a href=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Upgrading-WordPress.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-732 lazyload\" title=\"Upgrading WordPress\" data-src=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Upgrading-WordPress.jpg\" alt=\"\" width=\"483\" height=\"273\" data-srcset=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Upgrading-WordPress.jpg 483w, https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/Upgrading-WordPress-300x169.jpg 300w\" data-sizes=\"(max-width: 483px) 100vw, 483px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 483px; --smush-placeholder-aspect-ratio: 483\/273;\" \/><\/a>As you can see, I started this whole process back when WordPress was still at revision 2.8.4.\u00c2\u00a0 Oh, the shame!<\/p>\n<p><strong>6. Became entirely ready to get rid of these freeloaders<\/strong><\/p>\n<div id=\"attachment_733\" style=\"width: 378px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/deleting-bad-users.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-733\" class=\"size-full wp-image-733 lazyload\" title=\"deleting bad users\" data-src=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/deleting-bad-users.jpg\" alt=\"\" width=\"368\" height=\"606\" data-srcset=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/deleting-bad-users.jpg 368w, https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/deleting-bad-users-182x300.jpg 182w\" data-sizes=\"(max-width: 368px) 100vw, 368px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 368px; --smush-placeholder-aspect-ratio: 368\/606;\" \/><\/a><p id=\"caption-attachment-733\" class=\"wp-caption-text\">Cry havoc! And set loose the delete function!<\/p><\/div>\n<p><strong>7. Ruthlessly removed the false admins<\/strong><\/p>\n<div id=\"attachment_735\" style=\"width: 673px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/the-culprits-hiding-at-Z.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-735\" class=\"size-full wp-image-735 lazyload\" title=\"the culprits - hiding at Z\" data-src=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/the-culprits-hiding-at-Z.jpg\" alt=\"\" width=\"663\" height=\"89\" data-srcset=\"https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/the-culprits-hiding-at-Z.jpg 915w, https:\/\/www.artesianmedia.com\/blog\/wp-content\/uploads\/2010\/04\/the-culprits-hiding-at-Z-300x40.jpg 300w\" data-sizes=\"(max-width: 663px) 100vw, 663px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 663px; --smush-placeholder-aspect-ratio: 663\/89;\" \/><\/a><p id=\"caption-attachment-735\" class=\"wp-caption-text\">These were where the hackers put their admin identities. All the way down at Z, where I had to trudge through hours of checking and deleting the other users to get to them. While I was in here, the hackers were trying to get back in to add more users. It was a race to see who was faster...<\/p><\/div>\n<p>I couldn&#8217;t believe that the hackers were trying to add more users to the pile, to slow me down. I managed to delete enough of them to get down to the Z&#8217;s, where their admin identities were hidden. And then I deleted those. Success!<\/p>\n<p>&#8230;or so I thought.<\/p>\n<p>CONTINUED IN PART 2&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A 12-step program to send your out-of-control blog to rehab If your blog has been hacked, your first indication is when it starts acting like it\u00e2\u20ac\u2122s in the late stages of particularly noxious drug addiction. Your once mild-mannered blog is a now a nasty Hollywood tart, reeling around, blowing toxic breath in random stranger\u00e2\u20ac\u2122s faces, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","wds_primary_category":0,"footnotes":""},"categories":[7,6],"tags":[851,850],"class_list":["post-700","post","type-post","status-publish","format-standard","hentry","category-blogging","category-blogs","tag-blogging","tag-blogs"],"_links":{"self":[{"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/posts\/700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/comments?post=700"}],"version-history":[{"count":0,"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/posts\/700\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/media?parent=700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/categories?post=700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.artesianmedia.com\/blog\/wp-json\/wp\/v2\/tags?post=700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}