
12 February 2009

Blogging Tips : What if my WordPress Blog Got Hacked with the Google Redirect?

Q&A:
Redwall_hp asks:

BookAdvice.net is a legitimate website, and works fine if you access it directly. However, if you search “bookadvice” on Google or Yahoo, and click the result, you are taken to a bogus site that tries to install a smitfraud-type faux antivirus malware package. The SERP looks perfectly normal, as it should be, but when it’s clicked it doesn’t take you to BookAdvice.net, but to the malware site.

What you described in your question is the (unfortunately) popular hack that places a redirect on a website to divert all or part of its search engine traffic to another website.

This hack is not limited to WordPress blogs, although some months ago a WordPress vulnerability made this a big problem on the platform.

Here is how it works: the hacker gains access to the WordPress control panel or to some specific files (e.g., plugins) on your server. After that he will insert some PHP code in one of the files, create a plugin, or create a fake .jpg image that will function like a plugin.

Once the code or the plugin is in place, whenever someone tries to access your website via a Google search result, he will be directed to another site specified by the hacker (usually a malicious site that will try to install something on the user's computer).

If you want to test for this hack, you simply need to search the name of your site in Google and click on the right result. Then just check if you end up on your site or on another site. It is a good idea to test this for a couple of posts too, and not just with the homepage.

If you find out that you got the hack, here are some steps that you can do to try to fix it:

1. Upgrade Your WordPress Install

The first step is obviously to upgrade WordPress. Older versions have many security holes that make it easier for people to gain access to specific files inside your site or server.

2. Change your passwords

The second step is to change all your passwords. This includes the WordPress admin password, the hosting account password and the FTP password. If you don’t do it already, remember to change the passwords regularly too.

3. Browse your site files via FTP

Log into the FTP account of your site and browse around on all the folders. You will be looking for any file that has a strange name or that looks suspicious. If you have a WordPress blog installed on another site, compare the structure of all the files to make sure they match.

4. Browse your theme files

Log into your WordPress control panel, go to the theme editor, and browse inside all your theme files. Look for lines of code that are not supposed to be there, or that contain PHP code that you don’t recognize.

5. Check your database tables

Some hackers will also upload fake images to your “Uploads” folder and activate them with a plugin call. To detect this you need to open phpMyAdmin, browse the “wp_options” table, and edit the “active_plugins” record. On that record you will see a list of all the plugins that are supposed to be active in your blog. If there is a strange one there named hdjsjekf.jpg, for instance, delete that.

6. Backup!

Backups are your best line of defense. No matter how secure you make your blog install, if someone is determined to break in, he will be able to. If you have backups, however, all you need to do is to put a fresh software installation on your server and restore the backup.

Finally, check also the post titled 3 Must Apply Security Tips for WordPress that I wrote a while ago with some tips that you can use to secure some parts of your WordPress site.
