Stop the press!!!!

My WordPress blog has been hacked! Well at least I am 99% sure it has anyway. Not sure if anyone else noticed but there has been this in the top left hand corner of the page for god knows how long:

Viagra Order Mail WordPress Hack!

I don’t know how long it has been there* because whenever you are logged into WordPress:

  • You can’t see it because of the logged in/ WordPress account bar at the top
  • I think the code that was hacked in was clever enough to not show this to a logged in user

So anyway just to clear everything up, I am not peddling Viagra as one of my side hustles, and apologies to everyone who has seen this strange message for the last X days/months!

How to fix your blog if you think you’ve been hacked

Luckily it turned out to be quite easy to fix, but I thought it was worth writing a post about it anyway because it might help others out there who are not sure how to proceed! There is a simple and free plug in to use called Wordfence** that we can use to see if any files have changed from the original WordPress versions. Simply follow these steps to check whether you’ve been hacked:

  1. CHANGE YOUR PASSWORD!!! ( Maybe to something more secure than password123 🙂 )
  2. Go to your WordPress Dashboard -> Plugins -> Add New -> Search for “Wordfence”
  3. Hit “Install”
  4. Enter your email adress to receive alerts for any future security breaches
  5. Update all your plug ins and WordPress to the latest versions, then back up all your files, database etc…
  6. Go to the Options tab in Wordfence and make sure the “Scan core files against repository versions for changes” option is ticked, along with “Scan plugin files” and “Scan theme files”
  7. Go back to the Scan tab in Wordfence, then hit “Start a Wordfence Scan”. Wait a minute or two

That’s it! Now there are three possible outcomes…

No warnings, not hacked: If you get no issues or warnings, the chances are you haven’t been hacked, great!

If you have some warnings though, it means some of your php or css files have changed from the orignal ones when you first downloaded WordPress, your plug ins and your theme:

Some warnings, not hacked: If you have even minimal technical knowledge, there is every chance you may have made a few updates to your css files (for the styling of your blog) or the php files (say, to include a plug in or a widget at a certain point on your page, that cannot be configured automatically). So just because files have changed doesn’t mean you have 100% been hacked. You now need to use the file change tool to see whether you can identify whether the file updates are your changes, or from some other malicious source (see below)

Some warnings, hacked: If you are certain that you have never changed any of your files, then unfortunately the chances are that you have been hacked!


Using the Wordfence file change Tool to see if you have been hacked

Warnings in Wordfence look like this:

Check if your wordpress has been hacked with Wordfence

The option you want to click on is “See how the file has changed”. You will then get a screen that looks something like this (click for full size image):

Wordpress hack prevention tools

As you can see in my case here, the one on the right, my current “live” file on my site, has some weird function compared to the left hand file, which is the original one that Wordfence is comparing it to (which I assume is stored in some secure database of WordPress files somewhere). This sort of thing should set alarm bells wringing immediately. The random string of letters you can see actually went on for hundreds, if not thousands of characters, which to get slightly technical for a moment, led me to believe that there is some sort of string decoding thing going on, which then perhaps converts that into javascript code, which gets injected into my site and creates the malevolent Viagra link. In laymen’s terms… they screwed me big time. You B**stards!!!!

Once you are sure you have identified file changes that you haven’t made, all you have to do is hit the “Restore the original version of this file”. You need to be careful here because you don’t want to overwrite any deliberate updates you have made and potentially forgotten about!

After I fixed the 3 files that I identified as not updated by myself, I fixed them, refreshed the site and the Viagra hack has now thankfully gone!


Future hack prevention

Luckily, the Wordfence plugin also provides lot’s of great features for future protection as well, such as protection from hackers trying to brute force your WordPress admin password, blocking of known malicious IP Addresses, plus plenty of others! There are many options to set depending on how secure you want your site to be, but please be sure to read up on the consequences of each one before making things “too secure” as you don’t want to end up blocking genuine users! If you are not 100% sure on what something does, best to just leave it to the default settings.

Sayonara Hackers!

Well that’s it really! I would just like to make it clear that I am not going to turn this blog into one that starts to write more and more blog posts about blogging (there are plenty of those out there already!), but just thought that this post might help people out there!

Finally, if anyone out there thinks they have been hacked and are not sure what files have been updated, please feel free to drop me a line! I am pretty experienced with PHP so should be able to spot any malicious code for you.

Anyone else out there had their blog hacked before? Did you find it easy to sort out or was it the bane of your life!? Let us know your hacking experiences in the comments! Cheers!




*If anyone can tell me how long it has been there I would be very grateful! (Just out of interest really!?)

**There is a premium paid version but the free one looks good enough to do the job, so I’m sticking with that! 🙂