A new client hired me to fix what they thought was an SEO issue with their WordPress website. Shortly thereafter, I discovered that their website had been hacked. Here’s what I did to fix the problem and prevent it from happening again.
Why It Looked Like an SEO Issue
After clicking on a link that pointed to my client’s website via Google’s search results page, visitors were redirected to a strange website. Therefore, it was quite logical to assume that the issue was on Google’s end.
However, I soon realized that the links on Google’s search results pages were, not surprisingly, legitimate— i.e., the underlying HTML code did in fact point to my client’s domain.
Nope— Your Website Was Hacked!
Once I confirmed that the issue was not on Google’s end, I reviewed my client’s .htaccess file— a configuration file used by Apache web server software that, among other things, can be used to redirect traffic from one website and/or page to another.
For example, if you change your domain name or remove a page from your website, your web developer may include instructions in this file to transparently redirect visitors (including search engine robots) to the new domain and/or web page. But in this case, the .htaccess file was clean.
Multiple malware scans of their website also turned up nothing.
Ultimately, I discovered that a hacker had injected the redirection code into my client’s WordPress configuration file (wp-config.php). However, the redirection code was disguised using the PHP language’s built-in “base64 encoding/decoding”.
In other words, the malicious code looked something like:
… only, about 100 times longer. After I removed the malicious code, the redirects stopped.
I changed all WordPress and FTP passwords, and then updated their WordPress and plugin software. I should also mention that I found evidence of additional but unrelated tampering with other files within their website, which led me to remove the hacked code and recommend additional precautionary measures.
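One way to look for this kind of hidden code, as an added example that is not part of the original article: the Python script below flags long base64 string literals in PHP files, decodes them, and notes whether the decoded text looks like a redirect. The function names, the 40-character threshold and the sample wp-config.php content are assumptions constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Quoted base64 literals of 40+ characters (assumed threshold; short tokens are skipped).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
# PHP functions commonly used to decode or run hidden code.
DECODER_CALL = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)
# Text that suggests the decoded content performs a redirect.
REDIRECT_HINT = re.compile(r"location\s*:|http-equiv|window\.location", re.I)


def scan_php_source(source):
    """Return one finding per long base64 literal that decodes to UTF-8 text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in B64_LITERAL.finditer(line):
            try:
                decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                continue
            findings.append({
                "line": lineno,
                "decoder_call": bool(DECODER_CALL.search(line)),
                "redirect_hint": bool(REDIRECT_HINT.search(decoded)),
                "decoded_preview": decoded[:80],
            })
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*.php"):
        if hits := scan_php_source(path.read_text(errors="replace")):
            results[str(path)] = hits
    return results


# Constructed sample: a wp-config.php-like file with one injected line.
_payload = base64.b64encode(b'header("Location: https://example.invalid/");').decode()
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    f"eval(base64_decode('{_payload}'));\n"
)

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_WP_CONFIG))
```

Run `scan_tree()` against a copy of the site's files and review every hit by hand, since legitimate plugins and themes also embed base64 data.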
Hardening Your WordPress Website: The Basics
WordPress is a very powerful content management system. But like an automobile, it must be maintained.
- At the very least, stay on top of your WordPress and plugin updates to make it more difficult for hackers to break into your website.
- Avoid the use of common WordPress login names such as “admin” and “yourdomainname”.
- Use a password management app such as 1Password or LastPass to help you generate, store, and use complex passwords for your FTP and WordPress logins (the kind you can’t easily remember).
- Host your WordPress website with a company that takes security very seriously (e.g., Media Temple or WP Engine). They’ll proactively disable plugins that are deemed to be a security threat to you and other customers. In other words, avoid budget hosting companies.
Beyond the Basics
In a future article, I’ll introduce you to a plugin that I also used to make my client’s WordPress website more secure, called iThemes Security Pro. This plugin allows me to monitor login activity and block suspicious login attempts. It also provides a list of recommendations specific to the website that can/should be fixed. And, among many other things, it enables two-factor authentication when logging in to your WordPress dashboard (your login name + your password + a dynamic code generated every 30 seconds by Google’s authenticator app— available for both Android and iPhone).