WordPress sites attacked by iFrame hack

The Problem:

Recently, one of our (WordPress) websites was compromised by an unknown assailant.

During a typical day at BoastingBiZ, our development team was performing routine maintenance on one of our websites and noticed a grayish/white bar that went across the screen at the bottom of the home page (just beneath the footer). After further research, this “Mystery” bar was found throughout the entire site. On the left-hand side of this bar were 3 microscopic characters that appeared to be the letter “F”. Our team went ahead and viewed the source code of the page to identify where this line was generated from. They didn’t find anything in the code that would cause this to appear! NOT GOOD!!! This was our initial indication that we had a problem.

Over in our SEO Services department, our guys noticed that this same site was cached by Google at about the same time this “Mystery” bar was detected. Lucky us right?!? WRONG!! Now, when we perform a Google search for our company name, the search results for our web pages show a message underneath our description tag that reads:

“Warning: Visiting this site may harm your computer”

Our team immediately went into COMBAT Mode! We had no idea WHO, WHAT, WHY, WHEN and HOW this could have occurred. What we did know was that our website was in perfect working condition throughout the day and was also in good standing with Google up until around 4:00pm that afternoon. We also knew that Google last indexed our site about a week prior. Something happened, and whatever it was, it happened recently!

Immediately, we had a meeting with all technical department heads. During this meeting, we discussed each and every detail of the work performed on the site through the past week. Perhaps it was a newly installed plugin, we thought. Or maybe it was caused by a new update that WordPress rolled out? It could have been either of these, if not a combination. Being that this issue was isolated to just ONE site, we knew it was not an attack on our server. Which was a relief to know!

In situations like this, we utilize a website that provides access to a set of tools which identify if a site has been infected with malware or has been blacklisted. Bookmark this link for future use: http://sitecheck.sucuri.net/scanner/

About 10 seconds after entering the URL, we received the Search Engine Optimization answers we were seeking! We identified “What” and “Where” the issue was in the click of a button. Then we knew exactly how we were going to fix the problem, but we did not know how we were going to prevent it from happening again. Well, we did some digging and came across the fix. See step 6 below for details.

Somehow, a Hacker-Jack was able to modify a JavaScript file within our site and inject malware. But rest assured, there is a way to add the necessary layers of protection! Follow the steps below to make sure your site is protected…

The Solution:

1. Make sure that the Database and Tables of your WordPress site are backed-up daily, weekly, or even monthly. Daily back-ups are HIGHLY RECOMMENDED so that you will not lose too much data in the event of a catastrophe (i.e. Blog Comments, etc.).

**Back-ups can be performed on the server level or directly onto your local machine via FTP or SFTP.

2. Make sure that your HTML & JavaScript files are also backed-up daily, weekly, or even monthly. Again, “daily” is HIGHLY RECOMMENDED.

3. Make sure to set up your website in Google Webmaster Tools. If your site is not already set up here, please click the following link to set up your FREE Webmaster account with Google. www.google.com/webmasters/tools/

4. Identify the INFECTED file and its location using: http://sitecheck.sucuri.net/scanner/

5. Log into your site via FTP or SFTP and replace the infected file with your stored BACK-UP version.

6. Modify the permissions of your website’s “Files” & “Directories” based on the following instructions provided by WordPress.org: http://codex.wordpress.org/Changing_File_Permissions
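An added example (not code from the original post) covering steps 4 to 6: it compares the live site tree with the stored backup by SHA-256 to list modified or new files, then flags anything more permissive than 755 for directories and 644 for files, the baseline given on the WordPress.org permissions page. The function names, the `js/site.js` path and the sample trees are constructed for illustration.

```python
import hashlib, os, pathlib, stat, tempfile
# Baseline from the WordPress.org file-permissions page: directories 755, files 644.
DIR_MODE, FILE_MODE = 0o755, 0o644

def sha256(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def entries(root):
    """Yield (relative path, full path, is_dir) under root, skipping symlinks."""
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(base, name)
            if not os.path.islink(full):
                yield os.path.relpath(full, root), full, os.path.isdir(full)

def diff_against_backup(live, backup):
    """Steps 4-5: live files that differ from, or are absent in, the backup."""
    changed, added = [], []
    for rel, full, is_dir in entries(live):
        ref = os.path.join(backup, rel)
        if not is_dir and not os.path.isfile(ref):
            added.append(rel)      # file the backup never contained
        elif not is_dir and sha256(full) != sha256(ref):
            changed.append(rel)    # content modified since the backup
    return sorted(changed), sorted(added)

def loose_permissions(live, fix=False):
    """Step 6: entries more permissive than the baseline; optionally reset them."""
    found = []
    for rel, full, is_dir in entries(live):
        mode, allowed = stat.S_IMODE(os.stat(full).st_mode), DIR_MODE if is_dir else FILE_MODE
        if mode & ~allowed:        # any permission bit outside the baseline
            found.append((rel, oct(mode)))
            if fix:
                os.chmod(full, allowed)
    return sorted(found)

def demo():
    """Constructed sample: a clean backup tree and a tampered, over-permissive live tree."""
    root = tempfile.mkdtemp()
    for tree, body in (("backup", b"init();\n"), ("live", b"init();\n/* injected line */\n")):
        os.makedirs(os.path.join(root, tree, "js"))
        pathlib.Path(root, tree, "js", "site.js").write_bytes(body)
    live, backup = os.path.join(root, "live"), os.path.join(root, "backup")
    os.chmod(os.path.join(live, "js", "site.js"), 0o666)  # world-writable file
    os.chmod(os.path.join(live, "js"), 0o777)             # world-writable directory
    return diff_against_backup(live, backup), loose_permissions(live, fix=True), loose_permissions(live)
if __name__ == "__main__":
    print(demo())
```

Run `diff_against_backup` before restoring files in step 5 so the list of altered paths is kept for the review request, and run `loose_permissions` with `fix=False` first to see what would change.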

Great Job! Now you’ve added an additional layer of protection to your site! This was the first phase. The next phase only applies in the event that Google indexed the pages of your website after the malware was uploaded.

Once you’ve finished securing your site, you must request that the warning be removed from the Google listings by visiting:

http://www.google.com/support/webmasters/bin/answer.py?answer=168328

At this point, you will be able to request a review of your website and explain what happened to the “Google Gods”. You will also need to explain the steps you took to correct the issue. Typically, if Google indexes your site after you have been hacked, they will notify you of the situation via email and provide you with info on how to request a review. If your site is no longer harmful to its visitors, Google will remove the warning and you will no longer be a “Google Blacklisted” site!

If you’ve run into a similar situation, feel free to leave a Question/Comment/Feedback – We would be happy to provide any assistance we can!

Written By: Bryan Loconto