This site has been blacklisted by Google in the past because it has been hacked into and malware deposited. Here are the changes I’ve made and the tools I’ve found helpful when this happens.
I’m using 1and1 for hosting and am suspicious about access to my account there.
Confirm the Problem
There are a couple of quick ways to confirm that the site is infected.
Use Chrome to attempt to browse to your site. If Google has determined that your site is infected, you’ll see a warning page. Use the Sucuri tool to scan your site; it will tell you not only whether there is malware but also which files are infected. Save the results of this scan. Also try the Google Safe Browsing diagnostic to see if it reports your site as having malware.
We’ll be coming back to these tools to re-test the site.
- Change the passwords (ssh, ftp, etc) for your host accounts that have access to the WordPress site
- Login to your WordPress site as admin
- Change the admin password
- Remove any unused accounts
- Update to the latest WordPress release
- Download the original sources for the plugins, themes and includes and replace the infected files
- As you replace each script, use the Redleg File Viewer tool, which will show you if the file is still infected. This tool is also useful for seeing where the infected script is redirecting your users.
- Generate a random password and change your MySQL database password, both in your hosting provider’s MySQL admin screen and in the DB_PASSWORD line of the wp-config.php script.
Full Clean-Up Steps
- Visit the WordPress key generator to obtain a new random set of keys, then overwrite the values in your wp-config.php file with the new ones.
- Re-import the database (after checking that it was safe) and reinstall themes and plugins from scratch
- Compare the old and new .htaccess and wp-config.php files. Use the old ones only if you recognize everything in them.
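
One way to support the file replacement and comparison steps above, as an added example rather than code from the original post: it hashes a freshly downloaded clean copy and the live site tree, then reports which live files differ from the originals, which are not in the clean copy at all, and which (.htaccess, wp-config.php) have to be compared by hand. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific files absent from a clean download; compare these by hand.
REVIEW_BY_HAND = {".htaccess", "wp-config.php"}

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in Path(root).rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Classify live files against a freshly downloaded clean copy."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    report = {"modified": [], "unexpected": [], "review": [],
              "missing": sorted(set(clean) - set(live))}
    for rel, digest in sorted(live.items()):
        if Path(rel).name in REVIEW_BY_HAND:
            report["review"].append(rel)
        elif rel not in clean:
            report["unexpected"].append(rel)  # not part of the clean release
        elif clean[rel] != digest:
            report["modified"].append(rel)    # differs from the original source
    return report

def build_demo(base):
    """Constructed sample trees standing in for a clean download and a live site."""
    clean, live = Path(base, "clean"), Path(base, "live")
    files = {"index.php": "<?php // loader", "wp-includes/version.php": "<?php // v"}
    for root in (clean, live):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (live / "index.php").write_text("<?php // loader plus injected line")
    (live / "wp-includes/cache.php").write_text("<?php // not in the release")
    (live / ".htaccess").write_text("# site rules")
    return clean, live

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_trees(*build_demo(tmp)))
```

The clean tree should contain the same WordPress release, plugins and themes as the live site. Uploaded media will be listed as unexpected because it is not part of any download, so read that list rather than deleting from it blindly.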
Confirm The Infection Has Been Removed
You can use the same tools described at the beginning to confirm that the infection has been removed, but you’ll probably find that the information has been cached. The Redleg File Viewer tool will work.
Getting Google to De-list Your Site
When your site is clean, you’ll want Google to rescan it to remove it from their list of infected sites. They provide help on what to do here.
I also found Unmasked Parasites to be helpful in explaining the Google process.
The popular Timthumb image cropping tool has had many security exploits. The Timthumb Vulnerability Scanner plugin checks for these vulnerabilities and corrects them if you want. Scans are run daily (unless you disable them via the options link on the scanner page) via wp-cron. An immediate scan can be run under the WP Tools menu. I’ve found this to be very useful.
The WP Security Scan, also by WebsiteDefender, scans your site for security vulnerabilities and suggests corrective actions. It adds a WP Security menu item to the bottom of the WordPress menu with the scan information.
The WordPress File Monitor Plus Plugin is a fork of the original version that was not being updated. It has a good configuration page to set the monitor interval and a few other options and I like the Perform Scan Now option. It has had 6,700 downloads, 12 ratings for 4.75 stars and was last updated in June 2011.
The WP MalWatch Plugin runs once per night. There isn’t a configuration page (just access to the PHP scripts) and no ability to run the scan now. It uses a dashboard widget to report issues (not sure if it will send an email). The documentation talks a lot about monitoring the .htaccess file. As of this writing there are 25,000 downloads and 12 ratings averaging 4.5 stars, and it was last updated Sept 2010.
You’ll also find a good post on this topic from July 2010 by Jeff Starr.