My client’s website was hacked via an outdated WordPress plugin.

In “Steps to Fix and Prevent a Hacked WordPress Site”, you learned how to fix a client site after a hack. The steps in that blog came from two real-life scenarios, and today we will look more closely at one of them: an outdated plugin that opened the door to hackers.

I’ll explain how the issue was discovered, steps to fix it, and how to be more proactive with your client sites by taking preventative measures.

Discovering the Hack

It’s a common enough scenario for a web developer: The client’s site was launched in late 2013/early 2014 and basically left alone. They only needed a simple site to inform customers and didn’t intend on updating it very often, but found some of the features of WordPress useful. This means they didn’t frequently check the WordPress Dashboard, nor did they want to pay anyone to.

One day in late 2014 (about 11 months later) the client was browsing the site when he noticed a small message in the header advertising Viagra, but only when not logged in. The site had to get fixed before it was flagged for distributing spam by Google or listed on an RBL.

Finding the Script in a WordPress Plugin or Theme

Since the message was appearing in the header of the site, the first step was to find the theme file (header.php) and remove that text. It worked for a short time, but after about 6 hours, it came back. This was a slightly more sophisticated hack then just adding text and leaving; there was a script injected somewhere that would re-add the message if it got removed.

The next step was to basically comb the `/wp-content/` folder, looking for questionable scripts. This could be code you don’t recognize or code placed seemingly at random at the top of a file. WordPress Core could be replaced easily, but the big problem would have been if the site’s custom theme or a custom plugin was compromised, because it would require hours of development to update and secure the code. “Luckily” the location of the hack was a plugin available on the WordPress Plugin Repository – and an update was available.

After updating and replacing any other plugins that were out of date, removing themes and plugins that weren’t used, and scrubbing the custom theme by replacing it with the original, backed up version from launch day, the site was ready to be replaced. This included backing up the whole site and the database, putting up a temporary page, and uploading the clean site.

Preventing a Similar Hack

All-in-all, fixing the compromised site took about 10 hours of work over 2 days. Ultimately, if the site had been kept up through core and plugin updates, this would have been prevented. Another contributing factor was that the hosting company the site utilized did zero monitoring. The client was on a very basic package that left them on their own. Now, however, the client pays someone to keep up the site, making sure that WordPress and plugins are up-to-date and everything is functioning properly. With monitoring of their WordPress plugins and core, and utilizing professionals to help update and manage their site, this client is now secure from future hacks.

Managed WordPress makes it easy. Check out WordPress Without Limits, a managed WordPress solution, with one-click staging, one-click backup restoration, automatic updates, automatic backups, and free SSLs.