Was Your WordPress Website Hacked?

WordPress Malware Removal: Fixing a Hacked Website

by Adam Watts

If your WordPress website has been hacked, simply clearing off the malware isn't enough. Hackers have your number and they'll keep on getting in through your broken code until you fix it. I've put together this short (haha) list of steps to go through in fixing and properly securing a WordPress website after being hit by an attack:

It should be noted that many of these steps will require access to your hosting account's control panel. Programming experience and a file transfer program such as Filezilla or CuteFTP are recommended as well.

Step 1: Back Up Your Site & Remove the Malware

  1. Make Backups of your database and 'wp-content' folder as well as your 'wp-config.txt' file in the root of your WordPress website and export all of your content from your admin dashboard (if you can access it) using the wp-importer/exporter plugin
    (Make sure you don't lose any data)
  2. For extra safety, take screenshots of the 'Settings' screens and copy widget contents into a text file
    (Widgets and settings aren't carried over in the export file, so you'll have to re-input these manually, unfortunately)
  3. Ask your host to do a malware scan and send you the results
    (You'll need the results to find the files that are infected in your 'wp-content' folder)
  4. Fix infected files in your backup of your site's wp-content folder and clear the bad code and/or files
    (This can be time consuming, but the rest of the steps are useless if you upload infected files back in to your new install)
  5. Delete ALL of your old WordPress files and upload a fresh version of WordPress via FTP to the root
    (Don't worry - as long as you've made backups as directed in step 1, all of your content is safe)
  6. Change the name of the folder 'wordpress' to something you wouldn't name a post, page or category (eg. your_files)
    (Naming this folder is for security, so use something that isn't easy to guess. Random strings are best)
  7. Upload your cleaned wp-content folder to the new install location (eg. /your_files/wp-content/)
    (NOT at the root, but within the renamed 'wordpress' folder)
  8. Copy index.php inside your WordPress main directory (eg. /your_files/index.php ) - Paste it into your root. You should now have an 'index.php' file at '/' and at '/your_files/'
    (Make sure not to delete the index.php file in the renamed 'wordpress' folder)
  9. Open index.php from your root '/' directory and change the line that reads: '/wp-blog-header.php' to '/your_files/wp-blog-header.php' (substituting 'your_files' for whatever you named your folder that contains WordPress)
    (This tells WordPress that your website page base is the root, while your WordPress base is hidden in your renamed 'wordpress' folder)
  10. Log in to your hosting control panel and change your FTP password as well as your Hosting Login Password and MySQL Password. Note your server settings for the next step
    (Changing your passwords is important - with access to your WordPress install, intruders can easily find your server settings)

Step 2: Set Up a Secure WordPress Install

  1. Open the 'wp-config-sample.php' file in your '/your_files/' directory and add your server information
  2. Change 'wp_' under database settings to something different. Choosing something random is best (eg. 'rsxrj_')
  3. Make sure 'WP_DEBUG' is set to false and set your WordPress Salts (you can find them here: https://api.wordpress.org/secret-key/1.1/salt/) - then save this file and upload it back to the server. Now rename it 'wp-config.php'
  4. Visit your website (eg. http://www.yoursite.com/) and you should see a WordPress Install Screen, prompting you to install a new version of WordPress. Create a username and password combo. Make sure you change from the default 'admin' user
  5. Log in to your new installation at 'http://www.yoursite.com/your_files/wp-login.php' and set your theme, activate plugins and site preferences and your site is ready to go.
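The three wp-config.php settings from Step 2 (table prefix, WP_DEBUG, salts) can be checked before the file is uploaded. The following is an added example, not part of the original post; the function names are hypothetical and it assumes single-quoted `define()` lines as in wp-config-sample.php, with both sample configs constructed for the demo.

```python
import re
import secrets

SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

# Anchored at line start so '// define(...)' comment lines are ignored.
DEFINE_RE = re.compile(r"^\s*define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(\w+))\s*\)", re.M)
PREFIX_RE = re.compile(r"^\s*\$table_prefix\s*=\s*'([^']*)'", re.M)

def audit_wp_config(text):
    """Return findings for the settings named in Step 2 (empty list = all set)."""
    defines = {m[1]: (m[2] if m[2] is not None else m[3])
               for m in DEFINE_RE.finditer(text)}
    findings = []
    prefix = PREFIX_RE.search(text)
    if prefix is None:
        findings.append("$table_prefix is not set")
    elif prefix[1] == "wp_":
        findings.append("$table_prefix is still the default 'wp_'")
    # WordPress treats an undefined WP_DEBUG as false.
    if defines.get("WP_DEBUG", "false").lower() != "false":
        findings.append("WP_DEBUG is not false")
    for key in SALT_KEYS:
        if defines.get(key) in (None, PLACEHOLDER):
            findings.append(f"{key} is missing or still the sample placeholder")
    real = [defines[k] for k in SALT_KEYS if defines.get(k) not in (None, PLACEHOLDER)]
    if len(set(real)) < len(real):
        findings.append("the same value is reused for more than one key or salt")
    return findings

def make_config(prefix, debug, salt_for):
    """Build a constructed wp-config.php body for the demo (not a real site's file)."""
    lines = ["<?php", "define( 'DB_NAME', 'example_db' );"]
    lines += [f"define( '{k}', '{salt_for(k)}' );" for k in SALT_KEYS]
    lines += [f"$table_prefix = '{prefix}';", f"define( 'WP_DEBUG', {debug} );"]
    return "\n".join(lines)

WEAK = make_config("wp_", "true", lambda k: PLACEHOLDER)
# Stand-in random values; on a real site paste the output of the salt URL above.
HARDENED = make_config("rsxrj_", "false", lambda k: secrets.token_urlsafe(48))

if __name__ == "__main__":
    print("weak:", audit_wp_config(WEAK))
    print("hardened:", audit_wp_config(HARDENED))
```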

Hiccups and Issues?

If your media library isn't showing your content, upload your 'wp-content/uploads' directory from the malware-free files and your site should be back to normal and more secure than ever.
(Make sure to secure this directory with folder permissions '755' and file permissions '644')

If your site is displaying a different look, make sure your theme is activated.

If you're seeing shortcodes printed on screen instead of the content they should be creating, make sure all of your required plugins are activated.

If you get a server error when visiting any pages other than the homepage, set or re-save your permalinks.

WordPress Security and Why Your Site Was Hacked

WordPress Security is Weak and Fixes can be Complex

by Adam Watts

I've been seeing questions all over online forums and social media about WordPress websites being hacked. These hacks, while mostly benign, can leak through servers and steal valuable information from others. For example, you may have an old or unused WordPress install currently on your server, not getting any updates or love. This is a security threat. Even your fully updated website, if not secured properly initially, can cost you money and time in malware removal and security upgrades. The problem is the default WordPress security isn't enough - and WordPress has already acknowledged this and offered up several solutions.

Why am I Writing This?

This post is to help WordPress users understand the importance of using recommended security conventions when setting up their websites. One-click installations via your website host or a cheap website setup are often the culprit when you've found yourself the victim of a random WordPress attack.

Why Were You Targeted?

A hack is rarely about your information or what the hackers think you have. It's about the fact that your website isn't secure, and they know it. Moreover, they will assume that you share a server with another website that does host sensitive information, which the hackers then hope to cross-contaminate.

Reasons they know your site is vulnerable can be numerous - though it's mostly due to the popularity of WordPress itself. As an open-source system, WordPress and the free plugins can be downloaded by anyone and have their vulnerabilities exposed.

Why Isn't the Default WordPress Security Stronger?

Any default is going to be just as weak - because certain conditions can be assumed by hackers. For example, if you don't change your admin username from 'Admin,' your website will be easier to hack. If you or your web developer neglect to create a better password or instigate a stronger setup, your website will be easier to hack. And so on...

WordPress Isn't to Blame

WordPress is a great system - which is why it's being hacked. Think Windows in the 90's and 2000's (I know, Windows is tough to deal with, but it was popular). Microsoft was a massive target because businesses with money used the system. WordPress has gained popularity - and with it, has become a target of cyber criminals.

Let's be clear here: I'm not saying that WordPress is any more vulnerable than any other website CMS in the way it's built or maintained. It's how your site was set up - probably using default tools in your hosting panel, which don't increase security from the default options.

How to Prevent Attacks

One of the main ways that hackers can breach a site's security is with either outdated or poorly coded FREE plugins and themes. Many premium themes and plugins are also known to have vulnerabilities that allow a hacker to create an admin user on your website, after which they can alter or break your site easily. Removing any plugins that you aren't currently using or minimizing the amount that you require are great first steps in lowering your chances of being hacked.

How to Clean a Site After a Hack

Going through your site manually is a pain. WordPress has thousands of files comprising its core - which is why I would suggest performing a re-install after simply going through your theme folders (parent and child) as well as your uploads folder. This means looking through all of the files and checking for code that is usually completely illegible (letters and numbers garbled in PHP).
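The manual review described above, and in step 4 of the removal list, can be narrowed down by scanning the local wp-content backup for illegible PHP. This is an added example, not code from the original post; the indicator patterns and function names are assumptions chosen for illustration, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Heuristic indicators only (assumed for this example); every hit needs a manual look.
PATTERNS = {
    "eval-decode": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "long-encoded-blob": re.compile(rb"[A-Za-z0-9+/=]{400,}"),
    "hex-escaped-string": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){20,}"),
}

def scan_file(path, root):
    """Return the indicator names that match one file under wp-content."""
    rel = path.relative_to(root)
    is_php = path.suffix.lower() in PHP_EXT
    # uploads/ holds media, so a PHP file there is suspect by itself.
    hits = ["php-in-uploads"] if is_php and rel.parts[0] == "uploads" else []
    data = path.read_bytes()
    # Also inspect non-PHP names that carry a PHP open tag (e.g. a fake .ico).
    if is_php or b"<?php" in data:
        if not is_php:
            hits.append("php-tag-in-non-php-file")
        hits += [name for name, rx in PATTERNS.items() if rx.search(data)]
    return hits

def scan_tree(root):
    """Walk a local wp-content backup and map relative path -> indicators."""
    root = Path(root)
    found = {p.relative_to(root).as_posix(): scan_file(p, root)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {rel: hits for rel, hits in found.items() if hits}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content"
        samples = {  # constructed sample files, not taken from a real site
            "themes/child/functions.php": b"<?php add_action('init', 'my_setup');",
            "themes/child/footer.php": b'<?php eval(base64_decode("QUFBQQ==")); ?>',
            "uploads/2020/01/logo.php": b"<?php echo 'x';",
            "uploads/2020/01/favicon.ico": b"\x00\x00<?php $a=\"" + rb"\x65" * 24 + b'";',
        }
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Legitimate plugins sometimes embed long encoded strings, so treat the output as a reading list for manual review rather than a verdict.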

If you aren't handy with programming and still have access to your WordPress admin panel, download the free Sucuri security plugin and do a malware scan.

How to Secure a WordPress Website After an Attack

Use My Most Trusted Security Plugin: Sucuri

I've used Sucuri both in the free and premium versions and have found that both offer excellent - though not quite complete - options and advice for security. All of the options that are available in Sucuri can be implemented manually by your website developer and are outlined in the WordPress Codex. If you have been hacked, removal of the malware is your first priority, then securing your server.

Sucuri's premium version offers caching and a firewall through their server. Not necessary, but it's an extra layer of security for your site at a price that's affordable (no I don't work for them OR get a commission...maybe I should...)

Take a look at the steps necessary to properly clean and secure your WordPress website.

If Your Developer Doesn't Know What the WordPress Codex Is

If you ask your developer to configure your website's security as per the WordPress Codex's guidelines and they respond with anything close to "What's that?", they are not a WordPress developer and they will likely not be able to fix your problem with being hacked. They may be able to clear the malware from your website with plugins, but they likely have no idea how to secure a WordPress site properly.

Learning PHRets and DMQL for MLS Listings Display

PHRets and MLS Listings Integration

by Adam Watts

I've always been the kind of person that isn't intimidated by a large project or a problem - which is why I jumped at the opportunity to work on a website that involved updating and displaying MLS® listings from our local MLS® provider here in Calgary, AB. In one word, this PHRets project was: humbling. I've been a website designer and developer since 2006 and working with WordPress since 2010, and felt confident in working in several languages.

Then - in steps the world of the MLS®.

If you're unfamiliar with the coding convention of the MLS® as I was, here's a small breakdown of the processes and standards: there pretty much are none. Each region controls data with a system built custom, offering no solid connection between naming convention, data offered or access. Of course, this made it extremely difficult to follow any tutorials on the subject, though I did find a few immensely valuable sites that guided and helped me along the way. I've listed a few of the key websites that may help you figure out what approach you need/want to use to retrieve that data and post it to your site.

Websites to Reference

These websites may not all apply to your situation, but they applied to mine.

  • RETSMD Website: log in with your credentials to view data from your MLS® feed
  • PHRets Github Page: PHRets is an open-source, pre-built script for connecting to a RETS feed
  • WordPress CODEX: I created a custom plugin to update and display the data

I must have spent hundreds of hours sifting through bad information, broken code and dead ends to find a few options that worked for me.

Now that I have you feeling sorry for me - or more likely for yourself - for deciding to build a RETS feed display, we can get in to how it actually works and why it took me so long to get through. Hopefully I can save some folks a little time and frustration.

I now have a fully functioning, updating RETS feed, installed on my client's website. The data is pulled and stored into a database and displayed on the website in various places. Images are pulled from the MLS® server and displayed on page load, to decrease the amount of disk space needed to store the images locally.

1. Use PHRets

I did a lot of searching online for solutions to the problem. Most of the monthly services didn't include Calgary - which is the region I needed - and didn't offer any serious customizing options, which was a requirement of the client. I stumbled on a few pre-built code options, including a few free WordPress plugins and themes that claimed to be able to connect to a feed - but again, didn't work in my region because none of the variables are set to the same names.

Plus I didn't want to pore through someone else's code in hopes that it actually did work.

PHRets ended up being the best option in my case because it runs on PHP and is open-source, therefore has lots of documentation and a decent amount of forum threads on usage. In my case, I was unable to use the 2.x branch of the code because of the age of the RETS feed I was pulling from (hopefully yours is using newer code).

If you do have the ability, run the 2.x branch and install it with Composer.

2. Visit RETSmd.com and Stay There!

I had a window with retsmd.com open almost the entire time I was working on the listings display. This is essential to know the values you're working with, objects and specific options available to you.

To use RETSmd, you'll need login credentials for an MLS® region. This means buying in to access their data yourself, or, more likely, working on this for a client who has purchased their licence. You'll need the RETS feed URL, USERNAME and PASSWORD to connect and see what data you're allowed to access.

I found most of the data and values that I needed from an object called 'Listings' - though it's likely to be named differently by your feed provider.

3. Use DMQL Once You've Connected

DMQL is the language that you'll be using once you've established a connection. A quick search on Google will show you many websites with information and tutorials on DMQL, and if you're good with PHP, you should be fine with wrapping your brain around it.

DMQL is an extremely touchy language. If you don't have your syntax, options and variable names all correct, nothing will happen. I spent many hours trying to figure out why a connection wasn't retrieving any results, and it was usually to do with a slight error in syntax.

4. Turn Error Reporting On and Check It!

Debugging code and deciphering errors was the main challenge here. Make sure that you have turned error reporting on, however you do it (depending on the system or language you're using) and print results to your page while you're working on retrieving results and connecting.

Read More Soon!

To keep things readable, I'm not going to go in to detail on these topics here - that's for another post, another day - and will be on the subject of creating an initial PHRets connection - with PHRets 1.x.

Stay tuned for more information on this subject and more general website development, design and optimizing ideas, thoughts and musings.

If you have any questions, feel free to leave a comment below.