It’s been almost a month since my last blog post and I actually had in mind to write about something completely different. I guess from the feature screenshot you may have already noticed that something quite ugly happened. Oh yes! My hosting account got hacked over the weekend, which basically led Google to block the SEO Armada website. I am not exactly sure how this could happen. All I know is that after I woke up Sunday morning to check on the blog, Google presented me with a nice red warning box that my website was reported as an attack page. After taking a couple of deep breaths and calming down, I started my Google research on how to fix the problem. Little did I actually know that soon all my other 5 (!) websites on the same hosting account would eventually be infected.
So, in order to give you a bit of a rundown of how I identified the problem, here is a quick summary of what I did:
1. I first checked my website status via the Google Webmaster Tools, and after a couple of button clicks, it was clear that my site was infected with malware:
I guess it is thanks to Google Webmaster Tools that I was actually able to identify the severity of the problem. If your website is not registered with Google, go and do it now! It will save you a lot of headache in the event something similar happens to you. Another great tool to check the health status of your website is on sucuri.net. Check out the free site scanner.
So, to me Google Webmaster Tools is the best thing since sliced bread, because I was also able to identify the malicious code that was apparently installed on my website:
The tricky part, though, was to determine where the piece of code was installed. Still at Google Webmaster Tools, I soon discovered the problematic URLs were in the main directory and in the /tag/sem directory.
2. Still confused about what to do, I started to look at the source code of the individual web pages. To do this, simply right-click any web page of your site and select ‘View Page Source’.
Then, I copied a piece of the malicious code from the Google Webmaster Tools page into my clipboard and searched the pages. By doing that, it was soon clear that the code was somewhere in the header section. The difficulty with WordPress is that a lot of code which you normally see as HTML is actually generated through PHP functions and classes. So, going into the WordPress editor and removing the code from there was not an option. Well, hours passed and I was still not getting anywhere.
3. I eventually found a malware WordPress plugin on Google which shed a bit more light on the problem. The plugin is called ‘Exploit Scanner’ and what it does is, it basically scans all your WordPress files and pages for malicious source code. It is free, works fast and is very efficient.
After scanning all my files, I had narrowed it down to 4 PHP files which mentioned the malicious code from the Google Webmaster Tools. To do this, I again copied a piece of the code, such as <script>eval (function (p,a,c,k,e,d) { e=function etc. and searched the results page.
When I went back into Google Webmaster Tools to copy a piece of the code into my clipboard, I was petrified to see that Google had blocked another website:
You can probably imagine, I got a lot more nervous, frustrated and agitated than before. This never happened to me and I had no idea what was happening to my websites and hosting account. Totally stressed, I made the quick decision to change all WordPress passwords and the password of my hosting account. I also cleaned up my PC to make sure there was no virus or malware going from my FTP server to my hosting account.
And 2 hours later, the following happened: Another two (!) websites had been blocked by Google! And again, it was malware and the same piece of code they were infected with. (Again, thanks to Google Webmaster Tools…)
It was clear to me that I needed to make a quick decision on what to do next. If you are a business owner as well and you run one or more websites your business heavily relies on, then there is no time to waste. Situations like these can, for example, heavily affect your search engine rankings if you don’t act quickly enough to rectify the problem. Depending on how often your website gets crawled by Google, it may only take a couple of days to be de-indexed. Crawlers obviously don’t visit websites that are blocked due to malware!
4. I finally made the decision to seek professional help from someone who specialises in malware. After a bit of research on Google, I had found the service called unmaskparasites.com. The website is run by Denis Sinegubko who is a Russian malware researcher. If you Google his name, you will notice Denis has made quite a reputation for himself by writing numerous articles and papers on the subject.
The website has on one hand a self-diagnosis tool which enables you to scan your website and do your own analysis. Denis also offers a consulting service for the price of only $35 which includes the removal of any malware from one or more infected websites.
Once I emailed Denis about the problem I had, he sent me, within a couple of hours, a detailed report on the infection and on how to remove the malicious code from my websites. Based on his instructions, which identified the individual infected WordPress files I needed to clean up, it was clear to me I had come to the right place. It was a pleasure working with Denis, who helped to clean up all my websites within 24 hours.
I definitely learned my lessons. Even though I am not sure what caused websites to be infected with malware, it is wise to regularly scan your PC for infections. It is also a good idea to regularly change WordPress and hosting account passwords. I have also installed a plugin called Malwatch that periodically scans WordPress files for malicious code.
If you are interested in the technical details of my WordPress infection, Denis was kind enough to post an article about it.
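The file search from step 3 and the periodic scan mentioned above can be approximated with a short script that walks a site directory and reports every file containing the packed-script signature quoted earlier. This is an added example, not code from the original post or from the Exploit Scanner or Malwatch plugins; the function names and the sample file tree are constructed for illustration. A match is a lead to inspect rather than a verdict, because some legitimate minified scripts use the same packer.

```python
import os
import re
import tempfile

# Signature of "p,a,c,k,e,d"-style packed JavaScript, as quoted in the post.
# Spacing between tokens varies; the last parameter is d here, r in a common variant.
PACKER_RE = re.compile(
    rb"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)"
)
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")

def scan_tree(root):
    """Return {relative_path: [line numbers]} for files containing the signature."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            lines = [data.count(b"\n", 0, m.start()) + 1 for m in PACKER_RE.finditer(data)]
            if lines:
                hits[os.path.relpath(path, root)] = lines
    return hits

def build_sample_site(root):
    """Constructed sample tree: one clean file, two with an inert packed-script stub."""
    samples = {
        "index.php": "<?php get_header(); ?>\n",
        "wp-content/themes/demo/header.php":
            "<head>\n<script>eval (function (p,a,c,k,e,d) { /* constructed */ })</script>\n</head>\n",
        "wp-content/themes/demo/footer.php":
            "<?php wp_footer(); ?>\n\n<script>eval(function(p,a,c,k,e,d){})</script>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, lines in sorted(scan_tree(site).items()):
            print(f"{rel}: packed script at line(s) {lines}")
```

Pointing `scan_tree` at a downloaded copy of the site and re-running it after each cleanup shows whether any file still carries the injected script.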






