There are a number of ways that you might find out that your website has been hacked, beyond the obvious one of discovering a weird image on the home page, like the one above, announcing gleefully that you’re now “owned” by some shadowy perpetrator. It’s more likely you’ll stumble across a series of anomalies, such as modified or new files, traces of unauthorized logins or unusual bandwidth usage, which after a while produce a growing sense of panic that something just isn’t right. But these days crackers are wily critters who can easily ensure that most site owners never discover an infection — unless someone else points it out to them.
This could come in the form of a visitor who clicked on a link that took them to an obvious spam- or malware-based site. Hosting providers can also provide an alert, especially in shared-server environments in which infections, once established, can quickly spread from site to site. I once had a supposedly “premium” provider alert me that my WordPress site had been infected. But not to worry, they had removed the offending files. All very nice, except their clumsy cleanup took down the site, to the point where it needed a complete reinstall. Thankfully, I had a recent backup.
But perhaps the worst way to find out that your site has become the playground of dark operatives is to have Google tell you. Because once Google thinks you’re evil, it’s goodbye traffic. This happened to me recently when by chance I came across a listing amongst a page of search results for a modest WordPress-based site that I was managing for a friend. There before me were the letters of doom, proclaiming: “This site may be hacked.” The only thing worse would have been the even more lethal, “This site may harm your computer.” Small comfort.
My first reaction was one of disbelief, since the site was running a security plugin from a respected service that was supposed to prevent this very thing from happening. I immediately changed the passwords on the site and ran a full scan, with the plugin blissfully announcing that all was as it should be. Grr! At this point it was time to let Google know that I was aware of the problem, so I headed to its Search Console and checked out the security issues that were freaking it out. Its concerns weren’t ungrounded, since it had found some nasty hidden directories with such enlightening names as signature-loans-athens-ga and cash-advance-loans-ma. Ouch.
I won’t bore you with the tedious process of cleaning up the site and then alerting Google to its newly-pristine condition, so the warning could then be removed. Instead, I’m here to sing the praises of a security plugin that I turned to for help with the cleanup and subsequent lockdown. I’m speaking of Wordfence, available in both a free and Premium version, at $39 per year. The free version may well provide all you need but of course the Premium version does supply additional functionality and flexibility, and that’s what I’ve been using. I have to admit that I’m now a fan and rank it up there with Yoast SEO, Akismet, BackupBuddy and Contact Form 7 on my shortlist of essential plugins.
The laundry list of features is just too much to go through but the heart of Wordfence is its scanning capabilities, which even in the free version are very robust. There are no fewer than 17 options you can enable, such as scanning for signatures of known malicious files, backdoors, trojans, suspicious code and specifically the HeartBleed vulnerability. You can even scan outside the WordPress installation itself, in search of additional unpleasantness. And you have to like that Wordfence checks URLs against Google’s safe browsing list. I’ve opted in to receive email alerts for anything dubious that the scan finds, although post-infection I’m happy to report that these have just been related to plugins that needed manual updating or that have changed their TXT documentation files. After receiving a warning you can head to the admin area on your site and view details about the warning, as shown below, and let Wordfence know what action you’ve taken.
Also handy is being able to view before and after versions of any altered files. It was clear that a plugin had simply altered its TXT file to indicate support for a new version of WordPress. Whew! This is provided in the free version.
Another nifty free feature is Live Traffic, which every two seconds updates its display of site traffic, both human and otherwise. I used this to identify visits that were clearly arriving to take advantage of exploits, since visits to the pages and directories I had deleted were highlighted. It was then just a click to block the offending IP or entire countries of origin. Goodbye, Ukraine (country blocking is a feature available in the Premium version).
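The same check can be run against a plain web server access log: requests for directories that were deleted during cleanup stand out because nothing legitimate links to them any more. The following is an added example, not part of the original post and not Wordfence's code; it assumes the Apache/nginx "combined" log format, and the log lines, dates and IP addresses are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Directories removed during cleanup (names taken from the post).
REMOVED_DIRS = ("signature-loans-athens-ga", "cash-advance-loans-ma")

# Constructed sample lines in "combined" log format (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:10:01:02 +0000] "GET /signature-loans-athens-ga/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:01:04 +0000] "POST /cash-advance-loans-ma/x.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2016:10:02:10 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2016:10:03:30 +0000] "GET /Cash-Advance-Loans-MA/%69ndex.html?ref=1 HTTP/1.1" 404 512 "-" "curl/7.47"
198.51.100.20 - - [12/Mar/2016:10:04:00 +0000] "GET /blog/cash-advance-loans-ma-review/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def first_segment(target):
    """Top-level directory of a request target, URL-decoded and lowercased."""
    path = unquote(target.split("?", 1)[0])
    parts = [p for p in path.split("/") if p]
    return parts[0].lower() if parts else ""


def probes_by_ip(log_text, removed=REMOVED_DIRS):
    """Map each client IP to the requests it made for a removed directory."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        if first_segment(target) in removed:
            hits[ip].append((method, target, int(status)))
    return dict(hits)


def block_candidates(log_text, min_hits=2):
    """IPs that requested removed directories at least min_hits times."""
    by_ip = probes_by_ip(log_text)
    return sorted(ip for ip, reqs in by_ip.items() if len(reqs) >= min_hits)


if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG):
        print(ip, probes_by_ip(SAMPLE_LOG)[ip])
```

Matching only the first path segment keeps ordinary posts whose slug happens to contain the same words, such as the `/blog/...` request in the sample, out of the results.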
In summary, Wordfence helped me identify and remove the infection, and a month later the site has remained clean. Hard to ask for more than that. Whether you opt for the free or premium version, I’m confident Wordfence can bump the security of your site up to another level.