Oh Noes!

Look familiar? Hopefully not. But if your site now looks like this, it’s bad, but there is hope.  I had my first foray into this world last week when my brother in law’s site was hacked.  It took some digging, but here are the steps to getting your site back again. Part one will cover getting yourself unblocked.  Part two will cover getting your posts and other data back, and part three will get you up and running and take steps to prevent it from happening again.

So the steps:

• Get rid of the offending code,
• verify you are the owner,
• request a review,
• make sure it doesn’t happen again.

Getting rid of the offending code

What happened?  In this case it was pretty clear.  The site was using an older version of WordPress (pre 2.8.3).  WordPress patched it way back in August, so part of me is impressed it took so long to get hacked.  This was a pretty serious security hole; before it was patched it managed to take out a lot of blogs (including Scoble).  Needless to say, if you aren’t running the most recent version of WordPress, or not sure stop reading. Upgrade now.  Looking at access logs it looks like the site was hacked not once, but twice. [Note to hackers: when you hack a site, try applying a patch. it's safer.]

First up is the database.  When the the hole was initially discovered, the recommendation was to NOT export your database, and instead follow a series of other steps.  At the time I would agree with that advice.  Unfortunately, once you hit the blocked list, the intercept message stops you from even logging into your site to do the additional steps.  Instead, we’ll back up the database and the site, then set up a clean room environment to export your data.   Check with your host provider for specifics, but in myPHPadmin select the database and hit export (and download as a zip).

Next up are the files.  Again, we’ll be using these for our cleanroom in part two.  Grab a blank thumbdrive, create a /hacked_site/ directory, FTP to the site and download everything straight to the thumbdrive.  Be sure to get the .htaccess files, since they are more than likely corrupt as well.  Once copied, stop thinking about them.  We’re not opening, clicking on, viewing or even looking at ANYTHING there unless we can do it safely.  That’s in part two.

Now, take a deep breath.

Delete your entire site. Seriously, all of it, especially the .htaccess files.  Don’t be concerned.  Right now no-one in the world can get to your site, and unless you do something about it, no-one ever will.  Part two will try and recover as much as possible, but even if you can’t get everything, at least you’ll be able to start over.  Until your site is unblocked, you can’t even do that.  So delete it. Delete it all.

Now, open up your faveorite text editor and create simple html file:

<html>

     <head>

        <title>Down for repair</title>

     </head>

    <body> Our site was recently hacked.  We've removed all offending code and are in the process of rebuilding the site.  We appreciate you patience. </body>

</html>

Save this as index.html and upload it to your site.  Why?  well, we need to have your site reevaluated, so you need to show you’ve actually taken steps and are ready to be checked again.  If your hosting company has a control panel, you could reinstall WordPress from there, but since the site is still blocked, there is no way to go any further than the default install.

Verify you are the owner

Next go to Google Webmaster tools.  Don’t have an account?  Perfect time to sign up (besides, if you want your site back, you have to).  Once logged in, you need to add your site.  That’s pretty straightforward.  Click on add a site:

Enter the url of the site.  For best practices, start with www.yoursite.com and you can (and should) add yoursite.com later.

Once added, you need to verify.  There are two ways, add a meta tag to your index file, or upload a specific file.  I find it easiest to upload the file:

Upload the file, double check it’s there, then click verify.  In my experience, the process is instantaneous.

Request a review

Almost done.  Once verified,  your Webmaster Tools home screen should have an alert about possible malware.  Click on the link for Request a review, and you’ll be taken to a short form.  In the text area, be sure to outline the steps taken (You completely removed all offending material, and will install the latest, patched version of WordPress)

And then wait.  In my experience it took less than a day to get unblocked.  While you are waiting check out part two (coming soon) where I’ll walk you through the process of recovering your posts.