Repairing my hacked WordPress site

Incorrect titles and descriptions showing in Google search results

On October 14 my web traffic went down to less than a fourth of what it normally is. It took me a day or so to find out why. From my viewpoint my blog was fine. I finally did a Google search on my most popular term, expecting to see some drop in ranking. What I did see shocked me. Instead of the normal title and description, my blog post, still ranked number one, now said “Buy Viagra with a prescription.” The cached preview showed a page titled “SOMA for sale.”

However, if you actually clicked the link, which few people were doing, you got the original page. I was really confused.

I did some forum searches to see if other people were having the same problem with Google. It turned out they were, but all the posts I found were closed to comments and there were no answers. It took quite a bit of digging to find out what was causing the trouble. It turns out that 90% of the people who are reporting the problem are hosted on Godaddy like I am. There seems to be a security problem with the Godaddy servers. If my trouble returns, I will switch away from Godaddy. I hate to because I have had good service over the years from them, but this lack of security is not acceptable. See this article for more info: http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/

I followed the helpful guide at this link: http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

I began by making a copy of the WordPress directory on my web site. I used Filezilla to make the copy. Next I had to learn how to make a copy of my SQL database. This took a lot of reading before I was able to learn to use the database controller software on Godaddy’s hosting controls. I also installed a plug-in on the blog that makes backups. This let me make a copy of the database easily.

In the process, I accidentally changed the password on the database so my blog was down with errors overnight until I realized the problem. I had to edit the wp-config file to fix it. It took more reading to learn how to do that.

By this time I was more comfortable using the Hosting control software and I had backups of everything on my hard drive.

I had also figured out some of how the hack worked. Somehow they inserted code that redirected the traffic if the googlebot was doing the surfing. I used http://web-sniffer.net to find out what was being presented to Google.
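The check described above can also be scripted. This is an added example, not code from the original post: it compares the title and meta description served to a normal visitor with those served to a crawler User-Agent and lists spam terms that appear only in the crawler view. The function names and the sample pages are assumptions constructed for illustration.

```python
import re
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SPAM_TERMS = re.compile(r"\b(viagra|soma)\b", re.I)  # terms seen in the hijacked results

class HeadParser(HTMLParser):  # collects the two fields a search result displays
    title = description = ""
    _in_title = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attrs.get("name") or "").lower() == "description":
            self.description = attrs.get("content") or ""
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def head_fields(html):
    parser = HeadParser()
    parser.feed(html)
    return {"title": parser.title.strip(), "description": parser.description.strip()}

def fetch(url, user_agent):  # request a page while presenting the given User-Agent
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def cloaking_findings(browser_html, bot_html):
    seen, served = head_fields(browser_html), head_fields(bot_html)
    findings = [f"{k} differs: visitor={seen[k]!r} crawler={served[k]!r}"
                for k in ("title", "description") if seen[k] != served[k]]
    extra = ({t.lower() for t in SPAM_TERMS.findall(bot_html)}
             - {t.lower() for t in SPAM_TERMS.findall(browser_html)})
    if extra:
        findings.append("spam terms only in crawler view: " + ", ".join(sorted(extra)))
    return findings

# Constructed sample pages standing in for the two responses (no network needed).
VISITOR_HTML = '<html><head><title>My post</title><meta name="description" content="How I did it"></head></html>'
CRAWLER_HTML = '<html><head><title>SOMA for sale</title><meta name="description" content="Buy Viagra with a prescription"></head></html>'
if __name__ == "__main__":
    for line in cloaking_findings(VISITOR_HTML, CRAWLER_HTML):
        print(line)
```

For a live check, pass `fetch(url, BROWSER_UA)` and `fetch(url, GOOGLEBOT_UA)` to `cloaking_findings`. A clean result does not rule out injected code that keys on the crawler's IP address rather than its User-Agent.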

I got the courage to hit delete and cleaned up all the old files from the server. I left the database in place.

Instead of letting Godaddy reinstall WordPress for me or trying to install it using Filezilla, I used a program called EasyWP WordPress Installer. It is available here: http://smackdown.blogsblogsblogs.com/2008/06/18/easywp-wordpress-installer-cause-there-aint-no-such-thing-as-too-easy/

I simply downloaded the file to my computer and then used Filezilla to copy it up to the server. I then used my browser to run it. I had to open a separate window in the browser to get the right data to access my SQL database on Godaddy. I had to change the hosting parameter that it says 99% don’t need to change, but all the info was on the Godaddy info page. I just copied and pasted it into the form.

The program loaded up a fresh install of WordPress and sucked in all the data from my database. At first the blog was still blank because there was some error with the theme. I simply reloaded the theme and it cleared right up. I did have trouble for a while getting 404 errors on individual blog posts, but that cleared up on its own after a few minutes.

I then checked through all the photo files in the backup of the upload directory. I had read where some people had had their site hacked by someone putting PHP files in the photo directories. I did not find any suspicious files, so I uploaded all photos using Filezilla. That took a few hours. Once the photo files were back in place the blog posts looked fine again.

I then began the tedious task of reinstalling plug-ins. I tried to get fresh versions of as many as possible. However, there were a few that I had to restore from my backups. I really have no way of knowing if they were clean. I have tried to use web sniffer to check regularly to see if any of the posts have been re-corrupted, but so far none have.

I have to give a special thanks to the folks at smackdown for providing lots of good and useful info on how to fix my blog. Hopefully Google will rescan the affected articles soon and correct their files.

I have learned a lot about how WordPress works and I will be able to rebuild the blog a lot faster next time. I used this event as an opportunity to clean up some plug-ins I don’t use anymore and make some other changes to the blog I have wanted to do for a while.

I have no idea what the motivation for the hack is. There are no links I see that would make anyone any money or bring them clicks. The only issue for me was destroying my search results. I guess some people like to cause trouble just because they can.

Installing WordPress 2.7

I am adding WordPress to my web site today. My plan will be to convert the whole site into WordPress blog posts. This may take a while.

I will start by adding new articles directly as WordPress blog posts. I will also start to convert the old stuff as I add the categories.

I am adding AdSense ads as well.