How to Fix a Hacked WordPress Site (with shared hosting)

My site was recently hacked. And because I combined all of my websites into 1 account, it affected all 20 of my websites. Fun, fun.

When I would type in my website, AVG would block the site and a pop-up would announce it was a virus called “Exploit Blackhole Exploit Kit (Type 2115)“.

Anyway, it took me 6 days and countless hours (working 16-18 hours a day) to finally figure how to fix it. I made 20+ calls to tech support, researched every article I could find, and I was unable to find an answer that really helped me. So nearly a week (and half a head of hair) later, I finally figured it out by putting bits and pieces of the information I received together…but never from one article or one person.

So, I figured that I would create a post with the solution I found in case any of you out there are having the same problem. Part of the problem for me was that I am a graphic designer and not so much a website tech savvy person, so a lot of answers confused me and gave me headaches. So I’m hoping to write this in a way that everyday people can understand. I did a lot of unnecessary, painful things in an effort to try and repair my websites. I hope to save you some time.

If this solution doesn’t work for you, I apologize. But I thought if I could save just one person from the torment that I have endured over the past several days, it would be worth my time in writing it out.

Here’s a quick overview of what I did for those of you who are more advanced. (You can read more detailed, step-by-step instructions further down):

A Quick Overview
  • Restore any affected files to an earlier date (this is only a temporary fix).
  • Change all of your passwords, including FTP Manager, Admin pages, etc.
  • Make sure you have the most updated version of WordPress and any plugins you are using.
  • Temporarily disable all plugins.
  • Temporarily disable all comments. A simple way is to upload this plugin: Disable Comments for WordPress. Make sure you activate it.
  • Install the WordPress Firewall plugin. Activate it.
  • Install the WP Security Scan plugin. Activate it. Let it scan your site and then you should fix any errors or problems that it shows you.
  • Add a .htaccess file to your wp-admin folder for extra security.
  • Then password protect your wp-admin folder (using the “Permissions” menu option)
  • Change the permissions on your wp-config.php file, all of your .htaccess files, and all index.php files to add extra security. (Uncheck the “write” box in the “Permissions” menu option).
  • Double check your files again to make sure that the virus hasn’t returned in the time it took you to make the above changes. If it has returned, remove the virus code and save the changes, making sure not to undo any of the permission changes you just made.
  • Monitor your site for the next 24-48 hours before you know for sure that it’s gone. Check on your website every 2-6 hours to see if the virus pops up again.
  • Request reconsideration of your site once you know that the virus is gone.
  • Backup ALL your files
  • Keep the Firewall plugin and the Security Scan plugins enabled to block any future attacks.
Things You Should Know:

(You can skip this section if you want)

  • I have shared hosting with GoDaddy.
  • My particular hack was something called “php injections”. I know this only because the GoDaddy people told me so. I tell you that so you know how to Google search it if you need to. Also, as I said before, AVG would block the site and a pop-up would announce it was a virus called “Exploit Blackhole Exploit Kit (Type 2115)“.
  • My #1 problem was that I was reading too many articles to try and fix my websites. It caused confusion, migraines, and extra steps that I didn’t need to do. So, in my case, I had to exit out of most of the articles I was reading.
  • Most of the tech people at GoDaddy are excellent and really go out of their way to help get you from one step to the next. I find that I will make 20 different calls, each time just hoping to make one step. Then I’ll call back and have that person walk me through another step. Occasionally, you will come across a person who sounds annoyed, unenthusiastic, and depressing. Hang up. Call back until you get someone you like and feel you can talk to. And know that they are not always right. In fact, I had more luck figuring it out myself then I did with any of the tech support people. They did help fix broken links and some other minor issues, they are great for that.
  • Take a deep breath. Turn off all TV programs, noise, anything distracting so that you can think clearly. I find that I get seriously bad headaches when doing this stuff, so I need to eliminate all distractions, turn on some relaxing music, calm myself down, and just follow these simple steps:
First Steps

We need to remove the bad code from all your files. It will most likely come back within minutes or 2-6 hours, but you can follow these steps every time it comes back. This is a temporary fix, once we tighten security and fix the problem, you won’t have to do this anymore. Here’s how:

(1.)  I happened to find the virus code in my index.php file. The way that I was able to locate it is by going into my FTP Hosting Account (GoDaddy can walk you through these steps if necessary).

At the top of the hosting manager, click from “current” to “history”. Where it says “this is a snapshot of your files from” with a calendar date, you’re going to wanna change that date to an earlier date when your site was working fine, before the viruses started popping up. (Be careful not to set it too early because if you’ve made any changes or updates to your website, I think it could potentially remove those changes, but I’m not certain. For example, I set mine for 4 days before I noticed any viruses).

(2.) From here, on the right hand panel you will see a bunch of green circles that say “current” beside them. Those are most likely okay.

If you notice any yellow circles that say “different” next to them, that is probably where the bad code is. You can check it by clicking “edit” from the menu options. The file will open and you can take a look at it. You don’t have to edit it manually, I will tell you the easy way, but you can just see for yourself here if anything is suspicious. My virus looked like a bunch of numbers repeating at the top (see below).

(3.) Yours may look different.

Close the file without saving. Next, you’ll want to click “Restore” from the menu options. Now open the file again and see if that suspicious code is gone. If so, then you’re on the right track.

Now check the wp-admin as well as the wp-content folders. If the index.php file (or wherever you found your virus) was changed in those as well, “Restore” them. (You may notice more than one file that has been changed, so be sure to look around and be thorough. My wp-config.php file was messed with as well.)

For me, I have more than one domain within this same FTP Manager. So, I noticed that I had to go into every single domain folder and “restore” the index file. You may not need to if you only have one domain.

(4.) Now your website should work at this point. Temporarily. As I said before, the virus will most likely come back within a few short hours, or even minutes, because we need to change some of the permissions on your files. But don’t worry, we’ll fix it together in the next steps below.

Click out of “History” mode and into the “Current” mode in your FTP Manager.

Second Steps

Since we don’t know where the hack attack is coming from, let’s take extra steps of precaution.

(1.) Change ALL your passwords. GoDaddy can walk you through changing your FTP Password. Change your admin passwords on all your sites, and make sure you are using a more complicated username other than “admin”. Use a complicated password as well using a combination of capital and lowercase letters, symbols, and numbers. (Obviously, write down your new passwords and usernames and for what each if for.)

(2.) Make sure you have the most up-to-date version of WordPress as well as any plugins.

(3.) Disable all comments and plugins temporarily. I uploaded a plugin to Disable Comments for WordPress and it worked well. Make sure you activate it and configure it by checking all the boxes. (This includes audio players, contact forms, everything. People can inject codes into your comment or contact forms, so let’s just be safe and take this step. We’ll enable them again later, after we’ve fixed everything.)

(4.) Install the WordPress Firewall plugin. This is essential. Make sure you activate it.

(5.) Install the WP Security Scan plugin. This will scan your website and find any potential problems, which will also help you make the security on your website stronger so that this doesn’t happen again. Make sure you activate it. It will immediately list any problems (see below).

One of the problems it detected for me was that I needed to rename all of my folders that start with “wp”. This is easy is you follow these steps:

Under the WSD Security panel, click “Database”. All the way to the bottom you will see a “Change Database Prefix”. In the box where it says “Change the current:” change it from “wp_” to something random, such as “tx_“. Then click “Start Renaming” and it will automatically rename all your folders. (This step helps make the inside of your website invisible to hackers.)

This plugin also told me that I needed to add a .htaccess file to my wp-admin folder. Sounds complicated, but it’s not. All you need to do is to find the file called “.htaccess” in your website (in the main directory part, in the html folder) and copy it to your wp-admin folder. (I always double check to make sure my website still works at this point, so I know I didn’t put the file in the wrong place or something. Again, if you get stuck on any one of these steps, you can always call Tech Support at GoDaddy to walk you through that ONE step).

Mine looks something like this on the inside:

Next Steps

(1.) Now you’ll want to password protect your wp-admin folder. To do this, simply click on your wp-admin folder (but do not open it). Then select “Permissions” from the menu options. Click the “Password Protect” tab at the top and click on the orange button that says “Add User”. In the area that asks for Username and Password, enter an entirely new username and password than you use on any of your sites or your FTP Manager. (Make sure it is complicated and includes capital and lowercase letters, numbers and symbols. You’ll need to write down this password, of course, so you don’t forget.)

Then click on “Ok” and make sure the “Password protect directory” box is checked and that you see your username in the box that says “Users who may access the selected folder(s)”. (If not, simply click on ‘Add User’ again and select the user or re-enter your info again until it works.)

Now your admin folder is double password protected. So that’s good!

(2.) You’ll also want to change the permissions on your wp-config.php file so that it’s more difficult for a hacker to access it. To do that, simply click on the wp-config.php file and select “Permissions” from the menu options. Choose “Advanced Permissions” on the top tab. Under “Owner Permissions”, uncheck the box next to “write”. Also make sure that the “write” box under “Web user permissions” is unchecked as well.

Great! Now your config file is protected.

Please note: At times when you want to use the WSD Security Plugin that we installed earlier, you’ll just need to go back in and put a check in the “write” box. Make sure you uncheck it when you are done using the scanner plugin.

IMPORTANT:

After I wrote this article I noticed a few of my sites were still affected with this “virus”. So I had to go in and change the permissions on ALL of my .htaccess files and index files. It wouldn’t allow me to password protect those files, so I simply unchecked the permission to “write” each file, as mentioned above. That made all the difference. I haven’t seen the virus show up since, and all of my sites are working properly. But you do have to be careful NOT to uncheck the “read” or “executable” file boxes. I think this must have been a BIG reason I was getting hacked. So definitely try that. If you notice a certain file that keeps getting hacked, change the permission on that folder. It seems so obvious now!

Disclaimer: GoDaddy informed me that this was only a temporary fix and that I should purchase their website scanner to prevent future attacks. We’ll see.

 

Final Steps

(1.)  Now, we wait.

At this point, you may want to go back into “History” mode and make sure that all the files are current and none have been changed (“Different”). Depending on how long it took you to install the Firewall and Security plugins, your files could have been attacked again. So just double check for good measure and if you see any “different” files, restore them.

Let’s see if all these things we just did fixed the problem. I would give it about 24-48 hours before you know for sure, but check on your website every 2-6 hours to see if the virus pops up again.

Please note: You’ll want to restore the files as soon as you see any viruses, so that you can prevent Google from removing your website from the search engines. Google will do that if they detect any malware on your site or if anyone reports it as an unsafe site. If your website has been reported, once you’re sure the virus is gone completely you can simply resubmit your website to Google and they will check it and restore it to their search engines. Click here for the link to do that: Request reconsideration of your site.

If at this point you are still seeing the virus, double check to make sure you followed all the steps above correctly. you may have to completely uninstall WordPress from your website and reinstall (which is what most people will tell you to do as your very first step, but I had to find a way around that since my files were not properly backed up). If you have a backup of your websites prior to getting the virus, use that. If not, backup your website just in case, but the whole point is to make sure you don’t re-upload any corrupted files. I’m not sure if I need to go into more detail about this. You can probably Google the best way to do this. GoDaddy can also walk you through this process.

(2.)  Once the virus is completely removed, you can slowly start reactivating some of your plugins. Just be careful and keep an eye on them because this is one way that you can get hacked. Make sure you only install trusted plugins, and if you notice any bad changes after re-activating them, immediately deactivate and/or delete them. I chose to keep an eye on my site for a few days before re-activating any plugins, just so I would be able to notice a difference.

(3.)  Backup ALL your files and keep all your backups updated regularly. That way, if you get hacked again, you can just reinstall your website from a fresh backup.

(4.)  Keep the Firewall plugin and the Security Scan plugins enabled to block any future attacks.

(5.) Go through your website and check all the pages and any links that you have. If you have problems with broken links or pages showing error codes, call GoDaddy and they can walk you through fixing it. I had to set all my custom permalinks to default because the pages weren’t loading and some links were broken. That fixed it for me.

Also, there were some other small steps I had to take too, involving resetting the php files in the “File Extension Management”….sounds very complicated but it’s easy. Just mention that to them and they can tell you whether or not you need to do that and how to do it.

Please Note: This means more than just using your “export” tool from within your WordPress Dashboard. You also need to keep your themes, plugins, and uploads backed up as well from within your FTP Manager. To do this, I use the Java FTP Client and transfer the directly to my computer. Go to Hosting Manager > Content > Java FTP Client. Create a “new folder” for your backups, and transfer to the new folder on your computer.

Good luck! I really hope this helped you out!