Your Content Management System Was Hacked - Now What?

04/24/2013 7 min read Written by Lynton

Content Management Systems (CMS), like Wordpress and Joomla, are amazing tools that make truly dynamic web pages possible without having to learn a lot of code. Because these Content Management Systems are extremely popular there are, unfortunately, a number of malicious individuals out there looking to take advantage of loopholes within these systems. For example, if you are using a stock installation of a CMS you might even have a “generator” meta tag in your site’s source code that tells the whole world what CMS and what version of it you are using. Armed with this information, an unscrupulous website visitor knows exactly which vulnerabilities to test to get access to your website files and even your databases.

Don't be lulled into a false sense of security even if you have a site without sign-in or membership options. Some of the nastiest hacks of Content Management Systems have involved Black Hat SEO tricks that take advantage of smaller sites that might not have the resources to deal with hack removal. The Pharma Hack, as it's been called by many in then CMS community, involves hacking the source code of a CMS so that it displays different information to Google Spiders than it does to everyone else! When Google visits an infected page it is served a version of that page that has been artificially stuffed with keywords and links that build up the reputation for other sites (unrelated to your website) at your site’s expense.

Fortunately, there are some easy things that you can do to keep yourself safe and handle your website security in a preventative fashion. 

A Solid CMS Foundation - The First Step in Avoiding CMS Hacks

CMS companies release lots of versions and updates to their software - not just because they are enhancing the features - but also because they are addressing security holes that are being discovered. Your number one concern when designing a website should be doing so in such a way that allows you to easily update your core CMS without overwriting your design changes. If you aren’t a designer but rather just a site administrator, you should double check with the designer or developer who worked on your site to make sure that you can easily update your site’s core technology.

Any plugins, extensions or other third party software that is being utilized by your CMS might also have vulnerabilities. These too are often addressed in updates. Make sure that you are using the latest version of all of your tools and check for updates regularly. It helps if you stick to only popular and well maintained plugins. Most Content Management Systems will maintain a web page full of known plugins that open up vulnerabilities. Staying away from these plugins (until they fix the issues) is advised.

You should also invest in a security tool of some sort. I recommend Better Wordpress Security for Wordpress and Admin Tools Pro for Joomla. Both of these tools require a good deal of understanding to enable so if you aren’t comfortable doing this yourself you should reach out to a professional or try it on a new, fresh install of the CMS so you can practice what works and what doesn’t. Always keep the documentation handy as a guide to what you should be doing to be sure your security settings are configured properly.

Finally, and perhaps most importantly, use secure passwords! Try to utilize the rule of 1 upper case, 1 lower case, 1 number and 1 special character in each password. This provides the maximum variance to avoid brute force hacks (bots that just type in random combinations of key presses until they get a correct response). You should also avoid key patterns in your passwords such as a number of keys in a row followed by the same keys while holding shift (qwertyQWERTY). Don't make it easy for the hackers. 

How To Confirm Your Website Has Been Hacked

Every hack is going be a little bit different. If you been attacked by the Pharma hack, for example, you will probably not notice that you’ve been attacked until you start seeing results for “Pay Day Loans”, “Car Credit” or similar “spammy” links that have nothing to do with your site in your search results. 

To see why the pages are showing bad information to Google you have to use the Google Webmaster tools Fetch as Google tool. Go into your webmaster tools account and on the left slide click the Fetch as Google link. Then, when you get to the page, type in a link to a page that has been infected then click fetch. Once you get the “success” message click on the word success and it will show you the code that Google was able to pull. If you have been infected, you will see paragraphs of text relating to pay day loans or whatever flavor of keywords the hack has chosen to use.

There are also tools that can change your user agent in your browser to that of Google Bots so that you can view your site live and see the infected keywords on the page itself. This is handy for navigating many different pages to see where the infection has occurred. However, you may run into a case where the hack is on every single page because it is injecting itself into the CMS source code.

Repairing and Recovering From A Hack

Once you've confirmed a hack, your first instinct is going to be to search for malware or viruses on your server - which isn’t a bad thing - but in our example case of a Pharma Hack, the hack is hidden in your source code - your Base 64 encoding. Essentially there is one large file hidden somewhere in your directory that contains a bunch of random characters that means absolutely nothing to us. However if you were to run this code through a base 64 decoder it would contain all those paragraphs of infected text we saw when we fetched the page as Google. So now you are thinking okay, well I just have to find that file and delete it and that should be it, right? If you were to simply delete the hacked file you would find that your website no longer works! That’s because in your htaccess file there would be a redirect in place that actually runs the file. In some case that file could be “image.php” in a temp folder. In order to remove the infection, you simply need to remove this htaccess redirect. In fact, if you start by investigating the htaccess file you can learn a lot about the nature of the hack.

You’re not in the clear yet, unfortunately. Usually hackers gain access to your files by injecting a .php file into your site that they can run to scan for vulnerabilities. This file will be named in one of two ways. Either it will be a strange name like “underwater.php” or even “db.x.php”, or it will be an incredibly well camouflaged name like “joomla-repair.php." If you’re knowledgeable about Joomla you may notice the last file as a filename not appropriate for your root directory, but the average user might not. This file needs to be eliminated. Once that is eliminated you need to download a base 64 search tool (a .php script) and run it and find any instances of base64 encoding that are occuring in your root directory. Lots of files like copyright.php will contain a script at the top of them that adds that malicious file back into your directory. Be cautious though, because these files are actually good CMS files that have been infected. Removing the bits of base64 encoding text will keep the virus from returning.

After you’ve cleared your site of malicious code you can start to breath easier. Now you’ll want to change all of your ftp passwords just incase they were stolen. You will also want to update all of your tools and the core CMS. The hack is gone now but its effects linger on! Google still shows your page as having payday loans on it! This is because google caches websites for long periods of time before it refreshes its index. You'll want to go into webmaster tools and resubmit your index to Google to hopefully trigger a new cache.

Finally the last unfortunate bit of news. When your site was hacked the domain name was sent to a repository that these black hat hackers have been using to spam links to. You now have lots and lots of backlinks from horrible websites that have nothing to do with your content. This will also generate negative SEO for your site. Luckily, Google now has the Disavow Tool in Webmaster tools to disavow bad links. Just keep in mind that this process will take awhile to recover from but eventually you will be in the clear.

Simple, right? Of course, there is always the option of calling us or using a hosted platform like HubSpot so you can focus on the content of your website rather than the back end of your website.

Photo Credit: Difei Li via Compfight cc
By: Lynton

Lynton is a HubSpot Elite Partner that provides certified knowledge and tools to grow your business through integrated inbound marketing, including lead generation strategies, website designs and development, and CRM integrations.

Subscribe Today

Stay Up-to-Date With HubSpot and Marketing Trends

Never miss a beat with the latest marketing strategies and tactics. Subscribe to the Lynton blog and receive valuable insights straight to your inbox.