As some of you know, this little blog has been hacked twice in the past week by malware. The first time was by something called zettapetta, which tried to redirect some users to a website called freesavez5.com. And this morning it was by something called holasionweb. No virus was installed onto users’ computers upon visiting my blog, but it was very troublesome to say the least. Not to mention that it just doesn’t look very good to have a big ugly “this site contains malware” warning as an introduction to your blog.
So last weekend I spent 36 hours STRAIGHT fixing this blog (thanks to all of those who helped!). This involved no sleep, little food, lots of tears, much, much stress, and borderline insanity. BUT, I fixed it.
And the reason why I didn’t hire someone else to do it was because, even though I could have paid someone to remove the malware for me (as it was, I figured it out on my own pretty quickly), nobody but me knows the customizations I have put into the blog, amounting to probably 50+ hours of work done over the past 2 years. Customizations that were required to get the blog to look right: for the pages to display properly, for the comments to work, for the images to be in the right place, etc, etc, etc (ETC). All of those little things that will make you crazy when they aren’t working right.
*Those* could not have been fixed by anyone but me. That fancy text you see as the titles to posts took probably 20 hours alone to get right. (Yep, when I want to get something done, I’m determined!). SO, it had to be me, and my little brain, fixing it. SIGH….
I tried everything to fix it. And I mean, every single thing I read online. I deleted ALL of the files on my server and started from scratch, upgraded WordPress, even went in manually to the .php files and removed the offending malware code. I ran the script I found online that cleans your files (wordpress-fix.php), I repaired permissions, I reset passwords, everything.
And this morning I was hit again. But this time, instead of screaming, destroying personal property, drinking large quantities of gin or curling up in a ball on the floor crying, I knew what to do. Because ultimately last weekend, in the end there was really only one thing that worked, worked well, and (thankfully) was very easy to do and took only a few minutes. And that was a restore from ‘history’ in my hosting admin panel at GoDaddy. (If only I had found it at the *beginning* of my saga, and not the *end*).
So I wanted to write this little note in the hopes that if someone else reading this, who has a WordPress blog, livebooks site, or any other site that uses .php files, gets hacked (thousands are getting hacked as I type this), they will remember reading this, follow these instructions, and be able to do a quick fix, saving themselves the sheer agony and torture I went through last weekend.
I know lots of photographers follow my blog, and we all love our little WordPress blogs with our custom ProPhoto themes, which sadly are filled with the little .php files that are becoming infected, and those gorgeous livebooks sites are also filled with the same .php files, so hopefully, fingers crossed, this will help at least one person out there.
Please bookmark this page in case you need to refer back to it. And feel free to pass it on as I suspect that, with thousands of blogs (and non-blog sites running php files) becoming infected, many will need information like this.
To fix a blog or website hosted by GoDaddy that has become infected with malware (of any type), here is what you do (for other hosting providers besides GoDaddy, continue reading- at the bottom I have my recommendations for you too!):
Log into your hosting control manager where your blog is being hosted. You want to make sure it says ‘hosting control manager’ in the upper left hand corner (I know all of those GoDaddy pages are confusing).
Click on the name of your account that holds your blog. In my case, the account is called ‘cowbellyblog.com’.
Got it? Cool.
On the next page you will see 4 boxes at the top:
your files // your applications // your domains // your email
Click on the box that says ‘your files’.
On the resulting page, at the top left, under the large ‘File Manager’, you see where it says ‘current’ and then ‘history’? Good!
Click on ‘history’.
Give it a minute to load.
The little spinny thing should be going.
Relax, it’s going to be ok.
Alright, you might want to get a drink, but your problem will be solved before you can finish it. (Whoopee!)
Ok, so now all of the files should be displayed.
“that’s crazy, what is that stuff?!”
For those of you who know about as much about files and hosting and servers as quantum physics, this is your introduction to the guts of your blog. Those are your web files! Pretty cool, eh?
Everything you see there is what makes your blog run, the pages display, the plugins work, the images display, and all of that cool stuff. Sadly, in an attack like this one, the .php files on your server (your server is what you are looking at right now, and the ‘php’ files are all of the files that end in ‘.php’) have been rewritten to carry some nasty looking malware code. Yuck.
This means that if you were to download one of the .php files to your desktop and open it in Dreamweaver (or any plain text editor), you’d see some really yucky looking code at the top (or maybe bottom), usually a single very long line that doesn’t look like the rest of the file. And lots of it.
Ok, so now you are looking at the contents of your server, and you have the little ‘history’ selected at the top. Right? Cool.
Now, still looking up where it says ‘history’, scan your eye to the right, to the little icons across the top of the page.
You see the little icon where it says ‘restore’?
That is going to save your life, and your sanity.
BUT, don’t click on it yet (yes, I know you want to get back online NOW, but you’ve gotta make sure you do this right!).
Before you click the little ‘restore’ icon, you need to click the little calendar icon below it, right next to where it says in bold ‘This is a snapshot of your files from m/dd/yyyy’
What you need to do, is click the little calendar icon, (it will say ‘quick pick calendar’ at the top), and then click the last date you knew that your blog/website was functioning normally.
Sometimes you can tell the exact date and time you were infected by the malware by looking at the ‘date modified’ time on the .php files on your server (3rd column to the right). Click that column header to sort by it if you can.
If you knew your blog/website was working perfectly two days ago, and today you got an email/message/FB comment from someone saying “your blog has malware,” and the ‘date modified’ on all of the .php files was 2:47AM this morning, that’s most likely the time it was hit by that nasty little malware bugger. A whole site being rewritten within the same minute is the giveaway; normal editing never touches every file at once.
So pick a date BEFORE that time. In my case, I figured out that my blog was hit last Friday morning at 12:23AM, so I picked last Thursday (the day before) as the restore date.
(Note: if you pick a date that is too far back, you may lose a few blog posts, but that’s certainly better than having an infected blog or beating your head against a wall for days!)
Ok. Back to the hosting control panel.
So you are in the history state, you see the little restore icon, you have selected a date that is before you got infected, so now here is what you do:
Click the little black checkmark at the top of the columns, just to the left of ‘Filename’ to select all of the files (you may need to increase the page size to 50 if you have lots of files there).
Then, UNselect any folders/files that belong to other websites (IF you have them). For instance, I have my regular cowbelly.com website, and several other websites, on that same server, in folders named for each website, and they weren’t affected (they don’t contain any php files thank goodness), so I didn’t need to restore those folders.
Then, once you have all of your blog files selected, click the little ‘restore’ icon at the top.
On the resulting confirmation page, click the yellow ‘ok’.
Then on the page after that, click the yellow ‘yes to all’ so that every selected file is overwritten with the snapshot copy.
You will get the little spinny thing for awhile. It might feel like an eternity.
It might take 5-10 minutes for it to work its magic, depending on how much stuff you have on your blog. Loads of plugins? Might take longer. Old blog with years of photos? Might take longer.
You might also want to, instead of selecting ALL of the files and folders, just do them one folder at a time. Do the wp-admin folder, then the wp-content folder, then the wp-includes folder, then all of the loose files at the top level. (Note: the wp-content folder will take the longest, as that’s what contains all of your uploaded images, plugins and theme files).
Now be patient.
Have a sip of that drink.
Call a friend and do some talk-therapy.
When it’s done, for just a few seconds, it will show a little ‘restore completed successfully’ in the bottom right corner. It will be back on the main server screen, showing your columns again with all of the files there.
Now, and this is important, because I don’t want you freaking out and thinking this didn’t work, if indeed it did.
You need to remove all of your cookies, empty your cache, and clear your history BEFORE you try and view your blog/website again. Seriously, do it now. Otherwise your browser may show you the old, infected pages it saved earlier and you’ll think the restore failed when it didn’t.
In Firefox it’s as simple as going to ‘Tools –> Clear Recent History’ (or ‘Clear Private Data’). Make sure you have removed your cache, your cookies, and your history, so you are looking at a fresh view when you finally do try and view your blog. (If you don’t know how to do this, google it; it’s great knowledge to have just in general). One caveat: the big red “this site contains malware” page itself comes from the browser’s malware blocklist, not from your cache, so it can linger for a while after your files are clean.
Ok, so cache, cookies, and history all gone? Right?
Then, close out your browser and re-open it.
NOW, still with me? Still breathing?
Ok, you might want to hold your breath, and cross your fingers, and get up and do a little dance first to blow out the tension. You are ready to see if it worked.
Type in your blog/website address into your browser. Hit enter.
Did it work?
Now you can finish that drink in celebration and not despair. YAY!!
Click on the links, and try to log into your admin to make sure everything is back to normal. While you are in there, go back to the file manager and sort by ‘date modified’ once more: none of your .php files should still carry the infection timestamp, and if one does, restore that folder again. If it didn’t work, you may have hit some snafus along the way. You may need to restore again, to an earlier date, or restore one folder at a time, and do chunks of files at a time. If that doesn’t work it’s best to contact GoDaddy at that point for help, or go through the process yet again in case you missed something. This worked like a charm for me both times I tried it, and the first time I did it I had no idea what in the hell I was doing.
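For the more technical readers, here is a small script that automates two of the checks in the walkthrough above: finding the minute in which most of your .php files were rewritten (the ‘date modified’ clue), and comparing the live files with a known-good copy so you can see exactly which files the restore needs to cover. This is an added example, not code from the original post or from GoDaddy or WordPress. It assumes you have downloaded the live site and the known-good snapshot into two local folders (over FTP, say), and it assumes that injected PHP usually carries a call like eval() or base64_decode(), or a single very long line, near the top or bottom of the file; those markers are my assumption, the post only says the code looked yucky. The sample site it scans is constructed inside the script so you can run it as-is.

```python
"""Triage for a site whose .php files were rewritten en masse (added example)."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: common markers of injected, obfuscated PHP. Tune for your site.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
LONG_LINE = 300   # one line this long at a file's edge is unusual for hand-written PHP
EDGE_LINES = 3    # non-blank lines to inspect at each end of a file

# Constructed, inert stand-in for an injected line (the base64 is just 'ABC' repeated).
INJECTION = "<?php eval(base64_decode('" + "QUJD" * 120 + "')); ?>"


def php_files(root):
    """Every .php file under root, sorted by path."""
    return sorted(p for p in Path(root).rglob("*.php") if p.is_file())


def modification_burst(root, resolution=60):
    """Bucket .php files by mtime (one-minute buckets by default) and return
    (bucket_start_utc, files) for the fullest bucket. A mass infection shows
    up as one bucket holding most of the site, like the 2:47AM case above."""
    buckets = {}
    for p in php_files(root):
        key = int(p.stat().st_mtime) // resolution * resolution
        buckets.setdefault(key, []).append(p)
    if not buckets:
        return None, []
    key = max(buckets, key=lambda k: len(buckets[k]))
    return datetime.fromtimestamp(key, timezone.utc), buckets[key]


def looks_injected(path):
    """Reasons a PHP file looks tampered with (empty list means nothing seen):
    an obfuscation call or an abnormally long line within EDGE_LINES of either end."""
    lines = [l for l in Path(path).read_text(errors="replace").splitlines() if l.strip()]
    head = set(range(min(EDGE_LINES, len(lines))))
    tail = set(range(max(0, len(lines) - EDGE_LINES), len(lines)))
    reasons = []
    for i in sorted(head | tail):
        where = "head" if i in head else "tail"
        if SUSPICIOUS.search(lines[i]):
            reasons.append(f"{where}: obfuscation call")
        if len(lines[i]) > LONG_LINE:
            reasons.append(f"{where}: {len(lines[i])}-char line")
    return reasons


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def diff_against_snapshot(live_root, snapshot_root):
    """Map relative path -> 'modified' | 'added' | 'removed' for each .php file
    that differs between the live tree and the known-good snapshot."""
    live = {p.relative_to(live_root).as_posix(): sha256(p) for p in php_files(live_root)}
    snap = {p.relative_to(snapshot_root).as_posix(): sha256(p) for p in php_files(snapshot_root)}
    report = {}
    for rel in sorted(set(live) | set(snap)):
        if rel not in snap:
            report[rel] = "added"
        elif rel not in live:
            report[rel] = "removed"
        elif live[rel] != snap[rel]:
            report[rel] = "modified"
    return report


def write(path, text, mtime):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.utime(path, (mtime, mtime))


def build_sample_site(base):
    """Construct a tiny WordPress-like tree twice: a clean 'snapshot' stamped
    Thursday, and a 'live' copy where every .php file was overwritten at
    02:47:13 UTC Friday and one extra file was dropped. Sample data only."""
    clean = {
        "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
        "wp-config.php": "<?php\ndefine('DB_NAME', 'blog');\n",
        "wp-content/themes/prophoto/functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
        "wp-content/uploads/photo.jpg": "not php, untouched\n",
    }
    snapshot, live = Path(base) / "snapshot", Path(base) / "live"
    thursday = datetime(2010, 5, 6, 12, 0, tzinfo=timezone.utc).timestamp()
    friday = datetime(2010, 5, 7, 2, 47, 13, tzinfo=timezone.utc).timestamp()
    for rel, body in clean.items():
        hit = rel.endswith(".php")
        write(snapshot / rel, body, thursday)
        write(live / rel, INJECTION + "\n" + body if hit else body, friday if hit else thursday)
    write(live / "wp-content/uploads/cache.php", INJECTION + "\n", friday)  # dropped file
    return live, snapshot


def demo():
    """Run the triage on the constructed site and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        live, snapshot = build_sample_site(tmp)
        when, files = modification_burst(live)
        return {
            "burst_minute": when.strftime("%Y-%m-%d %H:%M UTC"),
            "files_in_burst": sorted(p.relative_to(live).as_posix() for p in files),
            "changed": diff_against_snapshot(live, snapshot),
            "flagged": {p.relative_to(live).as_posix(): looks_injected(p) for p in files},
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `modification_burst` at your downloaded live files to get the infection minute, then `diff_against_snapshot` at the live and snapshot folders to list what actually changed; anything reported as ‘added’ is a file the attacker dropped, which a restore of existing files will not remove, so delete it by hand.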
“Ok, that’s great and all Jamie, but what do I do if my blog/website isn’t hosted at GoDaddy?”
Contact your hosting provider and ask them if you have the ability to do a history restore in your admin panel, and ask them to walk you through it, or at least send you detailed instructions on how to do this.
And also, if you royally screw up your blog in some other way (as I have a couple of times in the past), this may work for that as well.
“How do I prevent this from happening again?”
Sadly, at this point, you don’t. Because no one knows what the cause is. Or if they do, they aren’t telling. Yet anyway.
I have heard/read every reason in the book for this happening. GoDaddy is blaming WordPress (it’s not a WordPress issue, as there are lots of non-WP sites affected). ‘Experts’ are saying you need to: upgrade your WordPress version, change your file permissions, set up an .htaccess file to protect your wp-config file, set up scrambled passwords, change your database password to something long and complicated, change your FTP passwords, change your login information, install antivirus and malware catcher plugins, etc, etc.
I’ve tried all of these things (except I didn’t scramble my passwords but I did change them last weekend to all be things long and complicated), and I still got hit again today, as many others have. I will no longer waste my time trying to protect myself, since it clearly didn’t work anyway.
I think the best defense at this point, until the ‘experts’ can figure out how this is happening, is to do the steps I outlined above, if and when it happens again.
It’s frustrating and it sucks, I know, but really it’s the fault of a few evil people who like to wreak havoc on others’ lives by writing viruses that affect productivity, harm small businesses, and destroy people’s sanity. THOSE people need to be burned at the stake, IMHO.
I really hope this helps at least a few people from the stress and frustration I felt, and helps you get back online quickly and with the least amount of stress possible.
Back to work with me!! 🙂