Website hacked, exploited or compromised
Posted by Rick G. on 02 May 2015 12:48 PM
Once a website has been hacked, there is no way to be 100% certain you have cleaned every file unless you physically examine every file on your account, line by line, function by function. As you can imagine, that is an incredibly tedious task and would cost thousands of dollars to have done properly. It is not even something we would do, because we could never guarantee that we had 'found everything'. In fact, we don't think you would get that guarantee from anyone; it is next to impossible.
Really, your best and only realistic option is to completely delete _all_ files in the public_html directory. Treat 'every' file as compromised: you simply do not know which ones are not, so err on the side of caution and assume they all are. If you need anything from the old site, such as uploaded images or an export of the database, copy it somewhere outside the web root first and treat that copy as untrusted until you have inspected it.
Once every file is gone, you can be certain there are no exploited files in the public_html directory, for the simple reason that there are no files in it at all.
You then rebuild the site using the latest version of your software, downloaded directly from the vendor (and checked against the vendor's published checksums where they offer them). If you use any plugins or extensions, research each one carefully for known vulnerabilities. We have seen estimates that a large majority of WordPress plugins have had known vulnerabilities, and some have shipped with backdoors built in. Plugins should only come from highly trusted sources, after thorough investigation of both the vendor and the plugin itself.
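The wipe-and-rebuild procedure above, as an added shell example (this is not the article's own script, nor a cPanel tool): `quarantine_and_wipe` keeps a compressed, owner-only copy of the compromised tree outside the web root for later inspection, then deletes everything in the docroot including dotfiles such as .htaccess; `verify_archive` checks a vendor download against a digest before it is unpacked. The paths are placeholders, and the expected digest would come from the vendor (wordpress.org publishes a .sha1 next to each release tarball, e.g. latest.tar.gz.sha1).

```shell
#!/bin/sh
# Added example, not part of the original article. Paths are placeholders.
set -eu

# quarantine_and_wipe DOCROOT QUARANTINE_DIR
# Snapshot the compromised tree (evidence, and a source for uploads you may
# later want to recover after reviewing them), then remove every entry in
# DOCROOT. find is used instead of "rm -rf $docroot/*" so dotfiles such as
# .htaccess, which attackers routinely modify, are removed as well.
quarantine_and_wipe() {
    docroot="$1"
    quarantine="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$quarantine/compromised-$stamp.tar.gz"
    mkdir -p "$quarantine"
    tar -czf "$archive" -C "$docroot" .
    chmod 600 "$archive"            # the copy contains live web shells; keep it private
    find "$docroot" -mindepth 1 -delete
    printf '%s\n' "$archive"        # print the archive path for the caller
}

# verify_archive FILE EXPECTED_SHA1
# Succeeds only when the file's SHA-1 matches the digest published by the
# vendor. Falls back to shasum on systems without sha1sum (e.g. macOS).
verify_archive() {
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 1 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# Intended use (placeholder paths; the expected digest is whatever the vendor
# published for the exact release you downloaded):
#   archive=$(quarantine_and_wipe ~/public_html ~/quarantine)
#   curl -fsSLo /tmp/wordpress.tar.gz https://wordpress.org/latest.tar.gz
#   curl -fsSL https://wordpress.org/latest.tar.gz.sha1 > /tmp/wordpress.sha1
#   verify_archive /tmp/wordpress.tar.gz "$(cut -d' ' -f1 /tmp/wordpress.sha1)" \
#       && tar -xzf /tmp/wordpress.tar.gz -C ~/public_html --strip-components=1
```

Only unpack the archive if `verify_archive` succeeds; a download that was tampered with in transit or fetched from a mirror of unknown provenance would otherwise put you right back where you started. After the reinstall, WP-CLI's `wp core verify-checksums` can be used to re-check core files against wordpress.org at any later time.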
We would add that you should _never_ run WordPress alongside any other software.
It should always be isolated in its own cPanel account. Every application in an account runs as that account's user, so it is not a matter of if but when your WordPress installation is exploited, and when it is, the attacker can modify any and every file on the entire account. This includes Magento files or any other application installed in the same account as the exploited WordPress installation.
We literally deal with these exploits multiple times a day; it is typically the first thing and the last thing we do every day. WordPress is incredibly insecure in practice and can only be run safely if you are extremely vigilant about not only your WordPress version but every plugin you have installed. It is incredibly popular software, so it is heavily targeted by attackers. We, and every other host, are constantly being scanned for WordPress exploits. It is an impossible battle, and it is even harder to ensure that you have removed every piece of exploited code from an account.
It is so common for us to see this problem every day: people spend hours upon hours 'fixing' their site only to be hacked again the next day because the exploit was not found or the backdoor was not discovered.
The only certain way to be sure is to completely delete all files and reinstall; there is really nothing else you can do besides going through your site and hoping you have found it.
Services like sucuri.net can help protect a site, but once the site is exploited they are rarely able to completely clean the account; we have seen this time and time again. So, if you are going to use such a service, use it after you have reinstalled the software and are certain the site is no longer compromised and that no code on the website is vulnerable.
We would add that it is very rare for only your WordPress installation to be exploited. Most of the time we find that backdoors have been placed in other locations on the account, such as a livechat directory or a Magento directory, completely unrelated to WordPress but on the same account, to which the attacker has full access, including the ability to delete every file if they wish.
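To see how far a compromise has spread across an account before wiping it, here is an added triage sweep (example code, not the article's own or any vendor's scanner). It walks the whole account, not just the WordPress directory, and reports two things: PHP files sitting in directories that should only hold data (uploads, cache, media), and files containing common web-shell constructs such as `eval(base64_decode(...))` or `system($_REQUEST[...])`. The indicator list is a constructed starting point, not a complete signature set; a sweep that finds nothing proves nothing, which is exactly why the article's advice is to delete everything rather than clean.

```shell
#!/bin/sh
# Added example, not part of the original article. The patterns below are a
# small, hand-picked set of web-shell indicators; they scope a compromise for
# triage and are not a cleaning tool.
set -eu

# sweep_indicators ACCOUNT_ROOT
# Prints each suspicious file once (sorted, de-duplicated).
sweep_indicators() {
    root="$1"
    {
        # 1. Executable PHP where only data belongs: a classic drop location
        #    for shells uploaded through a vulnerable plugin or media form.
        find "$root" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
            \( -path '*/uploads/*' -o -path '*/cache/*' -o -path '*/media/*' \) \
            -print

        # 2. Obfuscated eval chains, the old /e preg_replace trick, and direct
        #    command execution on request data. grep -l exits 1 when nothing
        #    matches, which is not an error for us.
        grep -rlE --include='*.php' --include='*.phtml' --include='*.php5' \
            'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(POST|GET|REQUEST|COOKIE))|preg_replace *\(.*/e[^a-zA-Z]|(system|passthru|shell_exec|exec|assert) *\( *\$_(POST|GET|REQUEST|COOKIE)' \
            "$root" 2>/dev/null || true
    } | sort -u
}

# Intended use on a cPanel account (placeholder path):
#   sweep_indicators ~ > ~/quarantine/suspicious-files.txt
```

Run it from the account's home directory so that livechat, Magento and any other application directories are covered, and keep the output alongside the quarantined archive: the list tells you which other applications the attacker touched and therefore which of them also need a from-scratch reinstall.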
How you go about it is entirely up to you; however, it is not something within the scope of technical support. This is a development issue, not a problem with the server.
We hope you understand and take our advice to reinstall all files from scratch, and very carefully at that. Then be extremely vigilant about your installation and constantly monitor the versions of everything installed, including the WordPress installation itself.
We would also recommend following us on Twitter @crucialwebhost, as we announce all major vulnerabilities on our Twitter feed too, in the hope of helping you avoid situations like the one you have found yourself in.
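The "constantly monitor your versions" advice, as an added example (not the article's own script): `core_version` reads the version from wp-includes/version.php, `plugin_versions` reads the `Version:` header that every WordPress plugin's main file carries, and `flag_outdated` compares those against a minimum-version list. The list format (one `slug minimum` per line) and the plugin names used in the usage comment are assumptions; you would fill the list from vendor advisories, the plugin changelogs and announcements such as the host's Twitter feed mentioned above.

```shell
#!/bin/sh
# Added example, not part of the original article. The minimum-version file
# format is an assumption of this script, not a WordPress convention.
set -eu

# core_version WP_ROOT  ->  e.g. "4.2.1"
# wp-includes/version.php defines $wp_version = '4.2.1'; take the quoted value.
core_version() {
    grep -E '^\$wp_version *=' "$1/wp-includes/version.php" | cut -d"'" -f2
}

# plugin_versions WP_ROOT  ->  one "slug version" line per installed plugin.
# Every plugin's main file has a comment header with a "Version:" line,
# written either as "Version: x" or " * Version: x" inside a docblock.
plugin_versions() {
    for dir in "$1"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        slug=$(basename "$dir")
        ver=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"*.php 2>/dev/null \
              | head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        printf '%s %s\n' "$slug" "${ver:-unknown}"
    done
}

# version_lt A B  ->  true when A sorts before B as a version string.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# flag_outdated WP_ROOT MINIMUMS_FILE
# MINIMUMS_FILE has lines "slug minimum_version". Prints every installed
# plugin that is below its minimum or whose version could not be read.
flag_outdated() {
    plugin_versions "$1" | while read -r slug ver; do
        min=$(awk -v s="$slug" '$1==s {print $2}' "$2")
        [ -n "$min" ] || continue
        if [ "$ver" = unknown ] || version_lt "$ver" "$min"; then
            printf '%s installed=%s minimum=%s\n' "$slug" "$ver" "$min"
        fi
    done
}

# Intended use (placeholder paths):
#   core_version ~/public_html
#   flag_outdated ~/public_html ~/plugin-minimums.txt
```

A plugin reported as `unknown` deserves attention too: a main file with no readable header is either not a plugin at all or has been replaced, and either way it does not belong in a freshly rebuilt site. Running `flag_outdated` from cron and mailing yourself any non-empty output is a cheap way to turn the article's "be vigilant" into something that actually happens every day.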