My site has been hacked. Actually it happened a couple of times starting a few months back with a lot of redirects to a Russian porn site, followed by hacking my email and spamming the world which resulted in my service provider locking my account for a few days.
I thought the bad guys were gone but they came back about 2 weeks ago, or possibly never left.
I run a WP theme and keep it updated, both WP version, template and plugin updates.
Also do the same on all my computers, running Secunia on a constant basis to alert me to OS and program updates. Microsoft Essentials is my antivirus and Spybot checks for bad guys.
Two weeks ago my site went dark. No hits. Just barely showing up in search engines and when it did it was several pages back. Traffic dropped to near zero for 5 days. When it started to creep back it was barely a trickle compared to before and still had almost nothing on Google, Bing, etc.
No warning messages from Google analytics or webmaster. No malware. Only hint of something wrong was a big spike in 403 codes from people trying to access my site.
My son is a website/email security expert and I had him look at the site. He found some suspicious items and some file permissions that were not secure. He didn't have time to get into the site in more detail but saw enough to know I was definitely hacked, and possibly they had been there for some time.
My most recent tip off came when I upgraded to WP 3.4 and got a warning message that I was going to be redirected from inside the admin section which is extremely odd.
Normal scans on the client side showed nothing suspicious but Google and Bing both noted the high number of 403 codes.
Last night I was talking with my son again and he had more time to look at files in the admin section. What he found in wp-admin and index.php shocked even him. His exact words were "I have read about this but never seen it firsthand. This is extremely sophisticated. Oh, these guys are good. Really good. Yes, they OWN you."
On one hand I was glad he was having fun. Almost like seeing the Loch Ness monster in the flesh, so to speak.
On the other, I wanted him to get it out.
He was more fascinated in trying to figure out how they got in (other than the obvious permission settings) and how long they had been there.
Not me. I wanted them dead.
Talking further, he said inquiries to my site were still being redirected to Russia. Even more, when someone hit my site and got a 403 message and email was immediately sent to the hackers giving them the search term and other information.
He asked if I had any content on my site written by someone other than me. Other than quoting sources like the NYT Health Blog or Consumer Reports (with links and credit), no, it is all original.
As we talked more I remembered a post I had put up sometime last year about "Does Medicare cover Viagra" and had linked to an authority site where the information was provided. I also knew that my site has a lot of hits for "medicare viagra" and similar terms.
While Robert (my son) was eliminating the malicious code and writing more security code I looked at my Viagra post.
It had been completely rewritten by hackers.
Instead of the 200+ word post it had only one line "Find out how Medicare covers your Viagra".
I didn't even bother to look for links, I deleted and trashed the post. Followed up with a quick site search to see if Viagra was mentioned anywhere else.
It wasn't.
When I deleted the post, my sitemap was regenerated followed by pinging Google, Bing, Yahoo.
This morning I checked my site and my PR3 is restored (from a 0 for the last 2 weeks). My target search terms are back on pg 1, even the broad ones and it looks like traffic is starting to come back.
I had been trying to blame Panda or Penguin when in fact the problem was a hack. More importantly, all of the normal malware programs never picked this up, either from inside WP, Google webmaster or server checks.
The only way I would have known is to have someone who knows code and what to look for, all triggered by some really suspicious things going on then putting the pieces together.
Hopefully you won't have to go through this, and this is not a plug for my son . . . you probably couldn't afford him. But if your site traffic and ranking suddenly drops it may not be your fault.
I thought the bad guys were gone but they came back about 2 weeks ago, or possibly never left.
I run a WP theme and keep it updated, both WP version, template and plugin updates.
Also do the same on all my computers, running Secunia on a constant basis to alert me to OS and program updates. Microsoft Essentials is my antivirus and Spybot checks for bad guys.
Two weeks ago my site went dark. No hits. Just barely showing up in search engines and when it did it was several pages back. Traffic dropped to near zero for 5 days. When it started to creep back it was barely a trickle compared to before and still had almost nothing on Google, Bing, etc.
No warning messages from Google analytics or webmaster. No malware. Only hint of something wrong was a big spike in 403 codes from people trying to access my site.
My son is a website/email security expert and I had him look at the site. He found some suspicious items and some file permissions that were not secure. He didn't have time to get into the site in more detail but saw enough to know I was definitely hacked, and possibly they had been there for some time.
My most recent tip off came when I upgraded to WP 3.4 and got a warning message that I was going to be redirected from inside the admin section which is extremely odd.
Normal scans on the client side showed nothing suspicious but Google and Bing both noted the high number of 403 codes.
Last night I was talking with my son again and he had more time to look at files in the admin section. What he found in wp-admin and index.php shocked even him. His exact words were "I have read about this but never seen it firsthand. This is extremely sophisticated. Oh, these guys are good. Really good. Yes, they OWN you."
On one hand I was glad he was having fun. Almost like seeing the Loch Ness monster in the flesh, so to speak.
On the other, I wanted him to get it out.
He was more fascinated in trying to figure out how they got in (other than the obvious permission settings) and how long they had been there.
Not me. I wanted them dead.
Talking further, he said inquiries to my site were still being redirected to Russia. Even more, when someone hit my site and got a 403 message and email was immediately sent to the hackers giving them the search term and other information.
He asked if I had any content on my site written by someone other than me. Other than quoting sources like the NYT Health Blog or Consumer Reports (with links and credit), no, it is all original.
As we talked more I remembered a post I had put up sometime last year about "Does Medicare cover Viagra" and had linked to an authority site where the information was provided. I also knew that my site has a lot of hits for "medicare viagra" and similar terms.
While Robert (my son) was eliminating the malicious code and writing more security code I looked at my Viagra post.
It had been completely rewritten by hackers.
Instead of the 200+ word post it had only one line "Find out how Medicare covers your Viagra".
I didn't even bother to look for links, I deleted and trashed the post. Followed up with a quick site search to see if Viagra was mentioned anywhere else.
It wasn't.
When I deleted the post, my sitemap was regenerated followed by pinging Google, Bing, Yahoo.
This morning I checked my site and my PR3 is restored (from a 0 for the last 2 weeks). My target search terms are back on pg 1, even the broad ones and it looks like traffic is starting to come back.
I had been trying to blame Panda or Penguin when in fact the problem was a hack. More importantly, all of the normal malware programs never picked this up, either from inside WP, Google webmaster or server checks.
The only way I would have known is to have someone who knows code and what to look for, all triggered by some really suspicious things going on then putting the pieces together.
Hopefully you won't have to go through this, and this is not a plug for my son . . . you probably couldn't afford him. But if your site traffic and ranking suddenly drops it may not be your fault.
)
