If you attempted to visit my blog on Friday using either Firefox or Chrome, you most likely received a warning that the site was compromised and dangerous. While I’m still not sure how they got through, I can tell you that my blog was compromised. Code was injected into the site in every place where javascript was being output that attempted to install malware on the computers of people who visited nick.pro.
No, it was not because I was lazy and didn’t keep my blog up to date. The blog was already running the most up-to-date version of WordPress available. The compromise most likely came through a vulnerability in one of the plugins or in the theme I was using.
My first inclination would be to pretend that such an embarrassing lapse of security never happened, but I thought that perhaps the tale of how I’ve brought things back up might help others who find their websites hacked as well.
The infection first came up on Wednesday night and was pointed out to me by a coworker. I spent a few hours cleaning out all the injected javascript and doing what I thought would lock down the site from being infected again. Unfortunately Thursday night at just before midnight, the infection recurred. Rather than spend hours trying to clean it out again, I took the entire site down and left up a simple “offline” message with a 503 status code to indicate that it was a temporary outage (as suggested under Quarantine your Site on Google’s “Cleaning your site” help page).
Friday night I did a fresh install of the WordPress software with a new database, new database password, and new password for my user. I then imported my content from a backup copy from well before the hack (you do make regular backups of your blog’s content right?) and manually copied over the images (and only the images) from a backup as well.
Because I am still unsure how the attacker gained access to my site, I installed only the bare minimum plugins to get my site functioning again, and for the moment am using the default TwentyEleven WordPress theme that comes with a stock WordPress installation. When I have more time I will make a brand new theme not using any existing theme as a basis in case it was the theme I was using that was compromised.
I held off writing this “I’m back” post for the weekend in case somehow I still didn’t have the leak secured, but the site has not been compromised again, so hopefully the worst is behind me.