About a week and a half ago, with the school semester ramping up for final projects and the end of the semester in sight, I thought I was in a good place as far as my progress in my web development classes in preparation for the Mesa College Web Development Portfolio Show. Then disaster struck. With no warning, while I was in class, I received an email from my paid webhosting service stating I was infected with malware and that all my accounts and websites had been shut down to prevent the spread of it. I was unable to FTP or access my cPanel page. Since the email included a link where the malware was spamming from, I still didn't think it was all that bad since it wasn't a directory of any of my important websites. How wrong I was!
After replying to my webhost to get access back so I could remove the infected directory, I hadn't yet thought about what my plan of action would be if it were something bigger than one directory. My webhost finally granted me access the following day and required that I change all my passwords. The first thing I did was change passwords for my cPanel account, FTP account, database passwords, and admin accounts for all my WordPress sites. Next, I tried bringing up all my websites in a browser window and nothing would come up. I then tried looking at my website directories, but nothing was listed in my domain root. All my folders were wiped clean! At this point I may have started to hyperventilate and curse the web development Gods who unleashed this hell on my website projects! I probably also cursed out my webhosting company for deleting all my directories without coordinating it with me first. After frantically emailing my webhost asking what happened to my websites, they told me they took my sites offline while trying to clean my directories of the malware. Whew, I was relieved for the time being, but not for very long!
Once they cleaned my sites and brought them back up, I again tried to access them through a browser window, but it was a crapshoot. Some came up very slow and limping, while others didn't come up at all. After browsing my website directories, I was finding all kinds of invalid index.php files being created at numerous folder root levels with @include statements in them. I also found @include statements injected into valid index.php files. In addition, the malware was renaming index.html files in my non-WordPress sites to index.html.bak.bak and inserting an infected index.php file in its place. It was obvious that my sites were still infected. After taking several deep breaths and again cursing the technology Gods, I started to clean each website folder of the malware manually, going through hundreds of files and folders in the process. The reasoning behind this? I wasn't sure how long I had been infected for and wasn't confident that my recent backups were clean copies. After spending nearly two days cleaning a total of six websites, I was finally able to view them in a browser window, and I felt confident the worst was behind me. Yeah right! The very next morning, I woke up to find all my sites were infected again. I was now in full-blown panic mode!
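The two indicators described above (index.php files carrying an @include loader, and original index.html files renamed to index.html.bak.bak) are easy to sweep for from an SSH shell before trusting a "clean" directory. The script below is an added example, not the author's own cleanup procedure; the sample web root it builds under a temporary directory, its file contents and the include path are constructed for the demonstration.

```shell
#!/bin/sh
# Sweep a web root for the two file-level indicators described in the post:
#   1. any index.php that contains an "@include" statement (injected loader)
#   2. any *.bak.bak file (the original index.html renamed by the malware)
# Prints one matching path per line. Review every hit by hand: a legitimate
# index.php normally uses require/include without the "@" error suppressor.

scan_webroot() {
    root="$1"
    # indicator 1: @include inside any index.php, at any depth
    find "$root" -type f -name 'index.php' -exec grep -l '@include' {} + 2>/dev/null
    # indicator 2: renamed originals left beside the infected loader
    find "$root" -type f -name '*.bak.bak' 2>/dev/null
}

# Number of suspicious paths found under a web root.
count_findings() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (an assumption for this example, not a real host):
# one WordPress site with a loader dropped into wp-content/uploads and one
# static site whose index.html was renamed and replaced.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/site-a/wp-content/uploads" "$root/site-b"
    # legitimate WordPress front controller: plain require, no "@include"
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$root/site-a/index.php"
    # injected loader in a folder that should never hold an index.php
    printf '<?php\n@include "/home/user/.cache/loader.php";\n' > "$root/site-a/wp-content/uploads/index.php"
    # static site: original renamed, infected index.php put in its place
    printf '<html><body>static site</body></html>\n' > "$root/site-b/index.html.bak.bak"
    printf '<?php\n@include "/home/user/.cache/loader.php";\n' > "$root/site-b/index.php"
}

# Stand-alone run against the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "suspicious paths under $demo_root:"
scan_webroot "$demo_root"
echo "total: $(count_findings "$demo_root")"
rm -rf "$demo_root"
```

Against a real account, run `scan_webroot /home/USER/public_html` (path is an assumption; use the account's actual document root) and compare the hits with a known-good copy of each site before deleting anything. A clean sweep of these two indicators does not prove the account is clean: the post's own experience of reinfection shows the loader can be re-dropped by a backdoor elsewhere (a plugin file, a theme, a cron entry, or database content), so the sweep is a check to repeat after restoring, not a cure.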
Because I had never experienced a hacked website before, I was totally unprepared for how to tackle the problem. After Googling suggestions on how to clean malware on infected websites, I learned the first thing to do is NOT TO PANIC! Panic will not allow a person to think clearly and logically when confronted with a scare like this. I couldn't help myself; those websites were built with my blood, sweat, and tears and countless hours of my precious time! Those sites were my babies and my ticket to a better life once I finished school. So armed with this valuable piece of information, I started to think about the problem logically and kept panic at a safe distance. My first thought was how to contain the malware from spreading. It most likely was spreading from one of my WordPress sites, which were unprotected. After some research, I installed the WordFence security plugin on my WordPress sites and enabled the website firewall for each one. After scanning each site using the plugin, it alerted me to suspicious files and guided me on how to clean the infection. After following the instructions and removing the malware, I managed to stem the bleeding to a manageable level. After successive scans with WordFence reported no malware, I thought I was in the clear. Just as I was starting to pat myself on the back, another WordFence scan alerted me again to infected files. Panic started to rear its ugly head. I surmised that there was probably some type of infected code hiding in one of my WordPress databases that kept the malware alive. At this point, I was resigned to hiring a professional security company to clean my websites and databases because I didn't trust my backups. After reaching out to both Sucuri and WordFence, they each wanted a minimum of $170 per website! Damn, that's over $1,000 to clean all six of my sites! NO THANK YOU!!
I decided to sleep on it that night and formulate a plan of action the next morning. Well, wouldn't you know, my plan of action came to me in my sleep. Most of my websites were non-WordPress and had been static for quite some time. I was able to find clean backups from a few months ago. I was also able to find decent backups of my e-commerce site and one WordPress site from last semester, since those sites hadn't changed much either. The only site I was worried about was my most important site of all, my portfolio site showcasing my school projects. I managed to find a clean backup from a few days prior to the malware infection and only lost one full day of work on the site. That's a hell of a lot better than paying someone $170 to clean that site! I then systematically zipped each website directory, downloaded them to my local PC, and deleted them off the webserver. Afterwards, I exported the "bad" database tables to my local PC and deleted each database from the server. I then restored each website directory, one at a time, recreated each database, imported the good backup tables, and then re-established connections to each site. After several hours, all my sites were back up and running with malware-free directories and databases! During this process, I also reinstalled WordFence on each WordPress site and locked everything down. In addition, I modified my root .htaccess file to ensure directory listings were disabled and locked the file to prevent any unwanted changes. As an extra measure, I made each wp-config.php file for my WordPress sites unwritable. My sites have now been malware free for almost two weeks, and I get notified whenever a hacker tries brute forcing their way into my sites, resulting in their IPs being blacklisted.
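The two hardening steps named above, disabling directory listings in the root .htaccess and making wp-config.php unwritable, can be applied and then verified from a shell so they are not silently undone by a later restore. The script below is an added example and not the author's own commands; it assumes an Apache host that honours `.htaccess`, uses `Options -Indexes` for the listing change and `chmod 444` for wp-config.php (the post does not say which mechanism the author's host used to "lock" the files), and the sample site directory it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Apply and verify two hardening steps on a web root:
#   1. "Options -Indexes" in the root .htaccess (disables directory listings)
#   2. wp-config.php made read-only (mode 444)
# The .htaccess edit is idempotent: the directive is appended only if absent.

harden_site() {
    root="$1"
    htaccess="$root/.htaccess"
    # 1. directory listings: append the directive only once
    if ! grep -qs '^Options -Indexes' "$htaccess"; then
        printf 'Options -Indexes\n' >> "$htaccess"
    fi
    # 2. wp-config.php: strip write bits for owner, group and others
    if [ -f "$root/wp-config.php" ]; then
        chmod 444 "$root/wp-config.php"
    fi
}

# Returns 0 when both settings are in place, 1 otherwise. Permissions are
# read from "ls -l" rather than "test -w" because the root user can write
# any file regardless of mode, which would make "-w" report the wrong answer.
check_site() {
    root="$1"
    grep -qs '^Options -Indexes' "$root/.htaccess" || return 1
    if [ -f "$root/wp-config.php" ]; then
        mode=$(ls -ld "$root/wp-config.php" | cut -c1-10)
        [ "$mode" = "-r--r--r--" ] || return 1
    fi
    return 0
}

# Number of "Options -Indexes" lines in the root .htaccess (should stay 1
# no matter how many times harden_site runs).
count_index_directives() {
    grep -c '^Options -Indexes' "$1/.htaccess" 2>/dev/null || echo 0
}

# Constructed sample site (an assumption for this example).
make_sample_site() {
    root="$1"
    mkdir -p "$root"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    printf '<?php\ndefine("DB_NAME", "example");\n' > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"
}

# Stand-alone run against the constructed site.
demo_root=$(mktemp -d)/public_html
make_sample_site "$demo_root"
harden_site "$demo_root"
harden_site "$demo_root"   # second run must not duplicate the directive
if check_site "$demo_root"; then
    echo "hardened: $demo_root"
else
    echo "NOT hardened: $demo_root"
fi
cat "$demo_root/.htaccess"
ls -l "$demo_root/wp-config.php"
rm -rf "$(dirname "$demo_root")"
```

Run `check_site` again after every restore from backup, because an archive unpacked over the document root carries its own .htaccess and file modes and will quietly replace both settings. A read-only wp-config.php stops a PHP process running as your own account from rewriting it, but it does not stop that same process from running `chmod` first; it raises the bar rather than closing the door, which is why the post pairs it with the firewall and scanner.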
So what have I learned from all this? I can honestly say that, while I didn't enjoy the experience, I believe it was absolutely necessary in my growth as a web developer. If it wasn't for this harrowing incident, I would not be aware of the importance of securing websites, especially WordPress sites, nor vigilant about performing critical backups on a regular basis. I gained valuable insight and experience in the responsible operation of websites that no book or article could properly prepare me for. After figuring out how to troubleshoot and remedy this malware scare myself, I'm now ready for that pat on my back, always remembering that the next scare may be just around the corner.