When I started using WordPress, I was warned about hacks, backdoors, and vulnerabilities. Supposedly it isn’t a big issue if you exercise some common sense. My experience with the platform was weak and I didn’t know what “common sense” for WordPress security was.
Over the years, I’ve had multiple WordPress websites hacked, and each time it happened I failed to learn my lesson.
My first website (which received significant traffic) got hacked. It was the result of a vulnerability in a WordPress plugin. The hack caused a content injection that was pretty crafty.
In this post I talk about what happened and how I fixed it.
What is Content Injection
Content injection can take the form of a sneaky script that is only active when a user visits the infected web page. It can do other things, but this was the case for me. My content injection infection would store a URL redirect script that is only discoverable when the web page is loaded.
The redirect would take my traffic to sites that sell male enhancement products.
It was able to infect all my web pages (including images). My site started ranking for a lot of unwanted keywords.
About The Hacked Site
This was a small personal blog that featured game guides for games that I was currently playing. When I play a video game, I get obsessed with something called min/maxing. In short, min/maxing is the process of diluting gameplay down to a science and abusing the mechanics implemented by the developers.
This usually breaks how the game is meant to be played but opens the door for a lot of fun shenanigans.
As you can see in the graphic above, the traffic numbers for this site were sitting around 8,000 to 9,000 monthly visitors. This number is a little misleading, as I had a post go viral for a couple of weeks and it helped me rank #1 for a couple of keywords. This topic was a breakout topic that I knew wouldn’t last.
The actual traffic leading up to the spike was sitting around 3,000 to 4,000 monthly visitors.
After the viral post stopped helping my rankings (and lots of competition showed up), the traffic fell back to normal numbers and then the plugin vulnerability kicked in around May 2019.
Effective immediately, all my traffic was siphoned.
Many of the keywords I was ranking for were low competition long-tail keywords. It didn’t take very long to reclaim my position, but there was a lot of damage.
Finding What Went Wrong
I didn’t even notice the site was hacked until I got an email from Google Search Console saying my site had a content injection warning. I had clearly neglected this site for many months.
I didn’t know how to fix this nor did I have it in my budget to pay someone to fix it. I had to learn how to do it myself.
What made it worse was the five other domains I had on the same host were also infected. The files would spread across the entire server and re-infect each other as soon as I cleaned them.
I didn’t know what to do, so I actually deleted most of them entirely. These were sites I was using for testing small ranking factors, so it wasn’t such a tragedy.
After doing some research, I found which plugin caused the infection and promptly removed it. I won’t name the plugin as it was and still is a commonly used plugin. It wasn’t really their fault and I don’t want to shame them for it.
Righting The Wrong
Fixing my hacked WordPress site took me nearly three whole weeks. I had spent hours each day learning which files were core WordPress files, which files were safe to delete and which ones should be manually cleaned.
After each cleaning, I sent a request in Google Search Console to validate the fix. It takes up to two days to check if your site is clear of content injection. When submitting a request, you are warned to make sure you are confident the problem has been resolved.
For each request that returns a failed result, you get prioritized less and less for having your site reviewed again.
I know this because I had to do it about FIFTEEN times.
I was losing my mind. Every time I cleaned my site and sent a request, I’d get an email from Google that my site was still compromised.
One evening, my wife and I had plans to meet with some friends. While waiting for her, I thought I’d do some more hacked website cleaning. I would dig through a bunch of PHP files that were re-infected, remove the bad code, then save the file.
Another trip to the Search Console dashboard and submit yet another request.
Surprisingly, I got the email from Google a few hours later while we were out. I felt a pit in my stomach, as I’d opened this email many times before only to be disappointed. The content injection warning was cleared and they were going to re-index my web pages!
Getting the traffic and rankings back to normal was a battle with Google’s index. Despite being back online and passing Search Console’s review, I was still ranking for a lot of keywords that are undesirable.
Doing a bit of research led me to find others who were in the same situation. It appears that Google would continue ranking me for those keywords until it had a chance to re-crawl and update its index for my web pages.
I made sure to re-submit the sitemap. I also requested re-crawls of each individual affected URL.
It took roughly 3 to 4 months to get these keywords off my website.
After enough hacked websites, I became a pro at cleaning and fixing hacked WordPress sites. The first time it happened, I had no clue what to do. It took me THREE whole weeks to get my site back up and running. Even then, it took MONTHS to recover my traffic and rankings.
The last time I had to clean a hacked WordPress website, it took only 12 minutes. Not bad. In the end, I’m grateful for the incidents as they taught me a deeper understanding of WordPress and how it stores content using databases.
Using a Firewall With File Monitoring
A good firewall plugin will quickly scan your infected files. A better one will notify you immediately if any changes were made while you were away. This kind of live file monitoring gave me peace of mind, as I doubted the effectiveness of my cleanup attempts.
Two weeks without a peep from the file monitoring plugin let me know I was in the clear.
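The core of what such a file-monitoring plugin does is a baseline comparison: hash every PHP and JavaScript file under the WordPress root, store the result, and report anything added, removed or changed on the next run. The script below is an added illustration of that idea, not code from this post or from any plugin; the WordPress root, the sample files and the "tampering" it performs are all constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# File types worth watching on a WordPress install: anything the server executes
# or the browser runs. Media files are skipped here to keep the baseline small.
MONITORED = {".php", ".js", ".htaccess"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each monitored file (path relative to root) to its current hash."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in root_path.rglob("*")
        if p.is_file() and (p.suffix in MONITORED or p.name in MONITORED)
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, change the tree, report the diff."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / "demo"
    plugin_dir.mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (plugin_dir / "demo.php").write_text("<?php // constructed plugin stub\n")
    baseline = build_manifest(root)
    # Simulated changes after the baseline: one edit, one new file, one deletion.
    (root / "index.php").write_text("<?php /* edited */ require 'wp-blog-header.php';\n")
    (root / "wp-content" / "unexpected.php").write_text("<?php // constructed new file\n")
    (plugin_dir / "demo.php").unlink()
    return diff_manifests(baseline, build_manifest(root))
```

In practice the baseline is written to disk (or off the server) right after a clean install or cleanup, and the comparison is run on a schedule; a non-empty report is the alert the author describes.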
Create Backups Regularly
This should go without saying. There are a handful of free backup plugins available. You’ll want to use one that can back up your database, themes, plugins, and media files. A good practice is to export your backup and store it offline.
Some premium plugins can automatically perform backups and store them on your cloud storage of choice.