WordPress cybercrime gangs are taking control of sites to place hidden malware on top of them. Most of them are e-commerce stores.
And no, contrary to what is commonly believed, they don’t want to steal payment credentials; instead they hijack the site’s ranking and reputation to promote an online scam.
Are you afraid of someone hijacking your website’s SERP ranking?
Then keep reading to find out what happened, how it happened, and how to prevent it.
WordPress Hackers Re-direct Traffic On Top
These attacks were discovered a few days ago, after Larry Cashdollar (a security researcher at Akamai) set up a honeypot to learn more about them.
The first finding was that attackers were using brute-force attacks to get into the sites’ admin accounts, after which they overwrote the main index file to inject malicious code.
Cashdollar suggested that the malware’s role was to work as a proxy, redirecting incoming traffic to a command-and-control server managed by the cybercriminals.
The attack would go like this…
- First, the user visits a hacked WordPress site.
- Then, the hacked website would forward the user’s request to the attackers’ server.
- If certain criteria were met, the C&C server would order the WordPress site to reply with an HTML file.
- That HTML would “summon” the scammy store on top, instead of the original page the user wanted to see.
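Since the injected proxy lives in the overwritten index.php, a quick defender check is to compare that file against what the stock WordPress front controller contains. This is an added example, not code from the article or from Akamai; it assumes a WordPress 5.x+ index.php (one define() and one require), and the two sample files are constructed here, with a harmless placeholder standing in for injected code.

```python
"""Audit a WordPress index.php for injected code (added example, not from the article)."""
import re

# The stock WordPress 5.x+ front controller, once comments and whitespace are stripped,
# is exactly these two statements. Assumption: older installs that use
# require(dirname(__FILE__) . '/wp-blog-header.php') need this set adjusted.
STOCK_STATEMENTS = {
    "define('WP_USE_THEMES',true);",
    "require__DIR__.'/wp-blog-header.php';",
}
# Patterns that commonly appear when the front controller has been replaced by a
# proxy or cloaking stub (obfuscation, remote fetches, visitor sniffing).
SUSPICIOUS_PATTERNS = [
    r"\beval\s*\(", r"base64_decode\s*\(", r"gzinflate\s*\(", r"str_rot13\s*\(",
    r"curl_(init|exec)\s*\(", r"file_get_contents\s*\(\s*['\"]https?://",
    r"HTTP_USER_AGENT",
]

def strip_php_comments(src):
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)          # /* ... */ and /** ... */
    return re.sub(r"(^|\n)[ \t]*(//|#)[^\n]*", r"\1", src)   # whole-line // and # comments

def statements(src):
    """Split PHP source into whitespace-normalised, single-quoted statements."""
    body = strip_php_comments(src).replace("<?php", "").replace("?>", "")
    return [re.sub(r"\s+", "", s).replace('"', "'") + ";" for s in body.split(";") if s.strip()]

def audit_index_php(src):
    """Return (is_stock, suspicious_hits, extra_statements) for one index.php source."""
    stmts = statements(src)
    extra = [s for s in stmts if s not in STOCK_STATEMENTS]          # anything beyond stock
    hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, src, re.I)]
    is_stock = not extra and STOCK_STATEMENTS <= set(stmts)
    return is_stock, hits, extra

# Constructed samples: the stock file, and one with an obfuscated placeholder prepended.
CLEAN = """<?php
/** Front to the WordPress application (stock file, comment shortened). */
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""
TAMPERED = """<?php
// constructed sample of a replaced front controller, not real malware
@eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'));
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_index_php(sample))   # run against open("index.php").read() on a real site
```

A non-stock result does not prove compromise (a host may customise the file), but any hit from the pattern list on index.php deserves a look before you go further.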
Surprisingly enough, attackers reportedly hosted over 7,000 e-commerce stores during the time Cashdollar’s honeypot was running.
Bad actors were also able to generate and submit sitemaps to Google’s search engine, deleting the old one, without being detected.
This was harmless to them but quite harmful to the original WordPress site owners, whose keyword positions dropped because of the association with scammy entries.
Without a doubt, this could be easily used for Black Hat SEO extortion schemes.
Can you imagine? A criminal group asking you for a ransom, threatening to intentionally poison the site ranking you have been working on for a long time.
I truly hope it hasn’t happened to you.
But the truth is, it could happen at any time because nothing strikes more fear and confusion than a hacked WordPress site.
That would mean the loss of Traffic, Revenue, and Brand Value.
What’s worse is that even if it’s happening to you, there’s a high chance you don’t know it.
In all honesty, WordPress can malfunction a lot.
If you suspect you have been hacked, first confirm that you actually have been hacked.
How to Know If WordPress Hackers Are Close
Your site has been hacked if:
- You do a site:example.com search on Google (replacing example.com with your site) and you don’t recognize the pages that are shown there.
- You notice that users are being redirected to sites you never intended to send them to.
- You see adware appearing in your site header or footer (showing porn, drugs, or illegal services).
- Your hosting provider reports that something malicious or spammy is happening on your site.
All of these sound scary, right? Fear no more, because the following steps can help you purge and protect your WordPress site from hackers.
How to Prevent WordPress Hackers From Re-directing Your Site
1) Don’t panic: Probably not the best thing to say to someone who’s panicking, but the reality is that without a clear head, the problem will be harder to diagnose and fix.
2) Maintenance mode: You don’t want your visitors to see your site in a compromised state, do you? If you recognize that your site is being attacked, a plugin like Coming Soon Page & Maintenance Mode will do the rest. Builders like Elementor Pro also have this built into their settings. Remember: you can customize the page as you prefer.
3) Reset Passwords: If you don’t know which password was used to get into the site, then the best you can do is change them all to prevent hackers from accessing it again. This means not only your WP password, but your SFTP, database, and hosting provider passwords as well.
4) Update and/or Reinstall Theme and Plugins: It’s easier than it sounds, and it will probably help you fix the problem, because themes and plugins are usually the hackers’ main backdoor. If your site keeps failing after the update, then it’s time to deactivate and delete them completely, and reinstall them later.
5) Remove Users: If any admin accounts have been added to your WordPress site that you don’t recognize, it’s time to remove them. Before you do this, check with any authorized administrators that they haven’t changed their account details and you just don’t recognize them. Go to the Users screen in your WordPress admin and click the Administrator link above the list of users. If there are any users there who shouldn’t be, click the checkbox next to them, then select Delete in the Bulk Actions dropdown list.
6) Remove Unwanted Files: To find out whether there are any files in your WordPress installation that shouldn’t be there, install a security plugin like Wordfence, which will scan your site and report any such files.
7) Clean Out your Sitemap: If your site suffered an attack like the one described above, regenerate your sitemap using the SEO plugin of your preference, then submit it to Google Search Console so it gets crawled.
8) Reinstall WordPress Core: Everything else failed? Then even your hosting provider’s support will recommend reinstalling the WordPress CMS itself, which replaces corrupted core files. Just be aware: make a backup of the wp-config.php and .htaccess files first. And thank me later.
9) Clean Out your Database: The worst that can happen is your database getting hacked as well. If it does, you’ll need to clean that up too. Good news: after doing so, your site will run faster with less stale data.
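Before regenerating the sitemap in step 7, it helps to see what the current one actually advertises to Google, because the attack above works by getting scammy store URLs crawled under your domain. This added example (not from the article or any plugin) parses a sitemap and flags entries pointing off-site or to paths you never published; the sitemap and the known-path list are constructed here, and example.com stands in for your domain.

```python
"""Flag sitemap entries that do not belong to the site (added example, not from the article)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sitemap: two legitimate entries plus two that a hijacker might have added.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about/</loc></url>
  <url><loc>https://example.com/shop/unknown-brand-outlet-42/</loc></url>
  <url><loc>https://attacker-placeholder.invalid/store/</loc></url>
</urlset>
"""

# Paths you know you publish; in practice export them from your WordPress admin.
KNOWN_PATHS = {"/", "/about/", "/blog/"}

def sitemap_locs(xml_text):
    """Every <loc> in a urlset or sitemapindex document, in file order."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter(SITEMAP_NS + "loc") if el.text]

def audit_sitemap(xml_text, site_host, known_paths):
    """Return (foreign, unknown): entries pointing off-site, and on-site entries
    whose path is not one you published. Host comparison ignores a www. prefix."""
    site_host = site_host.lower().removeprefix("www.")
    foreign, unknown = [], []
    for loc in sitemap_locs(xml_text):
        parsed = urlparse(loc)
        host = (parsed.hostname or "").removeprefix("www.")
        if host != site_host:
            foreign.append(loc)
        elif parsed.path not in known_paths:
            unknown.append(loc)
    return foreign, unknown

if __name__ == "__main__":
    # On a real site: audit_sitemap(open("sitemap.xml").read(), "yourdomain", your_paths)
    off_site, unpublished = audit_sitemap(SAMPLE_SITEMAP, "example.com", KNOWN_PATHS)
    print("off-site entries:", off_site)
    print("unpublished paths:", unpublished)
```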
Getting hacked is always an unpleasant experience.
It means losing track of business, probably confusing or directly affecting your visitors, and losing reputation and money in the process.
All the steps you have read today are proven ways to secure your business’s site.
And you can either do it yourself alone or get a helping hand from cybersecurity experts.
Which one would you prefer?