How to cure your GoDaddy WordPress hacked blog
Update: I adapted a script to easily verify and cure the infection on your site. Check this post for more.
The GoDaddy hosting service got hacked three times in a row now. On April 27, May 1 and May 7, many sites, including thousands of WordPress blogs, got infected by malware code. Update: GoDaddy hosted sites were massively attacked again on May 12 and May 17.
In a recent post, I described how I found out the hard way my Drupal site was hacked, and how I cured it the hard way.
Last night, BlogTips was hacked too, but this time, I was able to cure the problem faster.
The problem is so widespread, and the impact on infected blogs so devastating, that it is worth checking yours too if it is hosted on GoDaddy. Once infected, you need to cure your blog fast, before browsers and search engines blacklist it. Here is how:
1. Check if your blog is infected
If your blog is part of the recent GoDaddy attacks, you (and your visitors) may notice it when your site redirects to a malware site that shows a Windows-like screen asking to scan your computer.
The easiest way, however, is to check some of your .php files. If the first line of the file starts with:
<?php /**/ eval(base64_decode("goobledegoob"))
(where “goobledegoob” is a long series of numbers and characters), then unfortunately my friend, your site was hacked too.
2. How to cure it
Cure the problem fast, before your users and search engines start mistrusting your blog. The remedy is to remove that one-liner with the hack code from all your .php files. You can do that manually, but you’ll be busy for quite a while.
- Save this PHP code in a file called “wordpress-fix.php” on your computer. It contains two basic commands that remove the eval malware code, and the extra empty lines, from all .php files in your root directory and all subdirectories.
Update: to keep the script from timing out before all files are cleaned up, you might add the line
as the first PHP command
- FTP the “wordpress-fix.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php, etc.).
- Then execute the code with the command:
- Delete the wordpress-fix.php file after execution.
- Update: if you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE, otherwise the malware will continue to be served to your users, even though you cleaned your .php code.
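The check from step 1 and the removal from step 2 can also be run against a local copy of the site downloaded over FTP. The following is an added example, not the wordpress-fix.php script this post refers to; the names `strip_injection` and `scan` are hypothetical, and it assumes the injected statement may end with `;` and an optional closing `?>`. It only reports unless `--fix` is given.

```python
import base64
import re
import sys
import tempfile
from pathlib import Path

# Prefix described on this page: <?php /**/ eval(base64_decode("...")) at the top of a file.
# Assumption: the statement may be followed by ";" and, optionally, a closing "?>".
INJECTED = re.compile(
    rb'\A\s*<\?php\s*/\*\*/\s*eval\(base64_decode\(["\'][A-Za-z0-9+/=]+["\']\)\)\s*;?\s*(\?>)?'
)

def strip_injection(data: bytes):
    """Return (cleaned, infected) for the contents of one .php file."""
    m = INJECTED.match(data)
    if not m:
        return data, False
    rest = data[m.end():]
    if m.group(1) is None:
        # No closing tag: the file's own code shared the injected <?php block,
        # so put the opening tag back or the rest would be served as plain text.
        return b"<?php\n" + rest.lstrip(), True
    # Closing tag present: drop the blank lines the injection left behind.
    return rest.lstrip(b"\r\n"), True

def scan(root, fix=False):
    """List infected .php files under root; rewrite them only when fix=True."""
    infected = []
    for path in sorted(p for p in Path(root).rglob("*.php") if p.is_file()):
        data = path.read_bytes()
        cleaned, hit = strip_injection(data)
        if hit:
            infected.append(path)
            if fix:
                path.write_bytes(cleaned)
    return infected

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py SITE_COPY [--fix]
        for p in scan(sys.argv[1], fix="--fix" in sys.argv[2:]):
            print("infected:", p)
    else:  # no argument: demo on a constructed sample in a temp directory
        blob = base64.b64encode(b"/* constructed placeholder */").decode()
        with tempfile.TemporaryDirectory() as d:
            Path(d, "index.php").write_text(
                f'<?php /**/ eval(base64_decode("{blob}"));?>\n<?php echo "hi";\n')
            Path(d, "clean.php").write_text('<?php echo "ok";\n')
            print([p.name for p in scan(d, fix=True)])
            print(Path(d, "index.php").read_text())
```

Run it first without `--fix` to see which files match, and keep the untouched download until the cleaned files have been checked.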
3. How to prevent being hacked?
Well, at this moment, it looks like it is GoDaddy being hacked, and not the individual blogs. It is still advised to change your FTP password, and your admin password on your blog, but that by itself does not seem to prevent new hacks. One of my sites got hacked twice in a row.
You can also subscribe to Sucuri’s free malware monitoring service, so they can scan your blog automatically for malware,…
Let’s hope GoDaddy gets their security back in line quickly, otherwise we are all in deep poohooh for a while!
Picture courtesy TheTechHerald