
How to cure your GoDaddy WordPress hacked blog

Posted on May 9th, 2010 by


Update: I adapted a script to easily verify and cure the infection on your site. Check this post for more.

The GoDaddy hosting service got hacked three times in a row now. On April 27, May 1 and May 7, many sites, including thousands of WordPress blogs, got infected by malware code. Update: GoDaddy hosted sites were massively attacked again on May 12 and May 17.
In a recent post, I described how I found out the hard way my Drupal site was hacked, and how I cured it the hard way.

Last night, BlogTips was hacked too, but this time, I was able to cure the problem faster.

The problem is so widespread, and the impact on infected blogs so devastating, that it is worth checking yours too if it is hosted on GoDaddy. Once infected, you need to cure your blog fast, before browsers and search engines blacklist it. Here is how:

1. Check if your blog is infected

If your blog is part of the recent GoDaddy attacks, you (and your visitors) may notice it because your site redirects to a malware site that shows a Windows-like screen asking to scan your computer.

The easiest way, however, is to check some of your .php files. If the first line of the file starts with:

<?php /**/ eval(base64_decode("goobledegoob"))

(where “goobledegoob” is a long series of numbers and characters), then unfortunately my friend, your site was hacked too.

2. How to cure it

Cure the problem fast, before your users and search engines start mistrusting your blog. The remedy is to remove that one-liner with the hack code from all your .php files. You can do that manually, but you’ll be busy for quite a while.

An easier solution is offered in this post by the folks of Sucuri Security. Update: I adapted a script to easily verify and cure the infection on your site. Check this post for more.

  1. Save this PHP code in a file called “wordpress-fix.php” on your computer. It contains two basic commands that remove the EVAL malware code and the extra empty lines from all the .php files in your root directory and all subdirectories.
    Update: to keep the script from timing out before all files are cleaned up, you can add the line
    set_time_limit(0);
    as the first PHP command.
  2. FTP the “wordpress-fix.php” file to the root directory of your blog. In GoDaddy, that is the /HTML directory (which also contains index.php, wp-login.php, etc.):

    GoDaddy Root Directory


  3. Then execute the code by opening this URL in your browser: http://yoursite.com/wordpress-fix.php
  4. Delete the wordpress-fix.php file after execution.
  5. Update: if you are using a caching plug-in, don’t forget to CLEAR YOUR CACHE, otherwise the malware will continue to be served to your users, even though you cleaned your .php code
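
The check from section 1 and the clean-up from section 2, as an added example (not the script this post links to, and not Sucuri's code). It is meant to run against a local copy of the site, reports first, and rewrites files only when asked. It assumes the injected statement is closed by its own `?>`; files carrying the prefix in any other shape are reported as `manual` and left untouched. The sample tree and its base64 string are constructed.

```python
import re
import tempfile
from pathlib import Path

# Injected prefix as described in the post: opening tag, empty comment, then
# eval(base64_decode("...")). Assumption: the injected statement is closed by
# its own "?>" before the file's real code begins.
INJECTED = re.compile(
    rb'\A\s*<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\)\s*;?\s*\?>\s*')
# Looser match: prefix present, whether or not it is cleanly closed.
SUSPECT = re.compile(rb'\A\s*<\?php\s*/\*\*/\s*eval\(base64_decode\(')


def scan_tree(root, fix=False):
    """Map each .php file under root to clean / infected / fixed / manual."""
    # "manual": prefix present but not in the closed form; left for hand inspection.
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if not SUSPECT.match(data):
            results[rel] = "clean"
        elif not INJECTED.match(data):
            results[rel] = "manual"
        elif fix:
            # Keep the infected original beside the file, then strip the prefix.
            path.with_name(path.name + ".infected").write_bytes(data)
            path.write_bytes(INJECTED.sub(b"", data, count=1))
            results[rel] = "fixed"
        else:
            results[rel] = "infected"
    return results


def build_sample(root):
    """Constructed sample tree; the base64 text is a harmless placeholder."""
    root = Path(root)
    (root / "wp-content").mkdir()
    bad = b'<?php /**/ eval(base64_decode("cGxhY2Vob2xkZXI=")); '
    (root / "index.php").write_bytes(bad + b'?><?php\necho "home";\n')
    (root / "odd.php").write_bytes(bad + b'echo "x";\n')
    (root / "wp-content" / "ok.php").write_bytes(b'<?php\necho "ok";\n')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_tree(build_sample(tmp)))  # dry run: report only
        print(scan_tree(tmp, fix=True))      # strip prefix, keep .infected copies
```

Remove the `.infected` copies from anything you upload back to the server, since a web server would serve them as plain text.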

3. How to prevent being hacked?

Well, at this moment, it looks like it is GoDaddy being hacked, and not the individual blogs. It is still advised to change your FTP password, and your admin password on your blog, but that by itself does not seem to prevent new hacks. One of my sites got hacked twice in a row.

You can also subscribe to Sucuri’s free malware monitoring service, so they can scan your blog automatically for malware.

Let’s hope GoDaddy gets their security back in line quickly, otherwise we are all in deep poohooh for a while! :-(

Picture courtesy TheTechHerald




8 Comments to “How to cure your GoDaddy WordPress hacked blog”


  4. Phil Martin says:

    Thank you for this post.

    15 out of 10 – absolutely amazing – this worked brilliantly!!!!

    My hacked and compromised site was repaired simply by running this script and following your instructions.

    I will be telling everyone I’ve built sites for to sign up to Sucuri. They rock!

    Thanks again massively for this post

  5. Megan Sheehan says:

    Thank you thank you thank you!
    This was amazing! I will be suggesting it to all other bloggers I know.

    Megan

  6. iamgotzaa says:

    Hi

    I was hacked with some stupid trashy script of the !@(*#&)^!*& type. And I was taught to use FiZScript (you can google it), written by a Thai SEO guru.

    What it does is search for a pattern in any files on your site. It works very well for WordPress and other CMSs.

    However, keep your site backed up periodically and change your FTP password every three months or less.

    Hope it helps
    iamgotzaa

