I got hacked. You may have noticed that my blog was offline for a few hours recently. The hackers won. I was unable to remove all traces of their activity, and ended up reinstalling my site from a clean WordPress install and a backup (thank goodness I had one!). But to my dear visitors who saw the site while it was hacked, my deepest apologies for the performance enhancing drugs you saw displayed here. They won’t help your SEO, sorry.

This experience of being hacked was very instructive for me. Since we create wordpress sites where I work, anything that teaches us to be more effective at securing them is actually a good thing. Therefore, I spent hours upon hours (both in and out of work) trying to determine the source of this hack. What I came away with is that if you get hacked, your best recourse is a backup. So for heavens’ sake, if you haven’t backed up your site, go do it. Right now. I’ll wait.

Then learn some good resources for hacked site clean up.

Here are a couple I used, but there are many others:

http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ottopress.com/2011/how-to-cope-with-a-hacked-site/

Updated: A friend shared this post he wrote with me as well: http://idriveroi.com/index/wordpress-security-tips

And by the way – step one is to use this key generator to change your security keys in wp-config. Otherwise anyone who is logged in can remain logged in through the use of cookies – even if you change your password.

Now I’m clearly no expert at wordpress hacks, but finding this one in the first place was pretty tricky. So let me share what I learned:

It all started with Google.

They listed my site in the SERPs, but under the title was this panic inducing snippet: “This site may be compromised.”

So I went and checked Google webmaster tools for malware. None found. Manual actions? None. Finally, I saw the smoking gun. Under content keywords – was this:

content-keywords

Ah-ha! Since my site isn’t about a certain male challenge, these were completely out of place. Clicking on these keywords, by the way, will show you a few pages where Google’s found that keyword.

Next step, follow one of those links and look at the source code.

Yep – there it is! Ok, well that’s easy enough; I’ll just strip that out of the template and…

… wait a minute, they’re gone. I open a browser window and go back to the site – not logged in. Yep, those spammy keywords and links are nowhere to be found.

I have a hunch, and go to Hide My Ass (by the way, if you don’t know what this does, it masks your IP address so that servers can’t tell where you are) and I try my site again. Links are back.

Wow, so this hack is “clever” enough to disappear from my IP address once it sees that I’ve logged into my site. Impressive.

That’s pretty much the end of the story…

…because as you already know, I gave up trying to find all the infected files (there were dozens) and decided to do a clean install instead. Hopefully it worked. And I hope that I helped you a little with your own issue – if not by telling you how to fix the hack, by illustrating how it happens to everyone.

Getting hacked can make you feel pretty dirty – and stupid – like “why me?” Trust me when I say you are not alone. As Google cracks down on more and more spam techniques, the spammers and hackers are getting desperate.

Best of luck to you, and remember to back up your site!