The best way to remove malware from a WordPress blog using GoDaddy

As some of you know, this little blog has been hacked twice in the past week by malware. The first time was by something called zettapetta, that tried to redirect some users to a website called freesavez5.com. And this morning it was by something called holasionweb. No virus was installed onto users’ computers upon visiting my blog, but it was very troublesome to say the least. Not to mention that it just doesn’t look very good to have a big ugly “this site contains malware” warning as an introduction to your blog.

So last weekend I spent 36 hours STRAIGHT fixing this blog (thanks to all of those who helped!). This involved no sleep, little food, lots of tears, much, much stress, and borderline insanity. BUT, I fixed it.

And the reason why I didn’t hire someone else to do it was because, even though I could have paid someone to remove the malware for me (as it was I figured it out on my own pretty quickly), nobody but me knows the customizations I have put into the blog, amounting to probably 50+ hours of work done over the past 2 years. Customizations that were required to get the blog to look right- for the pages to display properly, for the comments to work, for the images to be in the right place, etc, etc, etc (ETC). All of those little things that will make you crazy when they aren’t working right.

*Those* could not have been fixed by anyone but me. That fancy text you see as the titles to posts took probably 20 hours alone to get right. (Yep, when I want to get something done, I’m determined!). SO, it had to be me, and my little brain, fixing it. SIGH….

I tried everything to fix it. And I mean, every single thing I read online. I deleted ALL of the files on my server and started from scratch, upgraded wordpress, even went in manually to the php files and removed the offending malware code. I ran the script I found online that cleans your files (wordpress-fix.php), I repaired permissions, I re-set passwords, everything.

And this morning I was hit again. But this time, instead of screaming, destroying personal property, drinking large quantities of gin or curled up in a ball on the floor crying, I knew what to do. Because ultimately last weekend, in the end there was really only one thing that worked, worked well, and (thankfully) was very easy to do and took only a few minutes. And that was a restore to history in my hosting admin panel in godaddy. (If only I had found it at the *beginning* of my saga, and not the *end*).

So I wanted to write this little note in the hopes that if someone else reading this, who has a wordpress blog, livebooks site, or any other site that uses php files gets hacked (thousands are getting hacked as I type this), they will remember reading this, follow these instructions, and be able to do a quick fix, saving themselves the sheer agony and torture I went through last weekend.

I know lots of photographers follow my blog, and we all love our little wordpress blogs with our custom ProPhoto themes, which sadly are filled with the little files that are becoming infected, and also those gorgeous livebooks sites are also filled with the same php files as well, so hopefully, fingers crossed, this will help at least one person out there.

Please bookmark this page in case you need to refer back to it. And feel free to pass it on as I suspect that, with thousands of blogs (and non-blog sites running php files) becoming infected, many will need information like this.

To fix a blog or website hosted by GoDaddy that has become infected with malware (of any type), here is what you do (for other hosting providers besides GoDaddy, continue reading- at the bottom I have my recommendations for you too!):

Log into your hosting control manager where your blog is being hosted. You want to make sure it says ‘hosting control manager’ in the upper left hand corner (I know all of those GoDaddy pages are confusing).

Click on the name of your account that holds your blog. In my case, the account is called ‘cowbellyblog.com’.

Got it? Cool.

On the next page you will see 4 boxes at the top:

your files // your applications // your domains // your email

Click on the box that says ‘your files’.

On the resulting page, at the top left, under the large ‘File Manager’, you see where it says ‘current’ and then ‘history’? Good!

Click on ‘history’.

Give it a minute to load.

The little spinny thing should be going.

Relax, it’s going to be ok.

Alright, you might want to get a drink, but your problem will be solved before you can finish it. (Whoopee!)

Ok, so now all of the files should be displayed.

“that’s crazy, what is that stuff?!”

For those of you who know about as much about files and hosting and servers as quantum physics, this is your introduction to the guts of your blog. Those are your web files! Pretty cool, eh?

Everything you see there is what makes your blog run, the pages display, the plugins work, the images display, and all of that cool stuff. Sadly, all of the .php files on your server (your server is what you are looking at right now, and the ‘php’ files are all of the files that end in ‘.php’), have been infected with some nasty looking malware code. Yuck.

This means that if you were to save/download one of the .php files to your desktop, and open it in dreamweaver, you’d see some really yucky looking code at the top (or maybe bottom). And lots of it.

Ok, so now you are looking at the contents of your server, and you have the little ‘history’ selected at the top. Right? Cool.

Now, still looking up where it says ‘history’, scan your eye to the right, to the little icons across the top of the page.

You see the little icon where it says ‘restore’?

That is going to save your life, and your sanity.

BUT, don’t click on it yet (yes, I know you want to get back online NOW, but you’ve gotta make sure you do this right!).

Before you click the little ‘restore’ icon, you need to click the little calendar icon below it, right next to where it says in bold ‘This is a snapshot of your files from m/dd/yyyy’

What you need to do, is click the little calendar icon, (it will say ‘quick pick calendar’ at the top), and then click the last date you knew that your blog/website was functioning normally.

Sometimes you can tell the exact date and time you were infected by the malware, by looking at the ‘date modified’ time on all of the .php files on your server (3rd column to the right).

If you knew your blog/website was working perfectly two days ago, and today you got an email/message/FB comment from someone saying “your blog has malware” and the ‘date modified’ on all of the files was 2:47AM this morning, that’s most likely the time it was hit by that nasty little malware bugger.

So pick a date BEFORE that time. In my case, I figured out that my blog was hit last Friday morning at 12:23AM, so I picked last Thursday (the day before) as the restore date.

(Note: if you pick a date that is too far back, you may lose a few blog posts, but that’s certainly better than having an infected blog or beating your head against a wall for days!)
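A way to do the ‘date modified’ check from the paragraphs above on a downloaded copy of the site files, as an added example that is not part of the original post: it walks the tree, finds the ten-minute slot in which most .php files were last modified, and names the day before it as the snapshot to pick. The mini WordPress tree, the 2010-05-08 timestamp and the 80% threshold are constructed assumptions, and the calendar day is worked out in UTC rather than the panel’s own timezone.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone

def php_mtimes(root):
    # Map every .php file under root to its last-modified time (epoch seconds).
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                found[os.path.relpath(path, root)] = os.path.getmtime(path)
    return found

def find_mass_modification(mtimes, window=600, min_share=0.8):
    # Bucket mtimes into `window`-second slots; a slot holding at least min_share of
    # all .php files is the mass rewrite. Returns (slot_start, hits, total) or None.
    if not mtimes:
        return None
    slots = Counter(int(t // window) * window for t in mtimes.values())
    start, hits = slots.most_common(1)[0]
    if hits / len(mtimes) < min_share:
        return None
    return start, hits, len(mtimes)

def restore_date_before(epoch):
    # Calendar day to pick for the restore: the day before the rewrite (UTC here).
    day = datetime.fromtimestamp(epoch, tz=timezone.utc).date() - timedelta(days=1)
    return day.isoformat()

def build_sample_tree(root, hit=1273276800):
    # Constructed mini WordPress tree: five .php files rewritten within a minute of
    # `hit` (2010-05-08 00:00 UTC); one image and one stray .php untouched for a month.
    month_ago = hit - 30 * 86400
    layout = {
        "index.php": hit, "wp-config.php": hit + 5,
        "wp-admin/admin.php": hit + 12, "wp-includes/functions.php": hit + 40,
        "wp-content/themes/prophoto/header.php": hit + 61,
        "wp-content/uploads/photo.jpg": month_ago,
        "wp-content/plugins/old/untouched.php": month_ago,
    }
    for rel, ts in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n" if rel.endswith(".php") else "jpg")
        os.utime(path, (ts, ts))

def run_demo():
    # Returns (rewrite_epoch, hits, total_php, restore_date) for the sample tree.
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        start, hits, total = find_mass_modification(php_mtimes(root))
        return start, hits, total, restore_date_before(start)
```

Point `php_mtimes` at a downloaded copy of your own server files to run the same check on a real site; if no single slot holds most of the .php files, the result is None and the ‘date modified’ column won’t settle the date for you.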

Ok. Back to the hosting control panel.

So you are in the history state, you see the little restore icon, you have selected a date that is before you got infected, so now here is what you do:

Click the little black checkmark at the top of the columns, just to the left of ‘Filename’ to select all of the files (you may need to increase the page size to 50 if you have lots of files there).

Then, UNselect any folders/files that belong to other websites (IF you have them). For instance, I have my regular cowbelly.com website, and several other websites, on that same server, in folders named for each website, and they weren’t affected (they don’t contain any php files thank goodness), so I didn’t need to restore those folders.

Then, once you have all of your blog files selected, click the little ‘restore’ icon at the top.

On the resulting page, ignore everything it says and click the yellow ‘ok’.

Then on the resulting page after that, again ignore everything it says, and click the yellow ‘yes to all’.

You will get the little spinny thing for awhile. It might feel like an eternity.

It might take 5-10 minutes for it to work its magic, depending on how much stuff you have on your blog. Loads of plugins? Might take longer. Old blog with years of photos? Might take longer.

You might also want to, instead of selecting ALL of the files and folders, just do them one folder at a time. Do the wp-admin folder, then do the wp-content folder, then do the wp-includes folder, then do all of the files on that main page. (Note, the wp-content folder will take the longest, as that’s what contains all of your uploaded images, plugins and theme files).

Now be patient.

Have a sip of that drink.

Call a friend and do some talk-therapy.

When it’s done, for just a few seconds, it will show a little ‘restore completed successfully’ in the bottom right corner. It will be back on the main server screen, showing your columns again with all of the files there.

Now, and this is important, because I don’t want you freaking out and thinking this didn’t work, if indeed it did.

You need to remove all of your cookies, empty your cache, and clear your history, BEFORE you try and view your blog/website again. Seriously, do it now.

In firefox it’s as simple as going to ‘tools –> clear recent history’ (or clear private data). Make sure you have removed your cache, and your cookies, and history, so you are looking at a fresh view when you finally do try and view your blog. (If you don’t know how to do this, google it, it’s great knowledge to have just in general).

Ok, so cache, cookies, and history all gone? Right?

Then, close out your browser and re-open it.

NOW, still with me? Still breathing?

Ok, you might want to hold your breath, and cross your fingers, and get up and do a little dance first to blow out the tension. You are ready to see if it worked.

Type in your blog/website address into your browser. Hit enter.

………………………..

Did it work?

Yes??

Yippee!!!

Now you can finish that drink in celebration and not despair. YAY!!

Click on the links, and try to log into your admin to make sure everything is back to normal. If not, you may have hit some snafus along the way. You may need to restore again, to an earlier date, or restore one folder at a time, and do chunks of files at a time. If that doesn’t work it’s best to contact GoDaddy at that point for help, or go through the process yet again in case you missed something. This worked like a charm for me both times I tried it, and the first time I did it I had no idea what in the hell I was doing.

“Ok, that’s great and all Jamie, but what do I do if my blog/website isn’t hosted at GoDaddy?”

Contact your hosting provider and ask them if you have the ability to do a history restore in your admin panel, and ask them to walk you through it, or at least send you detailed instructions on how to do this.

And also, if you royally screw up your blog in some other way (as I have a couple of times in the past), this may work for that as well.

“How do I prevent this from happening again?”

Sadly, at this point, you don’t. Because no one knows what the cause is. Or if they do, they aren’t telling. Yet anyway.

I have heard/read every reason in the book for this happening. GoDaddy is blaming WordPress (it’s not a wordpress issue, as there are lots of non-WP sites affected). ‘Experts’ are saying you need to: upgrade your wordpress version, change your file permissions, set up a .htaccess file to protect your wp-config file, set up scrambled passwords, change your database password to something long and complicated, change your FTP passwords, change your login information, install antivirus and malware catcher plugins, etc, etc.

I’ve tried all of these things (except I didn’t scramble my passwords but I did change them last weekend to all be things long and complicated), and I still got hit again today, as many others have. I will no longer waste my time trying to protect myself, since it clearly didn’t work anyway.

I think the best defense at this point, until the ‘experts’ can figure out how this is happening, is to do the steps I outlined above, if and when it happens again.

It’s frustrating and it sucks I know, but really it’s the fault of a few evil people who like to wreak havoc on other’s lives by writing viruses that affect productivity, harm small businesses, and destroy people’s sanity. THOSE people need to be burned at the stake, IMHO.

I really hope this helps at least a few people from the stress and frustration I felt, and helps you get back online quickly and with the least amount of stress possible.

Back to work with me!! 🙂


16 thoughts on “The best way to remove malware from a WordPress blog using GoDaddy”

  1. just wanted to say thanks, as i have been through the 36-hour-attempt-to-unhack drama before, and upon seeing i was hacked again….well, you know. so THANK you for this. no idea why i never thought of it but i sure didn’t. you are a hero! 🙂

  2. Thanks a lot for your step by step post for removing the malware from a wordpress site. This morning I just got up to learn my WordPress blog Technocian is attacked by malware. I was very upset knowing this and tried to take the help in Google. Yours was the first site I hooked on to, and really my site is out of problem now. Thanks.

  3. hi Jaime,

    John here…. You spent some time with my wife and Bootsy this weekend.

    you may remember i mentioned i was in IT?

    a hardened IIS/Web server that you maintain yourself may be the way to go. if you are spending that much time maintaining a site and the security is sideways from your host this may be the way to go.

    i don’t trust hosting sites personally.

    a decent hardware firewall, backup solution appropriate to your needs, a security certificate, a static IP, and the server and software license a decent beginnings.

    i recommend running a Hardened IIS server running an OS you can support yourself with a little time and determination.

    several routes:

    * Apache
    * X-server (Apple)
    * IIS (Windows)

    my personal recommendation is IIS Windows Web Server Core 2008 R2 – unless you are a Senior Systems Engineer in Apache flavor. X-Server is an option, and die hard MAC aficionados swear by it…. but no one else will (sorry MAC folks, s’truth!). absolutely stay away from the free flavor of Apache, Tomcat (more security holes in it than a ten year old Windows browser).

    do NOT use consumer grade anything. if you can buy it at Fry’s or Best Buy it isn’t good enough. at the very least the small business grade but preferably enterprise grade equipment pays for itself many times over.

    also get the software assurance for the software. upgrades are expensive, and a little hit upfront is so much easier to take than paying for the same thing over and over.

    just an idea. i can point you to some good consultants if you’d like to chase this (one of which set up the IIS farms for Disney and ESPN – and he trained me) so you know they’d be solid.

    anyway, best of luck – and we are very much looking forward to seeing how Bootsy’s pictures turned out, and we had a blast.

    John

  4. Crap! That stinks! Glad you got it all figured out. And thanks for sharing how you fixed it. One good thing that came of all this is your site now loads about twice as fast! At least for me anyway!

  5. Great info!! Now something I just learned yesterday is the only difference between the Linux and Windows hosting options is that backup restores for Linux are free, but for windows hosting costs $100+!! It’s not related to your operating system so if anyone has it set to windows, go change it! 😉

  6. My blog is still for a few hours hosted by Godaddy. This is the 3rd hack since April 22, so this is it. I spent days fixing it, cleaning files, etc. All I got from Godaddy CS was accusations that my WP version was not up-to-date (false) that my password was weak (false) etc. No response to my email of yesterday regarding the latest malware. Not even a perfunctory “don’t worry, we are working on this.” Why would they work on it, come to think of it, since it is all MY fault?

    Now I hired a security specialist to clean up my files. However all this hard work, mine and his, remains open to any hacker. So this is it, I am switching to another hosting company, one that cares about security and keeping its customers. The lesson of this is that, as long as you stay with Godaddy, you have zero security.

  7. P.S. You may want to switch hosting companies. I checked out Media Temple quite thoroughly (were I’m hosting my new blog) and they have a sterling reputation with backup redundancy. Something that GoDaddy seems to be sorely missing.

  8. Holy crap! How insanely frustrating Jamie. I’m so glad you figured the whole thing out. Too bad that this is amusing to some people who try to ruin the hard creative work of others. Once again, so glad that you were able to recoup your blog and recoup your sanity.

  9. @Matt- yay!! And if you HAD picked up the phone, you may have gone through the same thing I did where you talked to an ignorant GoDaddy CS person who didn’t tell you to do this, and just said “upgrade your site”, and you STILL had to figure this out on your own. Glad you got it fixed! @Luc- so sorry this happened to you too! It sure would be nice if we really knew how to protect ourselves. I for one am getting really tired of the time lost dealing with this issue.

  10. Hey Jamie,

    Just wanted to say that i enjoyed reading your posting about your woes with both cases of malware. I personally had to take down my site twice in the past week which sucked but i am prepared should it happen again. I am waiting to see what preventative steps can be taken so that i don’t need to spend time and resources fixing this issue again.

    Regards,

    Luc Arnold
    SpicyWebDesigners.com

  11. Thanks so much! Found your post at WP through a google search on the virus. Your steps worked perfectly and I didn’t have to pick up the phone!

    Matt
