Last night, I discovered that all of my WordPress sites on Dreamhost (including this one) had been hacked. I’m not sure when this happened, but I discovered (quite by accident) small text links hidden at the bottom of various pages.
Having been hacked before, this isn’t my first rodeo. Thus, I tried to keep a cool head and not panic while troubleshooting the problem.
It didn’t take long before I discovered the culprit. The following bit of code had been inserted into a php file in the theme of each site:
<?define('USE_DIRA', '/wordpress/wp-content/themes/default/images/'); @eval(@base64_decode("a-huge-long-string-of-gibberish"));?>
That huge long string of gibberish is actually a bunch of code that’s encoded in base64. When that statement gets evaluated the gibberish gets decoded, and you end up with nefarious code on your page. Yuck.
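A quick way to find this kind of injection across a set of theme and core files is to scan for the eval(base64_decode(...)) shape and decode the payload for a human to read, without ever executing it. The following is an added example written for this post, not code from the original article or from WordPress; the sample file contents are constructed, and the encoded payload is a harmless echo statement.

```python
import base64
import binascii
import re

# Matches eval(base64_decode("<payload>")), allowing the PHP error-suppression
# operator (@) and whitespace, and captures the base64 payload.
EVAL_B64 = re.compile(
    r"@?\beval\s*\(\s*@?\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)


def decode_preview(payload, limit=80):
    """Decode the payload so a person can read it; it is never passed to eval."""
    try:
        raw = base64.b64decode("".join(payload.split()), validate=True)
    except (binascii.Error, ValueError):
        return "<not valid base64>"
    return raw.decode("utf-8", errors="replace")[:limit]


def find_obfuscated_eval(source):
    """Return one finding per eval(base64_decode(...)) occurrence in a PHP source string."""
    findings = []
    for m in EVAL_B64.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append({
            "line": line_no,
            "payload_length": len(m.group(1)),
            "preview": decode_preview(m.group(1)),
        })
    return findings


def scan_files(files):
    """files maps path -> PHP source text; only paths with findings are returned."""
    report = {}
    for path, source in files.items():
        hits = find_obfuscated_eval(source)
        if hits:
            report[path] = hits
    return report


# Constructed samples (not from the original post). The "infected" file mirrors
# the shape of the injected statement; its payload only echoes a spammy link.
HARMLESS_PAYLOAD = base64.b64encode(
    b"echo '<a href=\"http://example.invalid\">cheap pills</a>';"
).decode()
SAMPLE_FILES = {
    "clean/functions.php": "<?php\nadd_action('wp_footer', 'site_footer');\n",
    "infected/footer.php": (
        "<?php wp_footer(); ?>\n"
        "<?define('USE_DIRA', '/wordpress/wp-content/themes/default/images/'); "
        f'@eval(@base64_decode("{HARMLESS_PAYLOAD}"));?>\n'
    ),
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}:{h['line']} eval(base64_decode) "
                  f"payload={h['payload_length']} chars -> {h['preview']!r}")
```

To run this over a real install, read each .php file under the WordPress directory into the dictionary passed to scan_files. The decoded preview is only for inspection; the regex will also miss injections that split the string or use other encoders, so treat a clean result as one signal among several rather than proof of a clean site.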
The affected file varied from site to site, but the end result was the same…
I wound up with spammy text links hidden on my pages. I searched the databases and couldn’t find any evidence of contamination, nor could I find extra users. Hackers sometimes create an extra user to serve as a backdoor into your installation — and they’re not always visible from the WordPress dashboard.
Instead of hunting through my entire WordPress installations to look for rogue code, I simply deleted and re-installed all of the core files. This is actually a good thing to do every once in awhile, as WordPress updates often leave old files behind.
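Deleting and reinstalling the core files works because it replaces every file in one go, but the same idea can be done as a check first: hash the installed tree, hash a pristine copy of the same release, and report what differs. This is an added example, not code from the original post or from WordPress; the file trees below are constructed in a temporary directory, and the version string and file names are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_manifest(actual, manifest):
    """Diff an installed tree against a known-good manifest.

    modified   - present in both but content differs (possible injection)
    missing    - in the release but not installed (damaged install)
    unexpected - installed but not in the release (leftovers or planted files)
    """
    modified = sorted(p for p in actual if p in manifest and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    unexpected = sorted(p for p in actual if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def write_tree(root, files):
    """Write a mapping of relative path -> bytes under root (demo helper)."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


# Constructed trees: a pristine release and an install that has one modified
# core file, one stale file left behind by an older release, and one missing file.
PRISTINE_FILES = {
    "index.php": b"<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';\n",
    "wp-settings.php": b"<?php // core bootstrap (placeholder)\n",
    "wp-includes/version.php": b"<?php $wp_version = 'x.y.z'; // placeholder version\n",
}
INSTALLED_FILES = dict(PRISTINE_FILES)
INSTALLED_FILES["wp-settings.php"] += b"<?php @eval(@base64_decode('...')); ?>\n"
INSTALLED_FILES["wp-admin/includes/old-leftover.php"] = b"<?php // left behind by an earlier release\n"
del INSTALLED_FILES["wp-includes/version.php"]


def run_demo():
    """Build both trees on disk, hash them, and return the comparison report."""
    base = Path(tempfile.mkdtemp())
    pristine, installed = base / "pristine", base / "installed"
    write_tree(pristine, PRISTINE_FILES)
    write_tree(installed, INSTALLED_FILES)
    manifest = hash_tree(pristine)
    return compare_to_manifest(hash_tree(installed), manifest)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Against a real site, build the manifest from a freshly downloaded copy of the exact same WordPress release and run hash_tree on the live install with wp-content excluded, since themes, plugins and uploads are not part of the release. The same two functions work for a theme: hash a pristine copy of the theme and compare, which turns the manual check of customization files into a list of exactly which files changed.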
Because three of the four sites were running Thesis for WordPress, I went ahead and replaced the core theme files and manually checked the customization files for any contamination. For the fourth site, I had to look a little more carefully because that runs on a custom theme, and I couldn’t just swap out the core files.
Assuming that this was the extent of the hackage (only time will tell), I think I got off lucky. As far as I know, my databases weren’t contaminated. I have changed all of my login passwords, as well as the MySQL password (which is stored in clear text in wp-config.php) and I think (hope!) the trouble is all behind me.
I’ve also cleared out any inactive plugins as well as all themes aside from the one that’s currently active on each site.
As for when/how this all happened, I’m not entirely sure. I’ve been pretty bad about keeping WordPress updated, so there’s a decent chance this was all my fault. I did notice a dip in search rankings last fall, but just chalked that up to a Google algorithm change. In fact, it may have been my sites getting hacked and Google penalizing me for the extraneous links.
Another possibility is that this all happened when Dreamhost got hacked back in January. It’s hard to say and, frankly, it doesn’t really matter at this point. Going forward, I’ll have to keep my software current. I’m also considering a better (managed) hosting solution. Maybe something like WP-Engine.