I see strange ads or codes on my site and I think I might have been hacked. What do I do?
Please note that both OptimizePress version 1.62 (or above) and all versions of OptimizePress 2 are fully secure. There was a vulnerability back in April 2013 (for OptimizePress 1.0) which has been fully patched.
This article will guide you on how to deal with your site if you were running an older version of OptimizePress 1 which may have been susceptible to attack, or you suspect your site may have been infected with malware or hacked in some way.
*Please note that although OptimizePress 1.6 and above -- and all versions of OptimizePress 2.0 -- have been certified as secure, there are other ways that hackers may attempt to attack your site, such as login attacks or vulnerabilities in other plugins.*
Here are a few issues to look out for on your site if you suspect you may have been the victim of an attack (these are based on issues we have seen):
- Website running really slowly (takes an unusually long time to load)
- Strange ads showing up in places you have not coded an ad to show up.
- Strange issues with Widgets and Menus
- wp-admin login box suddenly changes styles for no reason.
- Unable to edit some pages/posts
- Mobile version of your site redirecting to other sites that contain questionable content
Symptoms of this are not limited to the above. Here is an image capture of the most common type of ad which displays in various locations (sometimes even inside the admin panel).
What to do if you have been hacked with malicious code and malware:
We discovered a potential vulnerability in OptimizePress 1.0 back in April 2013. We immediately patched the OptimizePress files to fix the issue. If you are running a version older than 1.62 then you need to update your site to OptimizePress 1.62 (or above) to fix this issue.
The best way to do this is to go to WordPress > Appearance > Themes and activate a different theme, then delete OptimizePress. Next, go to our members area at http://www.optimizepress1.com/wp-login.php and download the latest version of OptimizePress, then go to Appearance > Themes > Upload and upload the new theme.
Once you have the latest version of OptimizePress 1 installed, there are some additional steps necessary to clean the infected files:
*****THIS ARTICLE IS FOR INFORMATION PURPOSES ONLY*****
PLEASE MAKE CHANGES AT YOUR OWN RISK OR
CONSULT THE SERVICES OF AN EXPERT
Step 1: Clean the infected files
The infected files will have several lines of encrypted code at the very top starting with line 1. It will begin with You will notice that the original code for your files has not been altered, and this code is just inserted above it. So it will look something like this:
This code will be found in the top portions of the following files:
- wp-config.php (please backup this file before editing).
- index.php file in root of WP installation for this
- "..." file in same directory as wp-config.php file (see below)
- "..." file in wp-admin folder.
We have also had some reports of a file named "..." in the root directory and wp-admin directory of WordPress. This file should be removed as that is not a file included with WordPress. The "..." file is one which may be redirecting mobile versions of sites to other domains with explicit content.
The above list of files may not be the same for your site and may not be limited to the above mentioned files. Make sure you do not delete code that is needed or you will break your WordPress installation. Other files in wp-admin and wp-includes also would be infected, but Step 2 below will get rid of those.
You will need to access your site through FTP or cPanel and find any files which have malicious code such as the screen shot above.
Also note that you may need to re-install your plugins and themes in more severe cases.
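One way to automate the search for files with code inserted at the top, as an added example (not OptimizePress code). The indicators it looks for are assumptions, since the injected code itself is not shown here, and a hit means the file needs manual review, not that it is certainly infected.

```python
import re
import sys
from pathlib import Path

# Assumed heuristics (not taken from the article, which does not show the code):
# PHP functions commonly used to unpack obfuscated payloads, and a long unbroken
# run of base64-like characters.
DECODER_CALL = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")
HEAD_LINES = 5          # the article says the injection starts at line 1
MAX_LINE_LEN = 1000     # assumed threshold; ordinary source lines are far shorter


def inspect_head(text):
    """Return the reasons the first HEAD_LINES lines of a PHP file look injected."""
    reasons = []
    for number, line in enumerate(text.splitlines()[:HEAD_LINES], start=1):
        if DECODER_CALL.search(line):
            reasons.append(f"line {number}: decoder/eval call")
        if ENCODED_BLOB.search(line):
            reasons.append(f"line {number}: long encoded blob")
        if len(line) > MAX_LINE_LEN:
            reasons.append(f"line {number}: {len(line)} characters long")
    return reasons


def scan_tree(root):
    """Map each suspicious .php file under root to its list of reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            findings[str(path)] = [f"unreadable: {exc}"]
            continue
        reasons = inspect_head(text)
        if reasons:
            findings[str(path)] = reasons
    return findings


if __name__ == "__main__":
    # Pass the hosting account's web root to cover every WordPress install under it.
    for name, reasons in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Run it against a downloaded copy of the site or on the server itself; it only reads files and never modifies them.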
Step 2: Re-Install WordPress
There are other infected files likely inside the wp-admin and wp-includes folders. The best way to clean those would be to re-install WordPress.
Make sure you are using the most up-to-date version of WordPress. If you are not using the latest version and need to keep an older version for some reason, you will need to do this manually. We suggest contacting a WordPress professional for that, as we are not able to provide instructions for it.
To re-install WordPress, log in to your WP-Admin Dashboard and click on the link in the top left that says "Dashboard"; more menu items will appear below it after the page loads. Click on "Updates" and then click on "re-install" and it will go through the process. Once it is done you will see the welcome to WordPress page.
At this point your WordPress installation should be clear of infected files, but you'll also need to check files outside your WP installation to make sure that your hosting account has not become compromised. Your web host may be able to help scan your site for any additional malicious files.
Please change the following after getting rid of the infected files:
- Change the passwords of all Admin accounts (it may also be good to change user account passwords).
- Change your web hosting account password, as well as any FTP passwords.
- Change the keys inside the wp-config.php file, since anyone who has them may be able to hack the site.
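An added example (not OptimizePress or WordPress code) of the key change in the last item: it regenerates the key and salt constants found in wp-config.php text, which also invalidates every existing login cookie. The function names, the alphabet and the sample config are assumptions of this example.

```python
import re
import secrets

# The eight constants WordPress uses in wp-config.php for signing cookies and nonces.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# No quote or backslash, so a value is always safe inside a PHP single-quoted string.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*()-_=+[]{}<>~,.;:/?| ")


def new_secret(length=64):
    """Return a random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, replaced_names); constants absent from the file are not added."""
    replaced = []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        fresh = f"define( '{name}', '{new_secret()}' );"
        # A function replacement keeps re from interpreting characters in the value.
        config_text, count = pattern.subn(lambda _m, line=fresh: line, config_text)
        if count:
            replaced.append(name)
    return config_text, replaced


# Constructed sample, not a real configuration.
SAMPLE_CONFIG = """<?php
define( 'DB_PASSWORD', 'constructed-db-pass' );
define( 'AUTH_KEY',   'put your unique phrase here' );
define("NONCE_SALT", "put your unique phrase here");
"""

if __name__ == "__main__":
    text, names = rotate_keys(SAMPLE_CONFIG)
    print(text)
    print("not found in file:", sorted(set(KEY_NAMES) - set(names)))
```

Back up wp-config.php before writing the result over it, as the file list in Step 1 advises.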
NOTE: If you use cPanel we have noticed that once one WordPress site gets hacked with malware, other WordPress installations on your hosting account may also become infected. It is very likely if you have this issue on one site, that all of them have it. So please make sure you check all other WP sites on your hosting account. You do not have to have OptimizePress installed for this issue to occur on the other sites.
Also, please be aware that if you have OptimizePress version 1 installed and it is an older version which contains the vulnerability, even if it is not activated you will still be at high risk of getting hacked.
If you have multiple sites on your hosting account, if one of your sites becomes hacked with malware then it may be possible for that to spread to other sites on your hosting account (especially if using cPanel).
Please also be aware that while we have had some success with cleaning these files mentioned above, the hacking methods could potentially change and we will try to keep this article updated as we hear about other issues regarding this.
If your site was hacked we also recommend running a security scan on your site. You can do this by using a plugin like "Wordfence". This can be added to your site by going to Plugins > Add New and searching for Wordfence. Then upload and activate this plugin and follow the instructions to scan your site.
If you have any problems please do let us know and we can help further. If you do need our help, please ensure that you include your site URL, WordPress administrator logins, and FTP or cPanel access.
We also recommend our article about how to secure your site for the future.
Important Update: The malware only seems to affect PC users, but does not actually infect the PC. The scripts that are being run by the malware will only function properly when a Windows PC is used. We have experienced issues where this was reported but were not able to duplicate issues caused by this malware on a Mac computer.
If you have any doubts about your ability to fully clean your infected sites, we would recommend hiring a professional malware cleanup service such as the ones provided by Sucuri.