Finding Great Web Hosting

Thoughts On The Best Web Hosting I Have Found...

Manually Correcting the GoDaddy Wordpress Virus Ninoplas

A large number of WordPress sites at GoDaddy have been hacked recently. After a site is compromised, all traffic to the blog is sent either to a web page that attempts to deliver malware to the visitor or to search results, such as Bing search results for anti-virus.

Shortly after the virus was first identified, someone helpful at Inspirated.com released a script to fix the problem. Fixing the problem manually is very difficult because when the site is compromised, every PHP file is updated with a script that causes the redirect. This means that to fix the problem you would need to edit every PHP file and remove this redirect (which usually appears as the first line of each file, as a line of base64-encoded PHP).

While I imagine the script provided by the site above works great, I fixed my WordPress blog manually when I was hit by this problem. I’ll discuss how I addressed this problem by hand for those who would prefer to do the same.

Manually Addressing the Ninoplas Hack

These are the steps I followed. I’m not going to say they are the best steps but they are the ones I used. My blog is hosted in a directory named “blog” so these instructions will be based on that. If your blog is hosted in another directory or in the root, you’ll need to adjust your steps accordingly. Also, you will need a backup of your site’s files to follow these steps. These steps are intended for those familiar with configuring WordPress.
1. First, you need to set your site into maintenance mode. There are plug-ins and in-depth guides for doing this, but if you need to do this quickly, simply:

  • Create an index.html file that states your site is undergoing maintenance and will be back soon
  • Upload this to your blog’s directory (the same directory as wp-config.php)
  • Rename index.php to index.old (or something else)

Now when people visit your site they will see the index.html. This also protects your visitors from being redirected to wherever the hack was sending them, so you should do this as soon as you begin.
2. Create a new directory called blog2.
3. Upload your clean backup of WordPress files to the blog2 directory.

  • If your theme has changed since your last site backup, download your theme files from your original blog directory (which currently still has the malware in it). Open every PHP file and remove the first line, which will be a line of PHP that usually uses base64 decoding. After you have fixed every PHP file, upload your theme files into the theme directory in the blog2 directory.
  • If you have added any plugins since your last site backup, I recommend simply re-installing each of these through WordPress itself and reconfiguring them there.
  • If you have added images since your last backup and are not using a CDN (you would know if you were using a CDN, so if you’re not sure, you’re not using one), you will need to download your wp-content/uploads directory and then upload it to the blog2 directory.

4. Rename blog to blog_old and rename blog2 to blog.
5. Verify the site is now working. I would recommend backing up the hacked version of your site just in case you missed something. After you have a backup stored locally, I would remove the bad version of your blog from the site.
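As an added example (not the post's own fix and not the Inspirated.com script), here is a Python helper for the theme cleanup in step 3: it lists every .php file under a directory whose first line starts with the eval(base64_decode("...")) prefix the post describes, and strips only that prefix, keeping the hacked original as a .infected copy so nothing is lost. The regex, the helper names and the sample file contents are assumptions for illustration; run it against a downloaded copy of the theme, not the live site.

```python
import os, re, tempfile

# Injected prefix the post describes: PHP open tag, eval(base64_decode("...")); and a
# closing tag at the start of line 1. Code after that closing tag belongs to the file.
INJECTED_PREFIX = re.compile(
    rb'^\s*<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(\s*'
    rb'(["\'])[A-Za-z0-9+/=]+\1\s*\)\s*\)\s*;\s*\?>')

def clean_first_line(first_line):
    """Return (was_injected, cleaned_line) for the raw first line of a PHP file."""
    m = INJECTED_PREFIX.match(first_line)
    if not m:
        return False, first_line
    rest = first_line[m.end():]  # original code that shared the line, if any
    return True, rest if rest.strip() else b""

def find_infected(root):
    """List every .php file under root whose first line carries the injection."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and clean_first_line(open(path, "rb").readline())[0]:
                hits.append(path)
    return sorted(hits)

def disinfect(path):
    """Strip the injected prefix; the hacked original is kept as path + '.infected'."""
    with open(path, "rb") as f:
        lines = f.readlines()
    injected, cleaned = clean_first_line(lines[0]) if lines else (False, b"")
    if not injected:
        return False
    os.replace(path, path + ".infected")
    with open(path, "wb") as f:
        f.write(cleaned)
        f.writelines(lines[1:])
    return True

def demo():
    """Constructed sample tree: one injected theme file, one clean one."""
    root = tempfile.mkdtemp()
    infected = os.path.join(root, "header.php")
    with open(infected, "wb") as f:  # constructed sample; the base64 decodes to "constructed sample"
        f.write(b'<?php eval(base64_decode("Y29uc3RydWN0ZWQgc2FtcGxl")); ?>\n<?php get_header(); ?>\n')
    with open(os.path.join(root, "footer.php"), "wb") as f:
        f.write(b'<?php get_footer(); ?>\n')
    before = find_infected(root)
    disinfect(infected)
    with open(infected, "rb") as f:
        return len(before), len(find_infected(root)), f.read()
```

Review the `.infected` copies and the `find_infected` list before uploading the theme to blog2; a file whose injection does not match this exact prefix still needs the manual edit the post describes.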

Are the users really the source of this problem?

Many reasons have been listed as to why people are being hit by this problem, such as using PHP4, having weak passwords, using incorrect file permissions, etc. My problem with this is that I didn’t fit into any of the categories that have been provided so far. My password was literally a string of nonsense characters I generated using a password tool. My GoDaddy account had been on PHP4, but I upgraded it to PHP5 a few weeks before I saw this problem because I wanted to begin using SSH. I fit none of the reasons given for why a user would be responsible for this problem occurring.

I wonder this: is it possible that many of the compromised sites do have these problem areas, but that these problem areas are not the reason they have been hacked? I know that, at least in my case, nothing being listed as a weakness was something I needed to correct.

Why Only GoDaddy?

Assuming this is a problem universal to WordPress hosting, such as incorrect file permissions or weak passwords, then why is the problem only (or predominantly) occurring with GoDaddy hosting? Wouldn’t identifying and attacking GoDaddy-only sites be more difficult than hitting any self-hosted WordPress site at all? In other words, is it reasonable to believe that a hacker would find a WordPress site with a weakness but then, because they realize it is not hosted at GoDaddy, decide to leave that site alone? Do hackers really show this type of preference when trying to break into a site? Does the host really matter for their purposes? I am a little skeptical that identifying and then attacking only GoDaddy sites would somehow be easier or preferred. My personal conspiracy theory is that someone out there figured out how to attack all the sites on a particular shared server. In other words, they gained access above where my site files were located and were then able to attack my site, regardless of how well or how poorly my security was configured.

New Web Hosting

I found it concerning that: a) my site was hacked but b) my site did not fit into any of the security weaknesses listed. Because there appeared to be no solid answer as to why it happened to my site, it seemed to me that there could be no guarantee that it wouldn’t happen again. GoDaddy had also taken the stance that it wasn’t their fault (which I understand if it really is user errors in security) and they were sending out the message that users would need to fix their sites and improve their security. To me, continuing to host here sounded risky.

I had been researching new hosting options already and knew I wanted to move my old sites to HostGator; this event just gave me the excuse to do so. Shortly after I moved, a second wave of hacks hit WordPress sites on GoDaddy again, this time a different flavor of the same problem. Then people started complaining that their sites were being hit repeatedly with the same problem, even after implementing all of the fixes suggested. I heard around this point (the beginning of May) that GoDaddy started taking this problem pretty seriously. I’m no expert and I can’t say that GoDaddy was suffering from some kind of internal problem, but comments like this seem to make it less and less likely that users are really at fault.

My thoughts now are that I am so glad I moved to HostGator after the first attack. My performance has improved, the support is phenomenal and I’ve not been hit by any problems since the move. I realize moving to another host won’t solve any problems if there is some core issue with my security settings or with WordPress, but my paranoid personality can’t help but feel that this problem goes deeper than my individual settings. So far, the move has proven to be the right choice.