More than 835 million sites around the world use WordPress. It was a no-brainer that we used it for our blog too. But while WordPress is one of the most popular CMSs out there, it is also the one that gets attacked and infected the most if you are not careful.
Below is a chronological timeline of when our site got infected and how it was affected. Maybe it will help you secure your site in the future and learn from our laziness and mistakes!
How did it all start?
We are not obsessive about our Google rankings, but we do check once every 2–3 weeks. In September 2023 we saw declining traffic. Not a big concern, as rankings fluctuate! In October we noticed that traffic was in decline again. Was the team using ChatGPT to write content, or had we been hit by another Google penalty? We did some investigation, but neither of those was happening. We did see that on the blog the average time users spent on the site was less than 1 minute, which was a little concerning.
At the end of October, one of my team members shared a blog post with someone outside our network, and that person complained that they saw a spam popup when they went to our blog.
Alarm bells were triggered and we jumped into action. What the hell was happening?
The problem was that none of my team members were getting this message in their browsers. I cleared all the caches, deleted all the logs, and still the issue could not be reproduced. Finally, when I went to a different laptop on a new IP address, I could see the popup.
This malware was smart: it showed the popup only to visitors coming from new IP addresses, so our own team never saw it!
Then I found another clue. As soon as I searched using the default WordPress search box, the spam message popped up.
We looked at recently published posts. Nothing odd! Then we went through the pages and found 2 spammy pages that had been published.
This was disturbing. Had anyone hacked our admin or the author accounts?
We went through our authorized users list to figure out how this happened, but saw no changes. As a precaution, we asked everyone to change their passwords.
We thought the reason for the malware popup on the search results was the 2 spam items in published status, which were pages, not posts!
We deleted the spam pages and verified again from a different IP address.
The problem had still not been resolved! Our team was still getting the popup!
What are the next steps?
Here are a few other things we did:
- Installed the Jetpack malware plugin
- Upgraded all the plugins and the theme (yeah, I know we should be doing this regularly)
- Installed Lynis on the server. Lynis is an open-source security auditing tool for UNIX-based systems
I spent a couple of days installing them, running reports and going through them. The report from Lynis in particular was not easy to read.
But none of them was able to detect the malware.
AWS GuardDuty to the rescue
Since our complete application and site are hosted on AWS, we should have tried AWS's own solution first, but that was ignorance on our part; we relied more on Google search.
AWS GuardDuty is the threat and malware detection service from AWS. Initially the team was skeptical, but since we were running out of options, we decided to give it a try. You get a 1-month trial, it takes only a few minutes to set up, and we had nothing to lose.
And voilà!! It was able to detect the file that had the malware. It even showed the size of the file before and after the malware.
It was a WordPress child theme created by my developer for some customization. I thought that since you extend the parent theme, the child theme would automatically get upgraded when you upgrade the parent. What a wrong assumption! A child theme's files are your own code, and updating the parent theme never touches them, so they only get fixed when you fix them.
How we fixed the malware?
- We removed that file, deleted the child theme and upgraded the main theme
- Set up auto-update on all the plugins
- Made sure that we always update to the latest version of WordPress
- Enabled AWS GuardDuty on the complete infrastructure
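GuardDuty spotted the infected theme file because its size changed. The same signal can be collected yourself with a file-integrity baseline of wp-content, which is an added example here, not the post's own tooling or anything from AWS; the theme tree, file names and the "appended code" are constructed, and in real use the baseline file must be stored outside the web root so an attacker who can write to the site cannot also rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Files added, removed or changed since the baseline; a hit on a theme or plugin you did not deliberately update deserves a look."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(f for f in common if old[f]["sha256"] != new[f]["sha256"]),
    }


def demo() -> dict:
    """Constructed example: a tiny child theme, a baseline, then an injected change."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "child-theme"
        theme.mkdir(parents=True)
        (theme / "style.css").write_text("/* Theme Name: child */\n")
        (theme / "functions.php").write_text("<?php // legitimate customisations\n")
        before = build_baseline(str(theme))  # keep this OUTSIDE the web root in real use
        # Simulate what the post describes: code appended to an existing theme file
        # (its size grows) plus an unexpected new file dropped into the theme.
        with (theme / "functions.php").open("a") as f:
            f.write("// (constructed) unexpected appended code\n")
        (theme / "wp-cache.php").write_text("<?php // (constructed) dropped file\n")
        after = build_baseline(str(theme))
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

Run build_baseline right after a deliberate update and diff against it on a schedule; anything in "added" or "modified" that you did not change yourself is the file to open first.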
Traffic impact on the blog
The problem was resolved around Nov 15, and you can see below how traffic was impacted, mainly on the blog, and then started to recover slowly in December.
Overall impact on the website traffic
It was the blog that was affected most, but since the overall customer experience went bad, the complete site was penalized.
Below are the clicks from the Google webmaster console.
Hope this is helpful to anyone who runs into a similar issue. If you have any more questions or comments, please post below.
And since the CollegeHippo team has fixed the malware on our site, feel free to do a Master's program search if you are looking to get a Master's degree.