My Site Is Spewing Spam
Have you received a notice from the site host that your site is infected? Do you use a utility such as Wordfence which has given alerts of modified/infected file in your site? I recently encountered the problem of spewing spam from my site, and here are my thoughts and final fix.
First, let’s clarify that this site is hosted on Godaddy, and in their vast number of sites, writeandcreate is an extremely small fish. Because of this, I received no notification from them. Fortunately, my site has the Wordfence plugin installed. Wordfence, whether using the free or paid version, provides an invaluable service to the site host, owner, and web users in general. I received an email from my site that multiple files were infected, and the individual files and infection details were included.
Can This Be Fixed?
My initial thinking is that it will be too much trouble to investigate and repair each of the files. My next consideration is how important my site is for revenue generation for LinkEmUp, my small consulting firm. After considering those two issues, the initial solution considered was to completely eradicate the site and start over. This would mean cleaning out all of the files, posts, and uploads. It would also mean starting with a new, empty theme and customizing my site appearance and contents to the point of properly displaying my brand to the public at large.
Is there an option other than this? Yes, actually, there is. I could pay the Wordfence staff to clean up my site. After all, they charge a “reasonable rate,” right? Well, that description can mean different things to different people. If the site spewing spam is owned by Godaddy, a US government site, or even Equifax , then the Wordfence rate is probably quite reasonable. For my small, part-time, consulting business the rate is a bit steep. No, paying the Wordfence staff is not a feasible solution to my site problems.
What Is The Fix?
Fortunately, I took some time for consideration of the problem. That evening some research into the problem revealed a header installed on many of the infected files. Research also revealed that the only way for a certain eradication of the problem is to completely remove and rebuild the site. Still more solutions to be considered, so I decided to sleep on it.
The next morning I started looking at the files, using my site file manager, listed in the Wordfence alert. Yes, I was seeing the include file indicated by my original research. Things are looking pretty good. After editing these files and renaming a few that seemed to have random names, I ran a Wordfence scan again. The scan results are now looking even better.
The next step was to delete the zip file which initiated the attack along with some of the code created inside of WordPress system files. Yes, this code was quite easy to identify since it was inside of a “<?php” block and with clear references to attack servers. While making these changes, I often verified the operation of my site to ensure that nothing had been damaged, also running a Wordfence scan occasionally to verify progress.
What Is The Source Of This Problem?
Well, I can’t be certain of that answer. What I know is that I have updated every plugin (within a day or two, usually) as new versions have become available. So how did this happen, then? Well, I had a plugin installed that had not been updated for a few years. It was showing up on the Wordfence scans as a concern in need of action. Unfortunately, I didn’t consider it to be too much of a threat. I can say with a fair amount of certainty that this abandoned plugin had been compromised and allowed the installation of at least four different spam generating engines on my site.
I highly recommend a backup and scanning plugin on your WordPress site (Wordfence is highly recommended). Yes, I use Updraft Plus Backup and have regular weekly scheduled backups. Investigation of the infected files reveals that my site has been infected for at least six months. That revelation eliminated the likely solution of restoring my files, but a manual repair of so few files was definitely feasible.
At this point, my site is clean and I am able to publish this blog post so that others may be able to better decide if there is a route other than wipe and recreate. Do I know that my site is clean? At the moment, yes. The lesson learned is to keep an eye on the emails sent by Wordfence in case something like this happens again. Now I will find out why it happened so that I can take a more active role in preventing a recurrence of “spam spewing.”
