Find If Someone Hacked Your WordPress Blog & Changed The Files
How can you find if your WordPress blog has been hacked ?
WordPress Blogs (or for that matter, any software) become more vulnerable to hack attacks if you are not using the latest security updates. Hackers can then inject code into your WordPress files (especially themes) that will allow them to inflate the Google rankings of other spam websites though your blog.
And this is no uncommon thing. Dr Tony Hung recently discovered several WordPress websites that got hacked (include ZDNet) and affiliate links were secretly embedded into blog templates. Allen Stern, Kevin Burton and Matt Craven have more on this issue.
Is my website hacked ?
When a hacker gains access to your blog or website, he will modify certain files so that his tracking code gets executed and the spam links get displayed when people view your web pages.
So if you are curious to know if someone hacked into your WordPress blog last night and changed the files, you can look at the timestamp of every file on your web server and pay special attention to file that were modified during the time-period when you were fast asleep.
Don’t worry, you don’t have to try this manually, here’s a command to help you out:
Step 1. If you are on WordPress and have enabled WP-Cache plugin, go to your Plugin Settings and delete all the files from cache.
Step 2. Login to your web server using telnet or putty and switch to the directory that contains your WordPress files.
Step 3. Type "ls -Roh | grep YYYY-MM | sort -k 5,6" (without quotes and replace YYYY-MM with current month like 2008-04)
If the timestamp of any of your WordPress theme files or the standard WordPress files appears recent, you may want do a carefully check the contents of these files and compare them with the original files in your backup. Good luck.
Technicals - The ls command will recursively display all the files in WordPress directory and the -h switch will show their exact size in KB or MB. The grep command will limit this list to files that were changed only this month (or you can limit it to a day). The sort command will finally arrange this list to show files at the bottom that were modified most recently.
Related: How to Test Your Website For Errors
Subscribe in a reader
cool tip for WordPress users !
But most of the hosting provider does not give shell access. So all Wordpress users will not get benefit out of it. However, it is very good information.
Hackers also insert iframe into the cached files. This happened only when permission of the files and folders are incorrect.
A much better way (single command, no piping, much faster) would be to use our very own “find”. It can give you so many options to use:eg.
find . -cnewer -print or find . -newer -print(to find files newer than any certain file.
find . -ctime n -print (finding files changed within last n*24 hours etc) and there are many more options.
hmm, the above comment removed my “file” argument after -cnewer and -newer as it was enclosed in angled braces.. Pls add this argument if u use the command ;)
@Shodan: You are right. I too do not have ssh access. But ftp gives the the same info!
I verified this. Both GUI (Filezilla) and the command line ftp client in Windows does show the last modified date of files.
However, real hackers will leave only minimal or no evidence!
Best way is to always validate your feed. When hackers insert code they mess up with the feed. A website like feedvalidator.org can help with this. The feedvalidator Validates your feed and shows the code, and so you can check for any invalid url or snippet.
Thx for the tips…
That any simple way to protect our WP from hackers?
Imagine if you have more than one blog, and you must check one by one… hmm… after check it I must go to long vacation…. :)
That’s indeed a good way of finding out if any change was made to the template. But what if changes were made in the blog post and you have 100s of posts, you can’t check it like that.
I found I have been hacked by checking the cache of my pages in Google. My site got hit bad.
I am afraid it gets harder to keep track of all wordpress versions if one has many blogs with different wordpress versions. I don’t know a very effective method against it, especially content injection.