Data recovery for Atomic Reporters
| Florian Matthias Egerer

The NGO Atomic Reporters contacted us because their WordPress website had been hacked and injected with shady advertisements, spam links and other weird text. Basically their whole content was garbled, as the injected text could only be removed by hand. They were desperate, because they could not find a way to fix the problem without writing all their content again or going through each of the entries, one by one. For some unknown reason there was no backup, which made the situation even worse.

Securing the website

As companies that offer WordPress services often don't set up proper security measures, many WordPress websites quickly get hacked by automated or semi-automated attacks.

First we looked at the WordPress configuration and checked the most important settings. We found that unregistered visitors were able to create new user accounts. WordPress has a couple of dangerous settings that, if configured incorrectly, offer a bigger attack surface. As is often the case, lots of plugins were outdated or not being used. There was no application-level firewall installed and no security module configured.

We instantly fixed those vulnerabilities. From now on nobody could gain access to the system anymore. Then we went on to see what had actually happened to the page content. It appeared that an unknown attacker had been able to inject content into the database. The new content was inserted into selected database entries, each of them containing text for posts and pages. Not only text had been injected, but also dangerous JavaScript code, along with links to shady websites.

Fixing the nightmare

Since removing hundreds of spam entries by hand, across hundreds of different pages and posts, was an impossible thing to do and very obviously not a clever solution, we had to find a better way. First we made a backup of the complete database. Then we exported the parts of the database that had been hacked to a .wxr (WordPress eXtended RSS) file. This way, the text became editable in an editor or IDE of our choice, like Notepad++. As a second and crucial step, we wrote multiple regex patterns that would match all the suspicious parts.

Search and replace

We searched for JavaScript opening tags and other obvious HTML tags that had been used repeatedly in the spam messages. There are great tools that make writing complex regex rules much easier, like RegExr and Regex101. Once the regex was rock-solid we just had to hit "Search & replace all" and boom. All hacked parts had been removed and the content appeared as it had before the injection. Voilà!
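
One way to script the search-and-replace step, as an added example rather than the code used in this recovery: it applies the patterns only inside each post's `content:encoded` block of the export and reports how many blocks were removed per post. The sample export, the `spam.example` URLs and the two patterns are constructed assumptions, since the actual injected markup is not listed here.

```python
import re

# Constructed sample of a WXR export: two posts, each with injected markup.
SAMPLE_WXR = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<item><title>Workshop report</title>
<content:encoded><![CDATA[<p>Opening remarks.</p><script src="https://spam.example/a.js"></script><p>Closing notes.</p>]]></content:encoded>
</item>
<item><title>About us</title>
<content:encoded><![CDATA[<p>Who we are.</p><div style="display:none"><a href="https://spam.example/pills">cheap pills</a></div>
<SCRIPT>document.write("ad")</SCRIPT>]]></content:encoded>
</item>
</channel></rss>"""

# Assumed injection shapes: script blocks and hidden link wrappers.
# Non-greedy matching stops at the first closing tag, so nested divs need review.
PATTERNS = [
    re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S),
    re.compile(r'<div\s+style="display:\s*none;?"\s*>.*?</div>', re.I | re.S),
]
ITEM = re.compile(r"<item>.*?</item>", re.S)
TITLE = re.compile(r"<title>(.*?)</title>", re.S)
BODY = re.compile(r"(<content:encoded><!\[CDATA\[)(.*?)(\]\]></content:encoded>)", re.S)

def clean_wxr(wxr_text):
    """Return (cleaned_text, report); report maps post title -> blocks removed."""
    report = {}
    def clean_item(item_match):
        item = item_match.group(0)
        found = TITLE.search(item)
        title = found.group(1) if found else "(untitled)"
        removed = 0
        def clean_body(body_match):
            nonlocal removed
            body = body_match.group(2)
            for pattern in PATTERNS:
                body, n = pattern.subn("", body)
                removed += n
            return body_match.group(1) + body + body_match.group(3)
        item = BODY.sub(clean_body, item)  # titles and metadata stay untouched
        report[title] = report.get(title, 0) + removed
        return item
    return ITEM.sub(clean_item, wxr_text), report

if __name__ == "__main__":
    cleaned, report = clean_wxr(SAMPLE_WXR)
    for title, count in report.items():
        print(f"{count} injected block(s) removed from: {title}")
```

Reading the per-post report before reimporting shows whether a pattern is too broad, for example when a post legitimately embeds a script.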

Reimporting the database

Once all spam messages had been removed from the website content, we reimported the .wxr file back into WordPress, overwriting the hacked entries and restoring the original state of posts and pages. Because we secured the system properly and configured WordPress correctly, there was no way a similar attack could happen again. Never say never, but our team made it a million times harder for any intruder. An automated bot will simply fail to gain access and move on if the page is properly secured.

Creating a backup

As a final important step, we created a full backup of the whole WordPress installation. This had been neglected in the first place, which is always a very bad idea. You should create regular system backups in case of a server problem, a human mistake such as deleted content, or a hack/exploit that renders your page unusable. We set up a regular backup that runs every week, to help prevent future problems. Atomic Reporters' injection nightmare had been put to an end. All issues destroyed. Over and out!

About our client

Atomic Reporters is an independent non-profit, incorporated in Canada at the end of 2012 and operating as an officially recognized international NGO from Austria, that provides substantive and non-partisan information to journalists about nuclear science and technology. Atomic Reporters organizes workshops and seminars and provides training opportunities for journalists.

Thanks for reading, have a hack-free day! 🛡️