I’ve been having an ongoing issue with the site recently.
Despite the site being locked down tight, with iThemes Security, Sucuri, and Jetpack installed, a malicious code injection somehow occurred.
The result of the infection is that all pages and posts were modified to add scripts that cause popups and redirects to malware sites. If you’re using something like NoScript under Firefox, or the Brave browser, then you will have been protected from these if you visited during a period of infection.
Undoing the edits is simple enough – just rolling back to a pre-defacement backup of the database. It’s preventing re-defacement that is the ongoing problem.
Re-defacement has happened several times now, and each time I have taken increasingly drastic steps to try to remove the re-infection vector, including going through the entire database row by row. Each time I think I have purged it all, it somehow manages to come back.
I’m at the stage now where if it happens again, I may have to blow away the entire site and reconstitute it from scratch, which will probably mean broken links and loss of comments. Which, considering what Datahamster is all about (preserving stuff for perpetuity), is sadly ironic.
Hopefully it won’t come to that. Fingers crossed.
Well, it did come to that. I had to blow away the entire site and do a fresh install.
I have very cautiously re-imported the posts and comments from a database backup, but if the site gets defaced again then, well, I don’t know what I will do.
I’m cautiously optimistic that the site won’t get re-defaced. Famous last words, I know, but this is a fresh install of WordPress, with a new database, minimal plugins, and with things like XML-RPC completely disabled, and the only data I have imported from the old database are the posts, comments, and media. And that was after exporting just those tables to a text file, going through the SQL line by line in a text editor to make sure that only legitimate-looking content was there, before then importing it into the new database. Of course, I could have missed something, but if I have then I’m going to be utterly stumped as to where I went wrong.
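The line-by-line review of the exported posts and comments tables described above can be partly automated. As an added example (not from the original post), the Python below walks the single-quoted string literals of a mysqldump-style export and flags any post or comment content matching a few indicators of injected scripts; the indicator list, the sample dump, and the assumption that the export uses MySQL's backslash-escaped literals are all constructed for illustration.

```python
import re

# Indicators of injected markup in post_content / comment_content (constructed; extend as needed).
SUSPICIOUS = [
    re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//", re.I),         # remote script include
    re.compile(r"<iframe\b", re.I),                                              # injected frame
    re.compile(r"javascript\s*:", re.I),                                         # javascript: URL
    re.compile(r"\beval\s*\(|document\.write\s*\(|String\.fromCharCode", re.I),  # common obfuscation
]

def iter_string_literals(sql):
    """Yield (offset, value) for each single-quoted MySQL literal, honouring backslash
    escapes and doubled quotes so a quote inside post content does not split the value."""
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        start, i, buf = i, i + 1, []
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:                          # backslash escape (\' \\ etc.)
                buf.append(sql[i + 1]); i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":   # doubled quote ''
                buf.append("'"); i += 2
            elif c == "'":                                       # closing quote
                i += 1
                break
            else:
                buf.append(c); i += 1
        yield start, "".join(buf)

def find_injections(sql):
    """Return (offset, indicator, snippet) for every literal matching an indicator."""
    hits = []
    for off, value in iter_string_literals(sql):
        for pat in SUSPICIOUS:
            m = pat.search(value)
            if m:
                hits.append((off, pat.pattern, value[max(0, m.start() - 20):m.end() + 40]))
                break
    return hits

# Constructed sample dump: a clean post, a post with an injected remote script (note the escaped quote in It\'s), and a comment carrying a javascript: link.
SAMPLE_DUMP = (
    "INSERT INTO `wp_posts` VALUES (1,1,'2020-01-01','<p>Hello world</p>','Hello','publish'),"
    "(2,1,'2020-01-02','<p>It\\'s fine</p><script src=\"//cdn.example.invalid/x.js\"></script>','Post 2','publish');\n"
    "INSERT INTO `wp_comments` VALUES (1,2,'Reader','<a href=\"javascript:void(0)\">click</a>');\n"
)
```

Running `find_injections` over a real export reports the byte offset of each flagged literal, so the row can be opened in the editor and judged by hand before the table is re-imported.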
So far, so good.
If the site does get defaced again then I think it will be via a fresh attack rather than a re-infection, as I simply don’t see how any of the data I re-imported could have contained anything that could re-infect.
Still looking good. Getting optimistic now.
No further defacement has occurred. I think I can call this fixed now.