Fixing a Hacked Website
We’ve had an interesting week this week at Outerbridge Towers. Someone came to us wanting help with their website. So far, so usual. Unusually, their website had been comprehensively hacked. Outwardly, the site looked normal. Often hackers[1] deface the site so that it’s immediately obvious what they’ve done, but not in this case. This hack was much more subtle – when you visited the site, sometimes, but not every time, a pop-up window appeared telling you that your computer was infected and you needed to click on the button to download a piece of software which would solve the problem. Needless to say, this software would actually make the problem worse, no doubt by installing some ransomware. Oh, and all of this was accompanied by a loud, insistent bleeping noise, presumably designed to instil panic into the unsuspecting user of the site.
The person who approached us wanted our Website Recovery Service, so we got to work.
Before we even looked at the database, it was clear that the files on the site had been thoroughly defaced. And not just the theme files, but all the WordPress core files and plugin files too. After further investigation and discussion, we discovered that the site owner had paid for a cheap site. It had been purchased offshore and a cheap site is exactly what they got. The “developer” had built the site using a nulled theme to keep the cost down. Big mistake!
In case you don’t know, and hopefully you don’t, a nulled theme is a theme which normally has to be paid for but which someone has (illegally) made available for free. Of course, if it looks too good to be true, it probably is. The distributor usually tampers with nulled themes. In this case, the malicious code that was added to the nulled version of the theme propagated itself into the rest of the site.
Fortunately, we cleaned the site up and got it functioning again with a clean, properly purchased version of the premium theme. Unfortunately, there were some differences between the site before and after recovery. The developer who used the nulled theme was such a cowboy that they also altered the theme files directly. Updating the files to the latest, clean version meant that all the customisations were lost. This is why WordPress has child themes. Like many WordPress features, it’s a simple concept with major benefits – you just need your developer to know this sort of stuff. Anyway, I digress. The owner of the site was more concerned about whether we’d been able to save his data as this was business critical. We had.
What conclusions can we draw from this? Firstly, don’t ever use a nulled theme. Developers put a lot of time into making their themes. By using a nulled version, you cheat the developer out of getting paid for their work and you put your own site at risk. Secondly, going for the cheapest option when building a site may come back to haunt you. You’re likely to pay more in the long run.
One last thing, our Premium WordPress Website Support Package customers don’t need to worry about any of the above – in the unlikely event of their sites being hacked (and it hasn’t happened to date), free recovery is all part of the service!
1. I’ve used the term hacker in this article but really I mean cracker; it’s just that hacker seems to be the usual term used by the mainstream media.
2. The image above (the featured image in WordPress speak) shows the theme nuller’s calling card which was inserted into the nulled theme. I’ve removed some of the references in the image as I don’t want to give them any specific publicity, but I think you still get the idea that this wasn’t a great theme to use!