Earlier in the week a couple of friends were nice enough to let me know that Google
Fortunately I take regular backups, and the easiest way to fix it was to restore the WordPress files from a backup (after, of course, confirming that the backup was malware-free). My database was not impacted, so I did not have to restore it.
I am still trying to determine how the malicious code found its way in. I am careful with my site, using secure SSH and WordPress passwords, and the only WordPress plugins I use are well known and trusted, but I would like to solve this mystery.
In the meantime, some lessons learned (or reinforced) and action items:
- Backups, backups, backups: make sure they are running and TESTED
- I changed all my passwords related to my blog, including my Dreamhost account password, my SSH Account, and my WordPress password
- Changed my WordPress.com password since the account is linked to my blog via JetPack
- I changed my database password even though it did not appear to have been compromised
- After the cleanup was complete I submitted my site to Google for review and removal of the malware flag, which fortunately they were quick to do
- I am following up with Dreamhost to see if they had any known breach, though they are generally 100% transparent on the rare occasions they experience any hardware or software issues
Thanks to having working backups this was not a big deal, but I would like to figure out how the malware found its way in, and what I can do to better protect myself in the future.
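One way to make "confirm the backup is malware-free" and "backups are TESTED" concrete is to keep a hash manifest of the site tree and diff a known-good backup against the live copy, so that every added or changed file gets looked at rather than hunted for by eye. The script below is an added example, not code from the original post or from WordPress; it assumes plain directory trees, and the two sample trees it compares are constructed inline so it runs offline.

```python
"""
Added example (not from the original post): compare a known-good WordPress backup
against a live copy to list files the backup did not contain or that have changed,
and flag PHP files sitting under wp-content/uploads, where WordPress normally keeps
only media. Directory layout and sample contents are constructed for the demo.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root, '/' separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def suspicious_paths(manifest):
    """PHP under the uploads directory is worth a manual look; WordPress stores media there."""
    return sorted(
        p for p in manifest
        if p.startswith("wp-content/uploads/") and p.lower().endswith((".php", ".phtml"))
    )


def _write(root, rel, content):
    """Helper for the demo: create rel under root with the given text."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as handle:
        handle.write(content)


def demo():
    """Build a constructed 'backup' tree and a constructed 'live' tree, then compare them."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        # Identical known-good content in both trees (constructed placeholders).
        for root in (backup, live):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
            _write(root, "wp-content/themes/demo/footer.php", "<?php wp_footer(); ?>\n")
            _write(root, "wp-content/uploads/2013/photo.jpg", "placeholder image bytes\n")
        # Constructed differences in the live copy: an altered theme file and a PHP file in uploads.
        _write(live, "wp-content/themes/demo/footer.php",
               "<?php wp_footer(); ?>\n<!-- constructed change -->\n")
        _write(live, "wp-content/uploads/2013/x.php",
               "<?php // constructed placeholder file, not real malware\n")
        baseline = build_manifest(backup)
        current = build_manifest(live)
        added, modified, removed = diff_manifests(baseline, current)
        return {
            "added": added,
            "modified": modified,
            "removed": removed,
            "flagged": suspicious_paths(current),
        }


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

In practice you would run `build_manifest` against the restored backup before putting it live and save the result, then re-run it against the live tree on a schedule; a non-empty "added" or "modified" list outside the directories you expect to change (uploads, cache) is the signal to investigate, and it also tells you which backup is the last clean one when you need to roll back.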
Has your site ever been hacked? Did I miss anything in my cleanup? Have any suggestions to better protect my site? Please share them in the comments below.
Don’t you know you should always wash your hands after going to strange websites?
I gather you’ve ensured your local PC is clean, but that said, are credentials saved in your SSH client? I once had local malware exploit the saved credentials in the Filezilla FTP client in order to inject HTML on web pages in the related account.