Transferring infected sites to Tiger Technologies

We (unfortunately) have lots of experience helping people fix a WordPress site after we discover it’s been “hacked” due to weak passwords or outdated plugins.

We have multiple security systems designed to catch this when it happens, and in most cases we can then use our logs and file timestamps to:

  • find the exact time the site was compromised;
  • identify the underlying security problem (almost always an outdated plugin or theme);
  • restore an uninfected copy of the site from a backup;
  • update the plugin or theme to prevent a recurrence.

However, there’s one case where this doesn’t work: when a customer is migrating a compromised site from another hosting company to ours, so we don’t have logs, accurate timestamps, or backups from the time of the problem. If the customer doesn‘t know how the problem happened, the site is almost certainly still vulnerable to “hackers”. Security experts agree that in this situation, the only safe course is to start over with a new set of script files.

When we tell customers about their site being infected, we often hear something that surprises us. They tell us they’ve removed one or two malicious files, but they don’t plan to do anything else because they don’t see any other infections and they think the rest of the site seems fine. This is rarely true, for two reasons.

The first is that it should have been impossible for hackers to modify your site to start with. If they did it once, but you don’t know how they did it, they can probably do it again. By definition, something was already wrong with a site that allowed any malicious files to be added.

The second reason is that hackers usually make small, hidden modifications to many files, allowing them to regain full access later. The fact that we, you, and your visitors can’t see anything else wrong doesn’t mean much. The intruders’ goal is to make changes in a way most people will never notice. A system like WordPress (including plugins and themes) contains hundreds of thousands of lines of code, and there’s no possible way to find all potentially malicious changes to it.

(Some people try to “scan” site files using a program on their computer, but Windows or Mac security scanners are not designed to scan for website source code infections. And while online WordPress security scanning services can be useful for identifying malware, it doesn’t guarantee that a site is clean if such a service finds nothing: it could just mean that the infection hides itself in a different random file they can’t check.)

So if you find that any file on your site has been compromised, you must assume that other files have, too, but that you’re not noticing it. And that, in turn, means that your site could be sending spam, infecting the computers of your visitors with viruses, or showing offensive content to some visitors. Even if your site looks fine to you, and the hackers aren’t currently doing anything malicious, the compromised files can be used at any future time without warning.

Once you discover this, you really have only one choice: Replace all the PHP script files on your site with freshly downloaded copies. You must do this: We can’t let you transfer an already-infected site to our servers.

You can follow our steps to replace all of the files — it’s not very difficult, and is vastly preferable to getting blacklisted by Google and other search engines, or finding out that your site has been spreading viruses to your visitors.