For those who hadn’t already heard, this site was hit with a variant of the WP Pharma Hack. The exploit happened back in late June, but wasn’t detected until recently. This appears to be some new version that hides itself differently than its predecessors, and the standard steps to sanitize the infected files were ineffective, so I opted instead to take the site offline, delete the compromised WordPress installation and database, and start over. I’ve taken some of the recommended steps found around the web to harden the new install, but I can’t be sure this iteration is any more secure than the previous one, since no one seems to know how the crackers behind the Pharma hack are getting in. Crazy, right?
If you visited my site any time after June, you’re probably safe. The Pharma Hack doesn’t attack site users, spread malicious code or even change the content you see when you view a page, and none of the scans I created were changed. Instead, it tampers with back-end WordPress files to hijack search results and click-counts, presumably for some financial payoff. You can read more about the exploit here and here.
Google still shows compromised results on a site:apple2scans.net search, and I don’t know how long it will take for the links to be updated, but as of today anyway, we’re free of infection. I tried using Google’s Webmaster Tools to speed up their cache refresh, but it didn’t have an effect, so it could be a while.
Tonight, I will start to repopulate the files and rebuild the pages, but with more than 20 GB to upload, sort and organize, it will probably take a few days before everything returns to normal. In the meantime, you can reach me by email if you need anything.
So, there it is. Thanks, everyone, for your patience, and extra big thanks to Peter Neubauer, who spotted the infection and was the first to inform me. And of course, to Ken Gagne, my WordPress therapist, site manager and occasional mentor, for all his help.