Case 3:17-cv-05659-WHA Document 470-3 Filed 05/13/19 Page 1 of 12
EXHIBIT 1

WordPress Hacked Redirect, How to Detect and Clean it

Posted on January 2, 2017 at 1:13 am

Tags: WordPress Hacked Redirect, WordPress Malware Redirect

6 Comments

So, did it hurt when you saw your website redirecting to phishing or malware websites? Alas, even when you have strengthened your website's defenses, about 30,000 websites are hacked daily. So it's very important to know what to do when that day comes!

If your website was hacked, there is a good chance that the attackers inserted malicious code that redirects your website to phishing or malware websites to grab traffic. That's just adding insult to injury, and it can really damage your website's reputation.

In case your site is redirecting visitors to a phishing or malware site, you will possibly get blacklisted by Google! Google isn't going to take any chances with its reputation: if your webpage(s) smell even the slightest bit fishy, it's going to blacklist you. I will cover the Google blacklist later on in this article.

What Is Malicious Redirect – A Definition

A hacker can use a script they created to systematically redirect your website to a scam website or an adult (porn) website in order to damage the reputation of your own website. Most commonly they will use the following tricks to change the behavior of a website:
◾ Upload or create a file in your WordPress site with the malicious script encoded.
◾ Add themselves as a Ghost Admin on your website.
◾ Execute PHP code they send through a browser.
◾ Collect personal information like email addresses, for spam purposes.
◾ Change anything on your website for their own purposes, often for spamming.

If a file is added, it's often named to look like a legitimate file that is part of the WordPress core files. The file could be named sunrise.php, wp-users.php, wp-system or wp-configuration.php or something similar. Typically hackers add the malicious scripts to .htaccess, wp-includes, wp-content/themes, wp-content/plugins or wp-content/uploads folders, or may also change your wp-config.php file.

Examples

Malicious Redirects in Header

Encoded malicious code is added at the top of the header file of your active WordPress theme: header.php

Malicious Redirects in Footer

A malicious script is added in the footer of the active WordPress theme.

What Does Blacklisting Look Like?

So, we've already talked about the methods you can use to check whether your website has been injected with malicious scripts, but I feel like it's a good idea to spend additional time on what we refer to in one of our previous articles as the "symptoms" of a site being hacked and blacklisted. Not every blacklisted website will exhibit those signs, however most of them can help you find out if your site is in trouble:
◾ There is a huge, sudden increase in traffic to your website for specific keywords that have nothing to do with your website content, particularly ones related to pharmaceuticals.
◾ Your site is suddenly redirecting to unknown websites not in your possession.
◾ Ghost Administrators appear in your website's dashboard who weren't created by you or other legitimate admin users.
◾ Your website is unexpectedly flagged as containing malware in search engine results or by desktop or mobile anti-virus software.
◾ Your hosting provider moved your website to junk or quarantine mode.

It's important to keep in mind that Google can provide various safety warnings as well. These warnings may appear in the search engine results page where your website is indexed. The most common warnings you will see are listed below.

This site may harm your computer

Example: Google has detected malicious code on your website.

This warning appears when Google believes your website contains a Trojan which is triggering a malicious download popup, like fake anti-virus popups, fake shopping discounts, etc.

This site may be hacked

Example: Google has detected your site has been hacked.

This warning appears when Google has solid reason to believe that the site has been completely compromised or hacked and taken over by someone other than you.

A Step-by-Step Guide For Removing The Malicious Scripts And Redirections

Step 1: Scanning Your WordPress Site

If you suspect that your website has been hacked with a malicious script, there are various ways of checking. However, before you run any of those, you need to generate a complete backup of your website. Even though your site may already be hacked, there's still a chance things could get worse before they get better.

Having a backup is maybe the next best thing after sliced bread. If you accidentally make a mistake while cleaning your site, your backup acts as your fail-safe. You can restore your website to the point where you first began working on it and keep investigating from there as if nothing else happened. Once you have backed up your complete website, you're ready to get started.

Extra Tip: Here are some websites that offer free scans for malicious files.
◾ Unmask Parasites – Helps you to know if your website has been hacked. This is a great first step in figuring out whether or not there's a problem.
◾ Norton Safe Web – You can quickly find out if there are any threats related to your website.
◾ Quttera – Deeply scans your site for malware.
◾ VirusTotal – One of the best online scanning websites available to scan your website or IP address for common viruses, malicious scripts, hidden backdoors, etc. It uses 50+ online antivirus scanners to get more accurate results.
◾ Web Inspector – This website scans for backdoors, injected scripts and malicious redirection code, with a fairly detailed report.
◾ Scan My Server – Scans for malware, SQL injections, XSS and more with a detailed report. The detailed report is emailed to you and takes about 24 hours.

Step 2: Locate the Suspicious Code

There are various places where you can look to locate the malware on your website. Scanning the code on each page of your website chunk by chunk is not always easy. Sometimes, the culprit is hidden somewhere else on your server. Still, there are some places that attackers target most often. You'll need FTP/FTPS login details to get access to these places and start the malware cleaning process.

In case your website is suddenly redirecting to unknown website(s), you need to take a look at the following areas for suspicious code:
◾ Core WordPress files
◾ Your website's index file (check both index.php and index.html!)
◾ .htaccess file

In case your website is triggering downloads for visitors, you should take a look at the following places:
◾ Header.php: Current theme header file
◾ Footer.php: Current theme footer file
◾ Your website's index file (check both index.php and index.html!)
◾ Your theme's files

You can also take advantage of the Google Diagnostic Page to figure out specifically what part of your website has been compromised. Is it only 1 page? One directory? Or the entire website?

Step 3: Dig Deeper: Pretend You're a Bot or User Agent

Sometimes running tests to analyze whether your website is infected with malware would put your own machine in danger. To avoid this, you can use the cURL CLI (Command Line Interface) to pretend you're a Google bot or a user agent.

You can enter the following command to emulate a bot through an ssh client:

$ curl --location -D - -A "Googlebot" somesite.com

Here --location follows redirects, -D - prints the response headers to the terminal and -A sets the User-Agent header.

Once you enter this, you should look for something that doesn't make sense in the code: bits which are in a different language than your own, or content that looks like gibberish in general. Yes, you'll need to recognize HTML at the least here. Anything in an iframe or script tag has to grab your attention, too.

You can also use this little command to emulate a user agent (again through an ssh client):

$ curl -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" http://www.somesite.com

You can edit or replace the "browser" string referenced here depending on your needs.

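The header dump from the curl commands above can be filtered for redirects that leave your own domain. The following is an added example, not code from the original article; somesite.com is the article's placeholder, and redirect.example and the sample responses are constructed.

```bash
#!/usr/bin/env bash
# Added example: list redirect targets that leave the site, read from a
# `curl -D -` header dump on stdin. somesite.com is the article's placeholder;
# redirect.example and the sample responses are constructed.

# offsite_redirects SITE_HOST: print Location URLs whose host is neither
# SITE_HOST nor www.SITE_HOST. Relative redirects stay on the site.
offsite_redirects() {
    tr -d '\r' | awk -v site="$1" '
        tolower($1) == "location:" {
            host = $2
            if (host !~ /^([A-Za-z][A-Za-z0-9+.-]*:)?\/\//) next
            sub(/^([A-Za-z][A-Za-z0-9+.-]*:)?\/\//, "", host)
            sub(/[\/?#].*$/, "", host)      # drop path, query, fragment
            sub(/^.*@/, "", host)           # drop userinfo
            sub(/:[0-9]+$/, "", host)       # drop port
            host = tolower(host)
            if (host != site && host != ("www." site)) print $2
        }'
}

# Constructed dump: an on-site 301 to the www host, then an off-site 302.
sample_dump() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.somesite.com/\r\n\r\n'
    printf 'HTTP/1.1 302 Found\r\nLocation: http://redirect.example/landing\r\n\r\n'
}

# Live use (needs network): compare what each user agent is served.
compare_agents() {
    for ua in "Googlebot" "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)"; do
        printf '== %s\n' "$ua"
        curl -sS -o /dev/null --location -D - -A "$ua" "http://$1/" |
            offsite_redirects "$1"
    done
}
```

A target that shows up for one user agent but not the other points to a conditional redirect, which is worth tracing back to .htaccess or the theme files.
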
A few other commands you might want to get familiar with are grep and find, which work through an ssh client. These commands will help you discover where the hacking took place on your website, so you can then manually remove the malicious code that placed you on Google's blacklist.

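One way to put find and grep to work on the locations named in this article, as an added example that is not part of the original post. The obfuscation pattern, the 7-day window and the function names are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: first-pass triage of a WordPress tree with find and grep.
# The obfuscation pattern and the 7-day default are assumptions; a hit is a
# lead to review by hand, not proof of infection.

# PHP files under wp-content/uploads, a folder that normally holds media only.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Files that use the lookalike names listed in the article.
lookalike_names() {
    find "$1" -type f \( -name 'sunrise.php' -o -name 'wp-users.php' \
        -o -name 'wp-system*' -o -name 'wp-configuration.php' \) | sort
}

# PHP files that decode a string and execute it, a common way to hide
# injected code such as the encoded header.php example.
obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)[[:space:]]*\(' \
        {} + | sort
}

# .htaccess rules that send requests to an absolute URL (file:line:rule).
external_htaccess_redirects() {
    find "$1" -type f -name '.htaccess' -exec grep -HnEi \
        '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' {} + | sort
}

# PHP and .htaccess files changed within the last N days (default 7).
recently_modified() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) \
        -mtime "-${2:-7}" | sort
}

# Run every check against a WordPress root, e.g.: triage /var/www/html
triage() {
    for check in php_in_uploads lookalike_names obfuscated_php \
                 external_htaccess_redirects recently_modified; do
        printf '== %s\n' "$check"
        "$check" "$1"
    done
}
```

Run it against the backup copy from Step 1 as well as the live tree, so that a file flagged in one and absent from the other stands out.
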
Here's a list of useful resources to speed up the process of cleaning your site on the terminal.
◾ Command line
◾ SSH
◾ What's My User Agent?

Step 4: Removing Bad Code

In case your website has been injected with malware, you'll need to remove the malicious scripts that caused the redirections to the abusive websites. If the attackers created new pages with malicious code, you can remove them from search engine results altogether by going to Google's Search Engine Console and using the Remove URLs feature.

Next you should update the theme and plugins, and install any new core updates that are available. Make sure everything is as up to date as possible. This will reduce your website's vulnerabilities.

Finally, change all of the passwords on your website. And I mean all of them! Not just the WordPress administrator password: you also need to reset the passwords for your FTP account, database(s), hosting, and anything else related to your website, and regenerate the WordPress salt keys, to ensure its security.

Re-generate WordPress Salt Key

Step 5: Resubmit Your Site

If your website was blacklisted due to malicious redirections and has been removed from Google's search results, you need to submit your site for review. Otherwise, Google won't know that you've taken meaningful steps to remedy the trouble.

If your website was involved in phishing, you'll need to submit a reconsideration request through Google Webmaster Tools (now called Google Search Console). I'm going to assume your website is already added, so when you're logged in, click on Search Traffic >> Manual Actions. You should then be prompted to submit a review.

Plugins to Help Test and Clean Your Site

Here are some WordPress plugins which can detect infected files:
◾ Theme Check
◾ iThemes Security
◾ Acunetix WP Security
◾ Vaultpress

Keeping Your Site Secure

In order to keep your site secure, make sure you follow the guidelines below:
◾ Keep your WordPress core files updated.
◾ Keep your themes and plugins updated.
◾ Use a safe, secure WordPress hosting service; if possible, choose one which can manage your WordPress site instead of just hosting it.
◾ If you choose to use a reseller hosting account under a non-WordPress-friendly hosting provider, avoid adding sites as addons under your main account. You can set up those sites in a separate site account.
◾ Remove any inactive themes or plugins you don't plan to use on your site.
◾ Review your WordPress plugins and themes and make sure all of them have been recently updated by their developers; if not, you should seek alternatives and remove them from your WordPress site.
◾ Never install nulled themes or plugins.
◾ Keep one or two admin accounts, and downgrade the rest of your admin users to author or editor.
◾ Remove all dev/demo setups of your WordPress installation outside your public directory.

WordPress Malware Removal Services

FixMyWP has successfully cleaned more than 2000 WordPress sites already, with a success rate of 100%. If you don't have the time or the expertise to scan and clean your WordPress site from a Malware Redirect hack, then we can clean it for you.

This is a priority service that will restore your hacked WordPress website in a day or less, and we offer a 30 day guarantee period. If your website is hacked again during the guarantee period, we will clean it free of charge.

About

Makis Mourelatos
WordPress Security Engineer at FixMyWP
WC Athens 2016 co-organizer, WP Support and Security Aficionado, Wannabe Kitesurfer.

Comments (6)

Lynn Dye
January 2, 2017 at 5:15 pm
Very comprehensive article. I like all the resources you gave along with warnings site owners may get when their site gets compromised.

Fix My WP
January 2, 2017 at 7:11 pm
Thank you Lynn

Areti Vassou
January 18, 2017 at 8:45 pm
Great and free info for a very important issue! Thank you for this professional article!

Vũ Minh Chiến
February 13, 2017 at 6:05 am
Thank you very much!

Nashrudin
August 14, 2017 at 7:24 pm
Awesome article

Apple Valley Solar Contractor
August 28, 2017 at 12:40 pm
It's amazing for me to have a web page, which is useful in favor of my experience.
thanks admin

© 2013-2017 FixMyWP.com.
This website is not affiliated with or sponsored by Automattic or the WordPress Open Source project