There is a new website hack going around (well, new to me). Here is how to tell if you are hacked, and what to do to fix it!
Then all of a sudden, they stopped coming in.
Now, obviously this is completely normal, so I didn’t think anything of it, until someone wanted the URL and out of laziness I did a google search rather than grab the link directly from my blog … and I saw this weird thing:
Initially I blamed Cloudflare, or the SiteGround caching. I mean, the page itself was fine.
Fortunately my friend Hakan had seen this hack before.
To check your search results, go to Google and enter
Then see how your search results look.
In my robots.txt there was a line inserted that tells robots where to find an additional site map.
On my site they direct bots to check “/.well-known/acme-challenge/style/theme/upload/temp/temp/18.xml”
Deleting that entry, and setting the file to read only (chmod 444, or remove write access using FTP), seems to have cleared it up, as well as nuking the entire “/.well-known/” folder.
It gets worse
Unfortunately all the sites on my hosting account, including this one, were impacted, which makes me believe one of them (they are not all mine) had a dodgy plugin, theme or other vulnerability.
So I have asked that the other sites get their own host, and have signed up to Sucuri so they can keep an eye out rather than have to check all the time myself!