Hacked WordPress Site
As WordPress is one of the most popular CMSs on the web, with the largest market share, it is frequently targeted by attackers. WordPress is therefore updated often to close vulnerabilities as they are discovered, which is why one of the most important things to do when running a WordPress site is to keep WordPress and its plugins fully up to date. Doing this ensures that known weaknesses can't be exploited: 99% of the time a hack is carried out through the application/CMS the website is running rather than through the server itself.
A few indicators of a hack include:
- Website is blacklisted by Google, Bing, etc.
- Website has been flagged for distributing malware
- Readers complaining that their desktop AVs are flagging your site
- Being contacted because your website is being used to attack other sites
- Noticing behaviour that was not authorised (e.g., creation of new users)
- You can visibly see that your site has been hacked when you open it in the browser
If you have noticed any of these, move on to the next steps:
Scan your website
When scanning your website you have a couple of options: you can use external remote scanners or application-level scanners. Each is designed to look for and report on different things. No single solution is the best approach, but together they improve your odds greatly.
Application Based Scanners (Plugins):
Remote Based Scanners (Crawlers):
There are also a number of other related security plugins available in the WP repo. The ones annotated above have been around a long time and have strong communities behind each of them.
Scan your local environment
In addition to scanning your website, you should scan your local environment. In many instances the source of the attack/infection is your local machine (i.e., notebook, desktop, etc.). Attackers run trojans locally that sniff login credentials for things like FTP and /wp-admin, allowing them to log in as the site owner.
Make sure you run a full anti-virus/malware scan on your local machine. Some malware is good at detecting AV software and hiding from it, so try a second scanner from a different vendor as well. This advice applies to Windows, OS X and Linux machines alike.
Be Mindful of Website Blacklists
Google blacklist issues can be detrimental to your brand. They currently blacklist somewhere in the neighbourhood of 9,500 to 10,000 websites a day, and this number grows daily. There are various forms of warning, from large splash pages telling users to stay away to more subtle warnings that appear in your Search Engine Result Pages (SERPs).
Although Google is one of the more prominent ones, there are a number of other blacklist entities such as Bing, Yahoo and a wide range of desktop anti-virus applications. Understand that your clients/website visitors may use any number of tools, and any one of them could be the one raising the alarm.
It's recommended that you register your site with the various online webmaster consoles like:
Improve your Access Controls
You will often hear folks talking about updating things like passwords. Yes, this is a very important piece, but it's one small piece of a much larger problem. You need to improve your overall posture when it comes to access control. This means using complex, long and unique passwords for starters. The best recommendation is to use a password generator.
Remember that this includes changing all access points. By access points we mean things like FTP/SFTP, WP-ADMIN, the control panel (or any other administrator panel you use with your host) and MySQL.
This also extends beyond your own user and must include all users that have access to the environment.
It is also recommended that you consider some form of two-factor/multi-factor authentication. In its most basic form, it introduces, and requires, a second form of authentication when logging into your WordPress instance.
Some of the plugins available to assist you with this include:
Reset all Access
Once you identify a hack, one of the first steps is to lock things down so that you can minimise any additional changes. The first place to start is with your users: force a global password reset for all users, especially administrators.
Here is a plugin that can assist with this step:
You also want to log out any users that might still be logged into WordPress. You do this by updating the secret keys in wp-config.php. Generate a new set with the WordPress key generator, then overwrite the values in your wp-config.php file with the new ones. This forces anyone who might still be logged in to log in again.
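An added example (not part of the original article) of the wp-config.php step: a small Python script that regenerates the eight WordPress salts from a CSPRNG and rewrites the define() lines, so every existing session cookie becomes invalid. It assumes the single-quoted define('AUTH_KEY', '...') style of wp-config-sample.php; the script name rotate_salts.py is hypothetical.

```python
import re
import secrets
import shutil
import string
import sys

# The eight constants WordPress reads from wp-config.php to sign cookies and
# nonces; changing any of them invalidates every existing login session.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Characters safe inside a single-quoted PHP string literal (no quote, no
# backslash), so the rewritten define() still parses.
_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>,.?/~|"
# Matches e.g.  define('AUTH_KEY', 'put your unique phrase here')
# Assumes the single-quoted style used in WordPress's wp-config-sample.php.
_DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>" + "|".join(SALT_NAMES) + r")'\s*,\s*'[^']*'\s*\)"
)


def new_salt(length=64):
    """Return a random salt drawn from a CSPRNG, like the WordPress generator."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Replace the value of every recognised salt define() in config_text.
    Returns (rewritten_text, replaced_count) so the caller can refuse to write
    the file unless all eight defines were found."""
    def _sub(match):
        return "define('%s', '%s')" % (match.group("name"), new_salt())
    return _DEFINE_RE.subn(_sub, config_text)


if __name__ == "__main__":
    # Usage: python rotate_salts.py /path/to/wp-config.php (a .bak copy is kept).
    path = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    shutil.copy(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        text, count = rotate_salts(fh.read())
    if count != len(SALT_NAMES):
        sys.exit("found %d of %d salt defines; not writing" % (count, len(SALT_NAMES)))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    print("rotated %d salts; old config saved as %s.bak" % (count, path))
```

Run it once, verify the site still loads, and expect to be logged out yourself along with everyone else.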
Find and remove the hack
This will be the most daunting part of the entire process: finding and removing the hack. The exact steps you take will be dictated by a number of factors, including but not limited to the symptoms listed above. How you approach the problem will be determined by your own technical aptitude working with websites and web servers.
To help with this, we've included a number of resources:
- Did Your WordPress Site Get Hacked?
- How to Clean Your Hacked Install
- How To Clean a Hacked WordPress Site
- How to Cope With a Hacked Site
- Four Malware Infections
- How to Clean a WordPress Hack
It might be tempting to purge everything and start over. In some cases that's possible, but in many instances it's not. What you can do, however, is reinstall certain elements of the site with little risk to the core of your website. Always reinstall the same version of the software your website is using; choosing an older or newer one is likely to break your site. When reinstalling, don't use the reinstall options in WP-ADMIN. Instead, use your FTP/SFTP application to upload the clean files. This is much more effective in the long run, because those installers often only overwrite existing files, and hacks often introduce new files. You can replace the following directories safely:
- /wp-admin
- /wp-includes
From there, be more careful in updating and replacing files as you move through wp-content, as it contains your theme and plugin files.
The one file you will definitely want to look at is your .htaccess file. Regardless of the type of infection, it is one of the files most commonly modified and used for nefarious activities. This file is usually located at the root of your installation folder, but it can also be present in several other directories of the same installation.
Regardless of the type of infection, there are some common files you will want to keep an eye on during your remediation process. They include:
- index.php
- header.php
- footer.php
- functions.php
If modified, these files can adversely affect every page request, which makes them prime targets for bad actors.
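To make the "hacks often introduce new files" and "files to keep an eye on" points concrete, here is an added example (not from the original article): a Python script that compares the live wp-admin and wp-includes directories against an unpacked clean copy of the same WordPress version, reporting files that were added, changed or removed, and lists every .htaccess, index.php, header.php, footer.php and functions.php anywhere in the live install for manual review. The script name core_diff.py is hypothetical, and the clean copy is assumed to have been downloaded from wordpress.org.

```python
import hashlib
import sys
from pathlib import Path

# Core directories the page says can be replaced wholesale from a clean copy.
CORE_DIRS = ("wp-admin", "wp-includes")
# Files the page singles out as frequent targets, plus .htaccess, which can
# live in any directory of the install.
WATCH_NAMES = {"index.php", "header.php", "footer.php", "functions.php", ".htaccess"}


def listing(root, subdirs=("",)):
    """Map relative POSIX path -> sha256 for every file under root/<sub>."""
    root, out = Path(root), {}
    for sub in subdirs:
        base = root / sub
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file():
                    out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare_listings(clean, live):
    """Pure comparison of two {path: sha256} maps. 'extra' is exactly what an
    overwrite-only reinstall from WP-ADMIN would never remove."""
    both = set(clean) & set(live)
    return {
        "extra": sorted(set(live) - set(clean)),
        "missing": sorted(set(clean) - set(live)),
        "modified": sorted(f for f in both if clean[f] != live[f]),
        "watch": sorted(f for f in live if f.rsplit("/", 1)[-1] in WATCH_NAMES),
    }


def compare_install(clean_root, live_root):
    """Diff live core dirs against a clean copy of the same version; the watch
    list covers the whole live tree, since .htaccess etc. can sit anywhere."""
    report = compare_listings(listing(clean_root, CORE_DIRS), listing(live_root, CORE_DIRS))
    report["watch"] = compare_listings({}, listing(live_root))["watch"]
    return report


if __name__ == "__main__":
    # Usage: python core_diff.py /path/to/clean-wordpress /path/to/live-site
    for key, files in compare_install(sys.argv[1], sys.argv[2]).items():
        print(key, *files, sep="\n  ")
```

Anything under "extra" in wp-admin or wp-includes has no business being there in a stock install, and every "modified" file should match the clean copy once you have uploaded it over SFTP.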
Leverage the Community
We often forget that WordPress is a community-based platform, which means that if you're in trouble someone in the community is likely to lend a hand. A very good place to start if you're strapped for cash or just looking for a helping hand is the WordPress.org Hacked or Malware forum.
Update!
Once you are clean, you should update your WordPress installation to the latest software. Older versions are more prone to hacks than newer versions.
Change the passwords again!
Remember, you need to change the passwords for your site after making sure it is clean. So if you only changed them when you discovered the hack, change them again now, again using complex, long and unique passwords.
Secure your site
Now that you have successfully recovered your site, secure it by implementing some (if not all) of the recommended security measures.
Restore
If you've tried all of the above and are still having issues, but know when the site was last fine, you can restore your site to an earlier point in time (14 days, or 28 days via upgrade).
Updated 4 months ago