tips for fixing a hacked wordpress site - wordcamp sydney 2016
TRANSCRIPT
1
Tips For Fixing a Hacked WordPress Site
Vladimir Laskyhttp://wpexpert.com.au/
WordCamp Sydney 2016
2
Bring Back Memories?
3
Wordfence’s 2016 Survey on How Sites Were Compromised
4
7-Step Recovery Strategy
1. Assess The Damage2. Identify Sources of Replacement Data3. Remove Infected Data and Restore from
Replacement Sources4. Disinfect What Cannot Be Replaced5. Reconstruct What Cannot Be Disinfected6. Harden the Security of the Website
7. Repair Damage to Reputation
5
Common Hurdles that Delay Repairs
Obtaining SSH/FTP Access to Client’s Hosting Server
– Especially when client is not owner/administrator of their hosting service
Obtaining Original Installation packages for Premium Themes and Plugins
– Especially when site was built by someone else– Often cheaper & faster to re-purchase plugins or
themes. Usually ensures renewed support & upgrades
6
The Goal
Ensuring complete disinfection– There can be no remaining malicious scripts or
exploits that can be used to easily compromise the site again
7
1 - Assessing The Damage
8
Identifying The Infection
Sucuri Site Check– https://sitecheck.sucuri.net/
Google Webmaster Tools– https://www.google.com/webmasters
If WordPress admin is still accessible, vulnerability scanning plugins like Wordfence
– https://wordpress.org/plugins/wordfence/
9
Sucuri Site Check Example
10
Wordfence Scan Functionality
11
Wordfence Scan Settings
12
2 - Identifying Sources of Replacement Data
13
Recovering Website Content & Stylesheets
Past Website Backups (Files and Database) Cached Version of the Website in Google Search
– E.g. to see the most recently cached version of website.com, visit google.com and perform the following query:
• site:websitehostname.com
Archive.org (also called Internet Archive or Wayback Machine)
14
Example - Accessing Google’s Cache
15
Example - Wayback Machine
16
Recovering WordPress Itself
The latest version of WordPress can always be downloaded from this URL:
– https://wordpress.org/latest.tar.gz
Previous versions can be found here:– https://wordpress.org/download/release-archive/
17
Recovering Website Themes & Plugins
Common Download Locations for Free Plugins:– WordPress.org Theme and Plugin Repositories– GitHub– Theme/Plugin Author’s home page
Premium Themes/Plugins– Ask clients to search their emails for
• original theme/plugin installation packages• login details for theme/plugin marketplaces i.e. Envato
– Sometimes original theme/plugin packages have been left on the server by a previous developer
18
Disinfection
19
What is Secure Shell (SSH)?
Allows you to access a UNIX (Linux) shell on your hosting server - similar to the Command Prompt under Windows
SSH access must be enabled by your web host Some hosts enable by default, others require a
special request, a minority forbid it Recommended Windows SSH Client is PuTTY
– http://www.chiark.greenend.org.uk/~sgtatham/putty/
20
21
Why use SSH?
Saves time spent in uploading/downloading files to/from the web host
Lets you run many useful UNIX/Linux shell commands to help quickly locate and repair damage
Avoids triggering infected PHP code within your WordPress installation
22
Common Infectious Payloads:
Shell code (a back door for the hacker)– Often appears as strangely-named PHP files with
obfuscated content
JavaScript code to run in the visitor’s browser that:– retrieves content from external sites (often spam or spam
links)– attempts to trigger vulnerabilities in the visitor’s web
browser
The attacker boasting about their achievement
23
Precautions When Making Changes
Backup the site files and database before making any changes
– cp –pa public_html prevOR
– tar zpcvf prev.tar.gz public_html
Also make backups during each step of disinfection process just in case you make a mistake and have to revert
24
WordPress Files That Are Often Infected:
Root Folder– wp-config.php– wp-load.php
Anywhere within the installation:– .htaccess– index.php– index.html
Within directory /wp-content/– Theme templates– Plugin Files
25
Disinfecting with Wordfence
Wordfence has the ability to compare and replace WordPress core files, theme files and plugin files with official repository versions
Powerful, but still often misses things Cannot help with custom/premium themes and
plugins Should always be followed up with manual
disinfection procedures
26
Replace WordPress Core Files
Move WordPress core files/folders within the website’s root folder to a quarantined location
– Folder wp-includes– Folder wp-admin– Files matching wp-*.php (except wp-config.php), index.php,
xmlrpc.php
Download the latest WordPress into a temporary folder and move the new copies of the core files/folders into the website’s root folder
27
Inspect Site Content Folders
Any remaining issues are likely to be contained within the folder /wp-content
Be suspicious of:– .php files with unusual names– ANY .php files within wp-content/uploads (should not normally be there)
Index.php outside of the root folder files should normally only have something like:
– <?php// Silence is golden.?>
– Their purpose is to prevent users from being able to list the directory contents
28
Finding Files Modified Between Two Dates
Between two dates:– find . -type f -newermt 2010-10-07 ! -newermt 2014-10-08
Between two dates & times:– find . -type f -newermt "2014-10-08 10:17:00" ! -newermt
"2014-10-08 10:53:00"
This command will find and move the files to “destdir”:
– find srcdir -type f -newermt 2014-08-31 ! -newermt 2014-09-30 -exec mv -i {} destdir/ \;
29
Comparing Site Files With A Good Version
The utility diff compares two files/directories and displays lines of text that differ between them.
Comparing with a good version from a backup or installation package may reveal the infection, allowing it to be manually removed with a text editor
– E.g. comparing the theme folder with one from a backup• diff –qr mybackup/wp-content/themes/mytheme
public_html/wp-content/themes/mytheme
– E.g. Comparing an installed plugin with a downloaded package• diff –qr downloads/myplugin public_html/wp-content/myplugin
30
Searching Contents of Files for Infections
To search within a directory for files containing a search string (regular expression):
– fgrep –R foldername “searchstring”
These PHP functions are often present in obfuscated code, so searching for them by name can identify its presence:
– base64_decode– gzinflate– eval
31
Infected Widgets
On occasion, some attacks may result in malicious JavaScript code is inserted into text widgets
Look through your widgets for anything that should not be there
32
Disinfecting .htaccess
.htaccess contains settings that override the default behaviour of the Apache web server
Malware often overrides the web server’s error handler with its own actions
Detailed topic, but you can delete the .htaccess file in the root folder and recreate it by going to Settings->Permalinks and selecting “Save Permalinks”
If you are using a page caching plugin that modifies .htaccess, you may need to reconfigure or save its settings again.
33
Example of Obfuscated PHP Code
34
Failsafe Disinfection (Last Resort)
Record the installed plugins & themes by:– Accessing WordPress admin or– By inspecting contents of /wp-content/plugins and
/wp-content/themes Use the WordPress Exporter plugin to export page, post and
menu content into an export file– https://en-au.wordpress.org/plugins/wp-exporter/
Quarantine the entire WordPress root folder Setup WordPress from scratch, install the required plugins and
themes, import content from the previous export file– https://codex.wordpress.org/Importing_Content
35
Common Disinfection Hurdles
A theme/plugin with a security vulnerability is no longer maintained
– Hire a developer to audit the code and fix its security weaknesses
– Replace with a newer theme/plugin that provides similar functionality
36
Reconstruction
Common Reconstruction Tasks– Reconfiguring Off-the-shelf Plugins & Themes– Rewriting Theme stylesheets and re-uploading
graphics– Reconfiguring widgets– Reposting content
37
Security (Re)Hardening
Reset users’ passwords Change the MySQL database password Update WordPress, Themes and Plugins to latest
versions– May require renewal of support for Premium themes/plugins
38
Beware of UTF-7 Encoding
From WordPress Admin go to Settings->Reading Is this visible?
An attack has weakened WordPress’s character encoding settings to facilitate future XSS (Cross-Site Scripting) attacks.
Change this setting back to UTF-8
39
Repairing Damage to Reputation
Remove Google warnings by submitting a reconsideration request in Google Webmaster Tools that outlines:
– That you have disinfected your site– What you have done to prevent a recurrence, e.g.
Updated software to address security vulnerabilities, installed a Web Application Firewall (WAF)
Inform users & readers of your site
40
More Information
Wordfence’s article “How Attackers Gain Access to WordPress Sites”– https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/
Google Webmaster’s help for hacked sites:– https://www.google.com/intl/en/webmasters/hacked/
Slides from My Previous Security Talks. Old but good – Wordcamp GC 2011:
• http://slidesha.re/tr2XA5• Covers the “Three Pillars of Security”, the aims of attackers and other WordPress security plugins
– WordCamp Sydney 2012:• http://www.slideshare.net/wordcampsyd/securing-your-wordpress-website-vlad-lasky-wordcamp-syd
ney-2012
Questions and Comments:– http://wpexpert.com.au/contact-us/