I’ve been hacked!

I’ve been hacked!

I’ve been hacked! Three of my WordPress sites were recently infected with Malware. The attack vector was via a vulnerable plugin called Ultimate Member. I wanted to take the opportunity to remind WordPress developers/users/hobbyists the things to consider when protecting your sites and dealing with these types of issues.

In the case of the above, I was able to quickly remove the code which had been uploaded to the ‘UPLOADS’ folder, a single line of PHP having the potential to cause untold amounts of damage. Thanks to D9 hosting for alerting me too, I should have been more on the ball with this, and am surprised I’d not spotted the out of date plugins earlier – my bad.

Is WordPress secure?

A common myth is the WordPress platform itself is inherently insecure. This isn’t true. There are currently no known back door’s in WordPress. It’s supremely stable & well coded, updated regularly and really does present a solid secure platform. It’s the bolt on functionality by way of plugins, badly put together forms and such like which all open up attack vectors to allow those nasty bastards into your site & server.

Backdoor you say?

The term ‘backdoor’ refers to a method of bypassing any normal authentication process and gaining entry to the system. A backdoor will be typically implanted during the first infection – this will then survive any clean-up effort. So you really have to be diligent when cleaning up your infected site.

Where to find the backdoors?

They can typically be placed anywhere;

Theme Files – One thing I like to do is remove unused themes once I’ve built the site. Themes are often survived during core WordPress updates so bare this in mind. If you’ve got old themes like TwentyOne installed, get rid of it. I recommend deleting all inactive themes.

Plugins – A classic reason why you should ALWAYS UPDATE YOUR PLUGINS. I often don’t, and it’s bitten me in this case. Plugin’s are also survived after WordPress updates so you should definitely 1) minimize the plugins you use 2) redact plugins you don’t use 3) don’t use plugins which look suspect.

Upload Directory – there should be just images in here, usually a lot of them separated by many folders, month and date. The issue with this is it’s really easy to slip in the odd PHP file so ensure you check this folder and maybe use inline monitoring to check when this folder is touched. I often toggle the permissions of the folder off/on when I want to use it and then back again for a tight approach to security.

Wpconfig.php The ‘meat and veg’ of your WordPress installation. Ensure you check here, it’s always useful to back this up separately.

Includes folder – /wp-includes is a folder people often don’t bother looking in but it’s well worth it as often those little hacker toe rags will upload multiple back doors to ensure their access.

In this instance, the infected file was called .love-is.php which is pretty easy to spot. Often though, it’ll be called something like php-5.ini.php or hello.php (maybe to look like a file belonging to the Hello Dolly plugin?) so you can be really stuffed and it’ll be like looking for a needle in the proverbial!

So how can I fix this mess?

There’s a number of things you can do,

Wpconfig.php – its easy to install a fresh WordPress install and AB compare the untouched file with your potentially infected one. Strip out anything which looks wrong.

Themes – you can delete all inactive themes. There’s no need for them to be there and you remove an attack vector in the process!

.htaccess file – occasionally the .htaccess file is meddled with and has your site redirected to porn for example, (this happened to me on mariodecristofano.com). You can simply delete this file and it’ll recreate itself.

Database – use a plugin (yes I know), if you don’t know what you’re doing with SQL and scan the dBase for bad code. This location is easy for hackers to exploit . Exploit Scanner is a good choice

Check check & check again!

When you think you’ve cleaned up your site, check it from other computers, logged out, other browsers & devices. Often, the hack may not present itself to logged in users so ensure you check thoroughly.

If you’re still unsure after all this, simply delete your site and start again!

Other things you can do, (fromWP beginner.com)

1. Use Strong Passwords – Force strong passwords on your users. Start using a password managing utility like 1Password.
2. 2-Step Authentication – If your password got compromised, the user would still need to have the verification code from your phone.
3. Limit Login Attempts – This plugin allows you to lock the user out after X numbers of failed login attempts.
4. Disable Theme and Plugin Editors – This prevents user escalation issues. Even if the user’s privileges were escalated, they couldn’t modify your theme or plugins using the WP-Admin.
5. Password Protect WP-Admin – You can password protect the entire directory. You can also limit access by IP.
6. Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the upload directories and other directories of your choice. Basically so even if someone was able to upload the file in your uploads folder, they wouldn’t be able to execute it.
7. Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins.

Mario DeCristofano

35 year old Digital native, grumpy, occasionally sweary & always passionate, I write about IT, technology & the things which interest me. @mariodc on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *