Fixing Wordpress after Hacking
INTRODUCTION
WordPress is an increasingly popular CMS - it powers roughly 26% of the web, and that percentage is even higher if we look at only websites that use CMS solutions - 59.4% - so WordPress is the most popular CMS out there.It has a large community, free themes, and, above else it supports most modern SEO standards out of the box. The downside of that popularity is its code - the code is open for reading to any person who has a hacker mindset.
HACKING TECHNIQUES
The WordPress core code is updated constantly by the WordPress dev team, and security holes are promptly sealed when they are found. So basically, the main security hole isn't in its core files but in code additions -small pieces of code that we can attach to our WordPress website in order to offer more functionalities to admins and visitors - plugins.There are quite a few available plugins out there (49,090) and their developers don't belong to the WordPress dev team, so the plugin code isn't checked for security holes by the WordPress team. These holes need to be closed by the plugin developer, if he or she is able to find them.
In reality, if you are a blog owner and you install some plugin(s), you may have unwittingly just created a backdoor for a hacker to gain access. Hackers tend to find WordPress instances which use vulnerable plugins (or vulnerable versions of those plugins), and hack them.
This technique is the most common one, but there is one more method that I need to mention - a brute force attack. By default, WordPress admin panel login credentials are entered on the same address - /wp-admin or /wp-login.php or /wp-login. A hacker just needs to set up brute force software and wait for a breach.
There are other techniques as well, mostly concerning file access permissions(.htaccess, exploiting xmlrpc, sql injection, etc), so any decent WP developer should know this and implement techniques to avoid these exploits.
STEPS FOR FIXING A WORDPRESS SITE
You must start with the assumption that every website is different, every developer is different, content and functionalities are different, so your remedy will differ for each case as well...FIRST THINGS FIRST...
- Damage assessment
- Investigate
- Fixing
FIXING HACKED WORDPRESS PROCEDURE
As I've mentioned before, you should determine how far you need to go. Maybe the website doesn't need all of these steps to be fixed, but here it goes...Common ways of fixing WordPress include these steps:
- You can freely delete every WordPress-related folder and file except the /wp-content folder and the, /wp-config.php file (which stores global variables that may be used by the theme, plugins, etc. - needs examination), or any other root placed file that has nothing to do with WordPress. Just inspect them and make sure they are not infected.
- Open wp-content folder
- Scan entire folder with an antivirus, log any quarantine/deleted file(s), and find a way to fix/replace them or to inspect them manually
-
- Open plugins folder, then make a list of every used plugin. After that, delete them and download them again. Note: it's important not to visit the website until after you finish replacing all the plugins - if you do, you might activate the malware/virus again and infect the freshly downloaded files
- Open the wp-content/themesp folder and then open the active theme folder (there could be multiple themes if the active theme isn't a standalone but a child of another one). If you have a proper backup, copy the new files from the trusted backup, or inspect each theme file found in those folders and confirm that there is no suspicious code in there (in the php files). You can detect suspicious code with ease - different code style, hacky methods, code in the wrong place... something like that.
- Open the wp-content/uploads folder and scan it with antivirus software. Log any quarantine/deleted file(s) and find a way to fix/replace them or inspect them manually. The uploads folder should contain media files, so any *.bat, *.php, *.exe should elicit further inspection. These types of files can be found here, by website configuration, but this isn't a good practice (they are executables), so please check them before deletion (check if they are in database or check if they are hard linked in *.php/*.html theme files somewhere)
- Inspect database
- Check if there are users in the wp_users (note: wp_ prefix can be something else) table and inspect all these users. You might have to delete some of them if they are suspicious. You'll find them in the wp_users table, but you must delete them from the wp-user table and wp_usermeta table.
- Optional: check the wp_posts table and wp_postmeta table to see if there is something unusual there
- Open wp-config.php file
- Inspect it - make sure everything is ok with the file
- Optional - change database prefix to something else
- A sql query is needed to update wp_ tables to some other prefix
- Please use only letters and lower case!
- Update $table_prefix php variable with the new prefix
- Optional - update salt keys - visit https://api.wordpress.org/secret-key/1.1/salt/ and paste new set of keys
HACKED WORDPRESS - THE AFTERMATH
Hey, why just stop there? We can do even more:- Ensure that at least one plugin from the security section is installed and enabled. My recommendation - Wordfence (https://wordpress.org/plugins/wordfence/)
- Optional: move login form from /wp-admin or /wp-login.php or /wp-login to somewhere else. This can be done by using a plugin for this, by altering .htaccess manually, by giving access to the login form only to a specific ip or ip range, or by adding basic auth before showing the login form
- Do regular backups
- Tighten the .htaccess file - there are plenty of tutorials online showing what you can do to tighten up WP security through htaccess
- Disable directory browsing
- Optional: remove unused metatags
- generator
- wlwmanifest
- EditURI
- pingback
- Optional: remove server signature