Any reasonably popular software will eventually become the target of malicious exploitation, whether for fun or profit. WordPress, with 27.5% of websites relying on this popular engine, is of course no exception.
Knowing how to prevent yourself from becoming the victim of such malicious activity, and subsequently how to repair your WordPress site, is an invaluable skill for an amateur developer. It is important to note that deliberate, targeted attacks on WordPress sites are rare and usually employ different tactics – namely, defacement and DDoS attacks. Typical WordPress hacks are opportunistic, “drive-by” attacks which target outdated plugins, old themes, and neglected installations.
The basic strategy of cleaning most WordPress installations can be separated into several simple stages:
In short, it is easier to prevent vulnerability exploits than it is to repair a compromised WordPress installation. Here are the main actions which lessen the risk of exploits:
- Regular updates – Drive-by malware scans for readily available information about vulnerable WordPress websites, such as the core, theme, and plugin versions it exposes. Update all of it.
- Reducing the attack area – Delete all unused themes and plugins – don’t keep liabilities.
- Strong passwords – Most users have very short, memorable passwords that are easily cracked by a standard desktop PC in under an hour at best. Check your passwords now and use computer-generated nonsense or a personal quote. Beware of passwords that take only a billion years to decipher.
- Choosing a good host – Corner cutting and poor server management can turn one infected website into thousands at a time.
- Minimizing backdoors – Don’t share your password with anybody – leaked password lists and files can be used to infect dozens of websites quickly.
1. Identification: Know What to Look For
Usually, the first signs of a hack are vague: Google Webmaster messages, alien content in pages, or unrelated Google search results.
Most popular clues:
- SEO-jacking / SEO spam – Using the site’s authority to promote products or rank them higher.
- Malicious redirects – Redirect to other services or product pages.
- Boarding – Spamming vulnerable WordPress installations with torrent links.
- Alien content – Using a WordPress vulnerability to make posts on the blog page.
- Comment spam – Spamming unmoderated content with links to product/service/scam websites – usually done by scripts.
2. Backup
Now you know the problem, do a backup and clean everything.
The site can go down when exploit files are deleted, when a user logs in, or when an FTP user is deleted, so keeping regular backups may prove crucial. It is sometimes possible to restore a backup from a couple of weeks before the hack and update before it recurs, but in most cases this is unlikely to work.
Here are some backup methods:
- Offsite backup – Make a backup of your files from cPanel/FTP and back up your database with phpMyAdmin or other hosting tools;
- BackUpWordPress – An excellent plugin that makes file and database backups weekly;
- When all else fails – Scrape the site. It will not protect the admin functionality of the site, but you will have a working facade to display to regular users. This is the only option for websites that work only from the cache.
3. Cleaning + Cleaning Tools
It is best to clean sites on a local machine (on a local server). Local cleaning gives you access to UNIX tools such as find, grep, and regular expressions. Merely searching for ‘eval’ or ‘base64_decode’ may provide enough power to deal with most infections.
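As an added example (not code from the original post), here is a small POSIX shell script that does the find/grep pass described above over a WordPress tree. The pattern list, the function names, and the sample files it builds under a temporary directory are all constructed for the demo; against a real site you would point scan_php_tree at the site root.

```sh
#!/bin/sh
# Added example: report PHP lines that use functions commonly abused by injected
# droppers and webshells (eval, base64_decode, and friends). Nothing is modified;
# every hit still needs a human look, because legitimate plugins use some of these too.

# Constructed pattern list - extend it as you learn what a given infection looks like.
SUSPICIOUS_RE='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|preg_replace\(.*/e|create_function\(|assert\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('

# scan_php_tree DIR: print "path:line:text" for every suspicious line in *.php under DIR.
scan_php_tree() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$SUSPICIOUS_RE" {} + || true
}

# count_suspicious DIR: number of matching lines (handy for a quick before/after check).
count_suspicious() {
    scan_php_tree "$1" | wc -l | tr -d ' '
}

# list_recent_php DIR DAYS: PHP files modified in the last DAYS days. On a neglected
# install, freshly planted files stand out against everything else.
list_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# make_demo_site: build a constructed sample tree (not a real site) so the script
# runs stand-alone. Prints the directory it created.
make_demo_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/legit" "$site/wp-content/uploads/2017/05"
    printf '<?php\necho "hello";\n' > "$site/wp-content/plugins/legit/legit.php"
    # constructed stand-in for a dropper hidden in uploads: decodes and evals a payload
    printf '<?php\n$x="aGVsbG8=";\neval(base64_decode($x));\n' > "$site/wp-content/uploads/2017/05/wp-cache.php"
    # constructed stand-in for a minimal webshell: calls whatever function name is POSTed
    printf '<?php\n$_POST["c"]("id");\n' > "$site/wp-content/uploads/2017/05/cls.php"
    echo "$site"
}

if [ "${1:-}" = "--demo" ]; then
    site=$(make_demo_site)
    scan_php_tree "$site"
    echo "suspicious lines: $(count_suspicious "$site")"
    rm -rf "$site"
fi
```

Run it with `sh scan.sh --demo` to see the two constructed hits, or call `scan_php_tree /path/to/site` on a local copy. Note that PHP files under wp-content/uploads should not exist at all on a normal install, so anything reported there deserves attention regardless of what it contains.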
Regardless of where you are doing the cleaning – live site or local machine – the path is straightforward:
- Update everything – This will close all old loopholes and prevent access in case of bugs and known vulnerabilities.
- Delete everything unused – Most of the time I have found old, unused but still active plugins to contain backdoors, and old themes (yeah, it’s you, Twenty Fifteen) are often the host of the problem.
- Replace the wp-admin and wp-includes folders – They usually contain new backdoors and harbor vulnerabilities.
- Scan with both the Wordfence and Anti-Malware (GOTMLS) plugins – Usually one works better than the other depending on the situation, because one searches for new malicious files and encodings while the other scans for patterns and odd strings. Note that Anti-Malware is triggered by some JSON, base64, and other default WordPress files. Sometimes simple online scanners can do the trick for small scripts.
- Reset the passwords – Check for suspicious users, delete all old users, and send new passwords to the accounts that are still relevant. Also change the FTP password.
Note that the scanning process in the last two points will be more accurate when WordPress emojis are disabled.
Be sure to check the database for the same suspicious strings. Sometimes the whole database needs to be checked, and only the necessary tables should be imported back into the new database.
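The database check and the user review above can be done offline on the SQL export before anything is imported back. The script below is an added example, not code from the original post: it greps a mysqldump/phpMyAdmin export for injected markup in post and option rows and lists the accounts (and which of them hold the administrator capability). The sample dump it writes, the pattern list, and the function names are constructed for the demo.

```sh
#!/bin/sh
# Added example: triage a WordPress SQL export offline. Works on the INSERT statements
# mysqldump writes, so the table prefix may be anything, not only wp_.

# Constructed list of things that do not belong in ordinary post content or options.
DB_SPAM_RE='<iframe|<script|eval\(|base64_decode|display:[[:space:]]*none|javascript:'

# spam_rows DUMP: line numbers of INSERT statements for posts/options/comments/postmeta
# that carry one of the patterns above.
spam_rows() {
    grep -nE '^INSERT INTO `?[A-Za-z0-9_]*(posts|options|comments|postmeta)`? ' "$1" \
      | grep -E "$DB_SPAM_RE" | cut -d: -f1
}

# list_users DUMP: user_login of every row in the users table, one per line.
# Row layout is (ID,'user_login',...), so only the first two columns are read.
list_users() {
    grep -E '^INSERT INTO `?[A-Za-z0-9_]*users`? ' "$1" \
      | grep -oE "\([0-9]+,'[^']*'" \
      | sed -E "s/^\([0-9]+,'//; s/'$//"
}

# admin_ids DUMP: user IDs whose usermeta capabilities row contains "administrator".
# Row layout is (umeta_id,user_id,'meta_key','meta_value').
admin_ids() {
    grep -oE "\([0-9]+,[0-9]+,'[a-z0-9_]*capabilities','[^)]*administrator" "$1" \
      | sed -E "s/^\([0-9]+,([0-9]+),.*/\1/"
}

# make_demo_dump: write a constructed sample export (not a real site) and print its path.
make_demo_dump() {
    dump=$(mktemp)
    cat > "$dump" <<'EOF'
-- constructed sample export for the demo
INSERT INTO `wp_users` VALUES (1,'editor','$P$Bhash1','editor','editor@example.org','','2016-01-10 09:00:00','',0,'Editor'),(2,'wp_supp0rt','$P$Bhash2','wp_supp0rt','x@example.invalid','','2017-05-20 03:14:00','',0,'wp_supp0rt');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:6:\"editor\";b:1;}'),(2,2,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_posts` VALUES (10,1,'2016-02-01 10:00:00','2016-02-01 10:00:00','<p>Welcome to the blog.</p>','Hello','','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2016-02-02 10:00:00','2016-02-02 10:00:00','<p>News</p><div style=\"display:none\"><a href=\"http://pills.example.invalid\">cheap pills</a></div>','News','','publish');
INSERT INTO `wp_options` VALUES (99,'widget_text','a:1:{i:2;a:1:{s:4:\"text\";s:40:\"<script src=\"http://cdn.example.invalid/x.js\"></script>\";}}','yes');
EOF
    echo "$dump"
}

if [ "${1:-}" = "--demo" ]; then
    dump=$(make_demo_dump)
    echo "accounts:";                   list_users "$dump"
    echo "administrator user ids:";     admin_ids "$dump"
    echo "suspect rows (line numbers):"; spam_rows "$dump"
    rm -f "$dump"
fi
```

In the demo the second account was registered days before the cleanup and holds the administrator capability while the site's real editor does not; that combination is exactly what "check for suspicious users" means in practice. The flagged post and option rows are the ones to inspect (or drop) before importing the tables back.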
After all scans come back clean, it’s time to put the new website back up. Either delete or archive all the old files under a cryptic name like _infected-2017may-archive.zip, and upload the new files and database. Be sure to check Google and resubmit the site to the crawler – some spam links may stay in search results for months to come, and there is no quick way to get rid of them.
4. Post-Containment: Make Sure It Works
Come back to your site after a day, a week, and maybe a month to be sure it is updated and has no new spammy content or redirects. Scan with Wordfence and Anti-Malware to be sure nothing suspicious is picked up. Check your backups and update WordPress at least every Friday when leaving work or every Monday when beginning the week.
Decontaminating neglected WordPress installations can be a grueling task, hours of sifting through hundreds of oddly resized .jpg images, but this is all there is to it.