WordPress Site Hacked? Start Here.
WordPress is our CMS of choice for most small- to mid-sized businesses. There are a slew of benefits, from putting web content management in the hands of non-technical staff to providing a platform to launch a site in a short timeframe.
It does come with some downsides, though. When a platform is built and maintained via the community (a.k.a. open source), security can be a rather significant concern.
Botnet Attack on WordPress
Starting the week of April 8, site owners around the world learned a hard lesson – many of them were stunned to learn that they had their WordPress site hacked.
We saw it with one of our client sites. On Tuesday, we lost the ability to set up or remove users, or even edit our own profiles. The rest of the site appears to be operating normally, but the admin functions do not.
Later in the week, we learned of a massive Botnet Attack. This one is a doozy. It has spread very fast, and is clearly using compromised clients and servers to further expand its footprint. Those systems are running processes behind the scenes that are attempting to hack any WordPress site on the web. If your web host has been slow to respond, it’s because they’re all hands on deck trying to remediate the impact of this Botnet. Take a moment to read more about how sophisticated this whole attack is via the link above.
How Was Your WordPress Site Hacked?
The vast majority of compromised sites were hacked by password cracking. Since WordPress creates the “admin” username by default, the botnet is trying to log in to the admin dashboard using that ID. Coupled with a database of the 1,000 or so most commonly used passwords, the botnet can test random passwords from multiple IP addresses (using all the systems they have already taken over) until they hack into the system.
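Because the guesses arrive from many addresses, a per-IP count can miss the pattern while the total number of login POSTs still stands out. The following is an added example (not part of the original article) that counts POSTs to wp-login.php per time window across all source IPs. The access log format, the thresholds and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumes the Apache/Nginx common or combined access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3}'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3520',
    '198.51.100.7 - - [01/Jan/2024:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3520',
    '203.0.113.44 - - [01/Jan/2024:08:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3520',
    '192.0.2.10 - - [01/Jan/2024:08:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3520',
    '198.51.100.23 - - [01/Jan/2024:08:03:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3520',
    '203.0.113.44 - - [01/Jan/2024:08:04:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2890',
    '192.0.2.99 - - [01/Jan/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

def login_posts(lines):
    """Yield (timestamp, ip) for each POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith("/wp-login.php"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def distributed_bruteforce(lines, window_minutes=10, min_attempts=5, min_ips=3):
    """Flag time windows with many login POSTs spread over several source IPs.

    Thresholds are illustrative assumptions; tune them against normal traffic.
    """
    buckets = defaultdict(list)
    for ts, ip in login_posts(lines):
        buckets[int(ts.timestamp()) // (window_minutes * 60)].append(ip)
    alerts = []
    for bucket, ips in sorted(buckets.items()):
        if len(ips) >= min_attempts and len(set(ips)) >= min_ips:
            start = datetime.fromtimestamp(bucket * window_minutes * 60, tz=timezone.utc)
            alerts.append({"window_start": start.isoformat(),
                           "attempts": len(ips), "distinct_ips": len(set(ips))})
    return alerts

if __name__ == "__main__":
    for alert in distributed_bruteforce(SAMPLE_LOG):
        print(alert)
```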
Whether your WordPress site has been hacked or not, change the admin password immediately. Use something that meets recommended security standards, as follows:
- Is at least eight (8) characters long
- Mixes in upper and lower case letters
- Includes special characters and numbers
- Does not use three consecutive letters or numbers, e.g. “abc123”
- Avoids using common words in the string such as “password” or “login”
In some cases, you may not be able to log in at all once you are hacked. If that is the case, look to your host first to help get your access back. Then you can try some of the ideas in the next section.
Self-Service WordPress Hacking Remediation
Regardless of whether you were impacted by the recent Botnet or not, there are common places where hackers will place code to open a backdoor to your website or simply take it over.
Check Your Themes
Questionable code can be hidden in the themes you have installed within your WordPress installation. Hackers tend to avoid the active theme, because their malicious code will be overwritten when you next update the theme.
Instead, check to see if you have some inactive themes installed, but dormant. This is where you are more likely to find hacked code. If you never plan to activate a theme again, delete it. That removes the easy hacking opportunity from the equation.
Audit Your Uploads
You can access a full list of media files uploaded to WordPress via an FTP client or your File Manager in the control panel at your host. Drilling down from the root directory of your website, open up “wp-content”. In that folder, you will find another subfolder titled “uploads”.
The Uploads folder includes more subfolders sorted by year and month. You will need to search through all of these folders for filetypes that do not make sense in the uploads folder. You should find only media types such as .jpg or .png. If you find any .php files under “uploads”, delete them at once.
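Searching every year and month folder by hand is error-prone, so the check can be scripted. The following is an added example (not part of the original article) that walks an uploads tree and reports script files and other unexpected file types for review. The extension lists beyond .jpg, .png and .php, and the sample tree built in demo(), are assumptions.

```python
import os
import tempfile

# Media types expected under wp-content/uploads. Entries beyond .jpg and .png
# are assumptions; extend the set to match what your site really uploads.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Extensions a PHP host may execute (assumed list, depends on server config).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

def audit_uploads(uploads_dir):
    """Return (script_files, unexpected_files) as sorted paths relative to uploads_dir."""
    scripts, unexpected = [], []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), uploads_dir).replace(os.sep, "/")
            lower = name.lower()
            # Look at every dot-separated part so "x.PHP" and "banner.php.jpg"
            # are both reported; some server configs execute the latter.
            parts = {"." + p for p in lower.split(".")[1:]}
            if parts & SCRIPT_EXTENSIONS:
                scripts.append(rel)
            elif os.path.splitext(lower)[1] not in MEDIA_EXTENSIONS:
                unexpected.append(rel)
    return sorted(scripts), sorted(unexpected)

def demo():
    """Audit a small constructed uploads tree created in a temporary directory."""
    sample = ("2024/03/logo.png", "2024/04/team.JPG", "2024/04/cache.php",
              "2024/04/banner.php.jpg", "2024/04/.htaccess")
    with tempfile.TemporaryDirectory() as base:
        for rel in sample:
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_uploads(base)

if __name__ == "__main__":
    scripts, unexpected = demo()
    print("script files:", scripts)
    print("unexpected files:", unexpected)
```

Point audit_uploads() at a downloaded copy of wp-content/uploads; it only reports, so anything it lists can be inspected before it is deleted.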
Review All Of Your Plugins
Plugins are a huge benefit of using WordPress. But since they too are open source, the potential for vulnerabilities due to the code in a plugin is huge.
First, make sure all of your plugins are updated. If you have a list of plugin updates that you have been putting off for months, stop procrastinating. This could very well be the way they got in.
Second, delete any plugins that you don’t need. We often engage with clients who use WordPress as their CMS, only to find that they have installed upward of 20 plugins. In most cases, they are using 5-7 of those plugins for important functionality. The rest are just opening you up to security concerns.
While you are at it, consider the following plugins that can help improve your security in the future:
- Limit Login Attempts – This plugin only allows a pre-specified number of attempted logins from a single IP address. It can lock them out from trying again if they fail to log in after that number of attempts (i.e. a “brute force” attack). If you use this, be sure to let all users know they should reset their password, rather than trying to get in a dozen times. Otherwise, they could get locked out for 24 hours.
- Sucuri – Although this is a premium plugin, it has been touted as a great way to handle hack attempts. They specialize in website scanning and malware removal. You might want to give it a shot before calling a consultant to help out.
Double Check the .htaccess File
In some cases, the hackers will simply insert unwanted redirects into your .htaccess file. For those of you adept at managing .htaccess, remove them. For everyone else, tread carefully. One small error in your .htaccess could cause very undesirable consequences, such as blocking crawlers from spidering the site.
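To review the file without editing it, the redirect directives can be listed first. The following is an added example (not part of the original article) that reads a copy of .htaccess and reports redirect or rewrite lines whose target is a host other than your own. The sample file, the host names and the set of directives checked are assumptions.

```python
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent",
                       "redirecttemp", "rewriterule"}

# Constructed sample: the stock WordPress block plus two extra lines.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^(.*)$ http://unknown-host.example/landing [R=302,L]
Redirect 301 /old-page http://www.example.com/new-page
"""

def external_redirects(htaccess_text, own_hosts):
    """Return (line_no, directive, target_host, line) for redirects leaving own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0].lower() not in REDIRECT_DIRECTIVES:
            continue
        for tok in tokens[1:]:
            tok = tok.strip('"')
            if tok.lower().startswith(("http://", "https://")):
                host = (urlparse(tok).hostname or "").lower()
                # Targets built from server variables such as %{HTTP_HOST}
                # stay on this site and are not reported.
                if not host.startswith("%{") and host not in own:
                    findings.append((no, tokens[0], host, line))
                break
    return findings

if __name__ == "__main__":
    for finding in external_redirects(SAMPLE_HTACCESS, {"example.com", "www.example.com"}):
        print(finding)
```

Run it against a downloaded copy of the file and compare any reported line with a known-good backup before removing it.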
Which brings us to the next section…
When to Bring in a Professional
If you try all of the above and still cannot make progress, engage with the support team at your web host first. They can often fix or replace files that have been compromised. In some cases, the answer may be as simple as rolling back to a previous backup of the site. They should be able to help you determine the options you have available.
Assuming the host cannot solve the problem first, there comes a time when you need to hire a WordPress expert. If you are lucky, they will be able to remediate the problem using the existing code. Otherwise, you may be stuck reinstalling a clean code base and securing it from there.
Keep in mind that this is not a creative project. You need someone with a deep knowledge of both WordPress and PHP, as well as topics such as security, authentication, and user permissions. Whatever path you take, best of luck in rebounding from having your WordPress site hacked.