WordPress Hacking Help
by Jo Shaer, on November 24, 2014
WordPress is one of the most popular website platforms in the world, but it is also one of the most frequently targeted by hackers. Most WordPress websites are under constant hourly attack by both automated software "bots" and real human hackers.
Two of our websites here at Lollipop Local were the subject of such an attack recently. First they sent out lots of spam emails and then, in the secondary phase, all Android users were sent to a site in Russia which may or may not have contained malware.
As soon as we became aware of the issue, the sites were taken offline and then began the long job of trying to disinfect them. But, of course, this needed to be done as quickly as possible because a site that is not showing online is not bringing in new customers.
Approx 30,000 new websites are successfully hacked every day
Although most of these attacks are unsophisticated and easy to repel, a worryingly large proportion of these attacks are actually successful and result in a website being taken over for illegal purposes - such as sending spam, tricking people into downloading malware (viruses, trojans, etc.) onto their computers, or launching automated "bot" attacks on other websites.
It is very difficult to accurately calculate the number of compromised websites in the world, but some industry-leading security companies estimate that approximately 30,000 new websites are successfully hacked every day. A large percentage of these will be WordPress sites that haven't been "hardened" or kept up to date.
There are several reasons for this depressing statistic. Unfortunately, in its default state (i.e. if it is left in its standard, out-of-the-box configuration), WordPress isn't very secure or resistant to this constant barrage of attacks. This vulnerability is further exacerbated by other frequently encountered factors, such as:
1. if either the core WordPress system files or the theme files or 3rd party plugins aren't constantly monitored and kept up to date when updates are released;
2. if insecure, easy to crack passwords are chosen by users who have access to the admin area;
3. if more users than necessary are granted top-level administrator access to the admin area;
4. if certain security-hardening techniques aren't used to enhance the web hosting configuration;
5. if users logging in to the admin area don't make sure that their own laptops, desktops, networks, etc. are secure and malware-free.
How come my site was cleaned but now has been re-hacked?
Once a site has been compromised and is under the control of hackers or the malware they've installed on the site, sophisticated stealth techniques are often used to hide the infection and ensure that, if any attempts are made to clean the site, enough of the infection is left active to re-infect the site at a later date.
This is a very common situation and many WordPress sites have to be cleaned more than once, or re-installed from scratch, to finally get rid of the infection. If the source of the original hack came from the computer of one of the WordPress admin users, then it can be virtually impossible to keep the site secure until the computer being used to log in is also cleaned of any malware.
WordPress Hacking Help
In attempting to disinfect a website, we perform the following steps:
1. Take the site offline and restrict external access so that only one person is able to view or manipulate any of the site files. This means that our efforts aren't actively being watched and hampered by any hackers.
2. Take a complete backup of all the site's data, images etc. before wiping the hosting clean of every single file - both infected and clean ones. Don't just re-install over the top of the existing infected WordPress installation and plugins; start again from scratch with a clean slate.
3. Closely inspect the main hosting control panel to see if there are any tell-tale signs of stealth techniques being used to re-infect the site. Remove these.
4. Reinstall WordPress and all the 3rd party plugins being used on the original site from official, secure sources. Install and configure security and monitoring plugins that: a) reduce the danger from the most common types of WordPress attacks, and b) monitor the site for specific types of suspicious behaviour, keep logs of this behaviour and alert specified users if such behaviour is detected. Closely monitor the site to try to detect any potential re-infection.
5. Add security-hardening instructions to the site's hosting configuration files. These will help reduce the sensitive information leaked by default by all WordPress websites, and will also restrict access to the more security-sensitive areas of the site.
6. Compare every file in this fresh, secure version of the site with the corresponding file from the hacked version, to find out which files have been infected and make sure that these are not copied back to the new site when restoring the original data.
7. Then, before restoring the hacked site's page content (text, images, links, etc.), inspect each page's code - by hand - as a final attempt to make sure that no malicious code is still lurking there, ready to be reactivated.
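One way to carry out the comparison in step 6, as an added example that is not part of the original post: a Python script that hashes every file in the fresh install and in the backup of the hacked site, then lists files that were modified, files the fresh install never shipped, and files that are missing. The directory names and file contents created by `build_demo` are constructed sample data.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_sites(clean_root, hacked_root):
    """Classify every file in the hacked copy against the fresh install."""
    clean, hacked = hash_tree(clean_root), hash_tree(hacked_root)
    report = {"modified": [], "unexpected": [], "missing": []}
    for rel, digest in sorted(hacked.items()):
        if rel not in clean:
            report["unexpected"].append(rel)   # not shipped by the fresh install
        elif clean[rel] != digest:
            report["modified"].append(rel)     # differs from the official file
    report["missing"] = sorted(set(clean) - set(hacked))
    return report

def build_demo(base):
    """Constructed sample trees; file names and contents are made up."""
    files = {
        "clean": {"index.php": "<?php // core", "wp-includes/load.php": "<?php // load"},
        "hacked": {"index.php": "<?php // core",
                   "wp-includes/load.php": "<?php // load + injected line",
                   "wp-content/uploads/2014/11/logo.png": "PNG",
                   "wp-content/uploads/2014/11/cache.php": "<?php // unknown"},
    }
    for tree, entries in files.items():
        for rel, body in entries.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "clean"), os.path.join(base, "hacked")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_sites(*build_demo(tmp)).items():
            print(kind, paths)
```

The "unexpected" list will also contain legitimate uploads such as images, so each entry needs a manual look before it is restored; a `.php` file sitting among uploaded media deserves particular scrutiny.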
Security measures for the future after a hack
Take this opportunity to review the access needed by all the previous users:
1) Do they need access at all?
2) If so, do they need full administrator access, or will lesser permissions be suitable instead?
3) Strong user passwords should be used at all times - i.e. 12 characters or more and a mixture of upper and lower-case, numbers and punctuation marks.
If a site is kept up to date with all the latest updates for WordPress, any themes and any plugins, and users are careful to use strong passwords and keep their own computers malware-free, it has a much better chance of remaining hack-free and malware-free for the foreseeable future...