I’ve just got off the phone with a customer in Bath who’s suddenly become unable to edit their WordPress-powered website and found my details via Google (it’s nice to know when some of your Search Engine Optimisation goals are starting to generate meaningful traffic). I expect the articles on WordPress security piqued their interest…
Like any good web developer, my first port of call was a quick dive into the HTML source code. And sure enough I found the dreaded meta generator tag announcing to the world that their site was running an outdated version of WordPress. Now there are plenty of other ways of finding insecure installations of WordPress, and I’ve never been a big fan of the “security through obscurity” school of thought, but it doesn’t help to announce the fact that you aren’t maintaining your site as assiduously as you should. WordPress should disable this feature by default, IMHO. Scanning further down the HTML source I saw hundreds of links injected underneath the closing </html> tag, wrapped in some CSS to hide them from human viewers. So it’s clear the site’s been hacked, but what should you do now?
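The two symptoms above (a version-announcing generator tag, and link spam appended after the closing tag and hidden with CSS) are easy to check for programmatically. The following is an added example, not code from the original post; the sample page it scans is constructed to reproduce those symptoms and is not the customer’s site.

```python
import re

# Constructed sample page reproducing the two symptoms: a generator tag that
# leaks the WordPress version, and a CSS-hidden block of links appended after
# </html>. This is not real site content.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<meta name="generator" content="WordPress 2.8.4" />
<title>Example</title>
</head>
<body><p>Hello</p></body>
</html>
<div style="display:none;position:absolute;left:-9999px">
<a href="http://example.invalid/spam1">cheap pills</a>
<a href="http://example.invalid/spam2">casino</a>
</div>
"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# CSS tricks commonly used to keep injected links out of sight of visitors.
HIDDEN_CSS_RE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px', re.I)
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.I)


def audit_html(html: str) -> dict:
    """Report the generator string, whether anything follows the final </html>,
    and the links inside that trailing block together with whether it is
    hidden by CSS."""
    gen = GENERATOR_RE.search(html)
    generator = gen.group(1) if gen else None

    # A well-formed page ends at </html>; anything after it was not produced
    # by the theme and deserves a close look.
    closing = html.lower().rfind("</html>")
    trailing = html[closing + len("</html>"):].strip() if closing != -1 else ""

    return {
        "generator": generator,
        "trailing_bytes": len(trailing),
        "hidden_css": bool(HIDDEN_CSS_RE.search(trailing)),
        "injected_links": LINK_RE.findall(trailing) if trailing else [],
    }


if __name__ == "__main__":
    for key, value in audit_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of the live page (or, more usefully, against every page in the sitemap) and anything with a non-zero `trailing_bytes` or a `hidden_css` hit is worth inspecting by hand. As for the generator tag itself, a theme can suppress it from its `functions.php` with `remove_action('wp_head', 'wp_generator');`, but that only hides the version string; it does not substitute for patching.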
The first thing to do is take an immediate dump of both the database and the contents of the FTP server the site is hosted on. Once you have that in place, it’s time to get a little forensic. A little Googling for the symptoms you are experiencing never hurts. The next step is to try to sanitise the files from the FTP server. However, this gets tricky if you don’t have a pristine copy of the theme files that were used to create the site. If you do, you can use a tool like diff to check for anomalies between the source files and the files from the hacked website.
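Where a pristine copy of the theme exists, a file-by-file hash comparison gives a cleaner answer than eyeballing diff output, because it separates files that were added (dropped into the tree) from files that were modified or removed. This is an added example, not code from the original post; the two theme trees it compares are constructed in a temporary directory and the “tampering” is a harmless marker line.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_trees(pristine: Path, suspect: Path) -> dict:
    """Classify files in the copy pulled from FTP against the pristine theme.

    'added' files are the most interesting: a theme does not grow new PHP
    files on its own. 'modified' files should be diffed line by line.
    """
    good, bad = _hash_tree(pristine), _hash_tree(suspect)
    return {
        "added": sorted(set(bad) - set(good)),
        "removed": sorted(set(good) - set(bad)),
        "modified": sorted(p for p in good if p in bad and good[p] != bad[p]),
    }


def demo() -> dict:
    """Build two constructed theme trees and compare them (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "theme-pristine"
        bad = Path(tmp) / "theme-from-ftp"
        for d in (good, bad):
            (d / "inc").mkdir(parents=True)
        files = {
            "style.css": "/* Theme Name: Example */\n",
            "functions.php": "<?php\nadd_theme_support('menus');\n",
            "inc/widgets.php": "<?php\n// widgets\n",
        }
        for name, body in files.items():
            (good / name).write_text(body)
            (bad / name).write_text(body)
        # Constructed tampering: a line appended to functions.php and a file
        # dropped into inc/ that was never part of the theme.
        with (bad / "functions.php").open("a") as f:
            f.write("/* constructed injected line */\n")
        (bad / "inc" / "cache.php").write_text("<?php /* not part of theme */\n")
        return compare_trees(good, bad)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same comparison works for the WordPress core and for each plugin, provided you download the archive for exactly the version that was installed; comparing against a newer release will report every legitimately changed file as modified.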
Then I’d start to look through the database for external links or other such unusual content in the wp_posts table. You can often do this more quickly with a text editor and a MySQL dump file. If the database has been hacked, you’ve got to be meticulous in cleaning it out. Remember that the hacker may well have created a new login user, so don’t forget to delete all the users and create new ones with new passwords.
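Searching a dump by hand works for a small site, but a short script that pulls every `href` out of the `wp_posts` rows and lists the `wp_users` rows is quicker and less error-prone. This is an added example, not code from the original post; the dump excerpt it parses is constructed, with `.invalid` hostnames and placeholder password hashes, and the `own_hosts` set is an assumed allowlist of the site’s own domains.

```python
import re
from urllib.parse import urlparse

# Constructed mysqldump excerpt (not real customer data). Row 13 carries a
# hidden block of outbound links; user 7 was not created by the site owner.
SAMPLE_DUMP = r"""
-- Dumping data for table `wp_posts`
INSERT INTO `wp_posts` VALUES (12,1,'2009-09-01 10:00:00','2009-09-01 10:00:00','<p>Welcome. See <a href=\"http://www.example.com/about\">about us</a>.</p>','Welcome','','publish','open','open','','welcome','','','2009-09-01 10:00:00','2009-09-01 10:00:00','',0,'http://www.example.com/?p=12',0,'post','',0);
INSERT INTO `wp_posts` VALUES (13,1,'2009-09-02 10:00:00','2009-09-02 10:00:00','<p>Our services.</p><div style=\"display:none\"><a href=\"http://pharma.invalid/buy\">buy now</a> <a href=\"http://casino.invalid/\">play</a></div>','Services','','publish','open','open','','services','','','2009-09-02 10:00:00','2009-09-02 10:00:00','',0,'http://www.example.com/?p=13',0,'post','',0);
-- Dumping data for table `wp_users`
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bplaceholder','admin','admin@example.com','','2009-01-01 00:00:00','',0,'admin');
INSERT INTO `wp_users` VALUES (7,'wp_support','$P$Bplaceholder','wp_support','support@mailer.invalid','','2009-09-02 11:13:05','',0,'wp_support');
"""

INSERT_RE = re.compile(r"^INSERT INTO `(\w+)` VALUES \((.*)\);$", re.M)
# One field: either a single-quoted string (backslash escapes allowed, as
# mysqldump writes them) or a bare value such as a number or NULL.
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|([^,]+)")
HREF_RE = re.compile(r'href=\\?["\']([^"\'\\]+)\\?["\']', re.I)


def split_values(row: str) -> list:
    """Split the body of a VALUES (...) clause into fields, keeping commas
    that sit inside quoted strings (post content is full of them)."""
    out = []
    for m in VALUE_RE.finditer(row):
        out.append(m.group(1) if m.group(1) is not None else m.group(2).strip())
    return out


def scan_dump(dump: str, own_hosts: set) -> dict:
    """List outbound links in wp_posts that point off-site, and every
    wp_users row so unexpected accounts stand out."""
    external = []   # (post ID, URL)
    users = []      # (user ID, login, registration time)
    for m in INSERT_RE.finditer(dump):
        table, fields = m.group(1), split_values(m.group(2))
        if table == "wp_posts":
            post_id, content = int(fields[0]), fields[4]
            for url in HREF_RE.findall(content):
                if (urlparse(url).hostname or "") not in own_hosts:
                    external.append((post_id, url))
        elif table == "wp_users":
            # wp_users columns: ID, user_login, user_pass, user_nicename,
            # user_email, user_url, user_registered, ...
            users.append((int(fields[0]), fields[1], fields[6]))
    return {"external_links": external, "users": users}


if __name__ == "__main__":
    report = scan_dump(SAMPLE_DUMP, {"www.example.com", "example.com"})
    for post_id, url in report["external_links"]:
        print(f"post {post_id}: {url}")
    for user_id, login, registered in report["users"]:
        print(f"user {user_id}: {login} (registered {registered})")
```

Legitimate outbound links will show up too, so treat the output as a reading list rather than a verdict; a cluster of unrelated domains in a single post, or a user registered at an odd hour you do not recognise, is what you are looking for. The same loop can be pointed at `wp_options` and `wp_comments`, which attackers also use to stash content.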
I’d then install that database on a local web server that isn’t accessible from the internet, alongside a clean installation of WordPress. Run the WordPress update wizard. Then download clean versions of all the plugins that have been used in your site and install them.
The next step is to install the custom theme and thoroughly check it for problems with the patched version of WordPress. Harden the theme and installation as much as you see fit.
The last step is to reset all your FTP, MySQL and WordPress passwords and run a thorough check on your computer for viruses, trojans or other malware. With WordPress it’s most likely they brute-forced their way in, but you could have a keystroke or FTP logger sending your details to some nefarious hackers…
Finally, once you’re happy that you have as secure an install as possible, upload everything and push it live. Then monitor the site carefully for a few days or weeks. Look in the server logs for visits to unusual pages or strange query strings in URLs.
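“Unusual pages and strange query strings” can be turned into a few concrete checks that run over the access log each day. This is an added example, not code from the original post; the log lines are constructed in Apache combined format using documentation IP ranges, and the set of expected PHP entry points and the login threshold are assumptions you would tune for your own site.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qsl

# Constructed Apache combined-format lines (not real customer logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2009:13:55:36 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2009:13:55:40 +0100] "GET /about/ HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2009:14:02:11 +0100] "GET /wp-content/uploads/cache.php?id=1 HTTP/1.1" 200 310 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Sep/2009:14:02:15 +0100] "GET /index.php?page=../../../../some/file HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Sep/2009:14:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "Python-urllib/2.6"
192.0.2.44 - - [10/Sep/2009:14:10:02 +0100] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "Python-urllib/2.6"
192.0.2.44 - - [10/Sep/2009:14:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "Python-urllib/2.6"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# PHP files a stock WordPress install legitimately serves directly (assumed
# allowlist; extend it for your own installation).
EXPECTED_PHP = {"/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
                "/wp-comments-post.php", "/wp-trackback.php"}
# Query values carrying path traversal, markup, or a remote URL.
QUERY_RE = re.compile(r"\.\./|<|%3c|https?://", re.I)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_log(log: str, login_threshold: int = 3) -> dict:
    """Flag PHP executed outside WordPress's entry points, suspicious query
    values, and addresses hammering the login form."""
    odd_paths, odd_queries = [], []
    login_posts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        path = url.path
        # 1. A .php hit outside the known entry points, and especially under
        #    wp-content/uploads where only media belongs, is a strong signal.
        if (path.endswith(".php") and path not in EXPECTED_PHP
                and not path.startswith("/wp-admin/")):
            odd_paths.append((rec["ip"], path))
        # 2. Query string values that no normal visitor would send.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if QUERY_RE.search(value) or len(value) > 200:
                odd_queries.append((rec["ip"], path, key, value))
        # 3. Repeated POSTs to wp-login.php from one address.
        if rec["method"] == "POST" and path == "/wp-login.php":
            login_posts[rec["ip"]] += 1
    hammering = sorted((ip, n) for ip, n in login_posts.items() if n >= login_threshold)
    return {"odd_paths": odd_paths, "odd_queries": odd_queries,
            "login_hammering": hammering}


if __name__ == "__main__":
    for kind, hits in review_log(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Feed it yesterday’s log from cron and mail yourself the output; an empty report is the normal case, and the first non-empty one after relaunch tells you whether the attacker has come back to look for the file they left behind.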
WordPress is unfortunately a target for hackers, simply because it presents such a large attack surface, with millions of installs and thousands of inexperienced users. If you keep your installation patched you should avoid most problems, unless you’re really unlucky and get hit during a “zero-day” attack.
If your business or website depends on WordPress and has been hacked, but you don’t understand how to sanitise it, why not give us a call and we can help you with your WordPress security issues.