Category: WooCommerce / WordPress
My WordPress website has been hacked. What should I do?
Any WordPress website could be hacked, and when it happens, you may be tempted to panic. Don’t. Calm down and just read how to:
- identify that your website has been hacked,
- take appropriate steps to clean it,
- make it more secure, and finally,
- prevent your website from being hacked again in the future.
How to recognize that your WordPress website has been hacked?
Sometimes it’s obvious. Your website has crashed and you can’t log in. The website redirects you to another page or its content has been changed. A store payment form or gateway has been replaced with another one. Your hosting provider has warned you. Your website has been blacklisted by Google or you’ve received an email alert from a security plug-in.
But in many cases, you are unaware of a threat, as many malicious scripts try to hide and function as long as possible. That’s why every website owner should use a scanner regularly. For example, one of the following: [https://geekflare.com/online-scan-website-security-vulnerabilities/].
The basic question is: why would someone hack your website?
There are many reasons, but in most cases it’s all about money. Hackers use phishing to steal money from bank accounts, ransomware to make you pay to unlock the server or to not release compromised data, or they simply use your server to mine cryptocurrency.
In a few cases you may be targeted personally, for example if you publish controversial content.
When your WordPress has been hacked: search and destroy! Start by looking for the malware. Every piece of malware is just code, so it has to be stored somewhere in the file system or the database.
1. Search for recently modified files on the server
The best way to find recently modified files is to access the server via SSH. Then you can use the “find” command, for example:
find /path/to/your/website/root -type f -newermt 2021-02-01
to list files modified on or after a given date.
Also check the contents of the files and examine the code. Focus on functions like eval, exec, system, preg_replace, move_uploaded_file and the base64 functions, or on obfuscated code like this:
var _0xf19b=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65"
But be careful. The above functions can be used in the regular code of WordPress core files and plug-ins, so you need to check what they really do.
2. Check WordPress core files
Compare the WordPress core files in the root, wp-includes and wp-admin directories with a freshly downloaded copy of the same WordPress version, checking the number of files and their sizes. It’s a simple but effective step, as the core files of a given version do not change on their own. But make sure it really is the same version! You can use the diff command to compare:
diff -r /path/to/your/website/root /path/to/fresh/wordpress/copy/
And when you find something, check the contents of those files.
3. Check plug-ins
Most successful attacks use insecure plug-ins. If you are lucky enough to observe the malware in action (redirects, replacements, etc.), you can disable plug-ins one by one to see whether the problem persists. If you find an infected plug-in, simply compare its code to a “clean” copy of the same version of that plug-in.
4. Use information from Google
Use the notifications you receive if your website has been blacklisted by Google. You can also use the Google developer tools [https://developers.google.com/search].
5. Check the database
Searching the file system is easier than searching the database, but in the case of WordPress, malware can unfortunately be found in the database too.
To search the database, download a database dump and check it locally. Look for strings resembling the functions listed a few paragraphs above, suspicious links, and spammy words.
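The search steps above (recently modified files, the suspicious functions, and the database dump) can be scripted. This is an added example, not code from the original article: paths, the date and the sample tree used in testing are constructed, and the pattern list is an assumption built from the functions named above.

```shell
#!/bin/sh
# Added example (not from the original article): a triage helper that
# (1) lists files changed since a given date, (2) greps PHP files for the
# functions the article names, and (3) runs the same search over a database
# dump. Paths, the date and the sample tree used in testing are constructed.

# Pattern built from the functions the article lists plus common obfuscation
# markers ("\x6F"-style hex escapes, base64/gzip decoders). It WILL match
# legitimate WordPress core and plug-in code, so every hit needs a look.
SUSPICIOUS='eval\(|exec\(|system\(|preg_replace\(|move_uploaded_file\(|base64_decode\(|gzinflate\(|str_rot13\(|\\x[0-9a-fA-F]{2}'

# recently_modified ROOT YYYY-MM-DD : files modified on or after the date
# (-newermt is GNU find syntax, as used in the article)
recently_modified() {
    find "$1" -type f -newermt "$2" | sort
}

# grep_suspicious ROOT : "file:line:text" for every PHP file hit under ROOT;
# "|| true" keeps a clean result (grep exit 1) from aborting under set -e
grep_suspicious() {
    grep -rnE --include='*.php' "$SUSPICIOUS" "$1" || true
}

# grep_dump DUMP.sql : dump lines carrying the same markers, plus injected
# script/iframe tags and javascript: URLs typical of wp_posts/wp_options hits
grep_dump() {
    grep -nE "$SUSPICIOUS|<script|<iframe|javascript:" "$1" || true
}

# triage ROOT YYYY-MM-DD [DUMP.sql] : print all three reports in one go
triage() {
    echo "== files modified since $2 =="
    recently_modified "$1" "$2"
    echo "== suspicious constructs in PHP files =="
    grep_suspicious "$1"
    if [ -n "${3:-}" ]; then
        echo "== suspicious content in database dump =="
        grep_dump "$3"
    fi
}

# Usage: sh triage.sh /path/to/your/website/root 2021-02-01 [dump.sql]
if [ $# -ge 2 ]; then
    triage "$@"
fi
```

Every hit is a lead, not a verdict: compare each flagged file against a clean copy of the same version before deleting anything.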
First things first. We need to remove malware and clean the hacked site. Here are some useful tips that will guide you through the process of cleaning a hacked WordPress site.
1. Replace or remove infected files
Do you have backups? Then you are lucky! First, make sure the backup itself is not infected (the malware may already have been there when the backup was taken), then restore a clean version.
If you found hacked files, replace them manually with clean WordPress core files, plug-ins or themes. You can overwrite the infected files via FTP or command line.
Sometimes the virus not only modifies existing files but also creates new ones. Do not forget to remove them!
2. Clean the database
Basically, you have three options:
- The first option, available if you are advanced enough, is to manually edit the database dump downloaded from the server. However, make sure that you don’t break the MySQL syntax.
- The second option is to use a tool such as a database Search & Replace plug-in.
- The third option is to use a database client like phpMyAdmin, Adminer or others. These allow you to edit tables and records in the database through a GUI.
3. Investigate how the malware attacked your website
It’s not enough to remove the malware. If you don’t secure the website, the problem may reoccur within a few hours, so you have to find out how your website was hacked.
- If you have identified the malware, search the Internet for information about it and tips on how to protect your website.
- Read vulnerability reports such as [https://www.webarxsecurity.com/wordpress-vulnerability/]. Check the plug-ins listed, as you may be using one of them.
- If you have identified the time of the attack, search the server’s access logs around that time.
4. Scan your computer with an anti-virus
Also recommend this to all website users who have an account, as the website can be infected while someone edits it from a computer that is itself infected.
Secure your website and prevent future attacks
1. Keep WordPress, plug-ins and themes up to date
An outdated version of the software is the most common reason for infection. Keep your WordPress installation up to date. You don’t have to update it every day, but doing it once a month seems like a good idea.
2. Change passwords
Reset your password and recommend, or even require, that every user does the same.
3. Remove unused user accounts
Remove all accounts of users who are no longer using the website.
4. Update PHP, MySQL and the web server (Apache, Nginx)
Do not use an unsupported PHP version; update to a supported stable one. Check the information on wordpress.org.
5. Set up a firewall
Set up a firewall, if your server does not have one. Do it ASAP!
6. Set up file permissions
It is good practice to prevent users from changing files in the root, wp-includes and wp-admin directories.
You can also prevent changes in /wp-content/plugins and /wp-content/themes to increase security. However, in that case you won’t be able to update plug-ins through the admin panel and you’ll have to replace the files manually.
Below are commands to change file and directory permissions:
find /path/to/your/website/root/ -type f -exec chmod 644 {} \;
find /path/to/your/website/root/ -type d -exec chmod 755 {} \;
Additionally, you can add:
define( 'DISALLOW_FILE_EDIT', true );
to wp-config.php to prevent users from editing theme files through the admin panel.
7. Disable XML-RPC
If you are not publishing to or accessing your website remotely, you do not need pingbacks and trackbacks. Likewise, disable Jetpack if you are not using it, as it relies on XML-RPC.
You can do this with a plug-in or by adding the following to your .htaccess file:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
8. Limit the number of login attempts
Install a plug-in that blocks logins after the password has been entered incorrectly too many times, to prevent brute-force attacks.
9. Do not forget about backups!
You need backups! It’s a must.
Usually, your web hosting provider does this automatically. Check how long the backups are kept (3, 7 or more days). Otherwise, do it yourself with a plug-in (UpDraft, WP-Backup, etc.).
10. Do not use “admin” username
Never use “admin”, your domain name, or your website name as a username. Most attacks try “admin” first!
11. Use two-factor authentication
Two-factor authentication requires the user to pass an additional authentication step to log in. You can use a plug-in such as “Two-factor Authentication” to implement this feature.
12. Monitor changes in files and logs
As mentioned earlier, most malware modifies files. You can use a bash script to detect changes in files and receive an email notification when changes are found. You can also use a more advanced solution like OSSEC [https://www.ossec.net/].
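A minimal version of such a script, added here as an example (not code from the original article): it records a SHA-256 baseline of the install, reports added, removed and modified files, and mails the report. The install path, the manifest location, the excluded directories and the mail recipient are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal file-integrity
# monitor for a WordPress install. "wp_baseline" records a SHA-256 of every
# file, "wp_check" compares the live tree with that record and reports
# ADDED / REMOVED / MODIFIED files, "wp_notify" mails the report if the tree
# changed. Paths, the manifest location and the recipient are assumptions.

# wp_manifest ROOT : "hash  ./relative/path" for every file under ROOT,
# skipping uploads and cache, which legitimately change all the time.
# Paths containing spaces are not handled (awk splits on whitespace below).
wp_manifest() {
    ( cd "$1" && find . -type f \
        -not -path './wp-content/uploads/*' \
        -not -path './wp-content/cache/*' -print0 \
      | sort -z | xargs -0 -r sha256sum )
}

# wp_baseline ROOT MANIFEST : store the current state as the trusted baseline
# (do this right after a clean install or a verified clean-up, and keep the
# manifest outside the web root so a later intruder cannot rewrite it)
wp_baseline() {
    wp_manifest "$1" > "$2"
}

# wp_check ROOT MANIFEST : one line per difference against the baseline;
# prints nothing when the tree is unchanged
wp_check() {
    current=$(mktemp)
    wp_manifest "$1" > "$current"
    # first file = baseline, second = current state; a path only in the
    # baseline was removed, only in current was added, differing hash = modified
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in base))       print "ADDED    " $2
          else if (base[$2] != $1) print "MODIFIED " $2 }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | sort
    rm -f "$current"
}

# wp_notify ROOT MANIFEST RECIPIENT : e-mail the report when anything changed
# (run from cron; assumes a working local "mail" command)
wp_notify() {
    report=$(wp_check "$1" "$2")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "WordPress file changes on $(hostname)" "$3"
    fi
}
```

After each legitimate update, re-run wp_baseline so the next report only shows changes you did not make.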
Security plug-ins
There are very popular security plug-ins for WordPress – such as Sucuri, Wordfence and iThemes Security – with a huge community of fans. They offer advanced features to improve security and help beginners take care of their websites.
However, there is a debate among WordPress developers whether to use them, as security plug-ins can have some drawbacks, such as poor performance or security issues that some of them have had in the past. Moreover, several developers claim that plug-ins are not necessary if your website is well-secured.
Website firewall
The most advanced type of anti-malware and hack protection is the Web Application Firewall (WAF). WAFs are meant to actively detect and stop dangerous requests before they reach the site code, exploit a vulnerability and inject malicious code. Some hosting providers include this kind of protection in their standard hosting packages. There are also third-party providers like Cloudflare or SiteLock. WAF solutions typically require an additional monthly or yearly fee, but in exchange they give you peace of mind and should be considered especially for business-critical websites, where any downtime may lead to lost money or a dangerous data breach.
Conclusion
As always, prevention is better than cure. This is why it really surprises us how often we still see people neglecting even the most basic measures to protect their websites. Regular site updates and a correct initial setup are the absolute minimum that should be done to secure any WordPress-based website. In the case of a simple brochure-like website you typically risk just a few days of downtime and a ban from Google. But if you own an e-commerce site, the worst-case scenarios include theft of your clients’ credit card numbers or leaking their private data to hackers. So beware and take the proper action to protect your site and your clients’ data. In case of any doubts – we at White Label Coders are always happy to help!