Healing hacked website

WordPress is a CMS(content management system), software which allow authorized users, to create & update website content in easy manner. It’s very popular and actually wordpress drives a third of total available websites on the internet. Although it has rivals/competition – free or commercial CMS solutions, this data means that wordpress offers something that others don’t have or there is something in it what others don’t have.

WordPress, in its core is a free software, with a set of default functionalities. Those functionalities can be further improved or new functionalities can be added via different ready to be installed software – plugins.

That actually means, that its code is publicly available, including individuals who are looking for security holes, which can be used to bring website down, or harm it in some other way. I don’t like to write about the things that can happen, I’m just saying that we already tackled quite a few hacked/knocked out websites, so we’ve decided to write down some kind of manual/instructions what to do when your website is hacked, and what you should do to bring it up again.

Security holes

WordPress core code is constantly updated, from time to time wordpress dev team releases new wordpress versions, which introduces new features and bug/security issues patches. So security holes or software / security bugs, which can occur, are promptly sealed by this updates. Although there is a chance that someone find a way to use a weak spot, and to be fast enough to write a software which will scan the web and seek wordpress websites with that specific version, but that is really rare.

Majority of these attacks, from our experience, are using weak spots found in these website addons – plugins. Currently is registered arround 50k plugins, which can be installed & used on your wordpress driven website, and by doing so, installing one of those plugins, can potentially create a backdoor for a hacker to harm your website, or steal your data. WordPress plugins, can go stale. Plugins and wordpress core must be kept up to date.

Brute force technique, is one of techniques which is used by attacker. Idea behind this is to try to combine a large number of common usernames and passwords, and if after some time correct combination is used, attacker will gain access to wordpress dashboard. Although anyone can try several combinations, that’s actually benign form of this technicque – special software is written with one purpose, combine common username with passwords and automatically fill in appropriate fields and submit the login form.

File upload fields – are also one of potential weak spots. Using these fields, harmful script can be uploaded to a server. After successful upload, it can be ran by attacker, either by accessing it over url, or by  some other means. This technicque can threaten all files hosted on specific server.

Input fields – are also convenient for mysql injection method. Using quotes, you can actually, on unprepared websites, intercept MySql statement, statement which is used to INSERT gathered data by that input field, or form where input field is placed,  and after interception, you can write your own MySql statement, for example to erase default wordpress table, or its rows – DELETE FROM wp_posts. So, you need to change table prefix – don’t keep default table prefix wp_.

We just wanted to go through some of most common techniques, so you can find out more about mindset behind these attacks. So we’ll not focus now on source of the problem, which led to malfunction of your website, we’ll now cover fixing a wordpress after successful hacking.

Exploration phase

Every website is a story for itself, it uses themes written in one or other way, and because of that, I can’t give you what you should do exactly for your specific case, but we can group these efforts in some general steps:

• damage control – dig in and catalog everything suspicious / symptoms – for example database is dropped, or server files are infected with some virus, some files are deleted, other ones are altered, etc.
• exploration – after damage control, try  to find out as much as possible about attacker, about attack technique, about the way attack was carried out (analyze server logs). That’s actually important step before going to fixing part. In this way you’ll be able to find out more about the attack, maybe something additional you haven’t find out in first step and what to do after you fix your website, to prevent same attack in the future. These attacks are mostly random/generic/identical, so you won’t be alone hit by it, and rarely someone targets only your website.
• bringing the website up again – after first two phases, you’ll find out what is broken, and what is needed to bring it up again, and what we should do to protect it from same attacks in the future.

Fixing wordpress after hacking – standard steps

1. Catalog all your plugins(inside wp-content/plugins folder) and their versions & states(active / disabled), and delete them all, just to be safe
2. Delete folders wp-admin i wp-includes and all other files inside root folder of your website (the same folder where are wp-content, wp-includes, wp-admin folders), but backup wp-config.php, so you can easily copy/paste your website config in new wp-config.php, you’ll obtain from fresh wordpress instance.
3. go inside wp-content folder and delete everything except themes, uploads and mu-plugins (it’s possible that this one you don’t have, this is optional folder). Scan complete wp-content folder with some antivirus software, just in case (once you transfer all website files from a server to your pc).
4. Manually analize following files:
   • [root]/wp-config.php – this file is found in a fresh wordpress instance, as wp-config-sample.php. Once you download fresh & latest wordpress instance, you can copy/paste data from your previous wp-config.php. You should only copy/paste needed data, like  DB_NAME, DB_HOST, DB_USER, DB_PASSWORD and everything else  your website uses.
   • [root]/wp-content/themes – delete all themes that aren’t used, and if you have some theme backup, copy/paste theme folders from there, and if you don’t have backup, you’ll need to go through every file and analyze if everything is ok. If you don’t know how to do this or what to look for, you’ll need to contact someone who does.
   • [root]/wp-content/uploads – go inside this folder and delete everything that isn’t valid document(pdf, docx, xlsx …) or image or video material – you’ll know what you have uploaded. This folder, by default, consists of folders with years, and inside every year are folders with months. Don’t delete them, open them and see if everything is ok inside them. If you find files that ends with something strange or executable like bat, exe, php – delete them or see if you need them, but it’s most likely you will need to delete them.
   • [root]/wp-content/mu-plugins (if this folder exists, analyze it , and if you find out  something strange – delete it)
5. Optional & recommended step: inside wp-config.php file, change default database prefix, for example if there is “wp_” there change it into something else (search for php variable named $table_prefix  ), just have in mind, that you’ll need to do some DB search & replace for everything to work after this change, where you would look for old prefix “wp_” and change it for “prefiks2_” for  example.
6. Optional step: change salt keys – there is online generator of these keys – salt key generator, all you need to do is to copy/paste them inside your new wp-config.php file on proper place – you’ll find inside that file where to place them.

or like I’ve already mentioned, take complete website back, database & files, from previously generated backup… Now you can see what are benefits of regular backups, and how much time or money it can save you. In this case, where you have backup, you would only need to go through Exploration phase before bringing the website up – don’t skip it!

What else can be done?

Why we should only stop on clearing the consequences caused by hack atack:

• Install some security plugin and configure it properly like wordfence.
• Install recaptcha, version 3 or version 2 and add it on every  form, even on login form (easily with wordfence plugin, mentioned in step 1)
• Optional – move these paths /wp-login.php, /wp-admin, /wp-login to something  more secure or custom, like /john-doe-login-place , to pump up protection from brute force
• Generate regular backups – database & files, or just database if your files are placed on some file repository(github/bitbucket), you should alse keep those repos up-to-date, from time to time, in that case. Adjust backup rate with your website updates. There is no need to have backup on day-to-day basis, if you add new contents to your website once per month. Once the website is hacked, and you decide to import back backuped database, all the possibly stale data from a backup will replace fresh data in your hacked database – so you could loose latest articles possibly. It’s on you to determine best backup interval.
• Strenghten your .htaccess – there are a lot of tutorials online how to do so, or install plugin from step – 1
• Disable folder scanning – it’s possible that if you hit folder without index.html or index.php over url, that all the contents of that folder will be shown in the browser.
• Optional: clear the metatags from website pages that shows additional info about your wordpress installation like:
  • generator
  • wlwmanifest
  • EditURI
  • pingback
• Optinal: remove server signature response (Apache, php 7.4, mysql 5 …)

Conclussion

Keep your wordpress and plugins updated, see how much people already installed specific plugin, check if that plugin is a proper match to your wordpress version, keep your  themes updated, and don’t keep or use themes that are dependent on specific plugin version(not latest one). If you develop your own theme, think of security during development, and your website will remain standing after attacks. If not, go back to the start of this article and read it again.