Your WordPress Site is and is not Hacked - You don't know until you check
IS AND IS NOT
You must assume your site is both hacked and not hacked until you open the box and find out.
WordPress Instructor and Custom Theme Developer
Using WordPress since 2007 (version 2.2)
Not a security expert, but I play one on WordPress.tv
Ask WP Girl @askwpgirl
WHY DO HACKERS HACK?
Deface sites for fun
Add spammy links to bad web neighborhoods (SEO spam)
Hijack site to add spam, porn, gambling, pay-day loans content
Steal sensitive information to sell
Distribute malware to personal
Use server resources for
WHAT DO HACKERS
Create admin account
Inject malicious code into content
Add malicious code to existing files or new files
Redirect your website
Gravity Forms hack
WHY SHOULD YOU CARE?
Blacklisting or Phish Tank
TYPICALLY, ONLY THE MOST SEVERELY HACKED SITES WILL BE SUSPENDED BY HOST
Many hacks are hidden
Google Analytics, WordPress 4.2.1, Backup to Dropbox, FancyBox, Revolution Slider, Gravity Forms
Database of all vulnerable plugins and themes: https://wpvulndb.com/
LOW HANGING FRUIT
Vulnerabilities immediately published on the web
Hackers write bots to exploit vulnerabilities
Website owners are oblivious: they don’t update, use weak passwords, install tons of plugins, use not-great web hosting
“SPOT THE HACK” GAME
A - Scan Site
B - Look at files on server
C - Find the hacked code
1 - Backdoors
PHP files uploaded to your server and accessed remotely. Severely affect site and server performance. Not easy to find.
“It's very common that backdoors don't have any visible signs in the site code and it's impossible to detect them by accessing the infected site from outside.” ~ Sucuri
2 - Drive by Downloads
Script injected on website generates links to malware sites or downloads malware from your site to visitors’ computers.
Easy for scanners to detect.
3 - Pharma Hack
Spam links injected onto web pages only visible to search engines. Difficult to scan for because cloaked.
4 - Malicious Redirects
Redirects traffic from your website to another, typically by modifying the .htaccess file, sometimes only when viewed by a particular device or browser, like a phone.
Hacked .htaccess file
DIY HACK RECOVERY
Via SFTP (preferred) or FTP
everything. Good to examine later for details of hack if
3 Upload fresh:
Why are people from Thailand and Romania accessing a strangely named PHP file?
Check raw access logs via cPanel
db12.php, css.php, dirs35.php????
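The raw-log triage from the slide above, as an added example (not part of the original talk): the log lines are constructed in Common Log Format, and the list of "expected" WordPress entry points is an assumption that you would tune for your own site.

```shell
#!/bin/sh
# Added example, not from the slides. Lists requests to PHP files that are not
# normal WordPress front-door scripts, grouped by client IP, so oddly named
# files like db12.php or dirs35.php stand out. Log lines below are constructed.
LOG_SAMPLE='203.0.113.7 - - [10/May/2015:03:14:01 +0000] "GET /wp-content/uploads/2015/03/db12.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/May/2015:03:14:09 +0000] "POST /wp-content/themes/demo/css/css.php HTTP/1.1" 200 88 "-" "curl/7.38"
192.0.2.15 - - [10/May/2015:03:15:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.15 - - [10/May/2015:03:16:02 +0000] "GET /index.php?p=42 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2015:03:20:30 +0000] "GET /dirs35.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"'

# Reads access-log lines on stdin; prints "count ip path" for every PHP request
# outside the expected entry points, busiest first.
suspicious_php_requests() {
  awk '{
    path = $7; sub(/\?.*$/, "", path)          # drop the query string
    if (path !~ /\.php$/) next                  # only PHP is interesting here
    # Expected WordPress front-door scripts and the admin area (assumed list).
    if (path ~ /^\/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$/) next
    if (path ~ /^\/wp-admin\//) next
    hits[$1 " " path]++
  }
  END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2
}

printf '%s\n' "$LOG_SAMPLE" | suspicious_php_requests
```

On cPanel hosts the same function works on the downloaded raw access log: `suspicious_php_requests < access_log`.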
Audit Activity on Site
Check WordPress core integrity
using Sucuri plugin https://
plugins/gotmls/ to check
Look for modified dates, unusual names, file types that don’t belong
Compare ﬁle list to original
Commonly hacked files: .htaccess,
Any file can be hacked!
Finding PHP Back Doors
Hmmmm? PHP in a CSS folder?
Finding and Removing Malicious Redirects
Listen when someone tells you that they tried to visit your site and couldn’t, and find out which browser or device they were using at the time.
SimulateUserAgent.asp to verify
Scan with Sucuri’s SiteCheck
Check all the .htaccess files on the server and remove
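The .htaccess sweep from the slides above, as an added example that is not part of the original talk: it walks every .htaccess under a site root and flags rewrite rules that send visitors to an external host only when a user-agent or referer condition matches, which is how a device-specific redirect hides from the site owner. Both .htaccess files are constructed; the redirect host is a placeholder.

```shell
#!/bin/sh
# Added example, not from the slides. Creates a constructed site root with a normal
# WordPress .htaccess and a planted one, then reports visitor-conditional redirects.
make_sample_htaccess() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  cat > "$d/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
EOF
  # Planted rule: only phones arriving from a search engine get redirected.
  cat > "$d/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry) [NC]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect.example/landing.php [R=302,L]
EOF
  printf '%s\n' "$d"
}

# Prints "file: RewriteRule ..." for every rule whose target is an absolute URL and
# whose preceding RewriteCond chain tests the visitor's user agent or referer.
conditional_external_redirects() {
  find "$1" -name .htaccess -type f | sort | while IFS= read -r f; do
    awk -v file="$f" '
      toupper($1) == "REWRITECOND" {
        if ($2 ~ /HTTP_(USER_AGENT|REFERER)/) armed = 1   # visitor-dependent condition
        next                                               # other conditions keep the chain
      }
      toupper($1) == "REWRITERULE" {
        if (armed && $3 ~ /^https?:\/\//) print file ": " $0
        armed = 0; next
      }
      { armed = 0 }                                        # anything else breaks the chain
    ' "$f"
  done
}

SITE=$(make_sample_htaccess)
conditional_external_redirects "$SITE"
rm -rf "$SITE"
```

To confirm the behaviour from outside, request the page with a phone user agent, for example `curl -I -A "Mozilla/5.0 (iPhone)" https://your-site.example/`, and compare the response with the one your desktop browser gets.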
Use Google Search Console!
Google Webmaster Tools/Search Console
Search Queries – you can spot queries irrelevant to your site.
Links to Your Site – you can find suspicious incoming links here.
Internal Links – this report can help reveal rogue sections of your site.
Check for rogue users and posts
Your new admin friends?
Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
Use Sucuri plugin to Generate New Security Keys
Reset all passwords, including WordPress users, FTP, web hosting, control panel
Scan computer for viruses!
See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination
CLEAN UP “BAD” HACK
If hackers got admin access to site or database, you might have to nuke the entire site from orbit — it’s the only way to be sure
site clean up and
REQUEST SITE REVIEW
If Google blacklisted your site or marked it for a phishing scam, you will need to request a review after you are certain you’ve cleaned up all hacked files:
UPDATE UPDATE UPDATE
Timely updates are critical for security.
Tools: iControlWP, MainWP, InfiniteWP, Jetpack, ManageWP
SECURE YOUR LOGIN
Enable Two-Factor Authentication:
Avoid logging in on public WiFi networks
RUN A TIGHT SHIP!
Delete ALL unused stuff on server
Only use popular and well-maintained themes and plugins
Don’t allow users to register (Settings > General)
Always hold comments for moderation and use spam filtering (Akismet plugin)
Correct File Permissions
WordPress Auto Updates
Firewall and Scanning
Managed WordPress Hosts:
Limit login access
Block bad URL requests with a Firewall
Security through obscurity is not security
IP addresses don’t matter and should not be used as the foundation of a WordPress security policy
My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/
Does all the above and more. Will notify you of vulnerable plugins.
Common wisdom is to back up your site
Backups are to your site what major medical health care coverage is to your health
Usually only helpful in case of a disaster
SECURE YOUR COMPUTER
Scan for viruses and trojans
Be careful about downloading stuff!!!!
http://sucuri.net - free scan, hack recovery, site monitoring, great posts on how to clean up specific hacks
About the banking hack: https://www.proofpoint.com/es/node/327
Top 10 Web application security risks for developers: https://youtu.be/nuWR_HiBHYc
One-on-One consulting third Friday of every month at Boulder Digital Arts
Six-week theme customization course in Colorado and online.
SEO and Best Maintenance Tips