
Identifying a Compromised WordPress Site

This talk was originally delivered at the Melbourne WordPress Developer Meetup in July 2016. Rather than the common talks on hardening and prevention, this presentation covered how you can identify that a WordPress website has been compromised, and some of the early warning signs.


  1. Identifying a Compromised WordPress Site @chrisburgess #wpmelb
  2. Prevention is the holy grail; however, it's not the topic of this talk.
  3. You can't always prevent, so you must detect.
  4. Even if we're doing everything possible to harden and maintain our installations, we should still monitor our high-value sites.
  5. Is Penetration Testing Worth It? "There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You're vulnerable. Now, go do something useful about it." -- Bruce Schneier
  6. The following examples are often the first signs of a successful attack.
  7. Ahrefs and Google Search Console
  8. Real example of anchor text from Ahrefs.
  9. Real example of a malicious plugin.
  10. Real example of a malicious plugin.
  11. This shouldn't be the first sign of a compromised site. There are usually plenty of early warning signs.
  12. But first…
  13. Links to the Quora article
      • banks-website-using-WordPress-What-security-measures-should-I-take
      • wordpress/
      • matt-mullenweg-weighs-in-on-security-concerns
  14. https:// measures-should-I-take/answer/Karol-Krol?srid=uD68
  15. Let's ask another question. Is Linux secure? Is Django secure? Is iOS secure? Is MySQL secure? Is Drupal secure? Is Node.JS secure? Is <insert browser> secure? Is Android secure? Is Rails secure? Is Windows Server secure? Is Shopify secure? You get the idea… This can get subjective, since some have a much better track record than others, and some are designed with security as a priority.
  16. So, banks aside, what would constitute a high-value target?
  17. High-traffic sites, anything with Personally Identifiable Information (PII), software vendors, service providers?
  18. Credit card numbers aren't the only form of sensitive information.
  19. It's really easy to say "something isn't secure".
  20. It's much harder to actually build something that is secure (knowing that there's no such thing as absolute security).
  21. The best answer is that if security is important, you need "people" working on it.
  22. The Internet is a hostile environment. We need to have a healthy respect for this fact.
  23. The current dilemma…
  24. Hosting Providers
  25. Plugins
  26. Systems and Services
  27. Users
  28. Good Developers
  29. Good Support, Ops and SysAdmins
  30. A high-value business needs good people, from all of these disciplines, working together.
  32. Real example of a malicious file.
  33. You can't rely only on tools; they won't always detect a compromise.
  34. Most WordPress security tools work by using signatures. For context, Kaspersky AV for Windows currently has around 500,000 signatures. A signature only matches what has already been seen and catalogued, so a custom or freshly re-obfuscated backdoor on your site will not match any of them.
  35. Scanning your site with online tools works only if your site is serving active malware, is defaced or is blacklisted. A remote scanner only sees what the site serves to the outside world; a dormant backdoor on disk is invisible to it.
  36. If a site has been compromised, it cannot be trusted.
  41. Isolation: look out for a shared web root, addon domains in cPanel, or other web apps in subfolders. Each of these puts other code in the same filesystem and PHP context, so a hole in any one of them is a hole in all of them.
  42. We're going to assume that a fresh WordPress install, or a restore from a clean backup, is needed.
  43. Places/things to check…
      • Content/files (.htaccess, index.php, sitemap.xml, anything custom)
      • Running processes
      • Running scripts and open files (look at full paths in processes)
      • Memory
      • Cron jobs
      • Database
      • Dates and timestamps
      • Suspicious plugins
      • Suspicious directories/files
      • Sitemaps/SERPs
      • WordPress admin users
      • Other users in Google Search Console / Webmaster Tools
      • Code audit
  44. Checking content
      • grep
      • Screaming Frog (useful for finding JS)
      • Sucuri SiteCheck
      • Safe Browsing Site Status (Google)
  45. Once the server has been compromised, it cannot be trusted.
  46. Tools for Detection
      • System Monitoring
      • Integrity Monitoring
      • Firewalls
      • IDS/IPS
      • Malware Scanners
      • Logging
  47. System Monitoring
      • Resources (bandwidth/CPU/RAM/IO)
      • Logins
      • Processes
  48. Integrity Monitoring
      • git
      • wp-cli
      • Any diff tool
      • Plugins
      • Tripwire (and similar)
  49. wp-cli's verify-checksums
      $ wp core verify-checksums
      Success: WordPress install verifies against checksums.
      Thanks to @davemac for this tip!
      Note that this checks only the core files against the checksums wordpress.org publishes for that version: wp-config.php, plugins, themes and uploads are outside its scope (newer WP-CLI releases add wp plugin verify-checksums for plugins hosted on wordpress.org).
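wp core verify-checksums covers core files only. The script below, an added example that is not part of the talk or of wp-cli, extends the same idea to the whole document root in the manner of the git, diff and Tripwire items on the integrity-monitoring slide: hash every file while the install is known-good, keep that manifest somewhere the web server cannot write, and later diff a fresh manifest against it. It builds and then tampers with a constructed site in a temporary directory so it runs offline; the file names and contents (index.php, wp-config.php, an akismet readme, a shell.php dropped in uploads) are invented for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline. Hash every file once
# while the install is known-good, store the manifest off the server, and
# later diff a fresh manifest against it.

hash_file() {   # sha256sum on Linux, shasum on macOS/BSD; prints "<hex>  <path>"
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

build_manifest() {   # $1 = site root, $2 = manifest file to write
    ( cd "$1" && find . -type f ! -path './wp-content/cache/*' -print | sort |
        while IFS= read -r f; do hash_file "$f"; done ) > "$2"
}

# Diff two manifests. The path starts at column 67 (64 hex chars plus two
# spaces), which keeps file names containing spaces intact. Output lines are
# "added<TAB>path", "modified<TAB>path" and "removed<TAB>path".
compare_manifest() {   # $1 = baseline manifest, $2 = current manifest
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in base))          print "added\t" path
            else if (base[path] != hash)  print "modified\t" path
        }
        END { for (p in base) if (!(p in seen)) print "removed\t" p }
    ' "$1" "$2"
}

# Constructed sample install (not a real one): a few core-looking files and
# a plugin readme.
make_clean_site() {   # $1 = directory to create
    mkdir -p "$1/wp-includes" "$1/wp-content/plugins/akismet" "$1/wp-content/uploads"
    printf '%s\n' '<?php require __DIR__ . "/wp-blog-header.php";' > "$1/index.php"
    printf '%s\n' '<?php define("DB_NAME", "wp"); define("DB_PASSWORD", "secret");' > "$1/wp-config.php"
    printf '%s\n' '<?php function wp_hello() { return "hi"; }' > "$1/wp-includes/functions.php"
    printf '%s\n' '=== Akismet ===' > "$1/wp-content/plugins/akismet/readme.txt"
}

# Simulate what a typical compromise leaves behind: an include injected at
# the top of index.php, a backdoor dropped in uploads, and a deleted file.
tamper_site() {   # $1 = site root
    printf '%s\n' '<?php @include_once "wp-content/uploads/shell.php"; ?>' |
        cat - "$1/index.php" > "$1/index.php.new" && mv "$1/index.php.new" "$1/index.php"
    printf '%s\n' '<?php eval($_POST["x"]);' > "$1/wp-content/uploads/shell.php"
    rm "$1/wp-content/plugins/akismet/readme.txt"
}

integrity_demo() {   # baseline a clean site, tamper with it, print the diff
    tmp=$(mktemp -d)
    make_clean_site "$tmp/site"
    build_manifest "$tmp/site" "$tmp/baseline.sha256"   # in real use, copy this off the server
    tamper_site "$tmp/site"
    build_manifest "$tmp/site" "$tmp/current.sha256"
    compare_manifest "$tmp/baseline.sha256" "$tmp/current.sha256"
    rm -rf "$tmp"
}

# sh integrity.sh --demo   -> prints one modified, one added and one removed path
if [ "${1:-}" = "--demo" ]; then integrity_demo; fi
```

The baseline has to come from an install you trust (fresh, or restored from a clean backup, as slide 42 assumes) and has to live somewhere the web server user cannot write; otherwise an attacker with write access to the document root simply regenerates it. Expect legitimate noise from media uploads and plugin updates, so either exclude those paths or re-baseline immediately after each deliberate change.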
  50. Firewalls
      • Network Firewalls
      • Web Application Firewalls
      • Security Services
  51. IDS/IPS
      • Typically at the host level
      • OSSEC
  52. Malware Detection
      • Security Plugins
      • Commercial AV
      • Public Site Scanning
      • Google Search Console
      • ConfigServer eXploit Scanner (for WHM/cPanel)
      • Maldet/ClamAV
  53. Logging
      • /var/log (access, error, php)
      • Centralised logging or log shipping (Papertrail, Loggly, Splunk, Logstash etc.)
      • Audit trails (Stream/WP Audit Trail etc.)
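The access log listed above is where the early warning signs from the start of the talk (login brute force, webshell use, scripted traffic) usually appear first. The script below is an added example, not from the talk, that runs three such checks over a handful of constructed combined-format access-log lines; the addresses are RFC 5737 documentation ranges and the timestamps and paths are invented, so nothing in it comes from a real server.

```shell
#!/bin/sh
# Added example: quick triage of an Apache/nginx combined-format access log.
# With awk's default field splitting: $1 client IP, $6 "METHOD (including the
# opening quote), $7 request path, $9 HTTP status.

# Client IPs with more than $1 POSTs to the two endpoints that brute-force
# tools hammer: wp-login.php and xmlrpc.php. Prints "<ip> <count>".
login_bruteforce_ips() {   # stdin = access log, $1 = threshold
    awk -v thr="$1" '
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { n[$1]++ }
        END { for (ip in n) if (n[ip] > thr) print ip, n[ip] }
    '
}

# Requests that executed PHP from wp-content/uploads. That tree should only
# ever serve media, so any such request deserves a look and a 200 means a
# webshell is being used. Prints "<ip> <status> <path>".
uploads_php_hits() {   # stdin = access log
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php([?].*)?$/ { print $1, $9, $7 }'
}

# Non-browser clients POSTing to PHP: most automated tooling does not bother
# to fake a browser user agent. Prints "<ip> <path> <user-agent>".
scripted_posts() {   # stdin = access log
    awk '$6 == "\"POST" && $7 ~ /\.php/ {
            ua = "-"
            if (match($0, /"[^"]*"$/)) ua = substr($0, RSTART + 1, RLENGTH - 2)
            if (ua !~ /^Mozilla/) print $1, $7, ua
         }'
}

# Constructed sample (not from a real server). 203.0.113.5 hammers the login
# and gets a 200 (the form again) every time; 198.51.100.7 logs in once and
# gets the 302 that marks a successful login; 192.0.2.44 uses a dropped shell.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Jul/2016:03:14:15 +1000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:03:14:16 +1000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:03:14:17 +1000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:03:14:18 +1000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:03:14:19 +1000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:03:14:20 +1000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:03:15:02 +1000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2016:03:20:01 +1000] "GET /2016/07/hello-world/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Jul/2016:03:21:10 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Jul/2016:04:02:33 +1000] "POST /wp-content/uploads/2016/07/image.php HTTP/1.1" 200 128 "-" "python-requests/2.9.1"
192.0.2.44 - - [10/Jul/2016:04:02:40 +1000] "GET /wp-content/uploads/2016/07/image.php?c=id HTTP/1.1" 200 64 "-" "python-requests/2.9.1"
EOF
}

# sh logtriage.sh --demo   -> runs the three checks over the sample lines
if [ "${1:-}" = "--demo" ]; then
    echo "== more than 5 login POSTs =="; sample_access_log | login_bruteforce_ips 5
    echo "== PHP executed from uploads =="; sample_access_log | uploads_php_hits
    echo "== scripted POSTs to PHP ==";     sample_access_log | scripted_posts
fi
```

On a live host pipe the real log in (for example cat /var/log/apache2/access.log | login_bruteforce_ips 20). The status codes in the sample matter: WordPress answers a failed login with a 200 (it renders the form again) and a successful one with a 302, so a burst of 200s followed by a 302 from the same address is a brute-force attack that worked and is a stronger signal than the count alone.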
  54. WPScan WordPress Scanner
  56. Use a security plugin (or manually harden)
  57. Final words… Security issues typically stem from underlying patterns in how a site is built and run. Cleaning, restoring or rebuilding doesn't address those patterns, which is why compromised sites are much more likely to be compromised again. Get everyone on board to take security seriously.
  58. Prevention and Response
      Hardening/Prevention: • Hardening_WordPress
      Post-hack/Response: • to-do-after-a-website-hack/
  59. Resources
      • Verizon DBIR (verizon-insights-lab/dbir/)
      • Sucuri
      • WP White Security
      • OWASP
  61. Thanks and stay safe! @chrisburgess #wpmelb