Your WordPress Site Has Been Hacked: What Now?

You find some blog posts on your site that you didn’t publish. Or you get an email from your host telling you your site is sending out spam email. Or maybe you were just browsing your site and you found a file that doesn’t look quite right.

In this talk, we’ll cover everything from the basic steps to take (changing passwords, locking down your theme, and enforcing proper file permissions) to finding the affected portions of your site (checking core, theme, and plugin files against WP.org versions) and removing the malicious code. We’ll also touch on general security practices that can prevent breaches in the future.

Keanan Koppenhaver is a Digital Product Developer and Consulting Engineer with doejo, a WordPress VIP Partner Agency.

While at doejo, he has worked on baking WordPress into the publishing workflow of one of the largest investment news publications in the United States, a WordPress-backed real estate investment portal, and many other projects large and small.

He is passionate about mentoring other developers as well as teaching people that WordPress can be more than just a blogging platform. Keanan writes about all these topics and more at http://levelupwp.net.

Published in: Technology

Your WordPress Site Has Been Hacked: What Now?

  1. You’ve Been Hacked: What Now? KEANAN KOPPENHAVER @KKOPPENHAVER HTTP://LEVELUPWP.NET
  2. Who Am I?
     • Developer at doejo
     • Been working primarily on WP projects for the past 3 years
     • Sites large and small
  3. People on the internet are rude.
  4. Part 1 | Discovery
  5. Your host may tell you.
  6. You may see some strange behavior
     • Published posts you didn’t write
     • Menu links you didn’t create
     • Images you didn’t upload
  7. (Check with anyone else who works on your site)
  8. Google may tell you
  9. Mysterious redirections
  10. Part 2 | Recovery
  11. https://codex.wordpress.org/FAQ_My_site_was_hacked
  12. Backup Now
      • Some hosts will disable/take down your site when they find out you’ve been hacked
      • Peace of mind during the restore process
      • Useful even if (especially if) you already have an existing backup
  13. Restore from your backup
  14. You’re un-hacked!
  15. Questions? KEANAN KOPPENHAVER @KKOPPENHAVER HTTP://LEVELUPWP.NET
  16. No backup?
  17. Run local scans
      • Some server infections start with your local environment, make sure that’s clean first
  18. Start from scratch
      • Difficult to identify everything, even the smallest backdoor could let attacker back in
      • Fresh (separate) install, bring all content over via WP Export
  19. Post-mortem Site Scan
      • Sucuri Site Scan
      • WordFence Site Scan
      • Command-line diff-ing (on files that aren’t supposed to change)
  20. Change everything
      • wp-admin password
      • DB password
      • FTP/SSH password (maybe use public keys instead?)
      • Hosting admin panel
      • SECRET KEYS (to kick out logged in users)
  21. define( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' );
      define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );
      define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' );
      define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );
      define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );
      define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );
      define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' );
      define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );
  22. Part 3 | Prevention
  23. Strong Passwords
      • Use a password manager (1Password, LastPass)
      • Don’t share passwords between services (WP, MYSQL, FTP) or installations
  24. Updates
      • WP Core
      • Plugins, plugins, plugins (update and clean up)
      • Themes (update and clean up)
  25. Get a Security Plugin
      • WordFence
      • Sucuri
      • iThemes Security
  26. Hardening WordPress https://codex.wordpress.org/Hardening_WordPress
  27. Specific Tips
      • Don’t give the WP user root access to MySQL
      • Change the default table prefix
      • Hide the WP version
      • Change the default login URL (/wp-admin)
      • Don’t use admin as your username
      • Block login attempts
  28. Questions? KEANAN KOPPENHAVER @KKOPPENHAVER HTTP://LEVELUPWP.NET
