WordPress's popularity has made it a prime target for hackers. Each day countless self-hosted WordPress sites are damaged or taken down, usually by automated attacks exploiting known vulnerabilities. Many WordPress site administrators only learn way too late about the important of pre-emptive security hardening after they have become victims of an attack and have suffered the consequences - loss of visitors, search engine ranking and damage to data. Vlad Lasky from Aussie WP Expert shares his strategies and approaches to recovering compromised WordPress sites. Common ways in which WordPress sites are compromised Assessing the damage Determining the means of infiltration Recovering the WordPress installation Preventing reinfection Restoring Search Engine ranking

1. 1
Tips For Fixing a Hacked WordPress Site
Vladimir Lasky
http://wpexpert.com.au/
WordCamp Sydney 2016

2. 2
What Your Client Wishes They Had
 A Time Machine
 Hindsight
 Website & Database Backups

3. 3
General Recovery Strategy
 Assess The Damage
 Disinfect Site
 Replace Data
 Recover Data
 Secure Website
 Check For Reinfection

4. 4
What You Need
 WordPress Admin Account Details
 cPanel Login
 Secure Shell (SSH) Access

5. 5
Files That Are Often Infected:
 .htaccess
 index.php
 index.html
 wp-config.php
 Theme templates
 Plugin Files

6. 6
Files That Are Often Infected:
 Anywhere within the installation:
– .htaccess
– index.php
– index.html
– wp-config.php
 Within wp-content
– Theme templates
– Plugin Files

7. 7
Common Infectious Payloads:
 Shell code (a back door for the hacker)
– Often appears as strangely-named PHP files
 Spam to be shown to site visitors
 Javascript code to pull in content from external
sites or to attempt to trigger vulnerabilities in the
visitor’s web browser
 Boasts about the attacker’s hacking prowess

8. 8
Finding Files Modifed Between Two Dates
 find . -type f -newermt 2010-10-07 ! -newermt
2014-10-08
 find . -type f -newermt "2014-10-08 10:17:00" ! -
newermt "2014-10-08 10:53:00"
 find srcdir -type f -newermt 2014-08-31 ! -
newermt 2014-09-30 -exec mv -i {} destdir/ ;

9. 9
Searching For Obfuscated Code
 Searching for obfuscated code
– base64_decode
– gzinflate
– eval

10. 10
Identifying The Infection
 Sucuri Site Check
 Google Webmaster Tools
 If website still accessible, vulnerability scanning
plugins like Wordfence (or similar plugins)

11. 11
Recovering Site Content
 Old Site Backups
 WordPress Export
 Google's Cache of the site
 Archive.org (also called Internet Archive or
Wayback Machine)

12. 12
Conclusion
 Slides from My Previous Security Talks:
– Wordcamp GC 2011:
• http://slidesha.re/tr2XA5
• Covers the “Three Pillars of Security”, the aims of attackers and other WordPress security
plugins
– WordCamp Sydney 2012:
• http://www.slideshare.net/wordcampsyd/securing-your-wordpress-website-vlad-lasky-
wordcamp-sydney-2012
 Questions and Comments:
– http://wpexpert.com.au/contact-us/