Tips for Preventing and Dealing with WordPress Hacks
Posted by Chis Radu on 15 February 2019 10:22 AM
One of the biggest challenges our Technical Support department faces is dealing with hacking incidents. In spite of our various levels of protection, hackers can still get through. They know how to target vulnerabilities in software and have ingenious ways to appear as legitimate users and site visitors. The more sophisticated hackers also do a good job of covering their tracks. This article discusses hacks to CMS systems, which comprise the majority of incidents, and offers some tips and techniques for preventing and dealing with WordPress hacks.
WordPress is the most popular software in the world for websites. Joomla! and Drupal are also very popular. Because of their open architecture, and widespread use, these three Content Management Systems (CMS) are the #1 target of hackers. The vulnerabilities of these CMS is usually not in the core software itself, but rather results from poor coding in third party add-ons (plugins, themes, etc). There have even been cases where bad actors purchased a popular plug-in, and then embedded a Trojan horse or vulnerability to be exploited later.
As mentioned earlier, hacking is often due to poor programming which leads to code that is vulnerable to exploits. Such exploits are known as backdoors.
A backdoor is commonly referred to as a method of bypassing normal authentication and the ability to remotely access the server while remaining undetected. Some backdoors will allow hackers to create hidden admin usernames that they can use to access the server. More complex backdoors can allow the hacker to upload and execute any PHP code sent from the browser. Some backdoors even have their own UI (user interface) which allows the hacker to impersonate the server. This level of access allows them to send emails, execute MySQL queries and perform other bad acts. What makes backdoors so dangerous is that the hacker can control the entire server.
Where is the backdoor code hidden?
*** Word of advice - You should NEVER use cracked themes, as these are often “patched” with a backdoor.
Plugins – The plugins folder is one of the most used locations for hackers to keep their files in. The reason behind that is simple:
*** Word of advice: Upgrade your WordPress plugins on a daily/weekly basis.
Upload Directory - Another place to look for backdoors is the upload directory. Site owners rarely look in the upload directory. Site images and used in posts reside here. The upload directory can contain hundreds or thousands of images, making it the perfect hiding place. Another downside with the upload directory is that it is writable, making it the perfect target. A very large number of backdoors we find are in the upload directory.
*** Word of advice: Use a security monitoring plugin such as Sucuri. iThemes, or WordFence.
wp-config.php and wp-include - We also find infected code in the wp-config.php. This is a highly targeted file by hackers. The includes folder (wp-include) is also a good place to hide the backdoor. Many hackers will not just leave one backdoor file, but will place them in more than one location. Once the initial backdoor was uploaded, hackers will add another one (or more) to ensure they still have access in case of a cleanup. We often find the backdoor to be disguised as a WordPress file. For example wp-users.php was uploaded in wp-includes. In the normal WordPress installation there is user.php but no wp-user.php in the wp-includes folder. Usually the infected code is after the first php opening tag and it has encrypted code.
*** Word of advice: When in doubt if your wp-config.php file is infected, you can use the wp-confing.php file from a clean WordPress install. Make sure to keep the database connection details.
Random Named PHP Files - We also find the backdoor as a PHP file with a random name generated such as wxshIjduoy.php, which is obviously not a word and without a meaning.
You may encounter such names wp-content.old.tmp, data.php, wp-app.php or php5.php. It does not necessarily have to be a PHP file. In some cases there was an application hidden within a GIF file and that GIF file was hidden within a legitimate image directory. Tracking down such incidents can be a little trickier and requires a lot of skills, including debugging and troubleshooting skills.
Recommendations in Dealing with WordPress Hacks