Malicious Code Guide : Wordpress problems

WORDPRESS HACKING MALICIOUS CODE AND OTHER ATTACKS

Sadly there are loads of script kiddies out there who will see hacking your new Wordpress website as a challenge. Even more worrying, the tools are readily available to anyone who can type "hack wordpress video" into a Google search box. Try it now to see what we mean.

If your website is attacked, the chances are it will start "doing odd things". This can range from a simple BRAG PAGE (for example "Free MyHomeland Now"), through mass mailing, to more sinister uses such as taking part in attacks on other sites or foreign governments, or serving infected drive-by webpages.

No matter how trivial the infection seems outwardly, Calco UK Hosting (like almost all other hosting companies) will, without hesitation, SHUT DOWN YOUR WEBSITE at this point. This is set out in our AUP and Terms and Conditions.

Looking at the problem pragmatically, though, Calco tends to be sympathetic to these events and will typically send out the closure notice email together with any fixes we are currently aware of.

We then refer people to this web page, where they can better understand what has gone wrong and how to fix it.

WEBSITE INFECTION OF WORDPRESS AND JOOMLA INSTALLATIONS IS VERY, VERY COMMON!


WHAT IS A WEBSITE CLOSURE NOTICE?

Our systems automatically detect malicious code activity and prevent execution of ANY file on that domain. We do not delete or otherwise alter the files, which allows the owner of the site to verify what we are telling them. They can then download the infected files by FTP and work on the site locally (and, hopefully, safely) on their own computers. Inspect downloaded files in a text editor or with a scanner; do not run them under a local web server.

HOW MALICIOUS CODE GETS INTO A WORDPRESS WEBSITE

Plugins :
WORDPRESS PLUGINS are REALLY easy to install and offer advanced functionality; however, they contain a lot of VERY complex code and as such cannot realistically be checked by anyone but a specialist programmer. The problem plugins are generally free ones, but not always. A worrying aspect is that malicious code in a plugin often does not trigger right away but lies dormant for a while, so it is difficult for the site designer to work out which element of the website is the problem.

Q. How do I know if a Plugin is safe?
A. You don't. You should obtain your plugins from a reputable source which has some sort of guarantee of safety (the official WordPress.org plugin directory is the usual starting point).

Themes:
WORDPRESS THEMES are a major source of infection. Unless you go through the files one by one, you are unlikely to spot any problems until it is too late.

Q. How do I know if a Theme is safe?
A. You don't. You should obtain your themes from a reputable source which has some sort of guarantee of safety.

Weak Security
Because Wordpress is a universal framework available everywhere, its underlying code is public and the install routine is generally left at its DEFAULT settings. For example, hackers have no difficulty finding the CONFIG file: in a default install it is always in the same place (wp-config.php in the web root). A correctly working PHP server will not show its contents, but a stray editor backup (wp-config.php~, wp-config.php.bak) or a misconfigured server can expose it as plain text, and any file-read bug in a plugin will find it at the known path.
The CONFIG FILE contains the location and password for your Wordpress database!

EXAMPLE
An example of the ingenuity of hackers is where the data for the hack is stored in an image file! This is partly how the sejeal infection operates. It is currently targeting old installations of Joomla. So if you own a site running on Joomla 1.5, update it safely to the most recent version by getting an experienced programmer to do this work for you.

A recent study on wpmu.org showed that of the top 10 "Free Wordpress Themes" sites in Google, only 2 produced themes that tested clean: one of these was Wordpress.org, and the other's themes lacked full functionality.
THAT'S ONE IN THE TOP TEN THAT WAS FULLY FUNCTIONAL AND NOT FULL OF MALWARE OR HIDDEN LINKS


HOW TO KNOW IF YOUR WEBSITE IS HACKED OR INFECTED

The simplest and most common sign is that the front page of your website changes to a political notice or a bragging page saying "You were hacked by ..." and so on.

Or you will be notified by your hosting company that there is an unusual level of activity within the folders and files of your website, possibly mass emailing.

Your website is shut down and you have received an email notice from the hosting company.

You run a scan (see below) and a problem is revealed. Similarly, you may already have software installed on the server to monitor website activity and files (Stop The Hacker etc.).


HOW TO PREVENT A HACKED WORDPRESS WEBSITE

You could try one of the following plugins

WP SECURITY SCAN PLUGIN

WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

  • Passwords
  • File permissions
  • Database security
  • Version hiding
  • WordPress admin protection/security
  • Removes WP Generator META tag from core code

WORDPRESS FIREWALL PLUGINS

Some so-called Firewall plugins claim to prevent suspicious behaviours.

TAC (Theme Authenticity Checker) WP Plugin: install it, then go to Appearance -> TAC in the WordPress Admin. It checks the installed themes for obfuscated code and hidden links.
This is the one we use.

WordPress Firewall uses some WordPress-tuned pre-configured rules along with a whitelist to screen out attacks without much configuration.

BlogSecurity's WPIDS plugin installs PHPIDS, an added security layer for PHP applications.

OSSEC is an open source host intrusion detection system for the server which, among other things, monitors files for change.


GOOGLE SAFE BROWSING

You could check a database such as Google's Safe Browsing diagnostic page, listed below.
Simply change site=google.com/ to your own site, e.g. site=calcouk.com/.
However, if your hosting company is monitoring effectively, they will have switched off your website before Google scans it as "BAD". You can request a scan in Webmaster Tools if this was previously set up for your website.

http://www.google.com/safebrowsing/diagnostic?site=google.com/


SUCURI

Sucuri offers a scanning service and a cleanup service (paid, currently just under 90 dollars).

They will, however, check for FREE whether any of the following are CURRENTLY present on your website:

  • Blacklisted
  • Malware
  • Malicious javascript
  • Malicious iFrames
  • Drive-By Downloads
  • Anomaly detection
  • IE-only attacks
  • Suspicious redirections
  • Spam

Their website is here: Sucuri

GOOD PRACTICES THAT WILL HELP PREVENT JOOMLA, WORDPRESS & OTHER CONTENT MANAGEMENT SYSTEMS BEING HACKED

When you log into Wordpress, DO NOT use ADMIN as the user name (the top box of the log-in page). Use something like John556 or Mary328 instead. WordPress will not let you rename the existing admin account from the dashboard: create a new user with the Administrator role, log in as that user, then delete the old "admin" account and attribute its posts to the new one.
Also make sure your password is a good mix of upper case, lower case, numbers and symbols, and make it long.
DO NOT use the names of football teams, people's names or place names.
A BAD Password Example: LIVERPOOL2013
A GOOD Password Example: liVerPuLL&20&13
Better still, because cracking tools try case changes, letter swaps and year suffixes automatically, use a long passphrase of unrelated words or a random password generated and stored by a password manager.
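The checks behind that advice can be written down. The Python below is an added example for this page (not WordPress code and not any plugin's policy): it reduces a password to its letters, undoes the common digit-for-letter swaps, and compares the result with a small constructed stand-in for a cracker's wordlist of team, person and place names. Run on the page's two examples it flags both, because the substituted version is still within two edits of the team name; the only input it passes is a long passphrase of unrelated words.

```python
"""Password checks in the spirit of the advice above: is the password really
just a football team, name or place with digits or symbols bolted on, and
is it long and varied enough?"""

# Substitutions that cracking tools undo automatically (a small, constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a real cracking wordlist (teams, names, places, top passwords).
WORDLIST = ("liverpool", "manchester", "arsenal", "chelsea", "london",
            "john", "mary", "password", "qwerty", "football")


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def letter_forms(password):
    """The password reduced to letters only, with and without leet-speak undone."""
    low = password.lower()
    plain = "".join(c for c in low if c.isalpha())
    unleet = "".join(c for c in low.translate(LEET) if c.isalpha())
    return {plain, unleet}


def resembles_word(password, wordlist=WORDLIST):
    """Return the wordlist entry the password is built from, or None."""
    for form in letter_forms(password):
        for word in wordlist:
            if word in form or (len(form) >= 4 and edit_distance(form, word) <= 2):
                return word
    return None


def weak_reason(password, wordlist=WORDLIST):
    """Return why the password is weak, or None if it passes these checks."""
    word = resembles_word(password, wordlist)
    if word is not None:
        return f"built from the word '{word}'"
    if len(password) < 12:
        return "shorter than 12 characters"
    classes = sum(any(f(c) for c in password)
                  for f in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3:
        return "uses fewer than three of: lower case, upper case, digits, symbols"
    return None


if __name__ == "__main__":
    for candidate in ("LIVERPOOL2013", "liVerPuLL&20&13", "Tr0ub4dor&3", "Kestrel-Paper9-Lantern-Moat"):
        print(f"{candidate!r}: {weak_reason(candidate) or 'passes these checks'}")
```

A real deployment would swap WORDLIST for a genuine cracking dictionary (tens of thousands of entries) and keep the edit-distance threshold small so that ordinary passphrases are not rejected.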


PREVENTION CHECKLIST

Update Wordpress regularly

Do not use simple passwords

Do not use dubious sources of software.

Try to verify that your THEME or PLUGIN has some sort of VIRUS FREE GUARANTEE or CODE CHECKED status

Use only reputable companies who actually MAKE the plug-in or theme and NOT re-sellers who list thousands of free code, plugins or themes.

Then run a security audit using WP Security Scan, described above under HOW TO PREVENT A HACKED WORDPRESS WEBSITE.


You can also (reasonably easily) change the table_prefix from wp_, which is the default. This defeats automated attacks that hard-code the default table names (wp_users, wp_options and so on), but it is not a defence against SQL injection as such: an attacker who can inject SQL can read the real prefix from the database's own information_schema. Treat it as a small extra, not a fix.

Finally, you may wish to move your wp-config.php file out of its default location in the web root. WordPress also looks for it one directory above the web root, where the web server cannot serve it directly. Check the site still loads after the move.

The official Wordpress Hardening web page is listed below. It includes how to move the wp-config.php file.

http://codex.wordpress.org/Hardening_WordPress
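An added example (not from the WordPress Codex and not any plugin's code) that checks a copy of wp-config.php for the points above: the default wp_ prefix, a placeholder database password, secret keys left as shipped in wp-config-sample.php, a file mode that lets other users read it, and whether it still sits in the web root next to wp-settings.php. The two configs at the bottom are constructed samples with made-up values.

```python
"""Offline audit of a wp-config.php copy (e.g. downloaded by FTP) for the
hardening points this page lists: default table prefix, weak database
password, placeholder secret keys, over-permissive file mode and location."""
import os
import re
import secrets
import stat

DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([A-Za-z0-9_]*)['"]\s*;""")
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
WEAK_DB_PASSWORDS = {"", "password", "password_here", "root", "wordpress"}


def audit_wp_config_text(text):
    """Return a list of warnings for the contents of a wp-config.php."""
    warnings = []
    defines = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    if match is None:
        warnings.append("no $table_prefix assignment found")
    elif match.group(1) == "wp_":
        warnings.append("table prefix is the default 'wp_'")
    if defines.get("DB_PASSWORD", "").lower() in WEAK_DB_PASSWORDS:
        warnings.append("DB_PASSWORD is empty or a well-known placeholder")
    for key in SECRET_KEYS:
        value = defines.get(key)
        if value is None:
            warnings.append(f"{key} is not defined")
        elif PLACEHOLDER in value or len(value) < 32:
            warnings.append(f"{key} is the sample placeholder or too short")
    return warnings


def audit_wp_config_file(path):
    """Audit a wp-config.php on disk: contents, file mode and location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        warnings = audit_wp_config_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP):
        warnings.append(f"file mode {oct(mode)} lets group write or others read; use 440/400 where the host allows")
    # WordPress also loads wp-config.php from the directory ABOVE the one holding
    # wp-settings.php, which keeps it out of the document root.
    if os.path.exists(os.path.join(os.path.dirname(os.path.abspath(path)), "wp-settings.php")):
        warnings.append("wp-config.php sits in the web root next to wp-settings.php; it can live one directory above")
    return warnings


# Constructed samples (made-up values, not real credentials).
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'password_here');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = "<?php\n" + "\n".join(
    ["define('DB_NAME', 'example_site');",
     "define('DB_USER', 'example_site_user');",
     f"define('DB_PASSWORD', '{secrets.token_urlsafe(24)}');",
     "define('DB_HOST', 'localhost');"]
    + [f"define('{key}', '{secrets.token_urlsafe(48)}');" for key in SECRET_KEYS]
    + ["$table_prefix = 'ab7c_';"]) + "\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for warning in audit_wp_config_file(sys.argv[1]):
            print("WARNING:", warning)
    else:
        for label, cfg in (("default-style", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
            print(label, audit_wp_config_text(cfg) or ["no warnings"])
```

Point it at the downloaded copy (or, over SSH, at the live file) to get the list of warnings; the permission and location checks only mean something when run on the server itself, since an FTP download does not preserve the original file mode.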

You can search the web for more information using tags such as HARDENING WORDPRESS INSTALLATIONS

LEGAL WAIVER

Legal Waiver :
This page is not professional advice. It is simply information we find useful when fixing Wordpress installations. You use this information at your own risk. Calco UK Ltd accept no responsibility or liability for the consequences resulting from using this information.

WORDPRESS IS BACKED UP - ISN'T IT?

All Calco UK Wordpress Installations on 1st Choice Platform come with a TWO STEP back-up for Wordpress.

1. Go to your control panel and click Back-up & Restore (top section). Click FULL Backup (or Partial if you know what you are doing) and follow the instructions to download the zip file back-up.

2. On the same page you will have seen a small note that says: "Please note that this only backs up the web site files (as available via FTP). This means, for example, that databases are not backed up here: you can modify and back them up from the databases page." Click that link and follow the instructions. Download your zip file and keep it safe, off the server.

BACK UP REGULARLY AFTER CHECKING YOUR WORDPRESS SITE IS FULLY FUNCTIONAL!

01599 534964 | sales@calcouk.com

Website design with Calco UK is as easy as 1 - 2 - 3
1. Hosting » 2. Design » 3. SEO