Recovering from a Hacked WordPress Site

(…another in a series of posts mostly for myself – so I’ll have a place to remember things… but maybe the random visitor will find something useful here.)

One of the sites I visit is a Q&A forum type place about WordPress development. And there is always a question about ‘how do I fix a hack of my WordPress site?’.

If you ask the googles, you’ll find lots of answers; some are actually good answers. Some aren’t. So I thought I’d put down what I would do if I was in that situation. (I’ve had to do this before, for other sites and clients.)

Step 1: Secure Access

If your WP site gets hacked, someone got into the site somehow. Doesn’t really matter how they did. So my first step is to secure access to the site.

This means that I will first change the password on my hosting place. Strong passwords, of course, and one that I have never used before (or will use elsewhere).

Next, I look at the external access to my files. This means looking at all FTP user accounts, and changing the ones that I use to develop or access the site. (Or in the case of client sites, their access.) And looking for user accounts that I don’t recognize. Those will get immediately deleted. Then I will create a brand-new FTP user account, again with a strong password. All other FTP accounts will get deleted.

Then I look at the credentials for the WP database. I’ll change the password for that database. If the site is well-visited, I might create a new database user, assign it to that database. The access rights for that database will be limited; nobody gets all of the possible database rights.

Since I have changed (or added) the database credentials, I’ll go into the WP config file where those credentials are stored and change it to the new account. A quick check then to ensure that the site still works. If it is OK, I’ll delete the old database user account.
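The credential swap in the config file is the step where a typo quietly leaves the old account in place, or a password containing a quote breaks the site. The following is an added example (not code from the original post) of doing it mechanically: it rewrites the `DB_USER` / `DB_PASSWORD` `define()` lines in a wp-config.php, escapes the value the way PHP single-quoted strings need, and refuses to run if it does not find exactly one definition of each. The sample config and credentials are constructed, and the `ROTATION_SQL` text is one reasonable least-privilege grant; exactly which privileges a given site needs depends on its plugins, so treat that list as an assumption to verify against your own install.

```python
"""Rotate the database credentials stored in wp-config.php (added example)."""
import re

# Constructed MySQL statements for the new, limited database user. DBNAME,
# NEWUSER, NEWPASS and OLDUSER are placeholders. The privilege list is an
# assumption: it covers normal page serving plus core/plugin upgrades, but
# check it against what your plugins actually do before relying on it.
ROTATION_SQL = """
CREATE USER 'NEWUSER'@'localhost' IDENTIFIED BY 'NEWPASS';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON `DBNAME`.* TO 'NEWUSER'@'localhost';
FLUSH PRIVILEGES;
-- only after the site has been verified working with the new account:
-- DROP USER 'OLDUSER'@'localhost';
"""

# Matches define('NAME', 'value') or define("NAME", "value"), with optional
# whitespace, and captures the quoted value so it can be swapped out.
_DEFINE = re.compile(
    r"""(define\s*\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*)(?P<value>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")(\s*\))"""
)


def php_single_quoted(value):
    """Escape a value as a PHP single-quoted literal: only \\ and ' are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def set_wp_config_constant(text, name, value):
    """Replace the value of define('NAME', ...) in wp-config.php text.
    Raises if the constant is absent or defined more than once, so the old
    credentials can never be left in place by a silent no-op."""
    count = 0

    def repl(match):
        nonlocal count
        if match.group("name") != name:
            return match.group(0)
        count += 1
        return match.group(1) + php_single_quoted(value) + match.group(4)

    new_text = _DEFINE.sub(repl, text)
    if count != 1:
        raise ValueError(f"expected exactly one define of {name}, found {count}")
    return new_text


def rotate_db_credentials(text, user, password):
    """Point wp-config.php at the new database account."""
    text = set_wp_config_constant(text, "DB_USER", user)
    return set_wp_config_constant(text, "DB_PASSWORD", password)


def db_credentials(text):
    """Read DB_USER / DB_PASSWORD back the way PHP will see them (single-quoted
    values are unescaped; double-quoted ones are returned raw)."""
    found = {}
    for match in _DEFINE.finditer(text):
        if match.group("name") in ("DB_USER", "DB_PASSWORD"):
            raw = match.group("value")
            inner = raw[1:-1]
            if raw.startswith("'"):
                inner = re.sub(r"\\(['\\])", r"\1", inner)
            found[match.group("name")] = inner
    return found


# Constructed excerpt of a wp-config.php; the real file has more in it.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'site_db');
define( 'DB_USER', 'site_user' );
define('DB_PASSWORD', 'old-password');
define('DB_HOST', 'localhost');
define('WP_DEBUG', false);
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    updated = rotate_db_credentials(SAMPLE_WP_CONFIG, "wp_app2", "it's a \"str0ng\" p\\ss")
    print(updated)
    print(db_credentials(updated))
```

Run it against a copy of the real file, diff the result, and only then put it in place; the check at the end of the step (does the site still load?) is what tells you the new account's privileges are sufficient before the old user is dropped.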

Just for grins, I’ll also change the passwords for any email accounts on that site. That is probably not needed, but couldn’t hurt. I’ll just have to remember to notify those email accounts of the change. Most of my sites are single-user (me), so that’s usually not a big deal.

Step 2: Update everything

Next, I’ll log into the admin area of the site. I’ll create a new admin-level user, give it a strong password (of course), and then log out and log in with that new user account. Once logged in, I’ll delete the old admin account.

While in the user accounts area, I’ll create a user called ‘admin’. Strong password, but that account gets the lowest privileges. (Some hack attempts like to try to use the user called ‘admin’. So, I let them try.)

Next, I’ll look at any other user accounts. If there are several or more, I’ll screenshot the list, and then reduce their access levels to the lowest privileges. I’ll fix that access later when things are cleaned up.

Now, into the Admin, Update screen and reinstall the latest version of WP.

The next step is a bit more time-consuming – deleting and reinstalling all themes/plugins. Not just installing, delete everything first, then reinstall as needed. Hopefully, I’ve remembered to keep the number of active (and inactive) themes and plugins to the minimum. (Usually a good idea not to have plugins that aren’t active. Just delete them.)

To reinstall all plugins, I have to delete them first. Many may have some complex settings screens, so screenshots of those are done (and printouts if needed). Once I’ve documented all plugin settings, I’ll deactivate and then delete them all – using the option (if presented) to delete the files associated with the plugins.

This may break the site, of course, or at least not make it work like it normally does. So I may do this during low-activity times. (Some of my sites are always low-activity, so I just ‘do it’.)

After all plugins are fully removed, I start reinstalling the ones that are needed, using my reference screenshots/printouts to re-set the options for each as needed. I only use plugins from the WP repository, even the ones that I write. That way, I make sure that I get the most current version of the plugins – even though I check and update plugins (and themes) daily.

Once I have finished with all of the plugins, I do the same for themes. Screenshot the settings, delete the themes (files included), then reinstall from the WP Theme Depository. Put back all the settings (from my screenshots) as needed.

In both cases, I may use my FTP client to look at the theme and plugins folders to make sure that they have actually been deleted. Then I’ll reinstall.

A check of the site to make sure it works OK completes this step.

Step 3 – Investigate

Now I have (with any luck) a clean WP install, with current (and clean) themes and plugins. I need to make sure that anything left over is not going to cause a problem.

First, I check the htaccess file. I know what that file should look like (look at the WP Codex for help), so I make sure that the file is how it is supposed to be.

Next, I use my favorite FTP program (WinSCP) to log into the site – after changing the user/pass to the new one. I then poke around all of the site folders for files that I don’t recognize. I usually sort by date (oldest first), and look for files that are earlier than today. Remember that I reinstalled everything, so everything that is valid should have today’s date stamp. I don’t rely on that date sort, though, I look at all of the files; the date sort is just the first pass through all the files.

And I look at all site folders, not just the root folder. Rogue files will jump out because of their name or datestamp. I sometimes move those rogue files into a non-site folder in case I want to look at them later. As I move files, I make sure the site is still working properly.
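The three checks in this step (is .htaccess still the stock file, which files predate the reinstall, and which PHP files contain things a stock theme or plugin would not) are mechanical enough to script. The following is an added example, not code from the original post. It assumes the site files are reachable on a local filesystem (the host’s shell, or a mirror downloaded with timestamps preserved); the stock .htaccess block is the one WordPress writes for a single-site install, the suspicious-construct list is a starting point rather than a complete one, and `build_demo_site()` is a constructed tree used only to exercise the checks.

```python
"""Post-reinstall sweep of a WordPress document root (added example)."""
import os
import re
import tempfile
import time

# The rewrite block WordPress writes for a single-site install. Anything
# beyond it in .htaccess needs an explanation.
WP_HTACCESS_BLOCK = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# PHP constructs that rarely belong in a stock theme or plugin file. A hit is
# a lead to read by hand, not proof of compromise (constructed, not exhaustive).
SUSPICIOUS_PHP = re.compile(
    rb"(?:eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("
)


def stale_files(root, reinstall_time):
    """Files modified before the reinstall. Everything legitimately reinstalled
    is newer, so these are the first-pass candidates; like the date sort in an
    FTP client this is a filter, not a verdict."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < reinstall_time:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def suspicious_php(root):
    """PHP files containing eval/obfuscation-style constructs, paired with the
    construct that matched so the reviewer knows where to look first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                match = SUSPICIOUS_PHP.search(fh.read())
            if match:
                hits.append((os.path.relpath(path, root),
                             match.group(0).decode("latin-1")))
    return sorted(hits)


def htaccess_is_stock(root):
    """True when .htaccess holds nothing but the stock WordPress block
    (compared with all whitespace removed)."""
    with open(os.path.join(root, ".htaccess"), encoding="utf-8") as fh:
        actual = "".join(fh.read().split())
    return actual == "".join(WP_HTACCESS_BLOCK.split())


def build_demo_site():
    """Constructed tree: a reinstall done an hour ago, plus two files under
    uploads/ with a month-old timestamp, one of them a PHP file that should
    not be there. Returns (root, reinstall_time)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    now = time.time()
    month_ago = now - 30 * 86400

    def write(rel, data, mtime=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    write("index.php", b"<?php require __DIR__ . '/wp-blog-header.php';\n")
    write(".htaccess", WP_HTACCESS_BLOCK.encode())
    write("wp-content/plugins/akismet/akismet.php", b"<?php // plugin bootstrap\n")
    write("wp-content/uploads/2012/05/photo.jpg", b"\xff\xd8\xff\xe0 (not a real image)", month_ago)
    write("wp-content/uploads/2012/05/wp-cache.php",
          b"<?php eval(base64_decode('Li4u'));\n", month_ago)  # placeholder, decodes to "..."
    return root, now - 3600


if __name__ == "__main__":
    site, cutoff = build_demo_site()
    print("older than reinstall:", stale_files(site, cutoff))
    print("suspicious PHP:", suspicious_php(site))
    print(".htaccess is stock:", htaccess_is_stock(site))
```

The date filter is deliberately separate from the content filter: a dropper planted after the reinstall has a fresh timestamp and only shows up in the second list, and an old but harmless upload only shows up in the first. Both lists get read by a person; nothing here deletes anything.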

Step 4 – Product (ecommerce) and other files

I take a look at all of the media files on the site, on the off-chance that one of them is compromised. But usually those aren’t a problem.

What might be a problem is ecommerce/product files. It may be that a product file is the compromised access point. I’ll look at every single product, every single field for that product, to make sure that all is well. That can be a bit time-consuming, but so can a re-infection if a product is the infection point.

Step 5 – Posts and Pages and Comments

It may be that a post or page has some rogue code in it. Now, by default, WP will not execute code inside a post/page. But, on the off-chance it does, I want to ensure that all posts/pages are OK. Depending on the site, I may use a SQL command or two to look for indications of code inside a page/post. If it is a smaller site, I’ll just look at all posts/pages. I may sort by date, if I am aware of the approximate date that the hack got into my site.

It’s not likely that a Comment will be the infection point, since I do have some protection against spammers – via my own plugins (FormSpammerTrap for Comments) and Akismet. But a quick look at Comments is a good idea. I set up the anti-spam features to immediately discard all potential spam, so usually don’t have a problem with that.
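Here is the “SQL command or two” for posts and pages, extended to comments as well, as an added example that is not part of the original post. The query is what I would run against the live MySQL database (through the `mysql` client or `wp db query`); to make it runnable offline it is executed here against an in-memory SQLite table with the same column names, filled with constructed rows. The `wp_` table prefix is the WordPress default and an assumption, and the marker list is a starting point, not a complete list of what injected content looks like.

```python
"""Look for injected markup in wp_posts and wp_comments (added example)."""
import sqlite3

# Markup that editor-authored content should not normally contain. A legitimate
# embed will show up too; reviewing a false positive is cheap, missing a
# redirect script is not. Note that '_' in LIKE is a one-character wildcard,
# so 'base64_decode' also matches 'base64xdecode', which is harmless here.
INJECTION_MARKERS = ("<script", "<iframe", "eval(", "base64_decode", "document.write(")


def scan_sql(table, id_col, text_col, order_col, extra_where="1=1", prefix="wp_"):
    """Build a parameterised query: one LIKE per marker, most recently
    modified rows first. Under MySQL's default collations LIKE is
    case-insensitive (as it is for ASCII in SQLite), so <SCRIPT> is caught
    as well as <script>."""
    likes = " OR ".join(f"{text_col} LIKE ?" for _ in INJECTION_MARKERS)
    return (f"SELECT {id_col}, {order_col} FROM {prefix}{table} "
            f"WHERE {extra_where} AND ({likes}) ORDER BY {order_col} DESC")


def scan(conn, table, id_col, text_col, order_col, extra_where="1=1"):
    """Run the query and return (id, date) pairs for rows worth a look."""
    params = [f"%{marker}%" for marker in INJECTION_MARKERS]
    sql = scan_sql(table, id_col, text_col, order_col, extra_where)
    return [tuple(row) for row in conn.execute(sql, params)]


def scan_posts(conn):
    """Posts and pages of every status except the trash."""
    return scan(conn, "posts", "ID", "post_content", "post_modified",
                "post_status <> 'trash'")


def scan_comments(conn):
    """Comments, including ones still held for moderation (comment_approved = '0')."""
    return scan(conn, "comments", "comment_ID", "comment_content", "comment_date")


def build_demo_db():
    """Constructed rows: clean content, a page with an injected 1x1 iframe, a
    draft with an upper-case script tag, a trashed post that must be skipped,
    and a pending comment carrying a script tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_status TEXT, "
                 "post_title TEXT, post_content TEXT, post_modified TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", [
        (1, "publish", "Hello world", "<p>Welcome to WordPress.</p>", "2012-05-01 10:00:00"),
        (2, "publish", "About", "<p>About this site.</p>"
         "<iframe src=\"http://example.invalid/\" width=\"1\" height=\"1\"></iframe>",
         "2012-05-20 03:14:00"),
        (3, "publish", "Old news", "<p>Nothing to see.</p>", "2012-04-11 09:00:00"),
        (4, "draft", "Draft", "<P>Text</P><SCRIPT src=\"http://example.invalid/x.js\"></SCRIPT>",
         "2012-05-21 22:05:00"),
        (5, "trash", "Trashed", "<script>alert(1)</script>", "2012-05-22 00:00:00"),
    ])
    conn.execute("CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, "
                 "comment_approved TEXT, comment_content TEXT, comment_date TEXT)")
    conn.executemany("INSERT INTO wp_comments VALUES (?,?,?,?)", [
        (10, "1", "Nice post!", "2012-05-02 08:00:00"),
        (11, "0", "Great article <script>document.write('x')</script>", "2012-05-19 12:30:00"),
    ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("posts/pages to review:", scan_posts(db))
    print("comments to review:", scan_comments(db))
```

Ordering by the modification date is what makes this usable on a large site: if you have a rough idea of when the compromise happened, the rows you care about are at the top of the result. Against the real database, substitute the literal patterns (`post_content LIKE '%<script%'` and so on) for the `?` placeholders if your client does not take parameters.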

Step 6 – Final Cleanup

By this point, the site should be back to normal. I’ve been checking the site as I go through each step, looking for indications of continued infection.

If I had to reduce privileges on user accounts, I put those back to normal. And I make sure that backups are in place and working. Not just the database, but all files (WP, themes, and plugins).

Winding Up

The above steps are a really good start at cleaning up a site. Some would argue for a ‘Nuke from Orbit’ (starting from scratch by deleting everything), but that may not be an option for most sites. My procedure takes a bit of time (many hours – more than 8, usually), so it’s not easy. (And, if I am doing it for a client, it’s not inexpensive.)

But, I’ve been successful in site cleanups before with this process.

What do you think? Add your ‘thinky bits’ in the comments.

Database Cleanup for Security

Several of my web sites use custom databases. Some of those web sites are gone (on purpose). But the databases were still there.

So I spent a bit of time deleting some unused databases and database users. It’s a security thing: there might be some personal information on some of the databases, and deleting unused data is a ‘good thing’.

Database security is important. Here are a few things to think about:

  • Do you have unused databases anywhere?
  • Is there public/personal information in the data tables?
  • Have you secured the user rights to those databases — not giving full access to a user out of convenience?
  • Do you have backup copies of the databases?
  • Are databases that contain personal information encrypted?

Any other considerations? Let me know in the comments.

FormSpammerTrap for Comments WordPress Plugin

My new WordPress plugin to block form spammers/bots is now publicly visible at https://wordpress.org/plugins/formspammertrap-for-comments/. It blocks comment spam from ‘bots’ with a simple technique. It doesn’t have captchas, hidden fields, silly questions, or other things that don’t work. It just looks for ‘human activity’ on the comment form, and if a ‘bot’ tries to submit a comment, they immediately get sent to my FormSpammerTrap web site.

It uses the same techniques that I use for comment forms (more info about that here and here and here), but now it is a WordPress plugin, so it is quite easy to install and configure. And it is quite effective…I’ve never gotten any ‘bot’ spam on any site that I have installed it.

The whole plugin coding process was interesting, and a good learning process. I’ve already got some enhancements in mind for newer versions. But I was quite proud of myself for getting this one to work…and that it is now available among the millions of other WordPress plugins.

Getting and Staying Safe

You’ll find lots of places that will advise you on safe computing. Here’s my quick advice.

  • Install all Windows updates
  • Install Microsoft Security Essentials – free antivirus program. If you already have an antivirus program on your computer, and it is current, go ahead and use that. If it has expired, just uninstall it, then install MSE from the Microsoft Protect site (www.microsoft.com/protect). After installation, get any updates, then do a quick scan of your computer. Do a full scan later; they take a while. If MSE finds anything, delete it. (BTW, some good computer safety tips on that site.)
  • Install Personal Software Inspector from Secunia (www.secunia.com). It’s free. It will keep all of your other programs current. Do a scan, update everything.
  • Uninstall Java. Look for it in Control Panel, Add/Remove Programs. It is probably not needed on your computer. (Some business applications use it; if so, make sure it is updated.)
  • Change all of your online passwords. Don’t use the same password everywhere. Don’t use dictionary words. This is important, especially on financial sites.
  • If you access your financials on-line, don’t do it at a public place. Do it at home, where you have a password for your wireless Internet. (You do have your home wireless password-protected, right?)
  • Be careful about clicking on any links in emails or Facebook or other social sites. Be careful when any place asks you for your user name and password. Make sure it is legit.

So there’s some quick tips about getting and staying safe.

Oh, and one other thing. Your data is important. I use Carbonite to automatically back up all of my data without any effort on my part. Use this link: http://refer.carbonite.com/a/clk/1Tjw3f (Disclosure: I get a finder’s fee if you sign up, but there is no additional cost to you. I’ve been a Carbonite user for more than two years, and am very satisfied.)

Insecure FileZilla FTP Program

I manage several web sites, among them WordPress-based. And other sites I manage/own are PHP-based. So I often need to transfer files from my laptop to the hosting site. To do that, I use an FTP client program called FileZilla.

At least, I used to.

And the reason for ‘used to’ could be helpful to you.

One of the sites I manage has an intermittent problem with some injected malware. Usually, it is a small bit of code that uses an ‘iframe’ (sort of inserted content on a web page) to hide content that does search click-jacking. That’s when the code displays a search results page, then ‘clicks’ links on the page to earn search-click revenue. The actual search page is not displayed, but the ‘clicking’ happens.

So that injected code gets displayed on every WordPress page on the site. Which means that somehow the WordPress code on the site host is being modified by malware.

It’s not clear how the code gets modified, but one way is by a compromised FTP account. The hacker somehow gets the FTP login and password for a site, then looks at that site for PHP files that can be modified with an insertion of the malware code.

And the only way to figure out that the site has been compromised is to take a look at the page code, which can be quite complex. Or you can look at file dates on the host, but that can take quite a while.

Now, I keep my computer systems current with patches. I do Window patches as soon as they are released. I have Secunia’s PSI program which automatically patches my non-MS programs. I’ve got a good anti-virus program. And I use strong passwords everywhere.

But even these good security practices can be bypassed with a ‘zero-day’ attack. And that’s what I think happened. Some malware got into my system somehow. And this particular bit of malware tries to compromise my FTP program.

And it turns out that FileZilla, the FTP client on my computer, stores FTP user names and passwords in a clear-text file in an easily accessed location.

What. The. ???!!!

Why would they do that?

Yes, the program is open-source, so someone can easily figure out where the FTP user/passwords are stored. But there is no reason not to encrypt the file that contains the passwords.

No reason at all.

It is a major vulnerability. One that the FileZilla developers continue to ignore.

And FileZilla is very popular. Millions of downloads.

Each and every one is vulnerable to malware attack that will get your FTP user credentials.

What. The. ???!!!!

And that’s why FileZilla has been removed from my computer. And banned from any computer I own or manage.

But I still need an FTP client. Yeah, I could do it all manually, but a FTP GUI is just convenient. So I need an alternative.

And that alternative is WinSCP (available here: http://winscp.net/eng/index.php).

It’s pretty easy to use. Has a nice GUI. Allows for multiple FTP site settings. Will save the FTP user credentials. Is open-source, and free (donations accepted).

And has an option to have a ‘master password’, that, if enabled, will encrypt the file that stores your FTP user credentials.

So far, it is working fine, and appears to be a good and secure FTP client.

Which is why WinSCP is on my computer.

And FileZilla isn’t.

I recommend the same conclusion for your computers.


(Added 25 May 2012) Note that if you do uninstall FileZilla, the password file is not removed (even after a restart). You will need to remove it manually.

Careful

Windows Update time. Do it.

Then install Secunia’s Personal Software Inspector. Run it. Update as needed.

And you Mac guys. You are not safe from viruses any more. Deal with it.

Saving Your Data

An important part of information security is making your data available, and keeping that data available. Loss of data can be a minor inconvenience, or it can kill your business. And it is not just businesses that need to worry about data loss.

Think of your personal data. All of those pictures on your camera, your phone, your laptop, or your computer. Or even the non-electronic data like printed pictures, slides, important papers, journals — the list is almost endless. Protecting that data from different kinds of loss is important to a business, and to individuals.

And there are lots of ways to back up that data, no matter what it is. On a personal level, you can copy files to CD/DVDs, or to an external hard drive (USB thumb drive, external hard disk). Those are valid solutions. But only if you remember to do them. And then there is the storage issue. Where do you keep these backup copies? Keeping them in the same physical location protects the data — until there is a flood, or a fire, or tornado, or a theft, or … well, the possibilities for data loss have not been fully mitigated.

One of the solutions I have used for a couple of years is an on-line backup service. The service I use is from Carbonite (www.carbonite.com), and costs $59/year for unlimited, automatic on-line backup. Three important words in that statement. Unlimited backup takes care of all of my files at the same basic cost. Automatic means that I don’t have to worry about doing it. And the third important part is “on-line” — the data is stored off-site in ‘the cloud’.

With Carbonite, everything is automatic. I install the software on one computer at home (they have a multiple-computer plan also). I designate the folders to back up. The Carbonite software automatically copies my files to their servers, over my Interwebs connection, and does it with a minimal impact on my other on-line activities. If I make a change to a file, that changed file is added to the backup list.

And it is all done automatically. It meets the requirements for keeping my backups current; the files are available if I need them; and I don’t have to remember to do anything.

But what about the multiple computers around your house? You may have a couple of laptops or desktops at your house. How do you keep all of your computers backed up?

With Carbonite, you have to pay for one yearly subscription ($59) for every computer you back up. If you have multiple computers at home, that can start getting expensive. A bit of adjustment on your end will fix that.

In my case, the desktop computer downstairs is Carbonited. That computer, plus our two laptops, are all networked together. So a process of copying data from laptops to desktop gets our laptop files as part of the Carbonite backup. That’s done with the free Microsoft SyncToy, which syncs the files from laptop to desktop. It’s pretty fast (much faster than a straight copy command), since it only works on files that have changed.

So my important personal data is backed up with Carbonite. There are other services that perform similar functions; some have better pricing for multiple computers. But my data is safe from a local (home) disaster, and it is mostly hands-free.

Poor Kenneth

Got this in my email today:

Hi,

Just writing to let you know our trip to Madrid, Spain has been a mess. We were having a great time until last night when we got mugged and lost all my cash,credit card cellphone It has been a scary experience, I was hit at the back of my neck with a club. Anyway, I’m still alive and that’s whats important. I’m financially strapped right now and need your help. I need you to loan me some $$, I’ll refund it to you as soon as i arrive home.Write me back so i can tell you how to get it to me.

Regards, Kenneth

This is quite sad. Poor Kenneth. Stuck in a foreign country, no cash, no credit cards, so he can’t get home. I should send him some money to help out.

Except I don’t know a Kenneth. Even if I did (and this scam sometimes is from a name you recognize), not a good practice to send money to someone without verification. Unless you don’t care if you ever see that money again.

These types of messages might come to you from you “cousin” or “granddaughter”, and might include information that seems valid. But it is a scam.

Be careful out there!