Investigating a hacked WordPress site

With WordPress there are a few good ways to speed up the job of troubleshooting a hacked site and speed may be of essence with something like this. I asked the client when there were first signs of the malicious content or behavior – believe me it’s actually very useful to know the exact date & time you first experience the issue as you’ll see later. So, if that time information is not available or cannot be remembered viewing the server error logs promptly could give you some more information. Armed with that information and presuming you can get into the site’s admin dashboard you try the following fairly standard actions to help uncover the culprit and mitigate further issues:

• Disable all plugins
• Switch to default theme
• Use Theme Authenticity Checker

The Theme Authenticity Checker plugin does a quick scan of all installed themes for unnecessary code – typically this code consists of statements or functions like “eval( blah blah);” code injected somewhere in any of a themes files. Pay attention to anything TAC highlights – perhaps removing un-needed themes. For any theme that is highlighted as containing potentially malicious code you’ll need to edit the affected file or remove and re-install the theme files from the originals. That’s a drag if you’ve made theme modifications but it means you can revert to being back online. In one of the cases here I was re-enabling the plugins one at a time and I found that a plugin was causing one issue (preventing the blog from displaying) and by removing it from the plugins folder I could continue.

However, perhaps your blog site is non-functioning and you can’t get into your site’s admin dashboard? Well, now’s the time you use FTP or SSH connect to the server hosting the website. Remember I said how useful it is to remember the date & time you first noticed the hacking / issue? Well, here’s where you can navigate to the following folders and look for files that have been changed around the same date/time:

• wp-content
• wp-admin
• wp-includes
• wp-content/themes/*
• wp-content/plugins/*
• the folder above wp-content – sometimes public_html or public

* The above folder list is not exhaustive but typically this is where the malicious code is to reside

In each of these folders look for other folders or files that have recently been created. These are sure indications that modifications have been made and you need to target those files or folders.

Fixing a hacked site

After searching in the above folders on the clients sites here’s what I found:

• A folder called “backup” and in there was malicious file  ”backup-loader” that had code to display an authentic looking message on the WordPress dashboard.
• An include statement at the top or within the index.php
• A file/folder combination called “__notes/notes” that was included in index.php
• Malicious code in wp-includes/theme.php
• Malicious code in functions.php – an eval statement that referred to a setting in the wp_options database
• Malicious javascript code in the wp_options database

With FTP you can download, use a code editor, and then upload fixed files. With SSH using a code editor directly to removing the malicious code in the php files. Identifying the code to remove was pretty easy as often the code segments looked out of place and therefore easy to remove and test. The wp_options code required the use of a MySQL database client like PHPMyAdmin to manually edit the table and remove the code and the related entry / record to prevent re-infection.

Cleanse and Sanitize

I said before that one of the effects of this hacking was that all the posts and pages had been injected with additional HTML code. Again with a MySQL client I looked through the blog database tables and found that also infected were the “revision” records for each affected post or page. Each malicious link was hidden from view with a CSS “style display:none” command and each link was injected in random locations within the post content. This made cleansing a labor intensive job (I could have possibly written some code to scan and remove but time didn’t permit) as I had to manually edit each post in the database – copying and pasting to a code editor and then pasting it back into the database, view the page or post, view the source to ensure the malicious code was gone.

Check in with Google Webmaster Tools as well to see if Google has identified malware on your site. If it has then follow it’s suggestions as to how to get the information Google stores about the site updated to reflect the current, non-malware, site.

WordPress Security Review

Once your site is cleansed and working you might take a look at further locking down access to reduce the chances of this happening again. Changing your admin and FTP passwords regularly is always good practice but there are more hints and tips in my WordPress Security post.

I successfully managed to fix these sites using the techniques described above – if you ever experience similar incidents then this short guide will help you. I do recommend now after all of this, taking a database backup and upgrading to the latest version of plugins and WordPress as soon as possible.

Thoughts, ideas always welcome in the comments.

*Update* After I completed this project I came across an updated version of Exploit Scanner – more information here. A useful tool to assist in fixing a compromised WordPress installation.

Let’s take a look at the options you can explore to better improve the performance of your blog.

Blog performance break the speed limit

Blog Theme

Review your theme options, widgets and settings. Use firebug to see if all your theme images are loading correctly especially if you’ve experienced issues during a theme upgrade. Review your themes CSS files to see if there are references to images or other files that are no longer required or perhaps are missing. Disable any unnecessary widgets in your blogs dashboard. You may also check out your theme is generating valid code using the W3C Markup Validation Service or check with your theme developer or the support forum for your theme.

Blog Plugins

Simply put – do you need all the plugins activated on your site? Perform a quick plugin audit, comparing what you see on your home page and blog pages with your active plugins. If there are plugins that are active but not used then deactivate them one by one and refresh your blog page to see that it’s still all working. Sometimes going back to basics and deactivating all plugins is the only way to go. Also make sure you have the latest versions of the plugins you decide on keeping.

Blog Hosting

This can play a big part in the performance of your blog. With the big shift from shared (cheap) hosting to still cost effective and high performance VPS offerings like Slicehost (the host I use) and many others, there are more opportunities to gain improved performance by picking the right host. Look at your hosting package and compare the next one up with your existing host.

Blog Optimization

This can offer up some simple and not so simple tips to help you speed up the responsiveness of your blog. There are many tools you can use – Firebug add on in Firefox, Pingdom, YSlow another addon for Firefox and even Google has a performance tool for Firefox. You can even try Is My Blog Working which, along with Pingdom can give you an idea of the time it takes to load your site. You can compare the load time before and after any of the changes you make.

View the server log

This is probably the most technical tip in this post and varies wildly from host to host. I have found that sometimes it can lead you straight to a bottleneck because you see lots of errors being reported and at other times you are swimming through the log struggling to find what’s occurring. Perhaps with this one work with your hosting tech support or a WordPress consultant if you feel you are still struggling with blog speed.

Blog Caching

This is typically performed by a plugin but there are lower level server options available if you’re running on a VPS or non-shared server. Such options include APC – Alternative PHP Cache – and these can improve the server performance and that blends through to your WordPress performance.

Within WordPress there are a number of caching plugins that you can choose to use – WP-Super-Cache and W3-Total Cache. I’ve used both and both can benefit from tuning of their options so be sure to review the options carefully. The basis of these WordPress caching tools is that they generate a single html page of your posts / home page that the web server can deliver to a browser much more efficiently than processing the page on each request. Most of the caching plugins have multiple options for tuning how it should work on your blog – try changing the available options to see if the performance improves.

Blog Security

Blog Security

Securing your blog is important and there are many options that will help you. Now, there’s no substitute for good security but you might not want to put too many locks on the blog such that it takes too much time to do something simple. And each security layer can add a level of performance sapping complexity. Review your blogs security options and pare them down to the minimum necessary or within your security comfort level.

Blog Advertising

Advertising makes the blog world go around (along with B2B opportunities of course) and I’ve worked on one or two sites that have multiple advertising sections and there have been times where the site won’t completely load because it’s waiting for a piece of advertising to load. Review with your advertising contacts/services to see that you have the most optimal code for your advertising sections on your blog.

So, you can see there are many ways you can speed up your blog or at least tweak it for performance in some areas. If there’s a tip I’ve missed but you’ve used and benefited from then please leave a comment!

Working on a client job recently I was asked to review the general security of a site and come up with recommendations on how best to improve the security and reduce the chance of remote malicious activity. My review included these tips below all of which were implemented on the clients site in question.

Server level “hacks”

Hide folder directory listings
To prevent nosy intruders from looking at what plugins or themes you have installed you can quickly install a blank index.html or index.php file in those folders. This will give a blank screen when those folders are accessed directly, hiding your plugin and theme information. If you are creating a blank index.php then put the following code inside:

<?php
// silence is golden
?>

Save this file as index.php and ftp or SSH to your

/wp-content/plugins/

and

/wp-content/themes/

folders.

WordPress Plugins

semi-securelogin reimagined This is a neat plugin that utilizes javascript to encrypt the login password using public and private security keys before it is sent to the server for validation. Useful if you’re blogging on a public, or non-secure / non-trustworthy wifi service. Once the plugin is installed and activated go to Settings, Semisecure Login change the “Number of Bits” to 2048 and click on the Generate Key button and you’re done. It’s not as strong and secure as using SSL for all administrative activity but where SSL is prohibitive I would recommend this plugin.

WordPress configuration changes

Move wp-config.php – this is a simple tip. Relocate your wp-config.php file to the directory / folder one up from your blog. So, if your blog is located in

/var/www/html/wordpress/

then you would move wp-config.php from that folder to

/var/www/html/

It’s that simple providing you’re running WordPress 2.6 or greater. You’ll need ftp access or you can do this through an SSH connection. A great tip giving you peace of mind about your database and other configuration settings.

Add security keys in wp-config.php
First available in WordPress 2.6 and updated in 2.7 these security key settings ensure better encryption of information stored in user cookies when accessing your site. The keys can be anything, preferably difficult and lengthy (they won’t need to be remembered as they are set and forget) and you make the change by editing your wp-config.php file. To save you having to think of four phrases there is a great secret key generator at wordpress.org for you to use and it even makes creates the code for a true copy and paste experience. So, download and edit in your favorite text editor (or edit via SSH) your wp-config.php file, click on the secret key generator and then paste in the 4 lines of code to replace the multiple “define…” statements. Here’s the output I got from clicking on the key generator link:

define('AUTH_KEY','m/if.C66;t%7-~+,lL~x-|~s?Rv5uH?EpsO qc$u}h(`iC19|;}>RifWdX8x6I_v');
define('SECURE_AUTH_KEY', 'J|xwv@Hws vO2rbVV ]WqicA.`,87bc2_otEi&Xdy+!O2-yWI,*3nSB?t%iIhcN,');
define('LOGGED_IN_KEY','6%}M[D(Ymt?CU*PhksOJr@G9us!dg0A&@$X-+KBe&GcfcYUw8v!u+)J)*6Oc?R98');
define('NONCE_KEY','rcsEsaT9rzY)HTo08i2|qKhfl>j^x}u:vb/oC2dZvzhi/_r;>+Lz&-~`$p+w&-tQ');

Removing login error messages – this little tip will quite simply remove the error message from being displayed on the WordPress login page. This tip is theme based (so remember this if you switch themes) and you add one line into the themes functions.php. Here’s the line, place it at the bottom of the file:

add_filter('login_errors',create_function('$a', "return null;"));

Rename the “admin login id” – another simple and effective tip. The default administrator login name in WordPress is “admin” (although for new installations you can change it at install time). This tip works well for existing installations. By changing this to something only you know this will help protect your blog from random attempts to login with administrative privileges. So on an existing blog you’ll need access to your WordPress database and in particular the “wp_users” table. It’s likely you’ll have phpMyAdmin available as a tool to work with your databases. You’ll need to get to the bit that allows you to run a SQL command. Here’s the command:

update tableprefix_users set user_login='newuser' where user_login='admin';

Note: “tableprefix” is usually “wp_” and “newuser” is the name you want your admin login to be. For example : “banana” or “alongadminusernamethatwillbedifficulttoguess”.

If you have any tips on securing your WordPress installation and you are willing to share them please leave a comment.

Sources:

http://wpwebhost.com/securing-your-wordpress-install-the-foolproof-way-part-1/

http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/

It was, however, the right thing to do switching development efforts away from the next feature release to fix the security issues and push out that release promptly. It’s commendable that the fix was released so quickly and with the relative ease blog owners can upgrade their version of WordPress the continued impact of the worm was reduced significantly. I did the rounds of blogs I own and manage and it was a good feeling to address the upgrades quickly.

During the checks and subsequent upgrades I installed and used the WP Security plugin out of curiosity to see if there were areas of my blogs considered “insecure” or “at risk” according to the plugin. A few issues were raised and quickly resolved – how long they’d been there I don’t know, but the plugin certainly helped me in that respect. You can find the plugin here and I thoroughly recommend it as I can keeping your blogs updated with the latest version of WordPress.