“My WordPress has been hacked”

I am not a WordPress guru. I am not a security consultant. I am a person who has to hand out the "It is with regret ...  ...your site has been compromised...  ....please make good, then let me know how it was done and what steps you have taken to ensure this does not happen again."

The replies usually come back as a glossing over of facts, point, impact, and implication - and "I have deleted those files, please close ticket", or "I do not know how to do this, so cannot", or "this must be your fault, fix it now", or of-course where would we be in the hosting industry without "this is unacceptable I am losing thousands."

Sticking stuff, anything, online is hazardous. The background hum of the internet is of badness. Automated, sleepless, mechanised badness. The positive sides to grasp for are that, on the whole, they are not personal. They are however unavoidable. You should expect it. What we have however, in my honest opinion is a pervasive lack of ownership... and that... that vexes me greatly.

 Let us take a fictitious example... it is time we had that talk.... let's have it now, lets imagine ourselves in this unpleasant situation... and not have to have it for real.

Thank you for getting back to me.

I am not a developer. I am a systems / infrastructure / security engineer. Code maintenance falls within your remit regretfully - although obviously we can advise and assist where practical.

The internet is a hostile place. Sticking things online instantly will result in all available doors and windows being rattled. This is just something to accept as opposed to bucking against. Thankfully from the 'sleep at night' point of view - it is not personal, and it is rarely targeted - it is opportunism (unless you are particularly interesting or have irritated the wrong people).

WordPress is great. I use WordPress. I have not done any development since I graduated as a software engineer 20+ years ago - however it repeatedly makes me look competent : ) It is for reasons such as this WP makes up over 20% of the worlds new sites. As such it means that if you are going to learn new compromise skills or are in the business of deploying compromise tools - then WP is the way forward also.

Keeping patched has never been more important. Thankfully these days it is just a few clicks away from automatic core updates, and in the last few weeks automatic module updates.

The arguments for "I cannot upgrade my theme doesn’t work with version x.xx" - we hear that every day. Alas this rapidly becomes a role of the dice as the minutes pass since the upgrade.... the internet is alive around the clock, and automated attacks rattle on without need for sleep or rest. It is a weigh up between a broken theme, fixing the theme, or having a dead site, or your domain name sending out what can only be described as 'questionable content' that your mother would not like. Still people carry on regardless.

So. Here we are.

What I would advise is as son as you have ascertained likely cause (from existing files, dates, times, permissions, logging) is a *complete* erasure of the site in terms of files AND database. Then restore from a known good backup - prior to the first of these attacks, and then straight away, patching that up to date.

This assumes you have a viable backup.

How would this help? This would help because you would be moving back in time to a point before your hosting space was compromised - and then securing the site through patching or other steps to ensure that this did not re-occur. Given that a priority after compromise is likely to be to ensure ease of ongoing access before deploying a number of flexible and productive tools - unless you have been checksumming files within your off box backups.... you are unlikely to spot something like this. As such - a complete removal to a blank canvas and restore from a 'known good' is the go to short of building again from the ground up.

While we are not mean to recommend or endorse third party solutions - there are a number of WP plugins that can assist you both in terms of recoverability options and hardening your instance. Plugins such as All In One WP Security, or WordFence we see a lot used by customers for hardening their installs. I have also seen extensive use of Updraft Plus to backup to external stores, such Dropbox, One Drive and the like. Both of these are free to use. Little things such as renaming the wp-admin and restricting access make a hell of a lot of difference.

As with anything - these are simply layers on top of what should already be good practice, or good practice - or at the very least, as we all live in the real world - calculated risk and exposure.

If you have any further questions do not hesitate to get back to me.

Leave a Reply

Your email address will not be published. Required fields are marked *