So you’ve been hacked…


By now, every person running a WordPress site should be aware of the attack on the popular blogging platform.

If you aren’t aware, this particular attack does not exploit any vulnerabilities in WordPress’ code or weak plugins as we have seen in the past. This time, the threat landscape is the user. Criminals, in this attack, scan the Internet looking for WordPress web sites and use a list of common username and password combinations. Those who leave their username as the default “admin” are particularly at risk because the username part of the credential is easily guessed.

Once the attacker has compromised the web site a backdoor is created so even if the site’s owner gets wise, changing the username and password won’t keep the bad guys out. The site now joins the botnet that attacked it in the first place launching the same password guessing attack against other sites.
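A defender-side check for the password guessing described above, added here as an example (it is not code from the original post): it reads Apache access-log lines, counts failed POSTs to wp-login.php, and flags both a single address hammering the login form and the thinly spread pattern a botnet produces, which per-IP lockouts miss. The thresholds and the TEST-NET sample lines are constructed for the example.

```python
"""Spot password guessing against wp-login.php in Apache access logs.

Flags one IP hammering the login form (what a per-IP lockout catches) and a
distributed run where many IPs each try only a few times, which lockouts miss.
"""
import re
from collections import Counter

# Apache combined log line; only client IP, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_attempts(lines):
    """Return (failed POSTs per IP, total failed POSTs) for wp-login.php.

    WordPress answers a successful login with a 302 redirect and a failed one
    by re-rendering the form with 200, so a 200 to a POST counts as a failure.
    """
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            per_ip[m["ip"]] += 1
    return per_ip, sum(per_ip.values())

def classify(per_ip, total, per_ip_limit=5, total_limit=20):
    """Label the window 'single-source', 'distributed' or 'normal', with the IPs involved."""
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    if noisy:
        return "single-source", noisy
    # Many failures spread thinly over many addresses: the botnet pattern.
    if total >= total_limit and len(per_ip) >= total_limit // 2:
        return "distributed", sorted(per_ip)
    return "normal", []

def _line(ip, method="POST", path="/wp-login.php", status="200"):
    # Builds a constructed log line (TEST-NET addresses, not real traffic).
    return (f'{ip} - - [12/Apr/2013:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 3125 "-" "Mozilla/5.0"')

SINGLE_SOURCE = [_line("203.0.113.7") for _ in range(6)] + [_line("198.51.100.2", "GET", "/")]
DISTRIBUTED = [_line(f"203.0.113.{n}") for n in range(1, 25)]  # 24 IPs, one guess each
NORMAL = [_line("198.51.100.2", status="302"), _line("198.51.100.3", "GET")]
```

Run `classify(*login_attempts(lines))` over a sliding window of your own log; the distributed label is the one to watch when a lockout plugin reports nothing.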

Cleaning up the mess

If you know that your site has not been compromised, now is a perfect time to change your WordPress username if you are still using admin. Don’t make it another easily guessed username; make sure it is something unique so that brute force techniques won’t be able to easily guess it. As a matter of fact, go ahead and do that now, we can wait to pick up the rest…

Once you have changed your username, it might be wise to change your password as well. Most likely, you have heard of complex passwords and you may even have used them. A combination of uppercase letters, lowercase letters, numbers and symbols does make it nearly impossible for a brute force password cracker to guess your credentials. The problem is, these passwords are often hard to remember. If you find yourself having to write down your passwords, or if you have to reset them on a frequent basis, you might want to try a passphrase. Something like Mybirthd@yisApril23! accomplishes the same thing but is a bit easier to remember. In addition to being complicated, your passwords should be diverse. You should never use the same password for your WordPress account as you do for your bank account, or eBay.

If an attacker gets this password, he or she may just try it on all your accounts.

If you have been compromised

If it is too late and you suspect that your WordPress site has been compromised, you are going to have to block the botnet’s ability to control your site, clean your web site of any malware, clean your computer of any malware and then change your user credentials (it may be wise to change all of your passwords, especially if you find malware on your computer).

To restrict wp-admin access from any computer, except your own, you will need to create an .htaccess file in your wp-admin folder. The file should contain the lines:

# Apache 2.2 access control (still accepted by Apache 2.4 only when
# mod_access_compat is loaded; the 2.4-native form is "Require ip xxx.xxx.xxx.xxx").
# No space after the comma: Apache rejects "Deny, Allow" as an unknown order.
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx

Substitute your IP address for the xxx in the example. If you wish to add more IP addresses, simply create another allow from line in the file and include that IP address.

With this done, you can block access to wp-admin, but if there is anything else on your server that is allowing backdoor access, you will have to scan for that. Using a plugin like Sucuri, which requires a yearly subscription, or WP Security Scan, which is free, you can check your blog for malicious files and actively protect your site against them. Once you have installed and run one of these plugins, and after you have removed any malware you found, make sure to run a backup of your site since any prior backups may be infected. More on WordPress security plugins.

Once you are sure that your web site and your computer are malware free go ahead and change your passwords. The reason behind waiting until after a malware scan is that if there are any keystroke loggers present they will send your new credentials back to the hacker who placed them there giving them your new password.

Featured Image from IWDRM

4 comments on “So you’ve been hacked…”
  1. Good info. What has happened to a site I maintain for a client is that somehow hackers get into my header.php file and put in all those damn links to medical stuff and naturally sex stuff. Then it shows up on search engines which then flags the site. I keep backups of everything so it only takes a few to run a scan, replace the infected files, maybe kill some javascript and get it back to normal. For the life of me I cannot figure out how they do it? I have a strong password, a strong username, updated plugins and upgraded WP install. I am on a shared server at GoDaddy and whenever I talk to them about it they never will take responsibility for it so… and I hear it happens a lot there? Anybody have any ideas as to how they do this? It is a mini hack to me, but still annoying and makes me think they could do major damage if they wanted to. Thanks for the great article!

    peace out,
    Mike Logan

  2. I’ve also added a plugin called Limit Login Attempts which you can customize to limit the amount of attempts someone can use from an IP with the wrong password before they are locked out… It’s a free plugin and seems to work fine. Just an added level of security.

    • Thanks Daniel, that’s a good suggestion. Worth noting though that the recent attacks were able to get around this type of security because the attack was launched from a botnet with some 100,000 nodes in it, which means 100,000 different IP addresses.
