If you are running a WordPress blog, chances are it will be hacked at some point due to the many vulnerabilities that are constantly being uncovered in both WordPress and plug-ins. I’ve had hacks several times over the years to this blog and recently came across another. There was nothing obvious about this hack and I probably would never have noticed it except for Google search results for my site returning the disclaimer “This site may be hacked”. Google can detect hacks when it crawls and fetches a site; if it detects anything potentially malicious, it will flag that site in search results.
I’ve become pretty WordPress savvy: I know my way around the core files, themes and the database very well and can typically spot anything that looks hacked. This one was a bit tough and took me at least 4-5 hours to uncover. As I mentioned, the site looked normal, but in the page source I could see spam text and links. So, determined to find the cause, I went through my usual troubleshooting process.
- Get an FTP client like FileZilla and check the obvious files like index.php and .htaccess. I did find a few index.php files scattered around which looked suspicious, so I removed them all except for the one in the root directory, but that didn’t fix it.
- Look for .php files that don’t belong, I know the core WordPress files well so I know what shouldn’t be there, didn’t really find anything.
- Check your wp-config.php file, this one contains your database and other config info and is a commonly hacked file, mine was OK.
- Check your WordPress tables, I use PHPMyAdmin to browse the db tables, the WP_OPTIONS table is the main config table and is another commonly hacked table. I’ve had malicious rows injected in this table in the past, this time mine was OK. An easy way to look through all your table data is just export it to a .sql file and open it in a text editor.
- Check your plug-ins, I disabled most of them and tested my site and the problem was still there. So that eliminated the plug-ins as the cause. One key thing to check though is to look for hidden plug-ins in the Active Plugins row in your WP_OPTIONS table.
- Replace WordPress core files, I downloaded a copy of 4.4.2 and manually FTP’d the files in wp-admin and wp-includes to the server to overwrite them with fresh copies, also the wp*.php files in the root directory. That didn’t help in my case.
- Check your theme, I confirmed the theme was the culprit by switching to another theme and the hack disappeared. I didn’t want to replace my theme with a fresh copy as I did some hacking and customization to it to get it exactly like I wanted it. I did examine all the files looking at date stamps and did notice one way newer than the others; it was a theme-search.php file, and when I opened it there was a bunch of obfuscated text in it, which definitely looked suspicious. I did have multiple backups, so I compared the contents of them and that file was definitely not there before. So I deleted that file but the hack was still there. Next I copied all the theme files from the backup, overwriting the current ones, and that did the trick. I suspect some of the theme files were altered but in a way that preserved their date/time stamps.
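Because altered theme files can keep their original date/time stamps, comparing file contents against a known-good backup by hash is more reliable than reviewing dates. The following is an added example, not code from the original post; the function names and the constructed sample directories (built in a temporary folder) are illustrative assumptions.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(live_root, backup_root):
    """Report files added to, modified in, or missing from the live copy."""
    live, backup = hash_tree(live_root), hash_tree(backup_root)
    return {
        "added": sorted(live.keys() - backup.keys()),
        "modified": sorted(p for p in live.keys() & backup.keys() if live[p] != backup[p]),
        "missing": sorted(backup.keys() - live.keys()),
    }

def build_sample():
    """Constructed sample: a clean backup and a live theme that differs from it."""
    base = tempfile.mkdtemp()
    live, backup = os.path.join(base, "live"), os.path.join(base, "backup")
    clean = {"index.php": b"<?php get_header(); ?>\n",
             "footer.php": b"<?php wp_footer(); ?>\n"}
    for root in (live, backup):
        os.makedirs(root)
        for name, body in clean.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
    # footer.php: content changed, mtime copied from the backup (dates look normal).
    target = os.path.join(live, "footer.php")
    stamp = os.stat(os.path.join(backup, "footer.php"))
    with open(target, "ab") as fh:
        fh.write(b"<!-- constructed extra markup -->\n")
    os.utime(target, ns=(stamp.st_atime_ns, stamp.st_mtime_ns))
    # theme-search.php: a file the backup never contained.
    with open(os.path.join(live, "theme-search.php"), "wb") as fh:
        fh.write(b"<?php /* constructed placeholder */ ?>\n")
    return live, backup

if __name__ == "__main__":
    for kind, paths in compare_trees(*build_sample()).items():
        print(f"{kind}: {paths}")
```

To use it on a real site, download the live theme folder and point `compare_trees` at it and at the extracted backup copy of the same theme.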
Now that the hack was gone, I went to Google Webmaster Tools and requested a Fetch of my site, which basically has the Google bots re-crawl it. A few hours later my hack message in Google search was gone. It’s a good idea to periodically check your blog for vulnerabilities, malicious code and hacks. Here are some tools to help you with this by checking your site externally:
- Aw Snap – has a good collection of tools and information to both check your blog for malicious code and recover from hacks. The File Viewer will check a website for malicious redirects, malicious scripts and other bad stuff.
- Is It Hacked? – checks to see if your site is cloaked to GoogleBot, has spammy links, funny redirects, or otherwise appears to be hacked. They’ll fetch your site and analyze it for signs of an infection by doing multiple checks, from detecting spam links, hidden text, up to sophisticated cloaking.
- Sucuri SiteCheck – will check the website for known malware, blacklisting status, website errors, and out-of-date software.
- Google Webmaster Tools – add your site as a property and then you can see any security issues that Google has detected when they crawl your site, you can also request a re-crawl (fetch) of your site.
You should also check your site internally; external scanning can’t check your files and database, so you need a security plug-in to scan internally. Here are a couple of good ones. I wouldn’t recommend having these all active simultaneously, but sometimes one scanner will find something that another doesn’t, so it’s good to activate and use them one by one and use the one that works best for you:
- Wordfence Security – I liked this one the best, has tons of customization options for scanning and real-time protection. It does vulnerability scanning, user monitoring, anti-virus, firewall, high speed cache and much more. It does a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins, it also checks your WordPress database.
- Theme Authenticity Checker (TAC) – searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code.
- Exploit Scanner – searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
- Sucuri Security – a security suite meant to complement your existing security posture. It offers its users four key security features for their website, each designed to have a positive effect on their security posture.
- Anti-Malware Security and Brute-Force Firewall – searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.
- All In One WP Security & Firewall – will take your website security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
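The active-plugins check from the troubleshooting steps (also automated by Exploit Scanner, as noted above) can be done by hand on the `active_plugins` value from WP_OPTIONS, which WordPress stores as a PHP-serialized array of plugin file paths. This is an added example, not code from the post or from any of the plug-ins listed; the sample value, the `EXPECTED` list and the entries `wp-stats/loader.php` and `tmp/readme.txt` are constructed for illustration.

```python
import re

ELEMENT = re.compile(rb'i:\d+;s:(\d+):"')
USUAL_NAME = re.compile(r"^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*\.php$")

# Constructed sample of an active_plugins option value.
SAMPLE = ('a:4:{i:0;s:19:"akismet/akismet.php";i:1;s:23:"wordfence/wordfence.php";'
          'i:2;s:19:"wp-stats/loader.php";i:3;s:14:"tmp/readme.txt";}')
# Assumption: the plug-ins you know you installed.
EXPECTED = {"akismet/akismet.php", "wordfence/wordfence.php"}

def parse_active_plugins(serialized):
    """Parse a PHP-serialized array of strings (the active_plugins layout)."""
    data = serialized.encode("utf-8")          # PHP string lengths count bytes
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        m = ELEMENT.match(data, pos)
        if not m:
            raise ValueError("unexpected element at byte %d" % pos)
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("declared string length does not match the data")
        items.append(data[m.end():end].decode("utf-8"))
        pos = end + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("array not terminated")
    return items

def audit_plugins(active, expected):
    """Return (entry, reason) for each active entry that needs a closer look."""
    findings = []
    for entry in active:
        if not USUAL_NAME.match(entry):
            findings.append((entry, "unusual filename"))
        elif entry not in expected:
            findings.append((entry, "not in the list of plugins you installed"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit_plugins(parse_active_plugins(SAMPLE), EXPECTED):
        print(f"{entry}: {reason}")
```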
3 comments
Eric,
What were the contents of the code you removed from your template? Do you know how they gained access to edit your template?
A couple of tips I’d recommend and use myself are to set up Google 2-factor authentication and also restrict wp-login.php access to only a few trusted IPs.
-Michael
Author
Not sure of the other template files as I didn’t want to go through them one by one and just overwrote them from backup. Here’s a look at the theme-search file that was added: http://vsphere-land.com/wp-content/uploads/theme.png
WordFence has some good login security options and auditing, good suggestion on 2 factor, I’ll have to look into that to see if there are any WordPress plug-ins that support that. After a quick look I found these:
https://wordpress.org/plugins/miniorange-2-factor-authentication/
https://wordpress.org/plugins/google-authenticator/
Thanks for mentioning us and do let us know if you need more information about how Sucuri services work.