Difference between revisions of "WordPress Site Hacked"

From Hostek.com Wiki
(More Information)
Line 3: Line 3:
 
__FORCETOC__
 
__FORCETOC__
  
==WordPress Site Hacked==
+
==Introduction==
Lately there have been more and more hacker attacks on WordPress Sites. This is from exploiting a vulnerability in WordPress Themes and Plugins.
+
  
==What to do==
+
This article explains what to do if your WordPress site is compromised by a hacker and how to resolve the issue.  If you find that the steps in this article are too technically challenging, please contact our support team and explain the situation; and we can offer assistance with getting your site back to normal.
If your WordPress installation on our servers was hacked here are a few things to do.
+
 
 +
 
 +
==Causes==
 +
 
 +
The following are the most common way that a WordPress site gets compromised:
 +
 
 +
* Your desktop or laptop computer gets a virus/spyware/malware application installed, and that application records your login keystrokes on the WordPress site([https://en.wikipedia.org/wiki/Keystroke_logging keylogger]) and sends the username/password to the hacker.
 +
* The WordPress site contains a theme with a vulnerability
 +
* The WordPress site contains a plugin with a vulnerability
 +
 
 +
 
 +
==Remedy==
 +
 
 +
Below are some steps you can take to fix your WordPress site:
 +
 
 +
# Move everything except the /wp-config.php file into a backup directory (you can name it something like /Quarantine or /OLD)
 +
# Create a backup of your MySQL database through PHPMyAdmin (Accessible from your hosting control panel)
 +
# '''NOTE: Steps 1 and 2 are critical.  If anything goes wrong, the backup of your site files and database will allow you to revert the changes.'''
 +
# Download the latest version of WordPress here: https://wordpress.org/download/
 +
# Upload the files and folders from the latest version of WordPress that you downloaded.  This should replace the /wp-admin, /wp-includes, index.php, etc. that you moved to the backup folder in the first step.
 +
# Edit your wp-config.php file and ensure nothing bad was added by the hacker (this can often be a snippet of code added to the beginning or end of the file that shouldn't be there.  If you are unsure, compare the wp-config.php file with the wp-config-sample.php that came with version of WordPress you downloaded in step one)
 +
# Update the MySQL database password and place the new password in the wp-config.php file because the hacker may have gotten the old password
 +
# Log into the WordPress admin (/wp-login.php) and navigate to the 'Users' section.  The hacker may have added some additional users to your site so you should delete any users that you did not add.
 +
# Update the password for all of the valid WordPress users in-case that is how the hacker got into the site
 +
# Go to the 'Settings'->'Permalinks' page and click 'Save'.  This will re-create your .htaccess(Apache) or web.config(IIS) file.
 +
# Copy everything from your old /wp-content/Uploads folder into your new /wp-content folder.  This will bring over any images, audio, and video that were previously uploaded to your site.
 +
# Re-install any plugins and themes you were using on the site.  If you had made modifications to your theme or plugins and need to bring the files over from the backup of the site, be very careful.  The hacker may have injected bad code into your old theme and/or plugin files that will allow them to get back into the site.  You should only move over files that are absolutely necessary and check the content of those files for anything suspicious.
 +
 
 +
 
 +
==Adding extra security==
 +
 
 +
These are some extra steps you can take to lock down your WordPress installation.
 +
 
 +
* Disable file editing through the WordPress by adding "''define('DISALLOW_FILE_EDIT', true);''" to your wp-config.php file - reference: [https://codex.wordpress.org/Hardening_WordPress#Disable_File_Editing]
 +
* Disable direct script execution in both your /wp-content and /wp-includes directories.  The PHP files in these directories should only be used via includes from the core WordPress code and not directly.
 +
* Add Basic authentication to your /wp-admin directory.  This will cause your administrator section to require a double-login, but it adds an extra layer of security to your WordPress admin dashboard.
 +
 
 +
 
 +
==Additional considerations==
 +
 
 +
Here are some additional considerations to take after an event.
 +
 
 +
* Scan the desktop or laptop computer you use to administer the site for malware.
 +
* Update your FTP password.
  
#Restore of your site files to last known working date. If you do not have a backup of your files you can request a restore from our backups by submitting a support ticket at [http://support.hostek.com support.hostek.com]
 
#Update your WordPress Password and FTP Passwords
 
#Update your WordPress Installation to the latest stable version.
 
#Update your Themes and Plugins to the latest stable versions.
 
#Scan your local computer for Viruses and Malware.
 
#Check your .htaccess file for malicious code. You can use notepad++ to edit your file. [http://notepad-plus-plus.org/download/v6.2.html Download Notepad++]
 
  
 
==More Information==
 
==More Information==
  
 
https://codex.wordpress.org/Hardening_WordPress <br>
 
https://codex.wordpress.org/Hardening_WordPress <br>
[http://wordpress.org/support/topic/site-got-hacked-lost-admin-privelages wordpress.org/support/topic/site-got-hacked-lost-admin-privelages] <br>
 
 
[http://codex.wordpress.org/FAQ_My_site_was_hacked codex.wordpress.org/FAQ_My_site_was_hacked]
 
[http://codex.wordpress.org/FAQ_My_site_was_hacked codex.wordpress.org/FAQ_My_site_was_hacked]
  
 
[[Category:WordPress]]
 
[[Category:WordPress]]
 
[[Category:Security]]
 
[[Category:Security]]
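
Review bot: Step 6 of the new Remedy list points at the WordPress version "downloaded in step one", but the download is the fourth numbered item. The bold NOTE is also written as a "#" list item, so it is counted as a step. Point the reference at the download step and make the NOTE an unnumbered line. The step that copies the old /wp-content/Uploads folder back also carries none of the caution the following step gives for themes and plugins. It should say to check that folder for PHP files before copying, and should use WordPress's default lowercase "uploads" directory name, since case matters on Linux hosts.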

Revision as of 20:10, 30 May 2017

IMPORTANT NOTE: Be sure to keep your WordPress install up to date AND keep your themes and plugins up to date.


Introduction

This article explains what to do if your WordPress site is compromised by a hacker and how to resolve the issue. If you find that the steps in this article are too technically challenging, please contact our support team and explain the situation, and we can offer assistance with getting your site back to normal.


Causes

The following are the most common ways that a WordPress site gets compromised:

  • Your desktop or laptop computer gets a virus/spyware/malware application installed, and that application (a keylogger) records your login keystrokes on the WordPress site and sends the username/password to the hacker.
  • The WordPress site contains a theme with a vulnerability.
  • The WordPress site contains a plugin with a vulnerability.


Remedy

Below are some steps you can take to fix your WordPress site:

  1. Move everything except the /wp-config.php file into a backup directory (you can name it something like /Quarantine or /OLD).
  2. Create a backup of your MySQL database through phpMyAdmin (accessible from your hosting control panel).
  3. NOTE: Steps 1 and 2 are critical. If anything goes wrong, the backup of your site files and database will allow you to revert the changes.
  4. Download the latest version of WordPress here: https://wordpress.org/download/
  5. Upload the files and folders from the latest version of WordPress that you downloaded. This should replace the /wp-admin, /wp-includes, index.php, etc. that you moved to the backup folder in the first step.
  6. Edit your wp-config.php file and ensure nothing bad was added by the hacker (this is often a snippet of code added to the beginning or end of the file that shouldn't be there). If you are unsure, compare the wp-config.php file with the wp-config-sample.php that came with the version of WordPress you downloaded in step one.
  7. Update the MySQL database password and place the new password in the wp-config.php file, because the hacker may have gotten the old password.
  8. Log into the WordPress admin (/wp-login.php) and navigate to the 'Users' section. The hacker may have added some additional users to your site, so you should delete any users that you did not add.
  9. Update the password for all of the valid WordPress users in case that is how the hacker got into the site.
  10. Go to the 'Settings'->'Permalinks' page and click 'Save'. This will re-create your .htaccess (Apache) or web.config (IIS) file.
  11. Copy everything from your old /wp-content/Uploads folder into your new /wp-content folder. This will bring over any images, audio, and video that were previously uploaded to your site.
  12. Re-install any plugins and themes you were using on the site. If you had made modifications to your theme or plugins and need to bring the files over from the backup of the site, be very careful. The hacker may have injected bad code into your old theme and/or plugin files that will allow them to get back into the site. You should only move over files that are absolutely necessary and check the content of those files for anything suspicious.
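
One way to check the quarantined files before copying uploads or modified theme files back (steps 11 and 12) is a small scan like the one below. It is an added example, not Hostek's or WordPress's own tooling; the pattern list is a heuristic assumption, and the function names and sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Heuristic patterns (assumed, not exhaustive): rare in legitimate theme/plugin code.
SUSPICIOUS = {
    "eval of decoded data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request data executed": re.compile(
        rb"(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}

def scan_quarantine(root):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        parts = path.relative_to(root).parts
        rel = "/".join(parts)
        # An uploads folder should hold media only, so any PHP file there is flagged.
        if any(p.lower() == "uploads" for p in parts[:-1]):
            findings.append((rel, "PHP file in uploads folder"))
        data = path.read_bytes()
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(data):
                findings.append((rel, reason))
    return sorted(findings)

def build_sample(root):
    """Create a small constructed quarantine tree for the demonstration."""
    files = {
        "wp-content/uploads/2017/05/photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "wp-content/uploads/2017/05/cache.php": b"<?php echo 'constructed'; ?>",
        "wp-content/themes/mytheme/functions.php": b"<?php add_action('init', 'my_setup'); ?>",
        "wp-content/themes/mytheme/footer.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_quarantine(tmp):
            print(f"{reason}: {rel}")
```

A clean result does not prove a file is safe; the scan only narrows down which files need a manual read before they leave the backup directory.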


Adding extra security

These are some extra steps you can take to lock down your WordPress installation.

  • Disable file editing through WordPress by adding "define('DISALLOW_FILE_EDIT', true);" to your wp-config.php file - reference: https://codex.wordpress.org/Hardening_WordPress#Disable_File_Editing
  • Disable direct script execution in both your /wp-content and /wp-includes directories. The PHP files in these directories should only be used via includes from the core WordPress code and not directly.
  • Add Basic authentication to your /wp-admin directory. This will cause your administrator section to require a double-login, but it adds an extra layer of security to your WordPress admin dashboard.


Additional considerations

Here are some additional considerations to take after an event.

  • Scan the desktop or laptop computer you use to administer the site for malware.
  • Update your FTP password.


More Information

https://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/FAQ_My_site_was_hacked