We here at ArtDriver love WordPress and use this content management system (CMS) quite often for our clients’ custom web development projects. It’s no secret that the global web community also loves WordPress, given that it is the most popular CMS according to the CMS usage statistics gathered by BuiltWith.
Because WordPress is so popular, it has become one of the key targets for hackers, who constantly try to find WordPress vulnerabilities and break the security of the WordPress software architecture in order to exploit a wide network of WordPress sites for evil purposes. In most cases hackers inject their malicious code into WordPress sites for black-hat SEO purposes (link injection, redirects, etc.) or to create phishing sites that collect users’ personal data or credit card information.
Case Study - How Our WordPress Site Was Hacked
In this blog post I will describe a case study about how one of our corporate WordPress sites had been attacked by a hacker for 4 weeks in a row and what steps we’ve taken to protect ourselves. We hope that those who have been attacked by the same hacker can take the appropriate steps and share their prevention strategies to make the attacker’s efforts useless from this point on.
On August 13, 2013 we received an official email from a DMS (Detect Monitoring Service) Agent from a fraud protection company (I am not including the name and website of the company due to their confidentiality clause in the email signature, but must mention that they position themselves as the Inc 500 Fastest-Growing Company). The email read:
Hello,
Please, help us with this case.
This is an official email from COMPANY NAME. You are hosting a phishing site against one of our bank clients in South America in the following URLs:
http://www.xxxxx (hosted by you)
You should disable this URL in order to prevent further frauds to the affected bank and get all the evidence for a forensic analysis in case that the authorities ask for it.
Thanks for helping make the internet safer.
Frankly, we were quite stunned that our site had been hacked this way and that such a big bank name was involved. The first thing we did was delete the phishing site from a subfolder under our domain; we then responded to the fraud protection company that had emailed us with the following message:
Thanks for your email! We just erased this website from our server. It looks like someone hacked into our site and uploaded those files. I am not sure how this has been done, and if you can advise, that will be highly appreciated. We have a VPS with GoDaddy.
What can we do to prevent this from happening again?
The DMS agent responded with a brief email:
Reset passwords, look for virus and identify security holes in the server.
I appreciated the response but felt that it would have been nice if they had sent us some more details on what measures to take, so that their client’s reputation is protected (which would make their fraud protection service offering even more valuable than it is). In any case, that first response was the only response we ever got to our emails, even though they sent about 10 more phishing site notifications while our site continued to be hacked by the same attacker (an email from the same DMS agent came in every time a new instance of the phishing site was injected into our server), jeopardizing the same bank client’s reputation over and over again.
We also reached out to GoDaddy explaining the problem and offered to pay for their premium support to look into this, but their response was the following:
Thank you for contacting Server Support. This is not something that our Expert Hands team can assist with. They do not assist with security issues on your websites. However, we do offer a product that may assist you with this. Our Website Protection Site Scanner identifies malware links and security gaps on your website that could allow a hacker to steal information, vandalize your site or infect your customers.
Please contact us if you have any further issues.
Needless to say, we have been a GoDaddy client for a number of years now, spending thousands of dollars on their products, but in the end their support was useless here. We did follow their email advice and purchased their Website Protection Site Scanner service; however, a couple of days later our site was hacked again, even though the Website Protection Scanner showed that we did not have any vulnerabilities.
Finally, we realized that there was no one else out there who could help us, and that it was about time for us to dig into the problem and sort it out ASAP.
Here is the step-by-step strategy we have taken to prevent our WordPress site from being hacked again (well, at least by the same hacker who has been giving us trouble for the last month):
1. Reset Passwords
We reset our passwords for FTP, /wp-admin and the web hosting cPanel, making them secure by using lower-case and capital letters, numbers and special characters (e.g. !~}@#...).
2. Amend File Permissions
We amended our file and folder permissions on the server, making sure they were set the way WordPress recommends, i.e. file permissions set to 644 or 640 and folder permissions set to 755 or 750. The only folder that may need to be set to 777 is your uploads folder, and if you do set it to 777, make sure you monitor what is being written to that folder.
Here is a brief overview on how to change your file permissions.
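As an added example (this is not ArtDriver's script, and not part of the original post), the following POSIX shell helper applies the permissions from step 2 to a WordPress tree and then audits it for anything left world-writable, which is the 777 trap the step warns about. The document root passed as the argument and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not ArtDriver's script): apply the step-2 permissions to a
# WordPress tree and audit it for world-writable paths. The root path passed in
# is assumed to be the WordPress document root; function names are hypothetical.

# Set 755 on directories and 644 on files, the values recommended above, and
# tighten wp-config.php to 640 because it holds the database credentials.
# If your host really requires 777 on wp-content/uploads, re-apply that
# afterwards and keep it under the audit below.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Print every file or directory under the root that is writable by "other"
# (the 777/666 trap). Returns 1 when anything is found, so a cron entry such as
#   wp_find_world_writable /var/www/html || mail -s 'world-writable paths' admin
# can alert on drift; returns 0 when the tree is clean.
wp_find_world_writable() {
    root="$1"
    hits=$(find "$root" \( -type f -o -type d \) -perm -002)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone use: sh wp-perms.sh /var/www/html  (the path is an assumption)
if [ -n "$1" ]; then
    wp_fix_perms "$1"
    wp_find_world_writable "$1" || echo "world-writable paths remain; review them"
fi
```

The audit function is the part worth scheduling: permissions drift back whenever a plugin installer or a helpful colleague "fixes" an upload problem with 777, and a nightly run that mails the list of offending paths catches that long before an attacker does.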
3. Update WordPress Software
We always update our WordPress software to the most recent version as soon as it comes out.
4. Update Plugins, Delete Unused/Untrusted Plugins
We’ve gone over the list of all plugins installed on our site and deleted the ones that were not active. We also deactivated and deleted the plugins we thought were not reputable enough (we looked at the number of comments, rating and press coverage to determine the reputability). Finally we updated all active plugins to their most recent versions.
5. Hide WordPress Version Info
It is a small step, but it helps to hide your WordPress version info. The less information you give hackers about your system, the more difficult it is for them to break your security. To hide your WP version, go to functions.php in your theme folder and add the following lines of code:
// hide version information from head and feeds
function complete_version_removal() {
return '';
}
add_filter('the_generator', 'complete_version_removal');
6. Use WordPress Security Keys
In wp-config.php there is a place where you enter unique security keys (salts) that WordPress uses to protect the information stored in your cookies. Go to https://api.wordpress.org/secret-key/1.1/ to generate your keys and update your wp-config.php.
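As an added example that is not part of the original post or of WordPress itself, this shell script regenerates the eight keys directly in wp-config.php from /dev/urandom instead of pasting them from the API page. The practical point after a compromise is that rotating these values invalidates every existing login cookie, so anyone holding a stolen session is logged out along with everybody else. The config path and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not ArtDriver's or WordPress's code): regenerate the eight
# security keys/salts in wp-config.php offline. Rotating them invalidates every
# existing login cookie, so an attacker with a stolen session is logged out.
# The path argument and function names are assumptions for this example.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random alphanumeric characters from the kernel CSPRNG. Alphanumerics only,
# so the value is safe inside a single-quoted PHP string and a sed replacement.
wp_random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Rewrite each define('NAME', '...'); line in the given wp-config.php with a
# fresh value. Works on a temporary copy and moves it into place at the end,
# so a failure midway never leaves a half-edited config behind.
wp_rotate_salts() {
    cfg="$1"
    tmp="$cfg.tmp"
    cp "$cfg" "$tmp"
    for name in $WP_SALT_NAMES; do
        value=$(wp_random_salt)
        sed "s/^define( *'$name', *'[^']*' *);/define('$name', '$value');/" "$tmp" > "$tmp.2" \
            && mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$cfg"
}

# Count how many of the eight keys still hold something other than 64
# alphanumerics (e.g. the sample config's 'put your unique phrase here').
wp_count_weak_salts() {
    weak=0
    for name in $WP_SALT_NAMES; do
        if ! grep -q "^define('$name', '[A-Za-z0-9]\{64\}');" "$1"; then
            weak=$((weak + 1))
        fi
    done
    echo "$weak"
}

# Stand-alone use: sh wp-salts.sh /var/www/html/wp-config.php  (path is an assumption)
if [ -n "$1" ]; then
    wp_rotate_salts "$1"
    echo "keys still weak: $(wp_count_weak_salts "$1")"
fi
```

Run it once as part of the password reset in step 1, and again whenever you suspect a session has leaked; the weak-key count should read 0 afterwards.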
7. Change Your Author Nicknames
Our site accepts guest blog posts, so we register new users to blog for us. Bots scrape WordPress sites to find author tags and then use the author names as usernames to guess the password with brute-force attacks, so it is critical to hide your users’ usernames. To do that, go to the user’s profile page and change the “Display Name Publicly As:” box to something different from the user’s username.
Also, make sure you delete the default username “admin”. You can either create a new user with admin privileges and then log in under it to delete the admin user, or you can change the admin username directly in the database and then reset your password.
8. Rename WordPress Database Prefix
The default prefix is wp_. If you are just installing WordPress, make sure you change the prefix to something unique. If, however, you have already installed WordPress, you should be very careful changing the database prefix. I recommend using the Acunetix security plugin to change the prefix.
9. Setup Regular Backups
It goes without saying that a regular backup plan should be set up for your WordPress site. You can use paid services such as VaultPress or CodeGuard, do manual backups, or install a free backup plugin of your choice.
10. Protect Your wp-login.php
This one is a very critical step for protecting your site from unauthorized user logins. Hackers use all means possible to get hold of your admin credentials, log in to your WordPress admin area and then do whatever they want to your site. There are many ways to protect your site here (limit login attempts, deny certain IP addresses, etc.), but the best option is to prevent anyone but you from logging in to wp-admin by denying access to wp-login.php for all IPs except yours. If you are running Apache, you can simply add the following code to your .htaccess file to accomplish this:
# Restrict WP Login Pages to Your Own IPs
# (Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat,
#  or use "Require ip 111.111.111.111" inside the same <Files> block instead)
<Files wp-login.php>
order deny,allow
Deny from all
# Whitelist your IPs
allow from 111.111.111.111
allow from 222.222.222.222
</Files>
11. Track & Review Your Log Activity
You can install a log tracking plugin of your choice (e.g. Aryo Activity Log) and then monitor the logs. Thanks to this step, we’ve discovered that our site was undergoing a brute force attack - you can see this from the screenshot below (every couple of seconds our login page is hit by an intruder’s machine trying to guess the password, and they’re using different IPs):
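The pattern in that screenshot can also be pulled straight out of the Apache access log, which is useful because a plugin can be disabled by whoever has already broken in while the web server log keeps writing. The following is an added example (not ArtDriver's code and not the Aryo Activity Log plugin); the log lines are constructed for this example in Apache's combined format using documentation IP ranges, and the function names are hypothetical. It goes one step beyond the per-IP count: because the post notes that the attempts come from changing IPs, a second report counts password submissions per minute regardless of source.

```shell
#!/bin/sh
# Added example (not ArtDriver's code, not the Aryo Activity Log plugin):
# brute-force detection against the raw Apache access log with awk.
# The log lines below are constructed for this example (combined log format,
# documentation IP ranges); function names are hypothetical.

sample_log() {
cat <<'EOF'
203.0.113.5 - - [13/Aug/2013:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Aug/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Aug/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Aug/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.12 - - [13/Aug/2013:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.12 - - [13/Aug/2013:10:00:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.13 - - [13/Aug/2013:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.13 - - [13/Aug/2013:10:00:23 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Aug/2013:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Per-client view: print "count ip" for every client with at least $1 POSTs to
# wp-login.php. A GET only renders the form; a POST is a password attempt.
# Combined-format fields: $1 client IP, $4 "[day/mon/year:hh:mm:ss", $6 "\"METHOD",
# $7 request path.
wp_login_bruteforce_report() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Per-minute view: attempts every couple of seconds from changing IPs slip
# under any per-client threshold, so also count POSTs to wp-login.php per
# minute regardless of source and flag minutes at or above $1.
wp_login_burst_report() {
    threshold="${1:-10}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { m[substr($4, 2, 17)]++ }
        END { for (k in m) if (m[k] >= t) print m[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample. Against a real server use e.g.
#   wp_login_bruteforce_report 5 < /var/log/apache2/access.log   (path is an assumption)
echo "clients at or over threshold:"; sample_log | wp_login_bruteforce_report 5
echo "minutes at or over threshold:"; sample_log | wp_login_burst_report 10
```

On the sample the per-client report flags only 198.51.100.7, while the per-minute report flags 10:00 with twelve submissions, the three rotating 192.0.2.x clients included; the minute-level number is the one to alert on, and the per-client list is what feeds the deny rules in step 10.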
12. Install WordPress Security Plugin
If you do not want to get into the nitty-gritty of your server setup, you can install one of the best WP security plugins, Better WP Security (Note: I am not affiliated with them), which can do most of the job for you.
13. Host Your Site With WordPress Specialized Web Hosting
One more piece of good advice is to host your WordPress site with a web host that specializes in hosting WP sites. These hosting companies are normally more expensive than regular shared web hosting firms, but they are worth the money if you want peace of mind. One of the best WordPress web hosting companies is WPEngine.com. Their plans & pricing:
14. Other WordPress Security Related Resources
Here is a list of good articles that advise how to harden your WordPress security:
Advanced WP Security by WPSecure
Not recommended WordPress plugins by WPEngine
How to Search For Backdoors In a WordPress Site by Canton Becker
Common WordPress Malware Infections by Smashing Magazine
Hardening WordPress by Bastian Grimm
Conclusion
WordPress is very vulnerable if you do not take appropriate preventive measures. Do it sooner rather than later and do not rely on third-party help unless you do not know how to protect your site yourself.
For those of you who have read this post till this sentence, I thought I’d reward you with the phishing sites’ names that were injected into our site. Possibly, they’ve been bothering you as well, and we can join forces to fight the hacker together. Here they are:
- bancoestado.cl
- corpbanca.cl
- santader.cl
- bancochile.cl
The hacker injected the above sites into various folders on our server and then linked to them from this site - srf.ae (not sure if these guys are aware of the links to various phishing sites on their site, but they brought over 150 visits with an average visit duration of 6 minutes per visit).
Has your WordPress site been hacked? What steps did you take to protect yourself? Please share your story in the comments area below.