Hacked and back to good – preventing WordPress from getting hacked again


UPDATE 4 – In case you’re looking for the Cliffs Notes on WordPress security – or, what I learned from restoring a site:

Step 1: until you’re off the default settings, assume that every hacker is circling like a school of sharks. You might think that a hacker cares about how popular your site is, or how many posts you have. I’m here to say if it can happen to me, it can happen to you too. These attacks are automated: the bots are written to look for backdoors, workarounds, default settings and any other vulnerability they know about, and your Alexa ranking has nothing to do with the bot’s decision-making process.

Step 2: see what your viewers see. I didn’t get an e-mail alert or a notice that something was awry; I noticed a link leading to a pill site, which led me down this whole rabbit hole.

Step 3: the sooner you start, the sooner you’re done. I’ve been told you can’t plugin your way to security. That may be so – but then again, perfect security is impossible in this world. Haven’t you seen Die Hard 4?

There are many, many security-related WordPress plugins out there – I certainly couldn’t vouch for them all – but these are the ones I’ve come across and/or played with during the last couple of days. Geek level 1 is turning your computer on; geek level 10 is writing machine code for hidden operating system files inside a command terminal.

  • Exploit Scanner brings back lots of false positives, but appears sensitive enough to catch hacks on a number of levels. Good for seeing whether you’ve picked something up. Geek level: 3 to run, 6 to understand the results.
  • WP Security Scan is relatively helpful for checking your current security status. There’s a built-in tool to change the prefix of your database tables (from “wp_” to something else), but I couldn’t get it to work (see update #2 for a manual way that worked for me). Geek level: 4.
  • EZPZ is actually a dead-simple backup tool – exactly the sort of thing you need to run before you’re hacked, and again after you’re sure you’re clean. If self-hosted, your cPanel or other back-end server tool has some backup tools as well. Geek level: 2.
  • Login LockDown – stops someone brute-forcing a password by locking them out after a number of incorrect attempts. Geek level: 2.
  • Search & Replace – a very powerful way of finding (and replacing) something across your blog, front end and back end. For the more geeky among us, it executes a standard SQL query, so backing up your database before starting is a good idea; note too that a plain replace corrupts PHP-serialized values (widget settings and some post meta), because the string lengths stored inside them no longer match. Works as promised, although the result is only as strong as your input (tell it to find ‘blog’ and replace it with nothing and you’ll find yourself in a heap of trouble). Geek level: 4.
  • Secure WordPress (HT to Simon) fixes a lot of small, almost invisible options that only the geeks and hackers would notice. It’s the equivalent of changing your bike lock from the default combination of ’0000′ to something a bit more random: it won’t stop a determined attacker, but it makes automated attacks a little harder. Geek level: 3 (the plug-in does the work for you).

A couple other tools I’ve made use of or looked into:

Step 4: it starts and ends with you. The plugins are tools – it’s how you use them that determines their effectiveness. If you haven’t been hacked, now is a great time to generate a new, strong password, bring WordPress and every plugin up to date, and put a clean backup in a couple of different places. If you see any unusual activity, deal with it the day you notice it: the longer an injected link or a backdoor sits there, the more of your posts (and of your backups) it ends up in.
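Step 2 (see what your viewers see) and the Search & Replace note are, between them, a detection problem and a cleanup problem. The script below is an added example, not code from this post or from any of the plugins listed above. It assumes the post HTML has already been pulled out of the database (for instance with `SELECT ID, post_content FROM wp_posts`): it flags anchors that point at a host outside an allow-list or that are hidden with inline CSS, strips the flagged ones, and shows how to do a replacement inside a PHP-serialized value without breaking it. The sample post, the allow-list and the domain `cheap-meds.example` are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to appear in links. Constructed for this example; a real site
# lists its own domain plus the sites it genuinely links to.
ALLOWED_HOSTS = {"chrisinsouthkorea.com", "wordpress.org"}

# <a ...href="..."...>text</a>, with the attribute text on either side of href
# captured so hidden-link styles can be inspected.
ANCHOR_RE = re.compile(
    r'<a\s+([^>]*?)href=["\']([^"\']+)["\']([^>]*)>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)
# Inline styles spammers use so readers never see the link but crawlers do.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.)",
    re.IGNORECASE,
)


def _host(href):
    """Lower-cased host of an href with a leading www. dropped; '' for
    relative links, which are treated as on-site."""
    host = (urlparse(href).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_injected_links(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (href, reason) for every anchor that points off-site to a host
    not on the allow-list, or that is hidden with inline CSS."""
    findings = []
    for m in ANCHOR_RE.finditer(html):
        attrs, href = m.group(1) + m.group(3), m.group(2)
        host = _host(href)
        if host and host not in allowed_hosts:
            findings.append((href, "off-site host " + host))
        elif HIDDEN_RE.search(attrs):
            findings.append((href, "hidden anchor"))
    return findings


def strip_injected_links(html, allowed_hosts=ALLOWED_HOSTS):
    """Remove flagged anchors, tag and text together: the anchor text is the
    spammer's keyword, not part of the post."""
    flagged = {href for href, _ in find_injected_links(html, allowed_hosts)}
    return ANCHOR_RE.sub(lambda m: "" if m.group(2) in flagged else m.group(0), html)


def php_serialized_replace(data, old, new):
    """Replace old with new inside the strings of a PHP-serialized value,
    recomputing each s:N:"..."; byte length so the value still unserializes.
    WordPress stores widget settings and some meta this way; a plain SQL
    REPLACE leaves the old N behind and PHP then discards the whole value."""
    raw, old_b, new_b = data.encode("utf-8"), old.encode("utf-8"), new.encode("utf-8")
    pat = re.compile(rb's:(\d+):"')
    out, i = [], 0
    while (m := pat.search(raw, i)):
        n, start = int(m.group(1)), m.end()
        end = start + n                      # PHP counts bytes, not characters
        if raw[end:end + 2] != b'";':        # not a real string header; skip it
            out.append(raw[i:m.end()])
            i = m.end()
            continue
        body = raw[start:end].replace(old_b, new_b)
        out.append(raw[i:m.start()] + b's:%d:"' % len(body) + body + b'";')
        i = end + 2
    out.append(raw[i:])
    return b"".join(out).decode("utf-8")


# A constructed post with one hidden pharmacy link among legitimate ones.
SAMPLE_POST = (
    '<p>Seoul subway tips. <a href="http://www.wordpress.org/">WordPress</a> '
    '<a href="http://cheap-meds.example/buy" style="display:none">cheap pills</a> '
    '<a href="/2011/01/photos/">my photos</a></p>'
)
# A constructed serialized option value, as a widget setting sits in wp_options.
SAMPLE_SERIALIZED = 'a:1:{i:0;s:25:"buy <a href="x">pills</a>";}'

if __name__ == "__main__":
    for href, why in find_injected_links(SAMPLE_POST):
        print("flagged:", href, "(" + why + ")")
    print(strip_injected_links(SAMPLE_POST))
    print(php_serialized_replace(SAMPLE_SERIALIZED, '<a href="x">pills</a>', ""))
```

Run the detector over every row first and read the flagged list before stripping anything: a legitimate link to a site you forgot to allow-list looks exactly like an injected one, and the serialized replacement is the part a generic search-and-replace plugin gets wrong.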

____________

UPDATE 3 – OK, the site is back to normal. Carry on with your normal viewing :) Older posts may have a larger-than-normal thumbnail – not sure how that happened, but it’s been manually corrected with the newer posts. I’ll be keeping a close eye on the site to see if anything else pops up, but for right now it’s time to get back to writing.

____________

UPDATE 2 – One common way to tighten up your WordPress site is to change your database table prefix. By default it’s “wp_”, and because almost nobody changes it, canned SQL-injection attacks can simply hard-code table names like wp_users and wp_options. I owe thanks to Semfer Fi Web Designs for providing some excellent directions for accomplishing it manually. The geek scale is about an 8 1/2 – somewhere between editing theme files and writing one of your own.

The bottom line: changing your database table prefix to a random string of numbers and letters is less a brand-new deadbolt than a non-standard lock. It defeats the attacks that assume “wp_”, but an attacker who already has your database password, or can run code on the server, reads the real prefix straight out of wp-config.php. It doesn’t clean up the mess in the house, so it comes after changing passwords, updating, and restoring from a clean backup, not instead of them.
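The manual prefix change is mostly mechanical, but the step people miss comes after the tables are renamed: the options and usermeta tables hold keys whose names embed the prefix (wp_user_roles, wp_capabilities, wp_user_level and friends), and if those keep their wp_ names every account loses its capabilities and nobody can log in. The helper below is an added example, not the directions from Semfer Fi Web Designs or the plugin tool mentioned above. It builds the MySQL statements for a given old and new prefix from the standard WordPress 3.x core table list (assumed here; compare it with SHOW TABLES on your own install, since plugins add prefixed tables of their own) and the known prefixed keys, and it picks a random prefix. Take a full database backup before running the output.

```python
import re
import secrets
import string

# Core WordPress 3.x tables, without prefix. Assumed for the example; plugins
# add their own prefixed tables, so compare with what SHOW TABLES returns.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]
# Keys whose names embed the table prefix and must be renamed along with it.
PREFIXED_OPTION_KEYS = ["user_roles"]
PREFIXED_USERMETA_KEYS = [
    "capabilities", "user_level", "user-settings", "user-settings-time",
    "dashboard_quick_press_last_post_id",
]
PREFIX_RE = re.compile(r"^[a-z][a-z0-9_]*_$")


def random_prefix(length=6):
    """A fresh prefix such as 'k7q2xz_': a letter, then letters/digits, then '_'."""
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """MySQL statements that move a WordPress database from prefix old to new.
    Renaming the tables alone is not enough: option_name / meta_key values
    such as wp_user_roles and wp_capabilities carry the prefix as well."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError("prefix must be lowercase letters/digits ending in '_': %r" % p)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old, t, new, t) for t in tables]
    stmts += [
        "UPDATE `%soptions` SET option_name = '%s%s' WHERE option_name = '%s%s';"
        % (new, new, k, old, k) for k in PREFIXED_OPTION_KEYS
    ]
    stmts += [
        "UPDATE `%susermeta` SET meta_key = '%s%s' WHERE meta_key = '%s%s';"
        % (new, new, k, old, k) for k in PREFIXED_USERMETA_KEYS
    ]
    # Anything still carrying the old prefix after this is a plugin's key;
    # LEFT() is used rather than LIKE because '_' is a LIKE wildcard.
    stmts.append("SELECT option_name FROM `%soptions` WHERE LEFT(option_name, %d) = '%s';"
                 % (new, len(old), old))
    stmts.append("SELECT meta_key FROM `%susermeta` WHERE LEFT(meta_key, %d) = '%s';"
                 % (new, len(old), old))
    stmts.append("-- finally, in wp-config.php: $table_prefix = '%s';" % new)
    return stmts


if __name__ == "__main__":
    print("\n".join(prefix_migration_sql("wp_", random_prefix())))
```

Run the two SELECTs at the end and rename by hand whatever they return; only when both come back empty is the old prefix really gone.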

_____________

UPDATE 1 – I’ve done my best to nuke the offending links (and most of the text) through searching-and-replacing on the backend. If you see anything wonky, let me know ASAP. If this happens again, I can always nuke it altogether and re-upload what needs to be uploaded. FWIW, this sucks.

______________

Well, folks, it looks like some nefarious hacker has had their way, and my site has gotten hacked. Thanks to a vulnerability in WordPress, PHP, some other coding thing, or the guy sitting behind the keyboard, virtually every post from the beginning to a couple days ago has a randomly-inserted link to an online pharmaceutical website. I’ve gone into full-cleanup mode, changing password, disabling things, yadda yadda yadda – so bear with the site for the next few days. If you see any weird links, DON’T CLICK ON THEM. Your feeds are fine, your computers are fine (well, at least my blog didn’t infect it with anything), and your visits are fine. If you see anything exceptionally wonky, e-mail me at chrisinsouthkorea AT gmail DOT com. I’ll try to have everything sorted out in the next few days to a week.

Creative Commons License © Chris Backe – 2011

This post was originally published on my blog ,Chris in South Korea. If you are reading this on another website and there is no linkback or credit given, you are reading an UNAUTHORIZED FEED.
