Fix hacked WordPress website

Fix hacked WordPress website

Jan 25, 2021 – 8 min read

Imagine the following scenario. You have a website based on WordPress. A sunny morning you wake up with a cup of coffee and you realise that your website has been hacked. All your plans for the day are gone.

Surely that’s not a very pleasant experience! If you want to avoid such scenarios read the manual below.

Intro

In this article I will speak about hacked WordPress websites and how to fix one. Before we dive into the topic let’s answer one important question. How to recognise that my WordPress website has been hacked?

Well, there is no exact answer to this question but I will go through a few symptoms indicating that your WordPress most probably has been hacked.

  • Your Website is Often Slow or Unresponsive.
  • Bad Links Added to Your Website.
  • You are Unable to Login to WordPress.
  • Suspicious User Accounts in WordPress.
  • Unusual Activity in Server Logs.
  • Unaccessible Directories. Let’s say your website has a forum or a blog accessible with the following URL’s mywebsite.com/forum or mywebsite.com/blog. If your website has been hacked, these directories may no longer be accessible. Quite scary if you have tens or hundreds or articles and posts.
  • Unknown Files and Scripts on Your Server. Open the main directory containing the files of your website.
    • Check the directory and some of the subdirectories for files with strange names (e.g. weiuhw.php, kwqguy.php).
    • Open wp-config.php, index.php (located in the main directory and some of the subdirectories). If your website has been hacked some of these files may contain strange code similar to the one below.
/* G78wxn */
include ('/2x2/23gbc/x1xg/x3gbz/x112e/12z2z'.php);
/* G78wxn */
$jjBweiu4m = 'JInx892n9x2';
$HU389NHx42 = HU389NHx42('4589hwef43');

If your website has some of the symptoms above, it’s definitely advisable to start a diagnostic, identify issues and fix them. My personal opinion is that even if you don’t experience any of these issues, it’s worth the efforts to do a quick diagnostic and take precautions measures and prevent potential hacks.

Step by step I will go through ways to diagnose, find and fix issues caused by hackers as well as taking some precautions measures. Before we start don’t forget to back up your website (files and database)!

0. Restore from a backup

If you have backups for your WordPress site, then it may be best to restore from an earlier point when the site wasn’t hacked. If you can do this, then you’re golden.

1. Remove unknown files and fix scripts

In this chapter we will review the following directories.

  • main WordPress directory
  • wp-admin and wp-includes
  • wp-content

Open the main directory. It should contain files and directories similar to those listed below.

.htaccess
index.php
license.txt
readme.html
robots.txt
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-snapshots
wp-trackback.php
xmlrpc.php

Check for files with suspicious names (e.g. ewfhxe.php, kxbubs.php) and delete them. Open index.php and wp-config.php and remove any suspicious code you see.

The next step is to check the version of the WordPress site. If you use Debian distribution of Linux, use the commands below.

cd /var/www/mywebsite
cd wp-includes
cat version.php

Search for a line of code similar to the one below.

$wp_version = 'X.Y';

Now when we know the version of WordPress (X.Y), let’s download a fresh copy.

cd /var/www/
wget https://wordpress.org/wordpress-X.Y.tar.gz
tar xfz wordpress-X.Y.tar.gz
rm wordpress-X.Y.tar.gz

Open the main directory of the WordPress site and delete the directories wp-admin and wp-includes. They contain hundreds of files which means that finding the infected ones would be very hectic. We can simply delete and replace them with fresh copies from the WordPress distribution we’ve just downloaded.

cd /var/www/mywebsite
rm wp-admin wp-includes

The next step is to add fresh copies of wp-admin and wp-includes but also copies of all files which are in the main WordPress directory (e.g. wp-comments-post.php, xmlrpc.php, wp-mail.php). The reason we replace the files is because they also may be infected.

cd /var/www/wordpress
rm wp-content
mv wp-admin ../mywebsite
mv wp-includes ../mywebsite
cp * ../mywebsite
cd ../
rm -R wordpress

Make sure that all directories and files have the right access configuration and ownership.

chown -R www-data:www-data mywebsite
chmod -R 0755 mywebsite
cd mywebsite

The next step is to open wp-content folder and:

  • Check some of the sub-directories (e.g. plugins) for files with suspicious names and delete them.
  • Check the index.php files containing suspicious code and erase it.

This folder contains hundreds of thousands of files which means that it’s nearly impossible to check everything manually but it’s still good to do some initial manual work in order to be sure that we’ll be able to login to the admin panel. In the next chapter we’ll use a WordPress plugin to complete this process.

Open .htaccess which is located in the main directory of the WordPress website and check for traffic redirects (Note: Do this only if you use Apache Web Service). Sometimes hackers use this technique to bring traffic to another website.

The last step is to open the admin panel and do the following:

  • Check if the administration panel fires any PHP errors. If there are errors caused by a particular plugin, open /var/www/mywebsite/wp-content/plugins/PLUGIN_NAME and deactivate it by changing the name of the directory.
  • Open “Plugins” from the main menu, select all plugins and update them.

Let’s move ahead!

2. Use a WordPress plugin to identify unknown files and fix broken scripts

The plugin we’ll use is Wordfence Security.

Login to the admin panel, choose “Plugins” -> “Add New” and type Wordfence Security in the search field. Install and activate the plugin. After you complete the installation choose “Wordfence” -> “Scan” from the main menu.

What this plugin does is to scan all directories and files of you website and find potential security breaches (e.g. files with suspicious names, suspicious code). But before we start scanning be sure to make the configurations described below.

  • From the main menu choose “Wordfence” -> “Scan”.
  • Click “Manage Scan” which is right below “Scan Type”.
  • In section “Basic Scan Type Options” choose “High Sensitivity”.
  • Be sure all general options are selected.
  • In section “Performance Options” choose “Use low resource scanning (reduces server load by lengthening the scan duration)”.
  • Press “SAVE CHANGES” and “Back to Scan”.

Now when we’re ready start the scanning by clicking “START NEW SCAN”. This may take a while from 5-10 minutes depending on the resources of your machine. Once the process is completed scroll down and check section “Results found”. Worfence will prepare a list of potential security breaches and suggestions how to fix them. Follow the instructions they give!

3. Scan your website vulnerability with WPscan

Simply put WPscan is a security scanner written in Ruby allowing you to scan vulnerabilities of your WordPress site.

To install WPscan, use the command below. Please note that you are required to install Ruby on your machine.

gem install wpscan

If you’d like to do the installation on Docker, check their official GitHub repository – https://github.com/wpscanteam/wpscan.

Once you are ready with the installation, open the Terminal and type the following command (Note: replace mywebsite.com with the website you’d like to scan).

wpscan --url mywebsite.com

The scan may take up to one minute. Once it’s ready go through the generated report. Here are a few things to consider.

WordPress version

Hide the WordPress version of your website. You can do that with various security plugins (e.g. All In One WP Security).

WordPress API

Deactivate WordPress API. If you do not use the API provided by WordPress it’s advisable to disable it. You can do that with various security plugins (e.g. Disable REST API).

XML-RPC

XML-RPC on WordPress is actually an API or “application program interface“. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. A complete list of actions you can do via XML-RPC can be found here https://codex.wordpress.org/XML-RPC_WordPress_API.

If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress. Because some of the plugins you use may use XML-RPC, it’s not advisable to disable it completely.

You can use the WordPress plugin REST XMLRPC Data Checker to disable part of the features provided by XMLRPC. To do that:

  • Open the admin panel and choose “Plugins” -> “Add New”.
  • Type “REST XML-RPC Data Checker” in the search field.
  • Install and activate the plugin.
  • Form the main menu choose “Settings” -> “REST XML-RPC Data Checker”.
  • Click on “XML-RPC” tab.
  • Make sure the following checkboxes are selected:
    • Disable XML-RPC API interface
    • Apply the complete WordPress formatting to the post content body
    • Remove X-Pingback HTTP header
    • Apply trusted methods criteria (and check those features you would like to be allowed). Check if any of the activated plugins require particular XML-RPC method.
  • Press “Save Changes” when you’re ready.

After doing the changes above use the following link to validate them – orilliadentist.com/xml-rpc-validator

Plugins and themes

Deactivate and delete plugins you do not use. Sometimes plugins have security breaches and hackers use that. From that point of view, the less plugins you have, the better.

Also, delete themes you do not use.

WPscan offer much more! To learn more check the documentation they provide – github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation or type:

wpscan --help

4. Change WordPress security keys and salts

WordPress salts, along with their companion security keys, are a cryptographic tool that helps secure your WordPress site’s login.

Specifically, salts and security keys secure information in the cookies that WordPress uses to log you in.

See, once you log in to WordPress, you have the option to stay logged in so that you don’t need to enter your username and password every single time. To accomplish this, WordPress saves your login information in cookies, rather than using PHP sessions.

That’s super convenient for users, but it also opens the potential for a security issue if someone were able to hijack your browser’s cookies.

Therefore, it’s important to change your WordPress salt keys from time to time.

  • Open the main WordPress directory of your website.
  • Open wp-config.php file, scroll down and search for code similar to the one below.
 * @since 2.6.0  
*/ 
define('AUTH_KEY', '@/uN-XapJ+M[CQh~5+6LJQi$I+}Y`>R#*)g pb5sP(DJo rd8 1wTL3[E`=XeBGu'); 
define('SECURE_AUTH_KEY', '?CyZ(h>@sn[K/3^_x(M3RugSy~roy3rs?tW`#n)*aFJ#.Rr+damiE5(SEMpV?Q-j'); 
define('LOGGED_IN_KEY', '-I$)g(|f7-vLoW7-hJ}>7af&pgX*~9>agvi`DB5?)vzb/<2-v;$Aq!Ay+0,lHp>w'); 
define('NONCE_KEY', '*[Q (-|F#9TD29|[email protected]_Drs%z.8Zp55~PNrx-qnHLG%N!yHRjDSOl]Uyo,%/}=$Z'); 
define('AUTH_SALT', '}5t6sooDU3FJ*1MsvJ.R1Z.0-Zs1<9#3i:eEGRDd*8+!J,eU5}fZQ3M-**iu?yv)'); 
define('SECURE_AUTH_SALT', 'f87?e9G4|uu~nu6([email protected]@b%]K}4{N:a.y0Pmvf;~6-*&kEjiIxV?qiBP#P<Vs'); 
define('LOGGED_IN_SALT', '`hA5%;`Us!UH0MtV}Oj0Goj T(+5Z`#unGn/[31Nt6>_MkfIG!a6;)E2OtL9rKA%'); 
define('NONCE_SALT', 'F/BpI_WD,z4%]eFCGQiIs#(a(?%*.2_/cJ{ B[@OO*6uHVf}aU38yi?%4gQ]r{gq'); 
/**#@-*/

To generate new keys open the following links – https://api.wordpress.org/secret-key/1.1/salt/. Copy and replace the old ones. Save and close wp-config.php.

Before you login to the admin panel, clear the browser cookies.

5. Scan all internal and external links on the website

Sometimes hackers place links in your content that lead your visitors to different websites. Use Google Analytics and check where your website is sending traffic and remove any suspicious links you encounter.

The alternative is to open Google and type the following keywords “scan all links on a website”. Click on a few of the suggested tools and scan your website.

6. Additional measures

Remove unused user accounts

Yes. Remove all unused user accounts. Less accounts, less worries.

Change credentials

Change the password of all WordPress and database users as well as the password you use to access your server and hosting account.

So far, so good. I wish you a good day and never to be hacked!

If you need assistance with your website or you have suggestions for improving the content, don’t hesitate to contact me.

No Comments

Post A Comment