Wordpress theme infected?



jamesray50
08-15-2013, 10:39 AM
My wordpress has been infected and I didn't even notice it. An associate notified me of this and is trying to fix it, so far has not been able to. In the meantime she has switched me to a temporary theme until she can figure it out. She said there was a brute force attack on Wordpress a few weeks ago. I didn't hear anything about that. Has anyone here been affected by this? This lady has taken me under her wing and keeps my Wordpress and plug-ins updated. Had she not been monitoring my website I would have never known, would I? Is there something I should be doing to keep something like this from happening again? Per her instructions I have changed my password to a more complicated password but was wondering if there was anything else I should be doing?

Thanks,

Business Attorney
08-15-2013, 11:05 AM
I have not seen recent references to a brute force attack, but attacks on my wordpress sites are pretty regular.

Here are some protective actions you can take:

1. Don't use "admin" for the username of your admin function. Someone needs both your username and password to get into your site. When you leave "admin" as a username you have given them half of the key to your site. Now they only need to work on the other half.
2. Don't install any themes where you are not comfortable with the source. I frequently get phishing emails where they want me to click on a link address that goes to the themes folder of an unsuspecting website. Offering a free theme is an easy way for a hacker to install a trojan horse.
3. Apply all updates to WordPress, plugins and themes immediately. Often the updates include security fixes. A couple of years ago I was hacked because a theme used an older version of timthumb, an image resizing script.
4. Don't install plugins of unknown origin.
5. Uninstall and delete all plugins and themes you are not using. The more stuff you have sitting in your WordPress installation, the more likely it is that someone will find a hole.
6. Use a very strong password, preferably at least 8 characters long and consisting of both letters, numbers and characters like "Th!5!5MyPa55w0rd"
7. Do not use the same password for multiple purposes
8. Change the password occasionally (I don't often follow this particular advice myself if it is a very strong password that I never use in a public setting, but it is still good advice)
9. Be careful of using your password on public computers or over unsecured networks such as public WiFi. When it comes to WordPress hacks, this is not likely to be the source of the problem since most attacks originate on the other side of the planet, but it is still good to be wary.

Harold Mansfield
08-15-2013, 11:29 AM
I have not seen recent references to a brute force attack, but attacks on my wordpress sites are pretty regular.

Here are some protective actions you can take:

1. Don't use "admin" for the username of your admin function. Someone needs both your username and password to get into your site. When you leave "admin" as a username you have given them half of the key to your site. Now they only need to work on the other half.
2. Don't install any themes where you are not comfortable with the source. I frequently get phishing emails where they want me to click on a link address that goes to the themes folder of an unsuspecting website. Offering a free theme is an easy way for a hacker to install a trojan horse.
3. Apply all updates to WordPress, plugins and themes immediately. Often the updates include security fixes. A couple of years ago I was hacked because a theme used an older version of timthumb, an image resizing script.
4. Don't install plugins of unknown origin.
5. Uninstall and delete all plugins and themes you are not using. The more stuff you have sitting in your WordPress installation, the more likely it is that someone will find a hole.
6. Use a very strong password, preferably at least 8 characters long and consisting of both letters, numbers and characters like "Th!5!5MyPa55w0rd"
7. Do not use the same password for multiple purposes
8. Change the password occasionally (I don't often follow this particular advice myself if it is a very strong password that I never use in a public setting, but it is still good advice)
9. Be careful of using your password on public computers or over unsecured networks such as public WiFi. When it comes to WordPress hacks, this is not likely to be the source of the problem since most attacks originate on the other side of the planet, but it is still good to be wary.


That's a good list.
I would add to install a security plugin that allows you to change the destination of your login page. Every hacker knows that WordPress' default login page is /wp-admin, so that's where they look to get in.
Change that page to a different URL, and they won't know where to look.
Here's one that lets you do just that:
WordPress › Better WP Security « WordPress Plugins (http://wordpress.org/plugins/better-wp-security/)

It has a lot of other settings that are very useful for keeping your site secure.
But, be careful with it. Either do a little reading about how it works, or have someone set it up that knows what they are doing so that you don't lock yourself out of your own site.

jamesray50
08-15-2013, 03:10 PM
Thank you both for replying. I will do everything you both suggested.

billbenson
08-15-2013, 04:16 PM
Jeff (MyItGuy) had a process for building a program to check for changes in your installation. You could have someone build something similar if nothing already exists.

Alternatively, do a nightly backup so you can do a restore the next day. This won't alert you if you have been hacked however.

Someone correct me if I'm wrong on this, but the db is far less frequently hacked than the program files.

Harold Mansfield
08-15-2013, 04:22 PM
Jeff (MyItGuy) had a process for building a program to check for changes in your installation. You could have someone build something similar if nothing already exists.

Alternatively, do a nightly backup so you can do a restore the next day. This won't alert you if you have been hacked however.

Someone correct me if I'm wrong on this, but the db is far less frequently hacked than the program files.

Most hosts have automatic backup daily and weekly.
The database can get infected, but it's rare that it gets hacked. They would have to have access to your hosting account or your phpMyAdmin credentials.

MyITGuy
08-15-2013, 11:36 PM
Jeff (MyItGuy) had a process for building a program to check for changes in your installation. You could have someone build something similar if nothing already exists.

I still need to create that script so I could share it with you/everyone...since the one I created was for use by another application.

As an alternative, you can look to some of the monitoring solutions out there such as Pingdom or Status Cake that have site scanning built in to some of their checks.


Alternatively, do a nightly backup so you can do a restore the next day. This won't alert you if you have been hacked however.
Just be sure that these files are downloaded frequently, and DO NOT rely on the host to retain them for you. I've seen so many issues where people lost their sites because they did not care for/validate these backup files.



Someone correct me if I'm wrong on this, but the db is far less frequently hacked than the program files.
Not necessarily, the first thing some of these hijacks will do is create a backdoor into your database (i.e. their own unique Admin ID/Password) and dump your data so they can download/analyze it on their own time.

Wozcreative
08-17-2013, 10:23 AM
I've had this happen before. Your hosting account should be able to back track to when it wasn't infected. Otherwise you will need to change all the passwords and remove the buggy code from all the pages that have been updated (you will know they are infected if you have some .php files in your FTP that have a VERY recent time-stamp on them).

billbenson
08-18-2013, 08:53 AM
I've had this happen before. Your hosting account should be able to back track to when it wasn't infected. Otherwise you will need to change all the passwords and remove the buggy code from all the pages that have been updated (you will know they are infected if you have some .php files in your FTP that have a VERY recent time-stamp on them).

That's a lot of files to weed through with something as big as wordpress.

Harold Mansfield
08-18-2013, 10:04 AM
Recent time stamps happen whenever there is an update.
If someone has actually gained access to your site and has placed malicious code in it, it's usually hidden in the header.php, footer.php, sidebar.php or index.php. Otherwise it could be a plugin or code that you have added that has the vulnerability.

It could be something that was dormant, as with free themes that insert links or code in the footer.
It could be an approved comment with a malware link.

There's actually too many ways to list, but it's usually low level hackers and spammers and it's usually always in the same places.
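A change-detection check of the kind billbenson and MyITGuy discuss, added here as an example (it is not MyITGuy's script, which is not posted in the thread): it hashes the PHP, JS and .htaccess files under a WordPress root so a later run can list what was added or modified, independent of timestamps, which, as Harold notes, also change on legitimate updates. It assumes the baseline is taken right after a known-good install or update and kept off the server; the demo directory and the injected placeholder lines are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every watched file under root (relative POSIX path) to its digest."""
    # Only server-side code and rewrite rules are watched; uploads are skipped.
    root_path = Path(root)
    baseline = {}
    for p in root_path.rglob("*"):
        if p.is_file() and (p.suffix in {".php", ".js"} or p.name == ".htaccess"):
            baseline[p.relative_to(root_path).as_posix()] = file_sha256(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake install, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (root / "readme.html").write_text("<html></html>\n")  # not watched
        baseline = build_baseline(tmp)
        # Simulate the two changes the thread describes: code appended to
        # footer.php and a new PHP file dropped into the theme folder.
        with (theme / "footer.php").open("a") as fh:
            fh.write("<?php /* constructed placeholder for injected code */ ?>\n")
        (theme / "cache.php").write_text("<?php /* constructed placeholder */ ?>\n")
        return compare(baseline, build_baseline(tmp))
```

Re-run build_baseline after each legitimate update so the next comparison reports only unexpected changes.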

Gabe
08-18-2013, 12:52 PM
The easiest way to do it is just use premium hosting instead of the cheap stuff. A premium host will take care of all of that stuff for you. Sure, it's more expensive, but when it comes to your business it's worth it. I recommend WP Engine (just under $30/mo.) and I've been using them since 2011, but there are other options as well. They take care of security (if you get hacked, they fix it free), backups, CDN, caching, and other stuff. Sure, it may be more than you need, but peace of mind is worth a lot. I use WP Engine for all of my clients.

Wozcreative
08-18-2013, 02:15 PM
That's a lot of files to weed through with something as big as wordpress.

Find and replace.

vangogh
08-19-2013, 11:07 AM
For those who weren't aware of the attacks, I posted about them a few months ago (http://www.small-business-forum.net/wordpress/8580-brute-force-attacks-wordpress-underway.html). I'll usually post something in the WordPress forum here when something like this happens. Harold usually does too. A few other members have also been known to do the same.

Harold Mansfield
08-19-2013, 11:14 AM
Spent all day Sunday dealing with a hacked site. Stupid me, I didn't catch it sooner because there were problems with a previous webmaster who still had access and I assumed they were being malicious.

It was only after I installed Better WP Security and watched the logs that I saw the Russian and Ukraine IP addresses and figured it out.
They were literally doing and undoing things as fast as I was fixing them. Like it was some kind of game.

If I could just get my hands on one hacker one day....doesn't have to be the exact one that has caused me problems, any one will do...I'd be a happy camper.

Wozcreative
08-19-2013, 11:41 AM
Spent all day Sunday dealing with a hacked site. Stupid me, I didn't catch it sooner because there were problems with a previous webmaster who still had access and I assumed they were being malicious.

It was only after I installed Better WP Security and watched the logs that I saw the Russian and Ukraine IP addresses and figured it out.
They were literally doing and undoing things as fast as I was fixing them. Like it was some kind of game.

If I could just get my hands on one hacker one day....doesn't have to be the exact one that has caused me problems, any one will do...I'd be a happy camper.

The Russian hack is actually just some type of script, they aren't doing it manually. The script will keep updating the files with their hack until you change/remove and update your passwords. Chances are your computer or someone's computer had FTP info saved in your FTP client and a script you either downloaded or accidentally came across somehow stole that saved FTP and then the Russian hacking software just ran with it.

It's not a random guy targeting your site specifically to mess with you and changing files as you change them for fun.

Harold Mansfield
08-19-2013, 11:53 AM
The Russian hack is actually just some type of script, they aren't doing it manually. The script will keep updating the files with their hack until you change/remove and update your passwords. Chances are your computer or someone's computer had FTP info saved in your FTP client and a script you either downloaded or accidentally came across somehow stole that saved FTP and then the Russian hacking software just ran with it.

Yeah, I've done all of that and more. The problem has been alleviated. I'm just pissed about it.


It's not a random guy targeting your site specifically to mess with you and changing files as you change them for fun.
Every now and then you can tell when it's a person. But yeah, the others I can tell are scripts because the actions are the same as other sites that have had the same problems.

vangogh
08-20-2013, 02:14 AM
The Russian hack is actually just some type of script

Is that the Gumblar hack? I ran into it a few years back. One of my clients was hit with it and unfortunately it was a PR firm with a number of sites that all ended up being infected. It was a pain to clear out, especially if you missed a single file, because it would be back in its entirety a couple of days later. I've helped others fix variants of it since then.

In general having a theme or site infected is one reason why it's good to maintain a relationship with someone who works on the site. Granted not everyone can spot an attack, but I know I've found a few before they had a chance to do anything while working on sites for clients. When you're working in the files often enough you can recognize code that doesn't belong and once you have a feel for how attacks work in general you can more easily spot rogue code.

With WordPress you want to keep everything updated from WordPress itself to all your plugins. There are a few security plugins like the one Harold mentioned you can install to check on the health of your site too. Automattic offers a service called VaultPress and one of the higher levels of membership will perform security scans of your site. It's a monthly fee of $40 at that level, though.