My Wordpress website has been hacked!

My Wordpress website has been hacked!

A look at Wordpress security, how to spot a comprised site, how to fix it, and how to prevent future attacks. Presented to the March 2013 London Wordpress Meetup.

912b25b29adebb2075c139b0b9e22dee?s=128

Chris Skitch

March 21, 2013
Tweet

Transcript

  1. 3.

    Overview • How do I know if my site has

    been hacked? • How was it hacked? • How do I fix it? • How do I stop it happening again? Friday, 22 March 13
  2. 5.

    Friday, 22 March 13 Defacement - possibly geo/time/browser specific eg.

    defaced website may appear only to IE users in North America. Therefore can easily go unnoticed.
  3. 6.

    Friday, 22 March 13 An entire Phising site may existing

    in your wp-uploads folder without you knowing.
  4. 9.

    How was it hacked? • Password compromised • Unvetted Plugins,

    Themes and Scripts • Wordpress vulnerabilities (core / plugins / themes) • Why Wordpress? Friday, 22 March 13 Common points of entry - Password compromised - brute force - email interception - phishing - Unvetted Plugins, Themes and Scripts i.e. downloading from File Hosting sites (rapidshare etc) - Wordpress vulnerabilities (core / plugins / themes) - Microsoft syndrome - Wordpress today is a massive target - http://w3techs.com/technologies/overview/content_management/all - Vulnerability example - TimThumb http://ma.tt/2011/08/the-timthumb-saga/
  5. 10.

    How do I fix it? • Run a scan •

    Restore from clean backup • Change passwords • GWT - request malware review Friday, 22 March 13 1. Run a security scan 1. security scanner comparison (Sucuri vs Wordfence) 2. demo Wordfence 2. Restore from clean backup (delete site first) 3. Change passwords (FTP/MYSQL/Wordpress) 4. Google Webmasters Tools - request malware review
  6. 11.

    Wordfence Demo Friday, 22 March 13 Common malware 1. malicious

    .php files 1. new files 2. modified files 2. .htaccess (can be used to deliver payloads) 3. !! Site may have been compromised months prior to defacement!! 4. Scanners - sucuri.net vs wordfence
  7. 12.

    How do I stop it happening again? • Ensure good

    backups • Google Webmasters Tools Notifications • Download from reliable sources • Use child themes • Remove unused plugins and themes • Wordfence security settings • Keep updated Friday, 22 March 13
  8. 14.

    more info • http://codex.wordpress.org/ FAQ_My_site_was_hacked • http://wp.smashingmagazine.com/ 2012/10/09/four-malware-infections- wordpress/ •

    http://blog.sucuri.net/2012/12/website- malware-reality-of-cross-site- contaminations.html Friday, 22 March 13