Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How to clean a Hacked WordPress website
Search
makmour
May 18, 2019
Technology
0
29
How to clean a Hacked WordPress website
Makis Mourelatos - 2019 Athens WordCamp Workshop
makmour
May 18, 2019
Tweet
Share
More Decks by makmour
See All by makmour
Detect and Remove WordPress Malware Redirect
makmour
0
80
The WordPress X-Files
makmour
0
66
How to Detect and Secure a WordPress Hacked site
makmour
0
120
WordPress Hardening Rules 101
makmour
0
87
WordPress Security 101 Seminar - WordPress security real cases of hacked sites
makmour
0
18
WordPress Security 101 Seminar - WordPress Security: real cases of hacked sites
makmour
0
34
Developing a WordPress Startup
makmour
0
34
How to protect your WordPress site from DDoS and bruteforce attacks
makmour
0
32
Other Decks in Technology
See All in Technology
datadog-distribution-of-opentelemetry-collector-intro
tetsuya28
0
190
UDDのススメ - 拡張版 -
maguroalternative
1
670
広島発!スタートアップ開発の裏側
tsankyo
0
130
いま、あらためて考えてみるアカウント管理 with IaC / Account management with IaC
kohbis
2
560
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
8.5k
o11yツールを乗り換えた話
tak0x00
2
1.7k
JOAI発表資料 @ 関東kaggler会
joai_committee
1
170
なごミュ@SPAJAM2025 第二回予選
1901drama
0
110
プロジェクトマネジメントは不確実性との対話だ
hisashiwatanabe
0
180
コミュニティと計画的偶発性理論 - 出会いが人生を変える / Life-Changing Encounters
soudai
PRO
7
1.2k
AIは変更差分からユニットテスト_結合テスト_システムテストでテストすべきことが出せるのか?
mineo_matsuya
5
2.9k
2025新卒研修・Webアプリケーションセキュリティ #弁護士ドットコム
bengo4com
3
9.9k
Featured
See All Featured
Statistics for Hackers
jakevdp
799
220k
How GitHub (no longer) Works
holman
314
140k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.6k
Building Applications with DynamoDB
mza
96
6.6k
A better future with KSS
kneath
239
17k
We Have a Design System, Now What?
morganepeng
53
7.7k
For a Future-Friendly Web
brad_frost
179
9.9k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.4k
Become a Pro
speakerdeck
PRO
29
5.5k
Mobile First: as difficult as doing things right
swwweet
223
9.9k
Transcript
HACKED WORDPRESS CLEANUP 2019 ATHENS WORDCAMP WORKSHOP
Who am I? Gerasimos Mourelatos WordPress Warrior / Security Aficionado
/ Dad Makis Mourelatos
1. INFOSECURITY PRINCIPLES & WORDPRESS MALWARE TYPES 2. WORDPRESS HACKED?
(ΤΙ ΕΓΙΝΕ ΡΕ ΠΑΙΔΙΑ?) 3. CLEANING A WORDPRESS MALICIOUS RE REDIRECT 4. HOW TO SECURE OUR WORDPRESS SITE WORKSHOP INDEX
ΟΙ DEFAULT ΡΥΘΜΙΣΕΙΣ ΘΑ ΠΡΕΠΕΙ ΝΑ ΕΙΝΑΙ ΟΣΟ ΓΙΝΕΤΑΙ ΠΙΟ
ΑΣΦΑΛΕΙΣ ΑΚΟΜΑ ΚΑΙ ΑΝ ΑΥΤΟ ΕΠΗΡΕΑΖΕΙ ΤΗΝ ΕΥΚΟΛΙΑ ΧΕΙΡΙΣΜΟΥ ΑΠΟ ΤΟΝ ΧΡΗΣΤΗ SECURITY BY DEFAULT
SECURE BY DESIGN Ο ΣΧΕΔΙΑΣΜΟΣ ΘΑ ΠΡΕΠΕΙ ΝΑ ΕΧΕΙ ΛΑΒΕΙ
ΥΠΟΨΙΝ ΤΗΝ ΠΙΘΑΝΟΤΗΤΑ ΠΑΡΑΒΙΑΣΗΣ ΤΟΥ ΣΥΣΤΗΜΑΤΟΣ ΚΑΙ ΝΑ ΕΧΕΙ ΔΗΜΙΟΥΡΓΗΣΕΙ ΤΙΣ ΑΝΤΙΣΤΟΙΧΕΣ ΔΙΚΛΕΙΔΕΣ ΑΣΦΑΛΕΙΑΣ
SECURITY THROUGH OBSCURITY Η ΠΟΛΙΤΙΚΗ (ΨΕΥΔΟ)ΑΣΦΑΛΕΙΑΣ ΟΠΟΥ Ο Ο ΧΕΙΡΙΣΜΟΣ
ΕΝΟΣ ΣΥΣΤΗΜΑΤΟΣ ΕΙΝΑΙ ΔΙΑΘΕΣΙΜΟΣ ΜΟΝΟ ΣΕ ΣΥΓΚΕΚΡΙΜΕΝΑ ΑΤΟΜΑ 1
SECURITY THROUGH MINORITY OR OBSOLESCENCE MIA AKOMA ΠΟΛΙΤΙΚΗ (ΨΕΥΔΟ)ΑΣΦΑΛΕΙΑΣ ΠΟΥ
ΣΤΗΡΙΖΕΤΑΙ ΣΤΗΝ ΣΠΑΝΙΟΤΗΤΑ ΚΑΙ ΑΡΧΑΙΟΤΗΤΑ ΤΟΥ ΛΟΓΙΣΜΙΚΟΥ ΠΟΥ ΧΡΗΣΙΜΟΠΟΙΕΙΤΑΙ
PRESUMED SECURITY Η ΑΣΦΑΛΕΙΑ ΠΡΟΕΡΧΕΤΑΙ(ΨΕΥΔΩΣ) ΑΠΟ ΤΗΝ ΔΗΜΟΦΙΛΙΑ ΚΑΙ ΤΗΝ
ΦΗΜΗ ΠΟΥ ΕΧΕΙ ΤΟ ΣΥΣΤΗΜΑ. Π.Χ. ΙΣΤΟΣΕΛΙΔΑ ΤΟΥ FBI.
ΤΥΠΟΙ ΠΑΡΑΒΙΑΣΕΩΝ • MALICIOUS REDIRECTS • BACKDOOR ATTACKS • DRIVE
BY DOWNLOADS • SEO SPAM HACKS
MALICIOUS REDIRECTS • .HTACCESS REDIRECTS • PHP ENCODED REDIRECTS (INDEX.PHP,
HEADER.PHP, FOOTER.PHP) • REDIRECT IS HIDDEN
BACKDOOR ATTACK • ΠΑΡΑΒΙΑΣΗ ΜΕΣΩ COMMAND LINE(SSH) ‘Η EXPLOIT KIT
• Ο ΕΠΙΤΙΘΕΜΕΝΟΣ ΜΠΟΡΕΙ ΝΑ ΑΠΟΚΤΗΣΕΙ ΠΡΟΣΒΑΣΗ ΣΕ ΟΛΟ ΤΟ SERVER
DRIVE BY DOWNLOAD • SCRIPT INJECTION • CONDITIONAL MALWARE
SEO SPAM HACK(PHARMA-J APANESE) • SPAM INJECTIONS • ΕΜΦΑΝΙΖΕΤΑΙ ΚΥΡΙΩΣ
ΣΤΑ ΑΠΟΤΕΛΕΣΜΑΤΑ ΤΩΝ ΜΗΧΑΝΩΝ ΑΝΑΖΗΤΗΣΗΣ • ΣΤΟΧΟΣ ΕΙΝΑΙ ΤΟ SPAMMING ΚΑΙ ΟΧΙ Η ΜΕΤΑΔΟΣΗ MALWARE
• HOMEPAGE REDIRECTS • SUDDEN SPAM COMMENT SPIKE • SLOW
WEBSITE RESPONSE TIME • BANNERS POP UP SIGNS OF A HACKED WORDPRESS SITE
2
ΤΙ ΕΓΙΝΕ ΡΕ ΠΑΙΔΙΑ?
None
JAPANESE KEYWORD HACK
DE-INDEXED SITE site:gonewiththe.wind
ALL YOUR BASE BELONG TO US 3
GOOGLE SEARCH CONSOLE WARNING GSC →SECURITY & MANUAL ACTIONS
ONLINE TOOLS Google Tools Virus Total 4
MALWARE REDIRECTS INFECTED .HTACCESS FILE 5
$tmp= base64_encode(' Welcome to WordCamp Athens 2019'); WEIRD NAMED PHP,
J S, ICO FILES eval(base64_decode('V2 VsY29tZSB0byBXb3J kQ 2FtcCBBdGhlbnMgMjAx OQ= = '); eval(gzinflate(base64_d ecode('UFVOS1MlMjBO T1QlMjBERUFEJ TIx'); 6
WORDPRESS MALICIOUS REDIRECT HACK FIX
BACKUP!!!!! BACKUP!!!!! BACKUP!!!!! 1. WORDPRESS SITE FILES 2. WORDPRESS SITE
DATABASE 3. ARCHIVE AND DOWNLOAD
DATABASE HOSTING PANEL ΔΙΑΓΡΑΦΗ ΠΑΛΙΟΥ DB USER & ΔΗΜΙΟΥΡΓΙΑ ΝΕΟΥ
ΣΥΝΔΕΣΗ ΤΟΥ DB USER ΜΕ ΤΗ DATABASE ΕΛΕΓΧΟΣ DATABASE ΜΕΣΩ PHPMYADMIN ΓΙΑ ΠΕΡΙΕΡΓΕΣ ΕΓΓΡΑΦΕΣ(Π.Χ. ΣΤΟ WP_OPTIONS) ΑΛΛΑΓΗ ADMINISTRATOR USERNAMES ΜΕΣΩ PHPMYADMIN 7
WP-CONFIG.PHP • ΑΛΛΑΓΗ DATABASE LOGIN DETAILS • ΑΛΛΑΓΗ AUTH KEYS
8
WP-CONFIG.PHP ΕΛΕΓΧΟΣ ΓΙΑ SCRIPT-CODE INJECTION 9
ΑΛΛΑΓΗ ADMIN PASSWORD & SESSION LOGOUT
ΕΛΕΓΧΟΣ ADMIN USER ACCOUNTS
UPDATE WORDPRESS
UPDATE PREMIUM THEMES & PLUGINS REMOVE NOT RENEWED COMPONENTS
UPDATE REPOSITORY THEMES AND PLUGINS
FILES • ΔΙΑΓΡΑΦΗ ΚΑΙ ΕΠΑΝΕΓΚΑΤΑΣΤΑΣΗ WORDPRESS CORE DIRECTORIES & FILES
• ΔΙΑΓΡΑΦΗ CACHE (WP-CONTENT/CACHE/) • ΔΙΑΓΡΑΦΗ FILE AND DATABASE BACKUPS • ΕΛΕΓΧΟΣ ΓΙΑ .PHP/.JS/.ICO FILES (WP-CONTENT/UPLOADS)
LAST BUT NOT LEAST ... REPEAT FOR ALL WORDPRESS SITES
UNDER THE SAME HOSTING ACCOUNT
WORDPRESS SECURITY & MAINTENANCE
• MANAGED WORDPRESS HOSTING • DAILY WORDPRESS BACKUP SERVICE •
NEVER HOST YOUR EMAIL WITH YOUR SITE HOSTING USE A SECURE WORDPRESS HOSTING SERVICE
• DNS LEVEL FIREWALL FILTERS TRAFFIC BEFORE REACHING YOUR WEB
SERVER • APPLICATION LEVEL LEVEL FIREWALL FILTERS TRAFFIC AFTER REACHING YOUR WEB SERVER USE A FIREWALL SERVICE
• KEEP YOUR WORDPRESS INSTALLATION UPDATED • MAINTAIN ONLY THE
NEEDED(ACTIVE) THEMES AND PLUGINS • USE ONLY MODERN THEMES AND PLUGINS WORDPRESS HOUSEKEEPING
• BACKUP YOUR SITE. OFF-SITE, AUTOMATED AND INCREMENTAL (IF POSSIBLE)
• NEVER EVER USE NULLED THEMES OR PLUGINS WORDPRESS ELEMENTS
• FORCE SSL • DISABLE XML-RPC WHEN POSSIBLE • RENAME
WP LOGIN URL LOGIN HARDENING 10
• LIMIT LOGIN ATTEMPTS • USE 2FA • USE .HTACCESS
TO LIMIT LOGIN ONLY FOR SPECIFIC IP(s) LOGIN HARDENING 11
• ALLOW 1 OR 2 ADMINS MAX FOLLOW THE LEAST
PRIVILEGE PRINCIPAL • USE DIFFICULT TO GUESS PASSWORDS • RANDOMIZE ADMIN USERNAMES USER ACCOUNT SECURITY
FILE ACCESS HARDENING • DISABLE PLUGIN AND THEME EDITOR (WP-CONFIG.PHP)
• DISALLOW ACCESS TO WP- CONFIG.PHP (.HTACCESS) • DISABLE .PHP FILE EXECUTION UNDER WP- CONTENT/UPLOADS & WP-INCLUDES (.HTACCESS) < files wp-config.php> order allow,deny deny from all < /files> define('DISALLOW_FILE_EDIT', true); < Files *.php> deny from all < /Files> 12
FILE ACCESS HARDENING • CREATE NEW SECRET KEYS (WP-CONFIG.PHP) •
DISABLE DIRECTORY LISTING Options All -Indexes (.HTACCESS) • REMOVE ALL DEMO AND STAGING SITES 13
EXTRA FILE ACCESS HARDENING • DIRS: 0755 FILES: 0644 •
WP-CONFIG.PHP: 0600 .HTACCESS: 0600 • MONITOR FILE CHANGES
MYSQL DATABASE HARDENING • DO NOT ALLOW REMOTE CONNECTIONS •
DO NOT SHARE THE SAME DATABASE USER WITH A NUMBER OF DATABASES • DO NOT SHARE THE SAME DATABASE FOR ALL YOUR WORDPRESS SITES
• DO NOT SHARE PASSWORDS • USE A PASSWORD MANAGER
• STOP USING PUBLIC WIFI DUE DILIGENCE 14
• http://bit.ly/2J NcWYC WordPress Security Checklist • http://bit.ly/2ZZXP3L WordCamp Phoenix
Security CheckList • http://bit.ly/2J NmYZI OWASP Wordpress Security Implementation Guideline • http://bit.ly/2EffqeA WordPress.org Security Whitepaper • http://bit.ly/2w4wWOn Hardening WordPress by WordPress.org • http://bit.ly/30ufqAX Help, I think I've been hacked! • https://tcrn.ch/2J s40IG ‘Unhackable’ encrypted flash drive eyeDisk is, as it happens, hackable USEFUL RESOURCES
Makis Mourelatos