How to clean a Hacked WordPress website
Makis Mourelatos - 2019 Athens WordCamp Workshop
makmour
May 18, 2019
Technology
Transcript
HACKED WORDPRESS CLEANUP 2019 ATHENS WORDCAMP WORKSHOP
WHO AM I? Gerasimos (Makis) Mourelatos - WordPress Warrior / Security Aficionado / Dad
WORKSHOP INDEX
1. INFOSECURITY PRINCIPLES & WORDPRESS MALWARE TYPES
2. WORDPRESS HACKED? (WHAT HAPPENED, GUYS?)
3. CLEANING A WORDPRESS MALICIOUS REDIRECT
4. HOW TO SECURE OUR WORDPRESS SITE
SECURITY BY DEFAULT
THE DEFAULT SETTINGS SHOULD BE AS SECURE AS POSSIBLE, EVEN IF THIS AFFECTS EASE OF USE FOR THE USER.
SECURE BY DESIGN
THE DESIGN SHOULD TAKE INTO ACCOUNT THE POSSIBILITY THAT THE SYSTEM WILL BE COMPROMISED AND PROVIDE THE CORRESPONDING SAFEGUARDS.
SECURITY THROUGH OBSCURITY
THE (PSEUDO)SECURITY POLICY WHERE THE HANDLING OF A SYSTEM IS AVAILABLE ONLY TO SPECIFIC PEOPLE.
SECURITY THROUGH MINORITY OR OBSOLESCENCE
ANOTHER (PSEUDO)SECURITY POLICY, RELYING ON THE RARITY AND AGE OF THE SOFTWARE IN USE.
PRESUMED SECURITY
SECURITY IS (FALSELY) ASSUMED FROM THE POPULARITY AND REPUTATION OF THE SYSTEM, E.G. THE FBI WEBSITE.
TYPES OF COMPROMISE
• MALICIOUS REDIRECTS
• BACKDOOR ATTACKS
• DRIVE-BY DOWNLOADS
• SEO SPAM HACKS
MALICIOUS REDIRECTS
• .HTACCESS REDIRECTS
• PHP ENCODED REDIRECTS (INDEX.PHP, HEADER.PHP, FOOTER.PHP)
• THE REDIRECT IS HIDDEN
BACKDOOR ATTACK
• COMPROMISE VIA COMMAND LINE (SSH) OR EXPLOIT KIT
• THE ATTACKER CAN GAIN ACCESS TO THE WHOLE SERVER
DRIVE-BY DOWNLOAD
• SCRIPT INJECTION
• CONDITIONAL MALWARE
SEO SPAM HACK (PHARMA / JAPANESE)
• SPAM INJECTIONS
• SHOWS UP MAINLY IN SEARCH ENGINE RESULTS
• THE GOAL IS SPAMMING, NOT MALWARE DISTRIBUTION
SIGNS OF A HACKED WORDPRESS SITE
• HOMEPAGE REDIRECTS
• SUDDEN SPAM COMMENT SPIKE
• SLOW WEBSITE RESPONSE TIME
• BANNERS POP UP
WORDPRESS HACKED? WHAT HAPPENED, GUYS?
JAPANESE KEYWORD HACK
DE-INDEXED SITE: site:gonewiththe.wind
ALL YOUR BASE BELONG TO US
GOOGLE SEARCH CONSOLE WARNING: GSC → SECURITY & MANUAL ACTIONS
ONLINE TOOLS
• GOOGLE TOOLS
• VIRUSTOTAL
MALWARE REDIRECTS: INFECTED .HTACCESS FILE
WEIRD NAMED PHP, JS, ICO FILES
    $tmp = base64_encode('Welcome to WordCamp Athens 2019');
    eval(base64_decode('V2VsY29tZSB0byBXb3JkQ2FtcCBBdGhlbnMgMjAxOQ=='));
    eval(gzinflate(base64_decode('UFVOS1MlMjBOT1QlMjBERUFEJTIx')));
WORDPRESS MALICIOUS REDIRECT HACK FIX
BACKUP!!!!! BACKUP!!!!! BACKUP!!!!!
1. WORDPRESS SITE FILES
2. WORDPRESS SITE DATABASE
3. ARCHIVE AND DOWNLOAD
DATABASE
• HOSTING PANEL: DELETE THE OLD DB USER & CREATE A NEW ONE
• LINK THE NEW DB USER TO THE DATABASE
• CHECK THE DATABASE VIA PHPMYADMIN FOR STRANGE ENTRIES (E.G. IN WP_OPTIONS)
• CHANGE ADMINISTRATOR USERNAMES VIA PHPMYADMIN
WP-CONFIG.PHP
• CHANGE DATABASE LOGIN DETAILS
• CHANGE AUTH KEYS
• CHECK FOR SCRIPT/CODE INJECTION
CHANGE ADMIN PASSWORD & SESSION LOGOUT
CHECK ADMIN USER ACCOUNTS
UPDATE WORDPRESS
UPDATE PREMIUM THEMES & PLUGINS; REMOVE NOT RENEWED COMPONENTS
UPDATE REPOSITORY THEMES AND PLUGINS
FILES
• DELETE AND REINSTALL WORDPRESS CORE DIRECTORIES & FILES
• DELETE CACHE (WP-CONTENT/CACHE/)
• DELETE FILE AND DATABASE BACKUPS
• CHECK FOR .PHP/.JS/.ICO FILES (WP-CONTENT/UPLOADS)
LAST BUT NOT LEAST ... REPEAT FOR ALL WORDPRESS SITES UNDER THE SAME HOSTING ACCOUNT
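The indicators from the earlier slides (eval/base64 wrappers in oddly named .php/.js/.ico files, an infected .htaccess redirect, script files under wp-content/uploads, strange rows in wp_options) can be checked mechanically before the manual cleanup starts. The shell script below is an added example written for this transcript, not code from the workshop or from WordPress; it runs every check over each site under one hosting account directory, which is the "repeat for all sites" step. Every path, host name (redirect.example.net) and payload it creates is constructed for the demo, and the two encoded strings are the deck's own harmless ones.

```shell
#!/bin/sh
# Added triage example written for this transcript; it is not code from the
# workshop or from WordPress. It scans every site below a hosting account
# directory for the indicators the slides list: eval()+decoder obfuscation in
# .php/.js/.ico files, script files sitting in wp-content/uploads, .htaccess
# redirects to an absolute URL, and injected markup in a database dump.
# Assumptions: POSIX sh with find, grep and sed; every sample path, host name
# and payload below is constructed for the demo.
set -u

# eval(<decoder>( wrapper from the "weird named files" slide, plus the
# other decoders that commonly take base64_decode's place.
OBF_PATTERN='eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)'
# Redirect directives whose target is an absolute URL; each hit needs review,
# since a legitimate www/https redirect looks the same.
REDIRECT_PATTERN='^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?|ErrorDocument)[[:space:]].*https?://'
# Injected tags or decoders inside dump rows (e.g. wp_options, wp_posts).
DUMP_PATTERN='<script|eval\(|base64_decode|gzinflate'

# 1. Files whose content uses the eval(<decoder>(...)) wrapper.
scan_obfuscation() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.ico' \) \
        -exec grep -El "$OBF_PATTERN" {} +
}

# 2. Executable or script files under uploads, where only media belongs.
scan_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.js' -o -name '*.ico' \)
}

# 3. .htaccess files that redirect to an absolute URL.
scan_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -El "$REDIRECT_PATTERN" {} +
}

# 4. Suspicious rows in the SQL dump taken during the BACKUP step.
scan_dump() {
    grep -En "$DUMP_PATTERN" "$1"
}

# Run every check over each document root below the account directory
# ("REPEAT FOR ALL WORDPRESS SITES UNDER THE SAME HOSTING ACCOUNT").
scan_account() {
    for root in "$1"/*/; do
        root=${root%/}
        echo "== $root"
        scan_obfuscation "$root" | sed 's/^/  obfuscated: /'
        scan_uploads "$root"     | sed 's/^/  in uploads: /'
        scan_htaccess "$root"    | sed 's/^/  redirect:   /'
        if [ -f "$root/backup.sql" ]; then
            scan_dump "$root/backup.sql" | sed 's/^/  dump:       /'
        fi
    done
}

# Constructed account with two sites: site-a is infected, site-b is clean.
make_sample_tree() {
    for site in site-a site-b; do
        d=$1/$site
        mkdir -p "$d/wp-content/uploads/2019/05" "$d/wp-content/themes/demo"
        printf '%s\n' "<?php require __DIR__ . '/wp-blog-header.php';" > "$d/index.php"
        printf '%s\n' 'RewriteEngine On' 'RewriteRule . /index.php [L]' > "$d/.htaccess"
        printf '%s\n' "INSERT INTO \`wp_options\` VALUES (1,'siteurl','https://$site.example.com','yes');" \
            > "$d/backup.sql"
    done
    a=$1/site-a
    # The deck's own encoded strings ("Welcome to WordCamp Athens 2019" and
    # "PUNKS%20NOT%20DEAD%21"), hidden in a fake icon and a theme file.
    printf '%s\n' "<?php eval(base64_decode('V2VsY29tZSB0byBXb3JkQ2FtcCBBdGhlbnMgMjAxOQ=='));" \
        > "$a/wp-content/uploads/2019/05/favicon.ico"
    printf '%s\n' "<?php eval(gzinflate(base64_decode('UFVOS1MlMjBOT1QlMjBERUFEJTIx')));" \
        > "$a/wp-content/themes/demo/header.php"
    printf '%s\n' 'RewriteRule ^(.*)$ http://redirect.example.net/$1 [R=301,L]' >> "$a/.htaccess"
    printf '%s\n' "INSERT INTO \`wp_options\` VALUES (99,'widget_text','<script src=\"http://redirect.example.net/x.js\"></script>','yes');" \
        >> "$a/backup.sql"
}

# Usage: sh wp-triage.sh /var/www   (one subdirectory per site)
# With no argument it builds the constructed sample and scans that instead.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d); make_sample_tree "$demo"; scan_account "$demo"; rm -rf "$demo"
else
    scan_account "$1"
fi
```

Run it over the downloaded backup copy rather than the live docroot when you can, and treat each hit as a lead to review, not a verdict: a www-to-https RewriteRule matches the redirect check exactly like a malicious one, and a few legitimate plugins ship decoders that trip the obfuscation pattern. Files flagged under uploads are the ones the FILES step says to delete, and the dump hits tell you which wp_options rows to look at in phpMyAdmin.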
WORDPRESS SECURITY & MAINTENANCE
USE A SECURE WORDPRESS HOSTING SERVICE
• MANAGED WORDPRESS HOSTING
• DAILY WORDPRESS BACKUP SERVICE
• NEVER HOST YOUR EMAIL WITH YOUR SITE HOSTING
USE A FIREWALL SERVICE
• DNS LEVEL FIREWALL: FILTERS TRAFFIC BEFORE IT REACHES YOUR WEB SERVER
• APPLICATION LEVEL FIREWALL: FILTERS TRAFFIC AFTER IT REACHES YOUR WEB SERVER
WORDPRESS HOUSEKEEPING
• KEEP YOUR WORDPRESS INSTALLATION UPDATED
• MAINTAIN ONLY THE NEEDED (ACTIVE) THEMES AND PLUGINS
• USE ONLY MODERN THEMES AND PLUGINS
WORDPRESS ELEMENTS
• BACKUP YOUR SITE: OFF-SITE, AUTOMATED AND INCREMENTAL (IF POSSIBLE)
• NEVER EVER USE NULLED THEMES OR PLUGINS
LOGIN HARDENING
• FORCE SSL
• DISABLE XML-RPC WHEN POSSIBLE
• RENAME WP LOGIN URL
• LIMIT LOGIN ATTEMPTS
• USE 2FA
• USE .HTACCESS TO LIMIT LOGIN ONLY FOR SPECIFIC IP(s)
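What the .htaccess items above look like as an actual fragment: FORCE SSL, wp-login.php limited to specific IPs, and xmlrpc.php blocked. The shell script below is an added example written for this transcript, not code from the workshop. It assumes Apache 2.4 (mod_authz_core, mod_rewrite) with AllowOverride permitting AuthConfig and FileInfo, and the addresses 203.0.113.7 and 198.51.100.0/24 are documentation-range placeholders. It validates every address first, because one malformed entry makes Apache reject the whole .htaccess with a 500 and locks everybody out, including you.

```shell
#!/bin/sh
# Added example for the LOGIN HARDENING slides; it is not code from the
# workshop. It emits an .htaccess fragment that forces HTTPS, allows
# wp-login.php only from the listed IPs/CIDRs and blocks xmlrpc.php. Every
# address is validated first: an invalid entry makes Apache fail the whole
# .htaccess (HTTP 500), which locks everybody out including you.
# Assumptions: POSIX sh; Apache 2.4 (mod_authz_core, mod_rewrite) with
# AllowOverride permitting AuthConfig and FileInfo; addresses are placeholders.
set -u

# Dotted IPv4 with optional /prefix (0-32); each octet must be 0-255.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
        || return 1
    set -- $(printf '%s\n' "${1%%/*}" | tr '.' ' ')
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print the fragment to stdout; print nothing and fail on any invalid entry,
# so `login_allowlist_fragment ... >> .htaccess` never writes a broken file.
# Several Require ip lines inside one <Files> block are OR-ed by Apache 2.4.
login_allowlist_fragment() {
    [ $# -gt 0 ] || return 1
    for ip in "$@"; do valid_ipv4_cidr "$ip" || return 1; done
    printf '%s\n' '# FORCE SSL' '<IfModule mod_rewrite.c>' '    RewriteEngine On' \
        '    RewriteCond %{HTTPS} !=on' \
        '    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]' '</IfModule>'
    printf '%s\n' '# LIMIT LOGIN TO SPECIFIC IP(s)' '<Files wp-login.php>'
    for ip in "$@"; do printf '    Require ip %s\n' "$ip"; done
    printf '%s\n' '</Files>' '# DISABLE XML-RPC' '<Files xmlrpc.php>' \
        '    Require all denied' '</Files>'
}

# Usage: sh login-fragment.sh 203.0.113.7 198.51.100.0/24 >> /var/www/site/.htaccess
# With no arguments it prints a demo fragment for two placeholder addresses.
if [ $# -gt 0 ]; then
    login_allowlist_fragment "$@"
else
    login_allowlist_fragment 203.0.113.7 198.51.100.0/24
fi
```

Two caveats: behind a DNS-level firewall or CDN Apache sees the proxy's address, so Require ip has to be evaluated against the real client address (mod_remoteip with the proxy's header) or the rule locks you out; and blocking xmlrpc.php also breaks anything that legitimately uses it, which is why the slide says "when possible". RENAME WP LOGIN URL is left to a plugin, since WordPress itself has to route the new path.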
USER ACCOUNT SECURITY
• ALLOW 1 OR 2 ADMINS MAX; FOLLOW THE LEAST PRIVILEGE PRINCIPLE
• USE DIFFICULT-TO-GUESS PASSWORDS
• RANDOMIZE ADMIN USERNAMES
FILE ACCESS HARDENING
• DISABLE PLUGIN AND THEME EDITOR (WP-CONFIG.PHP):
    define('DISALLOW_FILE_EDIT', true);
• DISALLOW ACCESS TO WP-CONFIG.PHP (.HTACCESS):
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
• DISABLE .PHP FILE EXECUTION UNDER WP-CONTENT/UPLOADS & WP-INCLUDES (.HTACCESS):
    <Files *.php>
    deny from all
    </Files>
FILE ACCESS HARDENING
• CREATE NEW SECRET KEYS (WP-CONFIG.PHP)
• DISABLE DIRECTORY LISTING (.HTACCESS):
    Options All -Indexes
• REMOVE ALL DEMO AND STAGING SITES
EXTRA FILE ACCESS HARDENING
• DIRS: 0755, FILES: 0644
• WP-CONFIG.PHP: 0600, .HTACCESS: 0600
• MONITOR FILE CHANGES
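The three FILE ACCESS HARDENING slides as one script that can be re-run after every update. It is an added example written for this transcript, not code from the workshop or from WordPress.org. It assumes Apache with AllowOverride permitting Options, Limit and AuthConfig for the docroot, a web server running as the owner of the files (the deck's 0600 on .htaccess only works in that setup), and sha256sum or shasum for the baseline; the docroot it builds for the demo is constructed. The deny block is written for Apache 2.4 (Require) with the deck's 2.2 syntax as a fallback, and the uploads rule matches more than the deck's *.php glob.

```shell
#!/bin/sh
# Added hardening example written for this transcript; it is not code from the
# workshop or from WordPress.org. It applies the FILE ACCESS HARDENING slides
# to one document root (idempotently, so it can be re-run after updates) and
# keeps a SHA-256 baseline so later file changes can be listed.
# Assumptions: POSIX sh, find, awk, diff, ls and sha256sum or shasum; Apache
# with AllowOverride allowing Options/Limit/AuthConfig for the docroot; the
# web server runs as the file owner (otherwise 0600 on .htaccess breaks it).
set -u

# Apache 2.4 uses Require; the IfModule pair keeps 2.2 hosts working too.
DENY_BLOCK='<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>'

# DISABLE PLUGIN AND THEME EDITOR: the constant must be defined before
# wp-settings.php is loaded; append as a fallback if that line is missing.
ensure_file_edit_disabled() {
    cfg=$1/wp-config.php
    add="define('DISALLOW_FILE_EDIT', true);"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    awk -v add="$add" '/wp-settings\.php/ && !seen { print add; seen = 1 } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" || printf '%s\n' "$add" >> "$cfg"
}

# DISALLOW ACCESS TO WP-CONFIG.PHP and DISABLE DIRECTORY LISTING.
protect_docroot() {
    ht=$1/.htaccess
    [ -f "$ht" ] && grep -q 'BEGIN hardening' "$ht" && return 0
    printf '%s\n' '# BEGIN hardening (added by harden_wp)' '<Files wp-config.php>' \
        "$DENY_BLOCK" '</Files>' 'Options All -Indexes' '# END hardening' >> "$ht"
}

# DISABLE .PHP FILE EXECUTION UNDER WP-CONTENT/UPLOADS; the match is wider
# than the deck's *.php glob so renamed variants (.phtml, .php7, .phar) count.
protect_uploads() {
    mkdir -p "$1/wp-content/uploads"
    printf '%s\n' '<FilesMatch "\.(php|phtml|php[0-9]|phar)$">' "$DENY_BLOCK" \
        '</FilesMatch>' > "$1/wp-content/uploads/.htaccess"
}

# DIRS: 0755  FILES: 0644  WP-CONFIG.PHP: 0600  .HTACCESS: 0600
set_permissions() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
    chmod 0600 "$1/wp-config.php"
    find "$1" -type f -name .htaccess -exec chmod 0600 {} +
}

harden_wp() {
    ensure_file_edit_disabled "$1"; protect_docroot "$1"
    protect_uploads "$1"; set_permissions "$1"
}

# Symbolic mode, e.g. "-rw-------"; works with both GNU and BSD ls.
mode_of() { ls -ld "$1" | cut -c1-10; }

hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# MONITOR FILE CHANGES: store the manifest outside the docroot, then
# check_baseline prints every path that was added, removed or modified.
take_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do hashfile "$f"; done > "$2"
}
check_baseline() {
    now=$(mktemp)
    take_baseline "$1" "$now"
    diff "$2" "$now" | sed -n 's/^[<>] [0-9a-f]*  //p' | LC_ALL=C sort -u
    rm -f "$now"
}

# Constructed minimal docroot so the script can be exercised offline.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
    printf '%s\n' '<?php' "define('DB_NAME', 'wp');" \
        "require_once ABSPATH . 'wp-settings.php';" > "$1/wp-config.php"
    printf '%s\n' "<?php require __DIR__ . '/wp-blog-header.php';" > "$1/index.php"
    printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' '# END WordPress' > "$1/.htaccess"
}

# Usage: sh harden.sh /var/www/site; with no argument it hardens a sample.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d); make_sample_site "$demo/site"; harden_wp "$demo/site"
    cat "$demo/site/.htaccess"; rm -rf "$demo"
else
    harden_wp "$1"
fi
```

The deck's wp-includes rule is left out on purpose: denying every .php there is known to break multisite's ms-files.php, which is why the WordPress.org hardening guide (linked under USEFUL RESOURCES) uses mod_rewrite rules with exceptions for that directory instead. For MONITOR FILE CHANGES, keep the baseline off the server, or at least outside the docroot, and refresh it right after each legitimate update, so check_baseline lists only what you did not change.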
MYSQL DATABASE HARDENING
• DO NOT ALLOW REMOTE CONNECTIONS
• DO NOT SHARE THE SAME DATABASE USER ACROSS A NUMBER OF DATABASES
• DO NOT SHARE THE SAME DATABASE FOR ALL YOUR WORDPRESS SITES
DUE DILIGENCE
• DO NOT SHARE PASSWORDS
• USE A PASSWORD MANAGER
• STOP USING PUBLIC WIFI
USEFUL RESOURCES
• http://bit.ly/2JNcWYC WordPress Security Checklist
• http://bit.ly/2ZZXP3L WordCamp Phoenix Security CheckList
• http://bit.ly/2JNmYZI OWASP Wordpress Security Implementation Guideline
• http://bit.ly/2EffqeA WordPress.org Security Whitepaper
• http://bit.ly/2w4wWOn Hardening WordPress by WordPress.org
• http://bit.ly/30ufqAX Help, I think I've been hacked!
• https://tcrn.ch/2Js40IG 'Unhackable' encrypted flash drive eyeDisk is, as it happens, hackable
Makis Mourelatos