Wordpress Hacked! Woe.

I don't often talk about the freelance stuff I do, but I run a small web design and development business on the side. It's cute, and small and does all those things that sometimes you can't do yourself. Like self-host your Wordpress site, or create a custom Wordpress theme, or design a native smart phone app. I make pretty things, and I'm quite good at it. And so I have a handful of clients, and we get on fine.

That is, to say we did, until there was a surge of hacking attempts. It's a horrific and sad when some nasty bot comes along with a targeted script and changes all the things. No one ever wants to see a terrible geocities reincarnation of 'LOL H4X0RD!!11!' on their site, or have it redirect to a shady pharmaceutical site selling probably not very safe drugs. Or have their much loved lifestyle blog suddenly spouting propaganda from Pakistan.

So, I've gotten quite good at covering my bases, and making sure that all my clients Wordpress sites are relatively secure.

Interested in securing your Wordpress site? Or want to know how to fix your site post hack? Here's a quick run down:

If your self hosted Wordpress install is hacked, the best way to fix it is to ...

1. Make sure your anti-virus software is up-to-date - check that your machine is clean, and you're using the latest virus definition files for your anti-virus software. Make sure your laptop/computer/machine is free of viruses and malware.

2. Delete the current Wordpress installation (the database and all the files on your FTP) and install a clean Wordpress installation from wordpress.org.

3. Import a clean version of your theme, and the database from back ups.

4. Cover all your bases to make another hack much more difficult. (More on that below).

I know. This is annoying and terrible, but relatively easy to do if you have backups of all the files. You delete all the corrupted files and you don't have to wonder if anything else has changed or if you've left a backdoor open for hackers to be bothersome anymore. Check out the site logs to see if anything stands out.

If you don't have back ups, woe is you. This will be a lot more difficult or you.

If you host your own Wordpress, and it gets hacked, and you don't have a clean back up you should...

1. First copy everything you have (your database + all the files on the FTP) down to your local machine and rename it so you know it's corrupted. This is a back up, so if your 'fixing' goes terribly wrong, you have a point from which you can start again.

2. Go through all your files on the FTP, looking at the last modified dates. This is long and tedious, but you'll be able to see what's been changed and what hasn't. Make a note of all the most recently changed files and download whats been changed. Open it to see what's been edited, and remove anything terrible. Keep an eye out for files that don't belong, or directories that aren't supposed to be where they are.

Be patient and thorough with this this step. Go into every directory and worm out things that aren't as expected. If you mess something up, you have the (corrupted) back up and you can start again.

3. Check the .htaccess file for hacks. Look for anything redirecting to a new site. Remove any code that's not meant to be there, or has been altered.

4. Check all your directories and files have the right permissions (755 for directories, 644 for files). If they don't, change them.

5. Check to see if any rogue plugins have been installed, or any rogue users have been added. Check current users to see if passwords/usernames have been changed. You may not see rogue plugins or rogue users in your wp-admin area, so check the database.

6. Check with Sucuri Sitecheck to make sure there isn't anything obviously malicious.

7. Check with isithacked.com and do a scan. You can sign up for a (free) fortnightly automatic scan, if something is dodge it will email you.

8. Cover all your bases to make another hack much more difficult (below).

Post hack you should ...

Note: There are handy plugins that can do a lot of these things for you. See 'handy plugins' below for a list.

1. Change all of the passwords. The FTP passwords, the Wordpress passwords, CPanel passwords, the database passwords, all of the passwords. Make sure the passwords are strong ones. Use something like Last Pass 1Password.

2. Disable any still-valid cookies. Visit the WordPress key generator to get a new key, and then overwrite the values in the wp-config file.

3. Take regular backups.

4. Where possible, use SFTP (and not just regular FTP)

5. Make sure all the Wordpress installs + plugins are up to date.

6. Make sure there is no Wordpress user with the username 'admin', or that any user has an id of '1'

7. Disable file-editing for users that don't need to, don't have the skills to, or will never edit the theme/plugin files.

8. Secure the wp-includes files by changing the .htaccess file.

9. Change the table prefixes in the database to something other than wp_ (Make sure you change $table_prefix to something not 'wp_' in wp-config.php. Then change all the table names in the db via phpAdmin, as well as the contents of wp_options and wp_usermeta. There are also plug-ins that can do it for you, like Better WP Security). When installing a new version, the installer asks was prefix you want to use. You should pick something not wp_.

10. Change the login url paths.

11. Prevent public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess. These files can give away important information on your installation and serve no purpose to the public once WordPress has been successfully installed.

12. Disable directory browsing. This will prevent users from seeing a list of files in a directory when no index file is present.

13. Remove the Wordpress generated meta tag - by removing the meta tag from your sites header you hide the Wordpress version information, which makes it more difficult to target.

14. Remove write access to the the wp-config.php file and .htaccess file. That way scripts and any rogue users won't be able to write to either file.

15. Delete any theme files which aren't being used.

How did they get in?

Typically: - If user names have been changed, it was probably a database exploit, and might have been done through either a form, or a plugin that writes back to the database (we've found a lot of insecurities with e-commerce plugins). - Brute force, via the wp-login screen with a weak username or password. - Malware/viruses from a local machine or a security vulnerability from your host. So awkward. - They used vulnerabilities known in older versions of plugins, themes or Wordpress installations. - If none of these seem feasible, use the site logs are the way to figure out how it happened (ossec.net might be able to help if you get really really stuck).

But whhyyyyy?

Because they're bastards. All of the hacking made me so very angry, because mostly? It's so very unnecessary.

Usually, they either want free traffic from your blog (and you'll see a massive bandwidth jump), or they do it for shits and giggles. Because they're bastards, and are terrible terrible people.

Helpful Plugins

General security * Better WP Security

I like Better WP Security the best, it does all the things, and more.

* Bullet Proof Security * All in one security plugin

Back Ups * Automatic back up for plugins * Regular backups to Dropbox

Authentication Security * Stealth Login Page * Authenticate with Google * Secure login

Brute Force * Wordpress advice against brute force attacks

Scanning for Terrible Things * Exploit Script Scanner

Well, that's it! Hope that all of your Wordpress installs are all clean and merry.