Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Jan 10, 2017

Page 1: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Tips For Fixing a Hacked WordPress Site

Vladimir Lasky

http://wpexpert.com.au/

WordCamp Sydney 2016

Page 2: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

What Your Client Wishes They Had

A Time Machine

Hindsight

Website & Database Backups

Page 3: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

General Recovery Strategy

Assess The Damage

Disinfect Site

Replace Data

Recover Data

Secure Website

Check For Reinfection

Page 4: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

What You Need

WordPress Admin Account Details

cPanel Login

Secure Shell (SSH) Access

Page 5: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Files That Are Often Infected:

.htaccess

index.php

index.html

wp-config.php

Theme templates

Plugin Files

Page 6: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Files That Are Often Infected:

Anywhere within the installation:

– .htaccess

– index.php

– index.html

– wp-config.php

Within wp-content

– Theme templates

– Plugin Files

Page 7: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Common Infectious Payloads:

Shell code (a back door for the hacker)

– Often appears as strangely-named PHP files

Spam to be shown to site visitors

JavaScript code to pull in content from external sites or to attempt to trigger vulnerabilities in the visitor’s web browser

Boasts about the attacker’s hacking prowess

Page 8: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Finding Files Modified Between Two Dates

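# Files modified between two dates
find . -type f -newermt 2010-10-07 ! -newermt 2014-10-08

# Files modified between two timestamps on the same day
find . -type f -newermt "2014-10-08 10:17:00" ! -newermt "2014-10-08 10:53:00"

# Move files modified in the window from srcdir to destdir (mv -i prompts before overwriting)
find srcdir -type f -newermt 2014-08-31 ! -newermt 2014-09-30 -exec mv -i {} destdir/ \;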

Page 9: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Searching For Obfuscated Code

Searching for obfuscated code

– base64_decode

– gzinflate

– eval
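
The search on this slide as an added example, not part of the original slides: a POSIX shell function that counts calls to the three listed functions in each PHP file and can limit the scan to a modification window with the same `-newermt` test as the previous slide. The names `scan_obfuscated` and `make_sample_tree`, the sample file names and the `CONSTRUCTED` placeholder payloads are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): rank PHP files by the number of calls
# to the functions the slide lists. Hits are leads for manual review.

# \< anchors at a word start, so doubleval( is not counted as eval(.
PATTERN='\<(eval|gzinflate|base64_decode)[[:space:]]*\('

# scan_obfuscated ROOT [FROM TO]  (hypothetical helper name)
# Prints "<hits> <path>", highest count first. FROM and TO optionally limit
# the scan to files modified in that window (the slides' -newermt test).
scan_obfuscated() {
    root=$1; from=${2:-}; to=${3:-}
    if [ -n "$from" ] && [ -n "$to" ]; then
        set -- -newermt "$from" ! -newermt "$to"
    else
        set --
    fi
    # -i: PHP function names are case-insensitive. -o: count every call,
    # because nested calls often share one long line.
    PATTERN=$PATTERN find "$root" -type f -name '*.php' "$@" -exec sh -c '
        for f; do
            n=$(grep -Eoi -e "$PATTERN" "$f" | wc -l)
            if [ "$n" -gt 0 ]; then printf "%d %s\n" "$n" "$f"; fi
        done' sh {} + | sort -rn
}

# make_sample_tree DIR: constructed files with inert placeholder payloads
# and fixed modification times, so the scan can be tried offline.
make_sample_tree() {
    d=$1
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/plugins/demo"
    printf '%s\n' '<?php $p = doubleval("1.5"); // medieval theme' \
        > "$d/wp-content/themes/demo/functions.php"
    printf '%s\n' "<?php eval(gzinflate(base64_decode('CONSTRUCTED')));" \
        > "$d/wp-content/plugins/demo/x7f3.php"
    printf '%s\n' '<?php' "@EVAL (base64_decode('CONSTRUCTED'));" > "$d/index.php"
    touch -t 201401010000 "$d/wp-content/themes/demo/functions.php"
    touch -t 201410081030 "$d/wp-content/plugins/demo/x7f3.php"
    touch -t 201609010000 "$d/index.php"
}

# Demo: whole tree first, then only the window used on the previous slide.
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_obfuscated "$demo"
scan_obfuscated "$demo" "2014-10-08 10:17:00" "2014-10-08 10:53:00"
rm -rf "$demo"
```

WordPress core and many plugins call `base64_decode` legitimately, so the output is a review queue ordered by hit count, not a verdict on any file.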

Page 10: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Identifying The Infection

Sucuri Site Check

Google Webmaster Tools

If website still accessible, vulnerability scanning plugins like Wordfence (or similar plugins)

Page 11: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Recovering Site Content

Old Site Backups

WordPress Export

Google's Cache of the site

Archive.org (also called Internet Archive or Wayback Machine)

Page 12: Tips for Fixing A Hacked WordPress Site - Vlad Lasky

Conclusion

Slides from My Previous Security Talks:

– WordCamp GC 2011:

• http://slidesha.re/tr2XA5

• Covers the “Three Pillars of Security”, the aims of attackers and other WordPress security plugins

– WordCamp Sydney 2012:

• http://www.slideshare.net/wordcampsyd/securing-your-wordpress-website-vlad-lasky-wordcamp-sydney-2012

Questions and Comments:

– http://wpexpert.com.au/contact-us/