WordPress is becoming ever more popular among IM’ers. Some IM’ers even own hundreds of WP sites each. What’s worrying right now is the increasing number of hacking and hijacking incidents. So what can we do about these threats?
To be clear, here are the obvious differences between HACKED and HIJACKED.
Hacked – the landing page of a web site was illegally changed by a hacker to show his own messages. The real owner still has some control of the site’s administration.
Hijacked – a web site that was taken over without the owner’s permission. The real owner has totally lost control of the site’s administration.
Determined intruders are always looking for ways to exploit security holes and backdoors in WP sites. So, let’s look at what makes a site vulnerable:
1. Using outdated WP versions for the sites.
2. Having outdated plugin versions, namely Google Analytics For WP, WP Addthis, WP Total Cache, etc.
3. Using obscure plugins that are not tested and verified by WP security enthusiasts and volunteers.
4. Using old plugins that are no longer maintained and updated by their creators.
5. Not monitoring visitor activity via Webstats, and thus being ignorant of attempts to access “alien” files which do not belong on our web servers.
6. Using the default userid, i.e. “admin”. This is the default userid during our first installation of WP if we do not specify another one.
7. Using weak passwords: dictionary words, all letters or all numerals, no non-alphanumeric characters, or fewer than 13 characters.
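Item 5 above is the one most people skip. As an added example (not from this post or from any plugin), here is a small scanner over Apache/nginx combined-format access log lines that flags requests for PHP files that do not belong on a stock install: anything executable under wp-content/uploads/, or an unknown PHP file at the top level. The log format, the core file list and the sample lines are assumptions constructed for the demonstration.

```python
import re

# Apache/nginx "combined" access-log line (assumed; check what your host actually writes).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# PHP files a stock WordPress 3.x serves from the document root (extend for your version).
CORE_TOP_LEVEL = {
    "/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php",
    "/wp-trackback.php", "/wp-signup.php", "/wp-activate.php", "/wp-links-opml.php",
    "/wp-mail.php", "/wp-blog-header.php", "/wp-load.php", "/wp-settings.php", "/wp-config.php",
}

def alien_php(path: str) -> bool:
    """True when the request targets a PHP file that does not belong on a stock install:
    anything executable under wp-content/uploads/, or an unknown file at the top level."""
    path = path.split("?", 1)[0].lower()
    if not path.endswith(".php"):
        return False
    if path.startswith("/wp-content/uploads/"):
        return True
    return "/" not in path[1:] and path not in CORE_TOP_LEVEL

def scan(lines):
    """One finding per suspicious request. A 2xx status is the serious case: the alien
    file exists and ran on our server, which is a backdoor rather than a failed probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not alien_php(m["path"]):
            continue
        status = int(m["status"])
        findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": m["path"].split("?", 1)[0], "status": status,
                         "verdict": "backdoor-executed" if 200 <= status < 300 else "probe"})
    return findings

# Constructed sample (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = """\
203.0.113.7 - - [10/Mar/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2012:10:01:05 +0000] "GET /wp-content/uploads/2012/03/photo.jpg HTTP/1.1" 200 81920
198.51.100.23 - - [10/Mar/2012:10:02:11 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 404 210
198.51.100.23 - - [10/Mar/2012:10:02:12 +0000] "POST /wp-conf.php HTTP/1.1" 200 14
198.51.100.23 - - [10/Mar/2012:10:02:13 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 0
""".splitlines()
```

Run `scan(open("access_log").read().splitlines())` against the real log; a "backdoor-executed" verdict means the file is really on the server and the cleanup steps further down apply.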
Better Be Safe Than Sorry
We can only minimize, and cannot completely prevent, intrusions to our sites. Here is a list of steps to minimize threats:
1. ALWAYS update to the latest WP version.
2. ALWAYS update to the latest plugin versions.
3. Use different USERIDs & PASSWORDs for CPanels and WP Sites.
4. Use different USERIDs & PASSWORDs for different sites/domains.
5. Use strong passwords with a minimum of 13 characters, consisting of at least 3 capital letters, at least 3 numerals and at least 3 non-alphanumeric characters (@#$%^&*()_-+=).
6. Change login passwords regularly.
7. Change the default prefix of the DB tables from wp_ to something else.
8. Deactivate and delete all unused plugins from the plugins folder.
9. Take the steps and use the plugins proposed below.
So What Can We Do If Our WP Sites Are Hijacked?
The first thing to do is to check whether we still have CONTROL of our CPanel.
We can do this by trying to access our CPanel via the web browser or by trying to access our server via FTP.
If we can’t access either, then there are 2 ways to resolve this immediately:
-> 1. If we have a WHM control panel, we can reset the CPanel password that was changed by the hijacker. This also instantly changes the phpMyAdmin password.
Then, using the CPanel File Manager or FTP, delete all WP folders and files in the root directory, including the .htaccess file. If we want to salvage our customizations, then don’t delete the wp-content folder.
At this point, our WP data in MySQL may already be seriously compromised by the hijacker.
Using phpMyAdmin, delete all the WP databases. If we want to salvage the databases, we will have to use a database scanner to look for malicious code residing in the tables and repair where possible.
In CPanel, be sure to check your email settings and look for strange email addresses and re-directions. Also check for domain and sub-domain re-directions. If there are unfamiliar sub-domains, delete them.
-> 2. If we don’t have a WHM control panel, then contact the hosting provider immediately. Tell them about the hijacking incident. Hosting providers will instantly do the needful, if they are responsive.
So What To Do When Our WP Sites Are Hacked?
In the case of being “hacked”, while we’re still able to access our CPanel or WP Dashboard, there are precautionary measures to take.
We may think we can resolve the issue by just replacing the affected files and changing our passwords. This is a risky notion because intruders can be very deceptive.
Being hacked is NOT less dangerous than being hijacked. Hackers may have left “live agents” buried deep among the WP files, or altered code in the files or even in the database tables. Be aware that there have been incidents where hackers altered plugin code, permalinks and .htaccess.
This malicious code could be monitoring every move we make on the servers. It may even harm our visitors. Worse still, it could be a DDoS or spam bot, making OUR SERVER its attack platform to victimize others. Such cases are NOT RARE.
So, let us take a safer route and do proper cleaning. In fact, these steps and tools will strengthen the security of our WP sites against potential exploits.
1. Scan & Disinfect your computer.
Make sure your computer is clean of malware, spyware, trojans, worms, keyloggers, rootkits and viruses.
These 2 free tools are really handy to disinfect your PC:
-> MalwareBytes Anti-Malware
-> Trojan Remover.
2. Change your CPanel Password
After changing your CPanel password to a strong one, enter your server using FTP.
Delete any .htaccess file that you see on the root directory.
Enter the CGI folder and delete any CGI file you see.
Via CPanel, be sure to check the integrity of your email settings, sub-domains and redirections.
From the WP dashboard, deactivate all plugins, or simply delete all of them using FTP. They are located in the wp-content/plugins directory.
Using the dashboard or FTP, start replacing all WP folders and files with the latest downloads from WordPress.org, except for the wp-content folder. This folder contains all of your customizations.
If you’re afraid that the wp-content folder files are also infected, then replace them with your backup copies.
Replace all tables in your DB with your backup copies.
Finally, replace all plugins with new downloads.
Remember: make regular backups of the wp-content folder using FTP. Stash the folder somewhere safe, offline. We might need it in future, just in case.
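Replacing core files blindly still leaves the question of which files were touched and where the “live agents” mentioned earlier were dropped. As an added example, not from this post or from WordPress itself, the audit below compares an install against a manifest of pristine MD5 hashes (the shape the core checksums API at api.wordpress.org returns, {relative path: md5}) and lists modified or missing core files plus PHP files that should not exist at all. read_tree, audit and sample_case are names chosen here, and the sample tree and manifest are constructed.

```python
import hashlib
import os

def md5(data: bytes) -> str:
    # The core checksum API publishes MD5 digests, so MD5 is what we compare against.
    return hashlib.md5(data).hexdigest()

def read_tree(root: str) -> dict:
    """Map relative path -> file bytes for everything under an install directory."""
    tree = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree

def audit(tree: dict, manifest: dict) -> dict:
    """Compare an install with the pristine manifest {relpath: md5}. Core files that
    differ or are missing get replaced from a fresh download; PHP files the manifest
    never listed, under wp-content/uploads/ or loose at the top level, are the usual
    hiding places for dropped agents and are listed for manual inspection."""
    report = {"modified": [], "missing": [], "unexpected_php": []}
    for path, digest in manifest.items():
        if path not in tree:
            report["missing"].append(path)
        elif md5(tree[path]) != digest:
            report["modified"].append(path)
    for path in tree:
        if path in manifest:
            continue
        loose = "/" not in path
        if path.endswith(".php") and (loose or path.startswith("wp-content/uploads/")):
            report["unexpected_php"].append(path)
    return {k: sorted(v) for k, v in report.items()}

def sample_case():
    """Constructed install and manifest, not real WordPress files."""
    pristine = {"index.php": b"<?php require 'wp-blog-header.php';",
                "wp-settings.php": b"<?php /* core bootstrap */"}
    manifest = {p: md5(b) for p, b in pristine.items()}
    tree = dict(pristine)
    tree["wp-settings.php"] += b"\n/* injected */"                     # tampered core file
    tree["wp-conf.php"] = b"<?php /* dropped at the top level */"
    tree["wp-content/uploads/2012/03/photo.jpg"] = b"\xff\xd8\xff"
    tree["wp-content/uploads/2012/03/cache.php"] = b"<?php /* dropped in uploads */"
    tree["wp-content/plugins/akismet/akismet.php"] = b"<?php /* legitimate plugin */"
    return tree, manifest
```

On a real server call `audit(read_tree("/path/to/public_html"), manifest)` with the manifest fetched for the exact WP version installed; plugin and theme PHP under wp-content is deliberately not flagged, since the manifest does not cover it.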
4. WP Plugin : WP Security Scan
This plugin scans your server files and folders for permission vulnerabilities, detects database and server vulnerabilities, and then recommends corrective measures. It will also warn you about possible exploit attempts by you-know-who. It has a built-in DB backup function and helps you change the DB table prefix easily from wp_ to something obscure. It also hides your WP version and WP ID meta tags from prying eyes, and tells you whether your domains are blacklisted by SpamHaus, Google, MalwareDomainList and abuse.ch.
WP Security Scan also has a function to check password strength.
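Whether a plugin does the prefix change from step 7 or you do it by hand, there is a step that is easy to miss: some rows embed the prefix in their values. This added example (not from the post or from WP Security Scan) demonstrates the full change on an in-memory SQLite stand-in for the MySQL database, with a constructed mini-schema; seed, change_prefix, roles_resolve and the prefix k7x_ are assumptions made here.

```python
import sqlite3

OLD, NEW = "wp_", "k7x_"      # constructed prefixes for the demonstration

def seed():
    """In-memory stand-in for the WP database: only the tables a prefix change touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {OLD}options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE {OLD}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INT, meta_key TEXT, meta_value TEXT);
        INSERT INTO {OLD}options VALUES (1, '{OLD}user_roles', 'serialized roles'), (2, 'siteurl', 'https://example.invalid');
        INSERT INTO {OLD}usermeta VALUES (1, 1, '{OLD}capabilities', 'serialized caps'),
                                        (2, 1, '{OLD}user_level', '7'), (3, 1, 'nickname', 'ed');
    """)
    return conn

def _like(prefix):
    # '_' is a LIKE wildcard, so escape it: 'wp\_%' matches only names starting with 'wp_'.
    return prefix.replace("_", r"\_") + "%"

def _reprefix(cur, table, idcol, col, old, new):
    """Rewrite only the leading prefix of matching values, one row at a time."""
    rows = cur.execute(f"SELECT {idcol}, {col} FROM `{table}` WHERE {col} LIKE ? ESCAPE '\\'",
                       (_like(old),)).fetchall()
    for rid, val in rows:
        cur.execute(f"UPDATE `{table}` SET {col} = ? WHERE {idcol} = ?", (new + val[len(old):], rid))
    return len(rows)

def change_prefix(conn, old, new):
    """Rename the tables, then fix the rows that embed the prefix: options.option_name
    'wp_user_roles' and usermeta keys such as 'wp_capabilities' and 'wp_user_level'.
    Renaming the tables alone leaves every user with no role, i.e. locked out."""
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ? ESCAPE '\\'", (_like(old),))]
    for t in tables:   # MySQL form: RENAME TABLE `wp_options` TO `k7x_options`
        cur.execute(f"ALTER TABLE `{t}` RENAME TO `{new}{t[len(old):]}`")
    fixed = _reprefix(cur, f"{new}options", "option_id", "option_name", old, new)
    fixed += _reprefix(cur, f"{new}usermeta", "umeta_id", "meta_key", old, new)
    conn.commit()   # $table_prefix in wp-config.php must be set to the new value as well
    return {"renamed": sorted(tables), "rows_fixed": fixed}

def roles_resolve(conn, prefix):
    """What login needs afterwards: the roles option and a capabilities key under the new prefix."""
    cur = conn.cursor()
    roles = cur.execute(f"SELECT COUNT(*) FROM `{prefix}options` WHERE option_name = ?",
                        (prefix + "user_roles",)).fetchone()[0]
    caps = cur.execute(f"SELECT COUNT(*) FROM `{prefix}usermeta` WHERE meta_key = ?",
                       (prefix + "capabilities",)).fetchone()[0]
    return roles == 1 and caps >= 1
```

Take a full database backup before doing this on a live site, and do it with the site in maintenance mode, since wp-config.php and the tables must change together.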
5. WP Plugin :
Login Lockdown <<= NOT ENCOURAGED. PLUGIN HAS NOT BEEN MAINTAINED
Limit Login Attempts <<= NOT ENCOURAGED. PLUGIN HAS NOT BEEN MAINTAINED
All In One WP Security <<= The best all-rounded Security Plugin
6. WP Plugin : WP-DB Manager
Use this plugin to schedule database backups and automatically send them to your email or save them on another server. You can also back up your DB on demand. Do this at least once a week. You’ll never know when intruders will strike.
7. WP Plugin : WP Backup
This plugin can be scheduled or used on demand to back up the essential folders holding Themes, Uploads and Plugins. All of these will be zipped. You can set the backup intervals and save to the server or send via email (the size could be big).
8. WP Plugin : Akismet
This plugin not only classifies and blocks spammers from posting comments on your site, it also keeps your visitors from being harmed. Some spammers place malicious links in comments. When visitors click on them, they can be infected with malware. And if you do not manage comments holding malicious code, your WP sites may be flagged as dangerous by Google and anti-virus companies. Visitors may also report your sites to security forums and groups.
This article is by no means authoritative. I’m just sharing from experience. Probably it may help some Warriors as start-up knowledge towards more secure WP sites.