WP Hacked 💀
WHO AM I
- Dad of 4 girls.
- Technical Consultant
- Web Development for 12+ years
- Worked on a range of CMSs and e-commerce platforms.
- Currently at Aligent Consulting
Client
Um, my website's not working...
Me
Oh shit... let me get back to you.


Hack - Easy WP SMTP
Exploit
- Feature added into core plugin
- No capabilities check on import options
- Allowed user to change default user role to Administrator
- Used editor to add exploit code.
Hack
- Changed option siteurl
- Added script tag to redirect site to click bait site
- Added tentacles to allow further exploits and bot-nets
Step 1 - Assess the damage
Investigate
- File permissions
- Database - options, users table
- WordPress file integrity
- wp-content directory
Note
Time is critical, as the hack takes root and spreads.
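A read-only check for Step 1, added here as an example and not part of the original slides: it looks at the options this hack touched (siteurl, default user role), lists administrator accounts, and verifies file integrity. It assumes WP-CLI is installed as `wp`, that it is run from the WordPress root, and that `EXPECTED_URL` (placeholder `https://example.com`) is the site's real address; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the slides. Read-only: it only reads options and files.
# Assumptions: WP-CLI is installed as `wp`, this runs from the WordPress root,
# and EXPECTED_URL is the site's real address (placeholder value below).
EXPECTED_URL="${EXPECTED_URL:-https://example.com}"

# Pure check on option values (testable without WP-CLI).
# Prints one finding per line; returns 1 if anything looks tampered with.
check_options() {
  local expected="$1" siteurl="$2" home="$3" default_role="$4" can_register="$5"
  local found=0
  if [ "${siteurl%/}" != "${expected%/}" ]; then
    echo "siteurl changed: $siteurl"; found=1
  fi
  if [ "${home%/}" != "${expected%/}" ]; then
    echo "home changed: $home"; found=1
  fi
  # Stock default is 'subscriber'; new users must never get a publishing role.
  case "$default_role" in
    administrator|editor|author)
      echo "default_role is '$default_role'"; found=1
      if [ "$can_register" = "1" ]; then
        echo "registration is open: anyone can sign up as $default_role"
      fi ;;
  esac
  return "$found"
}

triage() {
  check_options "$EXPECTED_URL" \
    "$(wp option get siteurl)" "$(wp option get home)" \
    "$(wp option get default_role)" "$(wp option get users_can_register)"
  echo "--- administrators: look for accounts you did not create ---"
  wp user list --role=administrator \
    --fields=ID,user_login,user_email,user_registered
  echo "--- core and plugin files against wordpress.org checksums ---"
  wp core verify-checksums
  wp plugin verify-checksums --all
}

# Runs the live checks only where WP-CLI is available.
if command -v wp >/dev/null 2>&1; then
  triage
fi
```

Checksum verification only covers WordPress core and plugins hosted on wordpress.org, so themes, premium plugins and the uploads directory still need a manual look.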
Step 2 - Attribute cause
- Software / PHP out of date?
- WP / Plugin out of date, known vulnerabilities?
- Brute force?
- Admin login insecure / Phishing?
- Wordfence Blog, other WP security blogs

Step 3 - Recovery
Action
- Restore Backup
- Reset permissions
- Restore Database
- Clean/Remove hacked files
- Re-install WordPress
- Re-install plugins
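find . -type f -exec chmod 0644 {} \;   # files (including dotfiles such as .htaccess)
find . -type d -exec chmod 0755 {} \;   # directories keep the execute bit so they stay traversable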
Step 4 - Secure
Action
- Update all the things
- Backups in place
- Security plugins
- Rotate keys, password, usernames
- Firewall, IP blocking
Tools
Action
- Your hosting provider support
- SSH, SFTP
- WP-CLI
- ClamAV / Linux Malware Detect
- WAF - Web Application Firewall
- ManageWP
Plugins
Compare
- Wordfence - WAF
- Sucuri - Integrity
- iThemes Security - Obscurity
SUCURI


Take Aways
- TNO - Trust No One
- Security is a process not a state
- Only as strong as your weakest link
Questions?
Thank you. 🙌
WP \Hack\ed
By Jack McNicol
A brief account and steps to cover once your WordPress instance is hacked