WordPress is probably the cheapest and easiest solution for online content management. WordPress has been around for a long time and powers a major section of the web now. However, this popularity comes with a heavy cost as it is also one of the most commonly targeted CMS in the world. As a result, users often complain of issues like WordPress hacked sending spam to their customers. And dealing with WordPress spam can prove to be more frustrating for you for it can sabotage the reputation of your site in the long run. According to the book WordPress Ultimate Security,
Spam is nauseating not only because it’s like bad graffiti, but also because it dilutes the value of decent content. Rather than add a kind word or helpful information, spam defaces a site, butts into discussion between real-deal site users and, if you’ve not already become jaded enough to stop following links to spread the SEO love stuff, gives credit where it’s never due while reducing the search value of your site. The cheek of it.
In this article, we shall discuss some cases of WordPress hacked sending spam and learn ways to deal with them.
WordPress Hacked Sending Spam: Symptoms
When a hacked WordPress site starts sending spam, it can take hours or days to notice, because the spam takes time to propagate over the web and to trigger reactions from other services. However, there are some symptoms that give such an attack away:
- Online services that monitor spam-sending servers blacklist your IP address. As a result, even the legitimate emails you send end up in the recipient's spam folder.
- Some search engines like Google blacklist your WordPress site for sending spam.
- Your WordPress site suddenly becomes very slow due to the large volume of spam queued in the MTA.
- Unusually many errors appear in the logs, especially failed email delivery messages.
- Your ISP warns you about large amounts of outbound spam.
- Your WordPress site suddenly starts choking the bandwidth.
- You receive warning messages like "MTA Queue is too large!".
WordPress Hacked Sending Spam: Causes
WordPress hacked sending spam is often due to a malware infection: attackers upload malicious scripts to the WordPress server, and these scripts establish a connection with the SMTP mail server and churn out spam. The source code of one such malware was shown in the original article's image (not reproduced here). It is a simple script that constructs spam messages and uses base64 encoding to evade detection.
Coding vulnerabilities like SQLi, XSS, RCE, etc. can also lead to WordPress hacked sending spam. Attackers compromise your WordPress site through these vulnerabilities and inject malicious code into legitimate files. Files like index.php, functions.php, themes.php, etc. can be injected with spam-sending code this way.
Server misconfiguration can hand your site to attackers who then use it to send spam. For instance, using port 25 for SMTP connections can make the server a target for spammers. Instead, use port 587, as some ISPs block port 25. Similarly, sharing a web space can lead to such spam malware spreading across multiple sites. To prevent this, use subnetting. Other server misconfigurations like directory indexing enabled, open ports, etc. can also lead to WordPress hacked sending spam.
WordPress Hacked Sending Spam: Detection
Often, malicious PHP scripts are responsible for WordPress hacked sending spam. Detection and removal of such scripts mean the removal of spam. Therefore, in order to hunt them down, start by logging into the server with administrative rights.
With administrator privileges acquired, start capturing the outbound emails.
In order to capture spam emails, first, create a file where all that info can be logged. This can be done by the following command:
Make sure that the phpmail.log file you just created is writable. To do this, run the following command:
chown httpd:httpd /var/log/phpmail.log
Once this file has been created, it’s time to restart your Apache server with the following command:
service httpd restart
These emails can now be captured and saved in the log file via this command:
tail -f /var/log/phpmail.log
The -f option makes tail follow the file, so every new entry PHP writes to phpmail.log is printed as it arrives. The log contents were shown in an image in the original article (not reproduced here).
In that log, the file responsible for sending out spam emails can be seen in the first line itself: the functions.php file of the WordPress theme, which has been infected. So give yourself a pat on the back, you have successfully identified the spam-sending script. Now we shall proceed to remove it.
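The triage step described above (reading phpmail.log to find which script calls mail()) as an added Python example, not code from the original article. It assumes PHP's mail.log line format ("mail() on [script:line]: To: ... -- Headers: ...") and that legitimate WordPress mail goes through wp-includes/pluggable.php; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of a PHP mail.log; the format is assumed from PHP's
# mail.log directive: "mail() on [script:line]: To: ... -- Headers: ...".
SAMPLE_LOG = """\
[12-Mar-2019 09:14:02 UTC] mail() on [/var/www/html/wp-content/themes/twentyseventeen/functions.php:412]: To: user1@example.net -- Headers: From: promo@example.org
[12-Mar-2019 09:14:02 UTC] mail() on [/var/www/html/wp-content/themes/twentyseventeen/functions.php:412]: To: user2@example.net -- Headers: From: promo@example.org
[12-Mar-2019 09:14:03 UTC] mail() on [/var/www/html/wp-content/themes/twentyseventeen/functions.php:412]: To: user3@example.net -- Headers: From: promo@example.org
[12-Mar-2019 09:20:15 UTC] mail() on [/var/www/html/wp-includes/pluggable.php:495]: To: admin@example.com -- Headers: From: WordPress <wordpress@example.com>
"""

LINE_RE = re.compile(
    r"mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: To: (?P<to>\S+)"
)

# Assumption: wp_mail() reaches PHP's mail() via wp-includes/pluggable.php,
# so any other script calling mail() directly deserves a look.
EXPECTED_SENDERS = ("/wp-includes/pluggable.php",)


def parse_mail_log(text):
    """Return (script, line, recipient) for every mail() call logged."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            entries.append((m.group("script"), int(m.group("line")), m.group("to")))
    return entries


def suspicious_senders(text, threshold=2):
    """Scripts that mail in bulk, or that are not the expected WordPress
    sender. Returns (script, line, count) sorted by volume."""
    counts = Counter((script, line) for script, line, _ in parse_mail_log(text))
    return [
        (script, line, n)
        for (script, line), n in counts.most_common()
        if n >= threshold or not script.endswith(EXPECTED_SENDERS)
    ]


if __name__ == "__main__":
    for script, line, n in suspicious_senders(SAMPLE_LOG):
        print(f"{n:4d} mails from {script}:{line}")
```

Run it against a real phpmail.log by passing the file contents instead of SAMPLE_LOG; the script and line number point straight at the code to inspect.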
WordPress Hacked Sending Spam: Cleanup
Once the script has been identified, open it to inspect the code. Typically, the attacker will try to conceal the code using techniques like base64 encoding, FOPO, etc. The obfuscated code shown in the original article's image (not reproduced here) is unreadable at first glance.
When deobfuscated, that code revealed the eval() function, which executes a string as PHP code, being used by the attackers to pump out spam.
The use of eval() is therefore detrimental to the quality of the code. Hence, delete all such malicious code. If you are unsure of what a line is doing, simply comment it out and contact experts for malware removal. You can also delete the infected files and replace them with fresh copies. However, in such cases caution must be exercised, as some files like .htaccess are crucial to the working of the server. Finally, after you clean up, delete all the remaining spam messages in your MTA queues, which the server would otherwise keep trying to resend. This can be done via the following commands:
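The decoding step described above, as an added Python example (not code from the original article): it peels nested eval(base64_decode('...')) layers from a PHP file so the hidden code can be read and then removed. The sample PHP file is constructed in the block, with a harmless placeholder in place of the real payload.

```python
import base64
import binascii
import re

# Matches the common implant shape eval(base64_decode('<base64>')).
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)"
)

# Functions that are rarely legitimate in a theme file and usually mark
# obfuscation; their presence alone is a reason to look closer.
RED_FLAGS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(", "gzuncompress(")


def red_flags(source):
    """Return the obfuscation-related function names found in source."""
    return [name for name in RED_FLAGS if name in source]


def unwrap_eval_base64(source, max_depth=10):
    """Decode nested eval(base64_decode()) layers.
    Returns (layers, final): each decoded layer in order, and the innermost text."""
    layers, current = [], source
    for _ in range(max_depth):
        m = EVAL_B64_RE.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # not valid base64, stop rather than guess
        layers.append(decoded)
        current = decoded
    return layers, current


# Constructed sample: a theme file with a harmless placeholder wrapped in two
# eval/base64 layers, the same shape as the infected functions.php above.
INNER = "echo 'placeholder payload';"
LAYER1 = "eval(base64_decode('%s'));" % base64.b64encode(INNER.encode()).decode()
SAMPLE_PHP = "<?php\nfunction theme_setup() {}\neval(base64_decode('%s'));\n" % (
    base64.b64encode(LAYER1.encode()).decode()
)

if __name__ == "__main__":
    print("flags:", red_flags(SAMPLE_PHP))
    for depth, layer in enumerate(unwrap_eval_base64(SAMPLE_PHP)[0], 1):
        print(f"layer {depth}: {layer}")
```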
sudo postsuper -d ALL
sudo postsuper -d ALL deferred
WordPress Hacked Sending Spam: Mitigation
A security solution like Astra can protect your WordPress site 24/7 against every kind of spam. Astra actively monitors your traffic to block any type of incoming or outgoing spam. Most importantly, Astra is highly affordable even for personal blogs on WordPress, with prices starting from $9. Specially built for WordPress and similar CMSs, Astra can remove spam and protect you against it.