WordPress Hacked? These WordPress Vulnerabilities Could be the Reason

Fixing Hacked WordPress Website

Thanks to WordPress’s open-source structure, managing content on the web is now a matter of seconds. WordPress has been on the web since blogging was only a new trend. It has evolved with time and built a successful ecosystem of plugin and theme developers and users. However, like any popular software solution, WordPress has its fair share of security vulnerabilities. Recently, the WordPress iOS app was found leaking a sensitive access token of WordPress blogs to third-party websites. Apart from this, WordPress is one of the CMSs widely targeted by attackers, and thousands of users each year end up with a hacked WordPress site. Weighing in on WordPress’s security concerns, its CEO Matt Mullenweg once remarked:

I agree there’s probably not a ton of benefit to having the online banking/bill pay/etc. portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’s strength as a content management platform that is flexible, customizable, and easy to update and maintain.

WordPress Site Hacked: Examples

Victims of a hacked WordPress site can be found asking other users for help across the internet. So many WordPress sites are targeted each year that multiple help forums exist to deal with hacked WordPress sites. Setting other forums aside, on the official WordPress forum the keyword ‘Hacked’ alone yields around 5970 results at the time of writing. Given below are some examples of these help requests.

WordPress site hacked example 1


WordPress site hacked example 2


WordPress site hacked example 3


WordPress site hacked example 4

WordPress Site Hacked: Symptoms

While things like defacement are clear indications of a hacked WordPress site, other signs may be subtle and go unnoticed by average users. Some such signs are:

  • New, unknown files in the wp-admin and wp-includes directories, both of which rarely have new files added.
  • WordPress site is redirecting users, and they complain about ending up on other domains.
  • Adblockers are blocking the WordPress site for cryptocurrency mining.
  • Unknown pop-ups and malicious adverts appear on the WordPress site.
  • Suspicious Cron jobs waiting to be executed on the server or suspicious activity in the server logs.
  • WordPress theme, header, footer files have been modified to create redirects.
  • Japanese-looking characters and gibberish content appear on the WordPress site due to the Japanese Keyword Hack, Pharma Hack, etc.
  • While logging in to a WordPress account hosted on cloud servers, warning messages of account suspension appear.
  • Search results show an incorrect meta description of your WordPress site.
  • A sudden drop in traffic on the WordPress site due to being blacklisted by Google and other search engines for malware spam etc.
  • New and unknown admins of the WordPress website’s database appear.
  • Outbound Emails from your WordPress website’s domain are being sent into the recipient’s spam folder.
  • WordPress website shows some unexpected error messages and becomes slow/unresponsive.
  • Not much traffic on the site but the server is always consuming heavy processing resources.


WordPress Site Hacked: Common Vulnerabilities

WordPress SQL Injection

WordPress version 4.8.3 and earlier were found vulnerable to SQL injection attacks. This vulnerability is tracked as CVE-2017-16510 and was assigned a CVSS score of 7.5. Quite ironically, the $wpdb->prepare() method, which is generally used to prepare safe queries, was itself vulnerable this time. This meant that plugins and themes using queries built with this function were also potentially vulnerable to an SQLi attack. Similarly, the WP Statistics plugin for WordPress, with more than 300,000 downloads, was found vulnerable to an SQLi. Typically, an attacker can use SQLi to read sensitive tables of your WordPress site, such as wp_users. Although the passwords are stored in hashed form, tools can still be used to crack them. This means obtaining admin credentials to log into an admin’s account in WordPress. In the worst-case scenario, the attacker can even upload a reverse shell using an SQLi, leading to a hacked WordPress site.


WordPress Cross-Site Scripting

WordPress version 5.1.1 and earlier were found vulnerable to an XSS, CSRF and RCE issue tracked as CVE-2019-9787. This was a stored XSS vulnerability. The wp_filter_kses() function, which is used to sanitize comments, allows basic HTML tags and attributes, such as the <a> tag combined with the ‘href’ attribute. Attackers can therefore deliver a malicious payload like <a title='XSS " onmouseover=evilCode() id=" '>. This gets stored in the database and runs every time a user visits the page.


WordPress Cross-Site Request Forgery

CSRF token validation has not been implemented for WordPress comments, and rightly so, because doing so would hinder the trackback and pingback features of WordPress. To differentiate normal users from admins, WordPress uses an extra nonce for admin validation in the comment forms. If the correct nonce is provided, the comment is created without sanitization; if the nonce is incorrect, the comment is created with sanitization. So when an administrator fails to provide the nonce, the comment is sanitized using wp_filter_post_kses() instead of wp_filter_kses(). Thus, wp_filter_post_kses() lets an attacker who conducts a CSRF attack create comments with many more HTML tags and attributes than are normally permissible. This issue was highlighted in CVE-2019-9787.

WordPress Remote Code Execution

WordPress versions before 4.9.9 and 5.x before 5.0.1 were found prone to RCE. This vulnerability is tracked as CVE-2019-8942 and was assigned a CVSS score of 6.5. The vulnerable parameter was the _wp_attached_file Post Meta entry, which could be changed to a string of the attacker’s choice, such as one ending with the .jpg?file.php substring. However, to exploit this, the attacker needed author privileges. An attacker with author privileges could upload a specially crafted image containing the PHP code to be executed, embedded in the Exif metadata. Scripts to exploit this vulnerability are publicly available, and a Metasploit module has been released too!

WordPress Directory Traversal

WordPress 5.0.3 was vulnerable to Path Traversal attacks. This vulnerability is tracked as CVE-2019-8943 and was assigned a CVSS score of 4.0. However, to exploit this, the attacker needed at least author privileges on the target WordPress site. The vulnerable component was the function wp_crop_image(). A user able to run this function (i.e. able to crop an image) could output the image to an arbitrary directory. Moreover, the file name could be appended with the directory-up symbol, i.e. ‘../’, to get the path of the file the attacker wishes to obtain, i.e. .jpg?/../../file.jpg. Exploits and Metasploit modules to replicate this vulnerability are available online!
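
Both CVE-2019-8942 and CVE-2019-8943 above depend on an attachment path that carries a ‘?’ or a ‘../’ sequence, so a site owner can review stored _wp_attached_file values for those shapes. The following check is an added example, not code from WordPress or from this article; the tab-separated export layout (meta_id, post_id, meta_key, meta_value), the sample rows and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag _wp_attached_file values shaped like the strings
# described for CVE-2019-8942 / CVE-2019-8943.
# Assumed input on stdin: tab-separated wp_postmeta rows with the columns
# meta_id, post_id, meta_key, meta_value (the export step is not shown).

# flag_attached_files
# Prints "post_id<TAB>reasons<TAB>value" for every suspicious attachment path.
flag_attached_files() {
    awk -F '\t' '
        $3 != "_wp_attached_file" { next }   # only attachment paths matter
        {
            reason = ""
            # A stored file path never needs a query string.
            if (index($4, "?"))   reason = reason "query-string,"
            # The directory-up sequence lets the path leave the uploads folder.
            if (index($4, "../")) reason = reason "dot-dot,"
            # An attachment path should not end in an executable extension.
            if (tolower($4) ~ /\.(php|phtml|phar)$/) reason = reason "php-extension,"
            if (reason != "") {
                sub(/,$/, "", reason)
                print $2 "\t" reason "\t" $4
            }
        }'
}

# sample_postmeta: constructed rows, not taken from a real site.
sample_postmeta() {
    printf '101\t55\t_wp_attached_file\t2019/02/photo.jpg\n'
    printf '102\t56\t_wp_attached_file\t2019/02/evil.jpg?file.php\n'
    printf '103\t57\t_wp_attached_file\t2019/02/evil.jpg?/../../file.jpg\n'
    printf '104\t57\t_edit_lock\t1550000000:1\n'
}

sample_postmeta | flag_attached_files
```

A flagged row is a reason to inspect the post and the files next to the referenced path, not proof of compromise on its own.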

Buggy Plugins or Themes

It is also likely that a poorly coded plugin is responsible for a hacked WordPress site. Themes by non-reputed authors often contain buggy code. In some cases, attackers themselves release malware-laden plugins and themes to compromise numerous sites. Outdated WordPress software can also make the site vulnerable, leading to a hacked WordPress site.


WordPress Site Hacked: Cleanup

In order to see the WordPress files modified by the attackers, obtain SSH access to your server and run the following command:

find . -mtime -2 -ls

This command lists all the WordPress files modified in the last 2 days. Keep increasing the number of days until you find something fishy. Next, combine this find command with grep to search for code encoded in base64 format. Simply execute the following command:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> hiddencode.txt

Now, use online tools to decode the content of hiddencode.txt. If you find something suspicious but are unable to figure out what it does, simply comment out the line and contact experts for complete malware removal. This can alternatively be done using phpMyAdmin, as shown in the image given below. Moreover, phpMyAdmin can also come in handy while cleaning the database of a hacked WordPress site.

WordPress site hacked phpMyadmin
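
The two find steps above can be combined so that only PHP files which both changed recently and contain an obfuscation marker are listed. This is an added example, not part of the original article; the marker list, the function names and the sample tree are assumptions, and a hit is a lead for manual review because legitimate plugins also call base64_decode().

```shell
#!/bin/sh
# Added example: triage a WordPress tree for PHP files that changed recently
# AND contain common obfuscation markers.

# Assumed marker list; extend it to suit the site being reviewed.
MARKERS='base64_decode|gzinflate|str_rot13|eval[[:space:]]*\('

# suspicious_php ROOT DAYS
# Prints "path:matching-line-count" for each *.php file under ROOT that was
# modified within the last DAYS days and has at least one marker line.
suspicious_php() {
    # /dev/null forces grep to print file names even for a single file;
    # "{} +" hands names to grep directly, so paths with spaces are safe.
    find "$1" -type f -name '*.php' -mtime "-$2" \
        -exec grep -Eic -- "$MARKERS" /dev/null {} + |
        awk -F: '$NF > 0' | sort
}

# build_sample_tree DIR: constructed files for the demonstration only.
build_sample_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads/2019 02"
    printf '<?php echo "hello";\n' > "$1/wp-includes/clean.php"
    printf '<?php eval (base64_decode("ZWNobyAxOw=="));\n' \
        > "$1/wp-content/uploads/2019 02/thumb.php"
    printf '<?php $x = gzinflate($y);\n' > "$1/wp-includes/old.php"
    # Back-date one marker file so it falls outside a 2-day window.
    touch -t 202001010000 "$1/wp-includes/old.php"
}

demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
suspicious_php "$demo_dir" 2
rm -rf "$demo_dir"
```

Widening DAYS, as the text suggests, brings the back-dated file into the report as well.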

WordPress Site Hacked: Mitigation

Secure Practices

  • Avoid using common or default passwords. Make sure the WordPress login requires a secure and random password.
  • Remove folders of old WordPress installation from the site as they can leak sensitive info.
  • Do not use nulled themes or plugins from non-reputed authors. Keep the existing plugins and themes up to date with the latest patches.
  • Use subnetting while sharing the WordPress hosting space with other sites.
  • Make sure no sensitive ports are open on the internet.
  • Disable directory indexing for sensitive WordPress files using .htaccess.
  • Restrict IPs based on countries from where you detect heavy bot traffic on site.
  • Follow secure coding practices if you are a developer for WordPress.
  • Use SSL for your WordPress site.
  • Always keep a backup of your WordPress site separately.
  • Rename wp-login.php to a unique slug.
  • Use two-factor authentication to log into your WordPress site.

Use a Security Solution

A firewall can help in securing your WordPress site even if it is vulnerable. However, finding the correct firewall for the diverse needs of WordPress can be tricky. Astra can help you make the right choice from its three plans: Essential, Pro, and Business. Whether you use WordPress to run a small blog or a corporate site, Astra covers every ground for you. Moreover, the Astra security solution scans and patches your vulnerable WordPress site automatically. Just install the Astra plugin and your site is secure again.


Security Audit and Pentesting

As seen in the article, vulnerabilities in WordPress will arise from time to time. Therefore, as a precautionary measure, it is advisable to conduct penetration testing of your website. This will reveal the loopholes to you before the attackers can catch up on your site’s security. Astra provides a comprehensive security audit of the complete WordPress site. With its 120+ active tests, Astra gives you the right mix of automatic and manual testing.


About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
