WordPress Hacked? These WordPress Vulnerabilities Could be the Reason

Having your WordPress site hacked can be very frustrating. It can harm your website’s reputation, SEO and sales. Recently, the WordPress iOS app was found to be leaking sensitive access tokens for WordPress blogs to third-party websites. Besides this, exploits of plugins such as Yuzo, WP Live Chat Support, FB Messenger Live Chat, Slimstat, etc. led to the hacking of thousands of WordPress sites. Read on to learn the reasons behind these hacks and the step-by-step methods to fix them.

Webmasters often misunderstand and neglect WordPress security, which makes WordPress one of the most widely targeted CMSs. In this article, we answer common questions in detail: “Why was your WordPress site hacked?”, “How can you fix it?”, and “How do attackers attack you?”

WordPress Site Hacked: Symptoms

While defacement of a WordPress site is a clear indication that it has been hacked, other signs may be subtle and go unnoticed by average users. Some such signs of a hacked WordPress site are:

  • New, unknown files in the wp-admin and wp-includes directories, both of which rarely have new files added.
  • WordPress site is redirecting users, and they complain about ending up on other domains.
  • Adblockers are blocking the WordPress site for cryptocurrency mining.
  • Unknown pop-ups and malicious adverts appear on the WordPress site.
  • Suspicious Cron jobs waiting to be executed on the server or suspicious activity in the server logs.
  • WordPress theme, header, footer files have been modified to create redirects.
  • Japanese-looking characters and gibberish content appear on the WordPress site due to the Japanese Keyword Hack, Pharma Hack, etc.
  • While logging in to a WordPress account hosted on cloud servers, warning messages about account suspension appear.
  • Search results show an incorrect meta description of your WordPress site.
  • A sudden drop in traffic on the WordPress site due to being blacklisted by Google and other search engines for malware, spam, etc.
  • New and unknown admins of the WordPress website’s database appear.
  • Outbound emails from your WordPress website’s domain land in recipients’ spam folders.
  • WordPress website shows some unexpected error messages and becomes slow/unresponsive.
  • Little traffic on the site, but the server is always consuming heavy processing resources.


Why was your WordPress site hacked?

Your website’s security depends on the steps you take to secure it. Ignoring simple security rules increases your risk online. Here are some of the reasons why hackers may have exploited your website:

1. Not Updating WordPress

This is the most basic security measure for a website. Failing to update to the latest version is the number one reason for hacked sites, so always be quick to update to the latest, patched version. This closes the known vulnerabilities on your website.

2. Hosting on a Shared Server

A shared server may be the cheaper option, but it has costlier after-effects if hacked. Move your website to safer hosting and choose a trusted hosting provider. Make sure to verify that your provider complies with the best security standards.

3. Using Weak Passwords and Username

Almost all the sensitive areas on your website are password-protected. A password made of your own name or your website’s name, with no numerals or special characters, is a weak password. Make sure you do not use weak passwords for the following:

  • wp-admin panel,
  • server hosting panel,
  • databases,
  • FTP accounts, and
  • your primary email account.

Also, change your default username to something unique. Usernames like admin, your own name or your website’s name are far too easy for an attacker to guess.

4. Incorrect File Permissions

Loose file permissions can let attackers access, modify or delete files. In some cases, attackers have even held files for ransom. Set correct permissions as follows:

  • For files: 644
  • For directories: 755
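
The following script is an added example (not code from the original post) that audits a WordPress document root against the 644/755 baseline above and applies it; the sample tree, its paths and the loose modes are constructed here so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not code from the original post): audit a WordPress tree
# against the 644 (files) / 755 (directories) baseline above and fix any
# deviation. The sample tree is constructed so the script runs stand-alone;
# pass a real document root to audit an actual site.

# Print every path whose mode deviates from the baseline; return 1 if any.
audit_perms() {
  root="$1"
  bad=$( { find "$root" -type f ! -perm 644; find "$root" -type d ! -perm 755; } | sort )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Apply the baseline: directories keep the execute bit so they remain
# traversable, files lose every write bit except the owner's.
fix_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 '{}' +
  find "$root" -type f -exec chmod 644 '{}' +
}

# Constructed sample: a world-writable theme file and a 777 uploads directory,
# the kind of loose modes that let any local process rewrite the site.
make_loose_tree() {
  root=$(mktemp -d)
  chmod 755 "$root"
  mkdir -p "$root/wp-content/uploads"
  chmod 755 "$root/wp-content"
  chmod 777 "$root/wp-content/uploads"
  printf '<?php // theme functions ?>\n' > "$root/wp-content/functions.php"
  chmod 666 "$root/wp-content/functions.php"
  printf '%s\n' "$root"
}

# Stand-alone run: show the deviations, fix them, and confirm a clean audit.
sample_root=$(make_loose_tree)
audit_perms "$sample_root" || echo "deviations found, fixing"
fix_perms "$sample_root"
audit_perms "$sample_root" && echo "tree matches 644/755 baseline"
```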

5. Unprotected Access to wp-admin Directory

The wp-admin directory is the area from where you control your website. Allowing unprotected access to the WordPress admin directory lets your users or team members perform unwanted actions on your website. Thus, restrict access by defining permissions for the different user roles, so that no single user has the power to do everything. Further, adding extra layers of authentication to your WordPress admin directory also helps.

6. Outdated Plugins or Theme

Numerous WordPress websites run outdated plugins and themes. Since these plugins and themes contain known vulnerabilities, it is far too easy for hackers to exploit them. Therefore, when a plugin developer pushes an update, you should be quick to apply it.

7. Using Plain FTP instead of SFTP/SSH

FTP accounts are used to upload files to your web server using an FTP client. Plain FTP does not encrypt your password, which heightens the risk of someone capturing it. SFTP (SSH File Transfer Protocol), on the other hand, sends encrypted data to the server. So, always opt for SFTP over FTP; you can do this by setting the protocol to ‘SFTP – SSH’ every time you connect to your server.

Image: Fixing hacked WordPress website

How do hackers attack WordPress websites?

1. WordPress SQL Injection

WordPress versions 4.8.3 and earlier were found vulnerable to SQL injection attacks. This vulnerability was dubbed CVE-2017-16510 and assigned a CVSS score of 7.5. Quite ironically, the $wpdb->prepare() method, which is generally used to prepare safe queries, was itself vulnerable this time. This meant that plugins and themes that built queries with this function were also potentially vulnerable to an SQLi attack. Similarly, the WP Statistics plugin for WordPress, with more than 300,000 downloads, was found vulnerable to SQLi. Typically, an attacker can read sensitive tables like wp_users of your WordPress site using SQLi. Although the passwords are not stored in plaintext, tools can still be used to recover them, which means obtaining admin credentials to log into an admin account in WordPress. In the worst-case scenario, the attacker can even upload a reverse shell using SQLi, leading to a hacked WordPress site.

Related Article – Prevent SQL Injection in WordPress

2. WordPress Cross-Site Scripting

WordPress versions 5.1.1 and earlier were found vulnerable to XSS, CSRF and RCE, dubbed CVE-2019-9787. This was a stored XSS vulnerability. The wp_filter_kses() function, which is used to sanitize comments, allows basic HTML tags and attributes, such as the <a> tag combined with the 'href' attribute. Therefore, attackers can deliver a malicious payload like <a title='XSS " onmouseover=evilCode() id=" '>. This would get stored in the database and run every time a user visits the page.

Related Blog – Cross-Site Scripting in WordPress – Examples

3. WordPress Cross-Site Request Forgery

WordPress does not implement a CSRF validation token for comments, and rightly so, because doing so would break its trackback and pingback features. To differentiate normal users from administrators, WordPress uses an extra nonce for admin validation in the comment form. If the correct nonce is provided, the comment is created without sanitization; if the nonce is incorrect or missing, the comment is created with sanitization. When an administrator fails to provide the nonce, the comment is sanitized using wp_filter_post_kses() instead of wp_filter_kses(). However, wp_filter_post_kses() allows far more HTML tags and attributes than should be permissible, so an attacker can use a CSRF attack to create comments containing them. This issue was highlighted in CVE-2019-9787.

4. WordPress Remote Code Execution

WordPress versions before 4.9.9, and 5.x before 5.0.1, were found prone to RCE. This vulnerability was dubbed CVE-2019-8942 and assigned a CVSS score of 6.5. The vulnerable parameter was the _wp_attached_file Post Meta entry. This parameter could be manipulated to a string of the attacker's choice, i.e. one ending with the .jpg?file.php substring. However, to exploit this, the attacker needed author privileges. An attacker with author privileges could upload a specially crafted image containing the PHP code to be executed, embedded in its Exif metadata. Scripts to exploit this vulnerability are publicly available, and a Metasploit module has been released too!

5. WordPress Directory Traversal

WordPress 5.0.3 was vulnerable to path traversal attacks. This vulnerability was dubbed CVE-2019-8943 and assigned a CVSS score of 4.0. However, to exploit this, the attacker needed at least author privileges on the target WordPress site. The vulnerable component was the function wp_crop_image(). A user able to run this function (i.e. able to crop an image) could write the output image to an arbitrary directory. Moreover, the file name could be appended with the directory-up sequence ‘../’ to reach the path of the file an attacker wishes to obtain, i.e. .jpg?/../../file.jpg. Exploits and Metasploit modules to replicate this vulnerability are available online!

6. Buggy Plugins or Themes

It is also likely that a poorly coded plugin is responsible for a hacked WordPress site. Themes by unreputable authors often contain buggy code. In some cases, attackers themselves release malware-laden plugins and themes to compromise numerous sites. Also, outdated WordPress core software can make the site vulnerable, again leading to a hacked WordPress site.


How to fix your hacked WordPress site

1. Use ‘find’ command to review recent modifications

In order to see the WordPress files modified by the attackers, obtain SSH access to your server and run the following command:

find . -mtime -2 -ls

This command lists all the WordPress files modified in the last 2 days. Keep increasing the number of days until you find something fishy. Now combine this find command with grep to search for code encoded in base64 format. Simply execute the following command:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> hiddencode.txt

2. Use a malware scanner to find malicious code

Now, use online tools to decode the content of hiddencode.txt. In case you find something suspicious but are unable to figure out what it does, simply comment out the line and contact experts for complete malware removal. This can alternatively be done using phpMyAdmin, as shown in the image below. Moreover, phpMyAdmin can also come in handy while cleaning the database of a hacked WordPress site.

Image: WordPress site hacked phpMyAdmin
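
Steps 1 and 2 above can be scripted, so that the find/grep review and the decoding of whatever base64 turns up happen in one pass; the script below is an added example (not code from the original post), and its sample tree, file paths and encoded string are constructed here so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not code from the original post): review a WordPress tree
# for recently modified PHP files and for base64 strings hidden in PHP, then
# decode each string so its real content can be read. The sample tree below
# is constructed for a stand-alone run; pass a real document root instead.

# List PHP files under $1 modified within the last $2 days (default 2).
recent_php_files() {
  root="$1"; days="${2:-2}"
  find "$root" -type f -name '*.php' -mtime "-$days" -print | sort
}

# Print "file: <decoded string>" for each base64 literal passed straight to
# base64_decode() in PHP files under $1. Only literals of 16+ characters are
# considered, which skips short legitimate tokens.
decoded_base64_literals() {
  root="$1"
  find "$root" -type f -name '*.php' -print | sort | while IFS= read -r f; do
    # grep -o isolates each call; sed strips the function name and quotes.
    grep -oE "base64_decode\(['\"][A-Za-z0-9+/=]{16,}['\"]\)" "$f" 2>/dev/null \
      | sed -E "s/^base64_decode\(['\"]//; s/['\"]\)$//" \
      | while IFS= read -r b64; do
          dec=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || continue
          printf '%s: %s\n' "$f" "$dec"
        done
  done
}

# Constructed sample tree: one clean theme file and one carrying an encoded
# redirect of the kind described in the symptoms list above.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/demo"
  printf '<?php get_header(); ?>\n' > "$root/wp-content/themes/demo/index.php"
  hidden=$(printf '%s' 'header("Location: https://example.invalid/");' | base64)
  printf '<?php eval(base64_decode("%s")); ?>\n' "$hidden" \
    > "$root/wp-content/themes/demo/footer.php"
  printf '%s\n' "$root"
}

# Stand-alone run: scan the constructed tree.
sample_root=$(make_sample_tree)
recent_php_files "$sample_root"
decoded_base64_literals "$sample_root"
```

On a real site, anything this prints is a lead to investigate, not proof of compromise: some plugins legitimately embed base64, so read the decoded text before editing or removing the file.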

WordPress Site Hacked: Mitigation

1. Secure Practices

  • Avoid using common or default passwords. Make sure the WordPress login requires a secure and random password.
  • Remove folders of old WordPress installations from the site, as they can leak sensitive information.
  • Do not use nulled themes or plugins from unreputable authors. Keep the existing plugins and themes up to date with the latest patches.
  • Use subnetting while sharing the WordPress hosting space with other sites.
  • Make sure no sensitive ports are open on the internet.
  • Disable directory indexing for sensitive WordPress files using .htaccess.
  • Restrict IPs based on countries from where you detect heavy bot traffic on site.
  • Follow secure coding practices if you are a developer for WordPress.
  • Use SSL for your WordPress site.
  • Always keep a backup of your WordPress site separately.
  • Rename wp-login.php to a unique slug.
  • Use two-factor authentication to log into your WordPress site.

2. Use a Security Solution

A firewall can help secure your WordPress site even if it is vulnerable. However, finding the right firewall for the diverse needs of WordPress can be tricky. Astra can help you make the right choice from its three plans: Essential, Pro and Business. Whether you use WordPress to run a small blog or a corporate site, Astra covers every ground for you. Moreover, the Astra security solution scans and patches your vulnerable WordPress site automatically. Just install the Astra plugin and your site is secure again.


3. Security Audit and Pentesting

As seen in this article, vulnerabilities in WordPress will arise from time to time. Therefore, as a precautionary measure, it is advisable to conduct penetration testing of your website. This will reveal the loopholes to you before attackers can find them. Astra provides a comprehensive security audit of the complete WordPress site. With its 120+ active tests, Astra gives you the right mix of automatic and manual testing.

About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
