Category: Wordpress Guides

What To Do If Your WordPress Website Gets Hacked


With WordPress being so popular, and with the vast number of themes and plugins available, it is a favorite target for hackers. In 99% of cases your WordPress website is not actually targeted; most of the hacks are automated and carried out by bots.

 

Why do hackers hack WordPress websites?

Usually, they are using your site to make money. They do this by finding an exploit that allows them to upload files or inject their code into an existing file. The code most commonly used is mailing scripts to send spam and fake login pages for things like banks, PayPal, etc. (phishing). They may also insert ads into your website's files. In the vast majority of cases we see, your site is not specifically targeted and they are not actually after you.

 

How was my WordPress website hacked?

Hackers use bots that scan your WordPress website for vulnerabilities, both known and unknown. There are some comprehensive scanning tools out there that will scan your WordPress site for thousands of vulnerabilities and other possible weaknesses, such as out-of-date server software (PHP, Apache, MySQL, etc.). If an exploit is found, the bot will try to use it, usually to upload a script or inject code. Once this has been done, files and permissions can be changed or added as needed. Most commonly, hackers gain access through out-of-date WordPress core files, plugins, and themes. Always keep everything up to date, and if a plugin is not actively maintained by its developers then you really should get rid of it.

 

How do I know if my WordPress website is hacked?

 

In many cases, you will not know. A hacker who is using your website to make money will usually try to keep things quiet. Often you do not know until you are notified by us that your site has been compromised. Our systems constantly monitor your websites for suspicious activity such as mailing scripts, mail sending, and many other forms of malicious code. Other hints that something is awry may be:

  • Website suddenly showing a white page or 500 error.
  • Ads and popups that you did not add.
  • Decreased website performance.
  • Logins stop working and email recovery of your login or password no longer works.
  • Your website, or pages of your website, redirect to another site.

 

How do I recover my WordPress website after being hacked?

Hackers will usually hide malicious code (backdoors) throughout your website, and it can be hard to track down and eliminate all of it. If you miss one, they will be back in no time at all. The best way to recover your site from a hack is from a backup, but before you do that you need to find out when your site was hacked.

 

Finding out when your website was hacked

The first thing we need to do is find some of the hacked or compromised files. There are a variety of ways that this can be accomplished:

  • Use something like Wordfence to scan for malicious files (careful though, it can remove legitimate files)
  • Scan for malicious files from SSH (see below)
  • Ask us to run a scan on your account

Scanning from SSH is quick and easy. Here I will include the 3 most common patterns that we see, base64 and its variations; these are usually enough to help you quickly identify compromised or added malicious files.

Make sure you are in your website directory using the cd command, for example, “cd public_html”

find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *("

 

This scans for “eval”. It will return quite a few false positives, as there are legitimate uses for this code in WordPress. Here is what I get from a fresh WordPress 4.8 install with this command:

./wp-includes/functions.php
./wp-includes/class-snoopy.php
./wp-includes/class-json.php
./wp-admin/includes/class-pclzip.php

 

These are legitimate and clean files in WordPress 4.8 that come with “eval”. Now let's scan specifically for “base64_decode”.

find . -type f -name '*.php' -print0 | xargs -0 grep -l "base64_decode *("

 

Here again are the results from our fresh WordPress 4.8 install:

./wp-includes/class-wp-customize-widgets.php
./wp-includes/class-wp-simplepie-sanitize-kses.php
./wp-includes/class-smtp.php
./wp-includes/class-phpmailer.php
./wp-includes/ID3/module.audio.ogg.php
./wp-includes/IXR/class-IXR-message.php
./wp-includes/SimplePie/Sanitize.php
./wp-includes/random_compat/random_bytes_com_dotnet.php
./wp-admin/includes/file.php

 

These are all legitimate files that include base64 in WordPress 4.8. One last scan for “gzinflate”.

find . -type f -name '*.php' -print0 | xargs -0 grep -l "gzinflate *("

 

Again results from our fresh WordPress 4.8 install:

./wp-includes/class-requests.php
./wp-includes/class-wp-http-encoding.php
./wp-includes/SimplePie/File.php
./wp-includes/SimplePie/gzdecode.php
./wp-admin/includes/class-pclzip.php

 

To verify whether the results are indeed bad files you need to compare them against clean WordPress files. Found some suspicious files in a plugin directory? Download a fresh copy of that plugin and compare the files.
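One way to run that comparison over every scan hit at once, as an added example that is not part of the original post. It assumes a fresh copy of the same WordPress (or plugin) version has been unpacked into a reference directory; the function name and the CLEAN/MODIFIED/UNKNOWN labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# triage_hits SITE_DIR CLEAN_DIR
# Runs the three pattern scans from this guide over SITE_DIR and classifies
# every matching PHP file against the same relative path in CLEAN_DIR:
#   CLEAN     byte-identical to the reference copy (a false positive)
#   MODIFIED  present in the reference copy, but the contents differ
#   UNKNOWN   not present in the reference copy at all
# CLEAN_DIR is an assumption: a freshly downloaded copy of the same version.
triage_hits() {
    site=$1
    clean=$2
    # List matching files relative to SITE_DIR so the same relative path
    # can be looked up under CLEAN_DIR.
    (cd "$site" && find . -type f -name '*.php' -exec \
        grep -lE '(eval|base64_decode|gzinflate) *\(' {} +) | sort |
    while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            status=UNKNOWN
        elif cmp -s "$site/$rel" "$clean/$rel"; then
            status=CLEAN
        else
            status=MODIFIED
        fi
        printf '%s %s\n' "$status" "$rel"
    done
}
```

Called as `triage_hits public_html /path/to/clean-copy`, it leaves only the MODIFIED and UNKNOWN lines for a manual look.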

Checking when a file was last changed

Once you have a confirmed list of “bad” files, you want to check the date they were last changed. You can do so using the “stat” command.

stat date-test.txt

  File: ‘date-test.txt’
  Size: 17          Blocks: 8          IO Block: 4096   regular file
Device: 803h/2051d  Inode: 27798301    Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1020/xoiwjrbc)   Gid: ( 1020/xoiwjrbc)
Access: 2017-07-03 08:11:22.511398107 -0400
Modify: 2017-07-03 08:11:22.511398107 -0400
Change: 2017-07-03 08:11:22.511398107 -0400

 

Sometimes the hacker's script will attempt to hide file activity by modifying the Access and Modify timestamps to match other files on your WordPress installation, but the Change time is set by the system and cannot be modified in the same way. Now that you have a general idea of when files were changed or modified, you can move on to the best option for recovering from a hack, and that is backups.
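To turn the Change times of the confirmed bad files into a date to restore before, and to find other files changed in the same window, here is an added example that is not part of the original post. It assumes GNU stat, find and date (the tools behind the output above); the function names and the MTIME_OLDER marker are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GNU stat, find, date.

# earliest_change FILE...
# Prints the oldest Change time (epoch seconds) among the confirmed bad
# files: the backup to restore should predate this moment.
earliest_change() {
    stat -c '%Z' -- "$@" | sort -n | head -n 1
}

# changed_near EPOCH DIR [WINDOW_SECONDS]
# Lists every file under DIR whose Change time lies within WINDOW_SECONDS
# (default: one hour, an assumed value) of EPOCH.
# Output: "<change time> <flag> <path>", where the flag is MTIME_OLDER when
# Modify is more than a day older than Change. That is what a back-dated
# Modify stamp looks like, but also any file unpacked from an archive, so it
# is a hint and not proof.
changed_near() {
    epoch=$1
    dir=$2
    window=${3:-3600}
    find "$dir" -type f -exec stat -c '%Z %Y %n' {} + |
    while read -r ctime mtime path; do
        delta=$((ctime - epoch))
        [ "$delta" -lt 0 ] && delta=$((0 - delta))
        [ "$delta" -le "$window" ] || continue
        flag=-
        [ $((ctime - mtime)) -gt 86400 ] && flag=MTIME_OLDER
        printf '%s %s %s\n' "$(date -d "@$ctime" '+%FT%T')" "$flag" "$path"
    done | sort
}
```

For example, `changed_near "$(earliest_change bad1.php bad2.php)" public_html` lists everything changed within an hour of the first bad file, whatever its Modify stamp claims.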

 

Using backups to recover from hacked WordPress

Due to the complexity and difficulty of cleaning files and databases (yes, they might have also added to your database), your best option for recovery is restoring files and database(s) from backup. This is the reason why we went through the above steps of finding a somewhat accurate date as to when the site was compromised. At Kickassd we provide complimentary R1soft backups that are taken daily and stored for 30 days. In the majority of cases a hack becomes apparent inside of that 30-day window, and our R1soft backups allow you to quickly and easily recover your website.

But some hackers will gain access and sit silently for months before using their backdoors. In these cases, for most the only option is to clean their website, which is a comprehensive and complex task that is beyond the scope of this article. If you use our hosting services and find this is the case, please don’t hesitate to let us know!

The post What To Do If Your WordPress Website Gets Hacked appeared first on Kickassd – The Web Hosting Blog.

Amazon S3 Storage For Your WordPress Site

In many cases much of your resource use comes from serving files on your WordPress site. An easy and cheap way to lower resource use is to use Amazon S3 storage for your WordPress site. This is quite easy and actually free for 1 year if you stay within the free tier's limitations. First we need to make an account, so go sign up for Amazon S3 here: http://aws.amazon.com/s3/

 

Once done, go ahead and sign in and navigate to Storage And Content Delivery > S3 > Create A Bucket. You will need to give your bucket a unique name using alphanumeric characters and no spaces. We named ours storage.kickassd.com. Also select the location closest to where your WordPress site is physically hosted.

 

Now go ahead and install the “Amazon Web Services” plugin. Once that is done, access the plugin and you will see we need to provide some access keys. In order to do this we need to create a user for the bucket and give that user permissions. To do this, do the following:

  1. Go to https://console.aws.amazon.com/iam/home#users
  2. Create New User
  3. Show User Credentials (record the keys)
  4. Add the keys to wp-config as outlined in the plugin settings

define( 'DBI_AWS_ACCESS_KEY_ID', '********************' );
define( 'DBI_AWS_SECRET_ACCESS_KEY', '****************************************' );

Replace * with your keys.

Now we need to give the user some permissions. A clean, organized way to do this is to first create a custom group, call it something you recognize, and then give it Administrator permissions. After that, add the user you created to this new custom group.
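Administrator permissions cover the whole AWS account, while the keys stored in wp-config only need to reach one bucket. As an added example (not from the original post or the plugin's documentation), this generates a policy scoped to that single bucket; the function name and the list of S3 actions are assumptions to check against the plugin's documentation.

```shell
#!/bin/sh
# Added example (not from the original post or the plugin's documentation).
# The action list is an assumption about what a media-offload plugin needs:
# browse buckets, list the chosen bucket, and read/write/delete its objects.

# offload_policy BUCKET
# Prints an IAM policy document that limits the plugin's user to BUCKET.
offload_policy() {
    bucket=$1
    # S3 bucket names: 3-63 chars of lowercase letters, digits, dots and
    # hyphens, not starting or ending with a dot or hyphen.
    case $bucket in
        ''|*[!a-z0-9.-]*|[.-]*|*[.-])
            echo "invalid bucket name" >&2; return 1 ;;
    esac
    [ "${#bucket}" -ge 3 ] && [ "${#bucket}" -le 63 ] || {
        echo "invalid bucket name" >&2; return 1; }
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BrowseBuckets",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "ListThisBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$bucket"
    },
    {
      "Sid": "ManageObjects",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::$bucket/*"
    }
  ]
}
EOF
}
```

Save the output of `offload_policy storage.kickassd.com` to a file and attach it to the custom group as a custom policy in place of the Administrator one.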

Now if you navigate back to the Amazon plugin in your WordPress Dashboard, you will see the option to install WP Offload Lite; go ahead and install this. In your sidebar you will now see AWS > S3 And Cloudfront. Open that, browse existing buckets, and select the bucket you created. To test this, go ahead and upload something to the media library and check the URL to it. You will notice the URL now leads to Amazon!

That’s it, you are now using Amazon S3 for all content uploaded from this point forward. If you want to transfer all content that is already in your media library, this requires an upgrade to the pro version. To see how to further boost performance using Amazon's CloudFront, please see this post: Amazon S3 Cloudfront For Your WordPress Site


The post Amazon S3 Storage For Your WordPress Site appeared first on Kickassd – The Web Hosting Blog.

Install WordPress On cPanel

Here at Kickassd we are firm believers in not using 1-click installers, as they just have too much potential for creating bad installs that cause headaches for people. So here is a quick and simple guide to installing WordPress on cPanel. Before you go any further, download the latest version of WordPress: https://wordpress.org/download/ (grab the zip version)

Installation Steps

  1. Log into your Kickassd cPanel account
  2. Navigate to Files > File Manager
  3. Open the public_html directory. Look up and click Upload
  4. Select File and choose the WordPress zip file you downloaded. Once complete, go back to the previous directory.
  5. Now right click on the WordPress zip file and extract the files; you will now see you have a WordPress folder.
  6. Enter the WordPress folder, select all files, then choose Move. You will see the path is “/public_html/wordpress”. If you want WordPress to be available when people visit www.yourdomain.com, then change the path to /public_html and click Move File(s).
  7. Now visit your site and you should be presented with the WordPress install screen. Select your language and continue past the next screen as well.
  8. Back in your cPanel account, go to Databases > Mysql Databases.
  9. Create a database and a database user, and assign the user to the database with full privileges. Be sure to record the database name, user name, and password as you go.
  10. Go back to your WordPress install screen and enter the database name, username, and password. Hit the magic submit button!
  11. The next screen of note will ask you to enter your site name, username, etc. Do not use admin as a username, and I suggest you use the generated password as it is strong and this is very important. Make sure to record it in a safe place.
  12. Go ahead and “Install WordPress”. You should be greeted with a “Success!” and be able to log in and start using your new WordPress site.

 

Installing WordPress On A Sub-Domain

Installation of WordPress on a sub-domain will be essentially the same as above. The only thing that changes is the location where you upload and install the WordPress files. If you have created a sub-domain of “wp”, then you will see a new folder in public_html. This is where you will upload and install WordPress.

 

 

Of course, if you have any issues and need help or have questions, please don’t hesitate to contact support so we can help you get up and running.

The post Install WordPress On cPanel appeared first on Kickassd – The Web Hosting Blog.