One of the biggest challenges our Technical Support department faces is dealing with hacking incidents. In spite of our various levels of protection, hackers can still get through. They know how to target vulnerabilities in software and have ingenious ways to appear as legitimate users and site visitors. The more sophisticated hackers also do a good job of covering their tracks. This article discusses hacks to CMS systems, which comprise the majority of incidents, and offers some tips and techniques for preventing and dealing with WordPress hacks.

WordPress is the most popular software in the world for websites. Joomla! and Drupal are also very popular. Because of their open architecture, and widespread use, these three Content Management Systems (CMS) are the #1 target of hackers. The vulnerabilities of these CMS is usually not in the core software itself, but rather results from poor coding in third party add-ons (plugins, themes, etc). There have even been cases where bad actors purchased a popular plug-in, and then embedded a Trojan horse or vulnerability to be exploited later.

As mentioned earlier, hacking is often due to poor programming which leads to code that is vulnerable to exploits. Such exploits are known as backdoors.

A backdoor is commonly referred to as a method of bypassing normal authentication and the ability to remotely access the server while remaining undetected. Some backdoors will allow hackers to create hidden admin usernames that they can use to access the server. More complex backdoors can allow the hacker to upload and execute any PHP code sent from the browser. Some backdoors even have their own UI (user interface) which allows the hacker to impersonate the server. This level of access allows them to send emails, execute MySQL queries and perform other bad acts. What makes backdoors so dangerous is that the hacker can control the entire server.

Where is the backdoor code hidden?

There are several common locations where backdoors are hidden.

Themes –  It is possible that the backdoor is not even within the current used theme but maybe within an old theme that was not updated and left vulnerable. Site owners sometimes use cracked themes.

*** Word of advice - You should NEVER use cracked themes, as these are often “patched” with a backdoor.

Plugins – The plugins folder is one of the most used locations for hackers to keep their files in. The reason behind that is simple:

• First, site owners do not look in this folder very often, as there is no need to pay close attention to it
• Second, site owners neglect to upgrade their plugins. An out of date plugin can survive a WordPress upgrade. In many cases, upgrading an old or discontinued plugin may not be possible without a developer.
• Third, many of the plugins we encounter are poorly coded and often lead to vulnerabilities.

*** Word of advice: Upgrade your WordPress plugins on a daily/weekly basis.

Upload Directory  - Another place to look for backdoors is the upload directory. Site owners rarely look in the upload directory. Site images and used in posts reside here. The upload directory can contain hundreds or thousands of images, making it the perfect hiding place. Another downside with the upload directory is that it is writable, making it the perfect target. A very large number of backdoors we find are in the upload directory.

*** Word of advice: Use a security monitoring plugin such as Sucuri. iThemes, or WordFence.

wp-config.php and wp-include - We also find infected code in the wp-config.php. This is a highly targeted file by hackers. The includes folder (wp-include) is also a good place to hide the backdoor.  Many hackers will not just leave one backdoor file, but will place them in more than one location. Once the initial backdoor was uploaded, hackers will add another one (or more) to ensure they still have access in case of a cleanup. We often find the backdoor to be disguised as a WordPress file. For example wp-users.php was uploaded in wp-includes. In the normal WordPress installation there is user.php but no wp-user.php in the wp-includes folder. Usually the infected code is after the first php opening tag and it has encrypted code.

*** Word of advice: When in doubt if your wp-config.php file is infected, you can use the wp-confing.php file from a clean WordPress install. Make sure to keep the database connection details.

Random Named PHP Files - We also find the backdoor as a PHP file with a random name generated such as wxshIjduoy.php, which is obviously not a word and without a meaning.

You may encounter such names wp-content.old.tmp, data.php, wp-app.php or php5.php. It does not necessarily have to be a PHP file. In some cases there was an application hidden within a GIF file and that GIF file was hidden within a legitimate image directory. Tracking down such incidents can be a little trickier and requires a lot of skills, including debugging and troubleshooting skills.

Recommendations in Dealing with WordPress Hacks

1. Keep good backups of your WordPress. Make sure you have at least 7 days worth of backups for your WordPress sites. eApps offers an excellent Enterprise Backup service, which allows you to set up a retention schedule with sufficient recovery points.
2. Since you can never be 100% sure that the hack is cleaned, we recommend that you delete the site and restore it to the point where you are sure it was not hacked. This does not fix your vulnerability so you still need to find and patch it.
3. You don’t always need to restore the database. The hack is usually stored within the site files, so the content should not be lost. In some rare cases, the database is affected and requires a manual restore of the missing posts and data.
4. In order to test if your site is hacked, you may need to run it in incognito mode to see if the hack comes back. Some of the hackers are smart, and it will not show the hack for the logged in users. Only logged out users will see the hack. Also try to change your browser’s user agent as Google. Sometimes hackers only want to target the hack to search engines.
5. Disable the following PHP functions:
   "exec,passthru,shell_exec,system,proc_open,popen"
6. Install security plugins, such as Wordfence or iThemes Security, to limit the number of logins. By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
7. Force strong passwords on your users. You can use a password managing utility such as 1Password, for example.
8. Enable  “two step authentication”. Alternatively, you can use phone verification for users that want to login. If a password gets compromised, the user would still need to have the verification code from their phone.
9. There is a WordPress exploit in GDPR plugin. Such a bug will allow a standard user to have administrator rights. This WordPress exploit affects WP GDPR Compliance versions up to and including 1.4.2. The patched version, 1.4.3, is now available within the WordPress plugin repository. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites. Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.
10. Stay up to date with both plugins and WordPress. The latest WordPress version should, in theory, have no vulnerability, until one is discovered.
11. Do not use cracked/nulled themes, these will most likely contain infected/vulnerable code. Unless you are a PHP developer you will not know the difference between an infected and clean code.
12. Configure the free eApps Web Application Firewall (WAF) and CDN Site Accelerator. This valuable service, powered by StackPath, can be activated from your eApps Portal > My Cloud menu. Once configured, the WAF will protect your WordPress sites against hacker bots. The Site Accelerator will help improve the speed of your static content. You can follow the setup wizard to configure the service or purchase our assistance service.