I always considered WordPress easy to install and administer and am not hesitating to update, as soon as an update warning comes. As a matter of fact, we are now at WordPress 4.7.4 and the last update (4.7.3) was a really big one. Earlier versions were affected by six security issues, and the update was addressing them.

Six security issues sound rather vague and theoretical to you? Well this time, and after having to deal with cleaning up two WordPress blogs of our company which got hacked sometime between February and March, I really came to love updates and realized how stupid we were, not updating in time…

How the hack changed our WordPress blog?

It edited some posts and injected spam links. Some of those posts were on first page, some of them were on page two, or only when browsed by category… So identifying the changed posts at once glance wasn’t that easy.

How one gained access?

I think by injecting PHP code into pages via the WordPress REST API as explained here. And also because I had a plugin allowing PHP within posts.

One of the posts showed following text in its revisions

How to clean up afterwards?

Well, first of all, keep calm.

I logged into the mysql db using phpMyAdmin, reset all users passwords, deleted inactive users, and changed their role to just ‘Subscriber‘. If they need to log in again to the system, I can always update their role.

Now I logged again as me (having an Administrator Role) into the wp-admin area, and located the post which was showing the spam links. It was there in its Revisions that I saw the above lines indicating me when the attack tool place.

I switched back to an older post revision, updated my WordPress version and the template I was using and thought I was fine…was I? Hmmm who knows, maybe yes, maybe not.

Only because I reverted the posts I identified as being changed, this does not mean that I had removed all posts containing spam links, and/or the backdoor for a new attack.

How one should actually clean up afterwards?

WordPress offers a good FAQ covering this question. It was there that I find a link to a site checking pages for malware, asked to search my cleaned blogs, only to find out, that I still missed some affected posts on the second one.

So my first approach was not that good and effective, was it?

Anyhow…

Lessons learned?

  • Update as soon as updates get released
  • Remove the ‘admin’ user
  • Remove plugins allowing php into posts
  • Remove outdated and inactive Plugins
  • Remove outdated and inactive Templates
  • Do not allow PHP code to run on /upload (by an .htaccess)
  • Use a security plugin (such as Sucuri Security)

 

Live long and prosper!