iPhone dead

iPhone dead!
Oh,
you’re offline!

iPhone dead.
Does this mean,
your life is over?

iPhone dead.
What a bummer!
I wish it was not.

iPhone dead,
how come?
Well who knows. The wonders of technic

“I don’t think,
we are bringing out each other’s best.”
Maybe? Probably!

Still have WordPress in 4.7.0 or 4.7.1? Update now!

I always considered WordPress easy to install and administer, and I do not hesitate to update as soon as an update warning comes. As a matter of fact, we are now at WordPress 4.7.4 and the last update (4.7.3) was a really big one. Earlier versions were affected by six security issues, and the update addressed them.

Six security issues sound rather vague and theoretical to you? Well this time, and after having to deal with cleaning up two WordPress blogs of our company which got hacked sometime between February and March, I really came to love updates and realized how stupid we were, not updating in time…

How did the hack change our WordPress blog?

It edited some posts and injected spam links. Some of those posts were on the first page, some of them were on page two, or only visible when browsed by category… So identifying the changed posts at one glance wasn’t that easy.

How did one gain access?

I think by injecting PHP code into pages via the WordPress REST API as explained here. And also because I had a plugin allowing PHP within posts.

One of the posts showed the following text in its revisions

How to clean up afterwards?

Well, first of all, keep calm.

I logged into the MySQL db using phpMyAdmin, reset all users’ passwords, deleted inactive users, and changed their role to just ‘Subscriber’. If they need to log in again to the system, I can always update their role.

Now I logged in again as myself (having an Administrator role) into the wp-admin area, and located the post which was showing the spam links. It was there in its Revisions that I saw the above lines indicating to me when the attack took place.

I switched back to an older post revision, updated my WordPress version and the template I was using and thought I was fine…was I? Hmmm who knows, maybe yes, maybe not.

Just because I reverted the posts I identified as being changed does not mean that I had removed all posts containing spam links, and/or the backdoor for a new attack.

How should one actually clean up afterwards?

WordPress offers a good FAQ covering this question. It was there that I found a link to a site checking pages for malware and asked it to scan my cleaned blogs, only to find out that I had still missed some affected posts on the second one.

So my first approach was not that good and effective, was it?
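As an added example (not code from the original post): a small Python check that lists every post whose body embeds a PHP tag or links to a host outside an allowlist, so that changed posts are not found only by eye. The allowlist, host names and sample rows are constructed; a real run would feed it the ID, post_modified and post_content columns exported from the wp_posts table.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"blog.example", "wordpress.org"}  # assumption: constructed allowlist
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)

# Constructed rows shaped like wp_posts columns: ID, post_modified, post_content
SAMPLE_POSTS = [
    (11, "2017-01-10 09:00:00", '<a href="https://wordpress.org/news/">news</a> <a href="/about/">us</a>'),
    (12, "2017-02-20 03:14:00", '<div style="display:none"><a href="http://spam.invalid/buy">x</a></div>'),
    (13, "2017-02-20 03:15:00", "<p>Mail us.</p><?php echo 'constructed placeholder'; ?>"),
    (14, "2017-01-12 10:00:00", '<a href="https://sub.blog.example/x">ok</a> <a href="//notblog.example/y">y</a>'),
]

class LinkCollector(HTMLParser):
    """Collect every href/src attribute value found in a post body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def is_allowed(host):
    """Exact host or a true subdomain of an allowlisted host (not a suffix lookalike)."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def scan_post(content):
    """Return sorted findings for one post body: embedded PHP and off-allowlist link hosts."""
    findings = {"php-tag"} if PHP_TAG.search(content) else set()
    parser = LinkCollector()
    parser.feed(content)
    parser.close()
    for url in parser.urls:
        host = urlsplit(url.strip()).hostname  # None for relative links; already lowercased
        if host and not is_allowed(host):
            findings.add("external-link:" + host)
    return sorted(findings)

def scan_posts(rows):
    """Map post ID -> (post_modified, findings), only for posts that have findings."""
    scanned = ((pid, modified, scan_post(content)) for pid, modified, content in rows)
    return {pid: (modified, f) for pid, modified, f in scanned if f}

if __name__ == "__main__":
    for post_id, (modified, findings) in scan_posts(SAMPLE_POSTS).items():
        print(post_id, modified, ", ".join(findings))
```

Posts that cluster around the same post_modified time, as the two constructed February rows do, are worth reviewing together even when only one of them shows a finding.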

Anyhow…

Lessons learned?

  • Update as soon as updates get released
  • Remove the ‘admin’ user
  • Remove plugins allowing PHP in posts
  • Remove outdated and inactive Plugins
  • Remove outdated and inactive Templates
  • Do not allow PHP code to run on /upload (by an .htaccess)
  • Protect the /wp-admin path (by an .htaccess) to allow access from your IP only
  • Use a security plugin (such as Sucuri Security)

 

Live long and prosper!

 

UPDATE: I have the feeling that WP-hacking got somehow very popular over the last months, so I keep this post sticky for all interested or affected WP-Bloggers.

Connect ‘Android File Transfer’ on macOS Sierra

Have you also tried to connect an Honor mobile phone (Android version 6.0 – EMUI version 4.1) to your Mac (running macOS Sierra) and couldn’t get the ‘Android File Transfer’ app to connect to it?
Ok, this is how I finally got it to work:

  1. Install the ‘Android File Transfer’ app, as downloaded from here.
    Yes, I know, the app is rather old (ver 1.0 – creation date of Oct 15th, 2012) but it works, if you know how.
  2. Connect the Honor by USB cable to your Mac
  3. Go to its notifications
  4. In the ‘USB connected’ notification area, tap on ‘Files’
  5. Now start the ‘Android File Transfer’ app on your Mac

=> See it listing all files and folders of the mobile phone.

NOTE: To save you some time – and because I was rather frustrated while searching and not finding what I was looking for – the photos from the Camera are saved under the following path: DCIM > Camera

Enjoy