My WordPress Site Was Hacked

WordPress HackedRegular followers of this blog may have noticed that it has been quite some time since I have posted any new articles. Even though I have a couple currently in draft status, I have recently had to devote a serious amount of time to addressing another very important issue.

If you visit my website regularly, you might have never known that something quite distressing was occurring. WordPress hacking has been at the forefront of tech news recently and, unfortunately, my Powers Fine Art site became the victim of such an assault. Approximately 3 April 2013, my website became the victim of a base64 spam injection attack.

I discovered the hacking attack purely by accident. As I was inspecting my Google Analytics data for my Powers Fine Art website, I kept seeing a large quantity of traffic originating in Minnesota. City location data was missing and the visitation amounted to 100’s of visitors over a very short period. At the time, I decided the traffic must be related to the downtime monitor I was using via Unfortunately, this was not the case.

About a week later, as I was creating another template page for my website, I decided to look at my theme’s default header.php file. I found a very large quantity of links for “performance-enhancing” drugs. None of these were actually appearing on my viewable website, however, since I was using a WordPress child theme with a custom header.php file which was superseding the one for the original theme. This was incredibly lucky since the hacking attack very easily could have affected my search engine rankings and put my website out of commission.

Although I am certain my usernames and passwords had not been compromised, my first step toward cleansing my website of the threat was to change everything. I not only changed my WordPress credentials but I also created an entirely new ftp username and password. I reinstalled WordPress, reinstalled my database, and reinstalled my wp-content directory. I also reinstalled my main theme files and deleted any unused WordPress themes in case they had vulnerabilities.

Next, I needed to devote some time scouring my files to remove any offending code and to find the source of the back door which allowed the spam injection to occur. It took quite some time but eventually I discover a .php file which contained base64_decode coding that created a backdoor and allowed the hack to occur. I wish I would have remembered to write the name of the file down so I could share but I was so anxious to eliminate the threat that I deleted the file without hesitation. Here is a similar example of the offending code from Tony Perez:

Code Excerpt

As an additional step, I followed the expert advice of Tony Perez and added the following .htaccess file to my uploads directory in order to make it impossible to execute a .php file from that area:

<Files *.php>
Deny from All

Once the offending files had been found, I began taking additional steps to harden my WordPress installation. I wanted to make it incredibly difficult for this to happen again and I found a couple great plugins that have really aided my efforts.

The first plugin is called BulletProof Security and it helps place some .htaccess files in key areas of the WordPress installation that can limit access by outsiders. The plugin protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts and is very easy to install and setup. I took further action by following the plugin’s suggestions for setting access permissions for various files and folders within my WordPress installation.

The second plugin I have been using is called Wordfence Security and it does quite a few really interesting things. According to the plugin’s description, “Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.” The Wordfence Security plugin finds files that have been modified or don’t belong in an installation by comparing the files with ones that are stored in the installation repository. It will even allow you to compare problem files to see the changes that have been made. You can monitor live web traffic to your site, see failed login attempts, see pages on your site that people have tried to access but don’t exist, block ip addresses, limit the number of times a person can attempt to log in, and monitor bot activity. In fact, I have even been able to see base64 code injection attempts in real-time. This WordPress plugin really impresses me.

As can be seen above, there are many tools available to aid the WordPress webmaster in maintaining a secure site. Although no site can be 100% impenetrable, these plugins really can help to make your WordPress installation much more difficult to hack. I should mention, however, it can be a little disturbing to see the number of failed login attempts that occur during the course of the day when using Wordfence. In any 24 hour period, I have about 15 failed login attempts for my Powers Fine Art website and I have closer to 30 for my Powers Home Brewery website. Most of these are bots attempting to access my websites with usernames such as admin, administrator, support, aaa, test, or user. If you are foolishly using any of these usernames, change them immediately or the consequences could be dire.

In recent months, WordPress website attacks have increased by an enormous amount. At the time of this writing, Silicon Republic is reporting a single bot network of over 90,000 computers currently executing a brute force attack that is causing havoc for many large web hosts, businesses, and webmasters everywhere.

Now is the time to take action and harden your WordPress installation. If you take anything away from this article, I hope it is a desire to be proactive and to take measures to ensure your don’t have to suffer through my recent experience.

Tagged with: , , ,
Comments (7)
  • Alexander James June 11, 2013

    First up, you will need to ensure that your plugins are clean. Most of the time, a Pharma Hack targets Akismet (simply because almost every WP installation has it, active or inactive). While any of your plugins can be at risk, it is worthwhile to start the search from Akismet. Look for files with suspicious names, especially ones with a pseudo-extension, such as .akismet.cache.php or akismet.old.php Similarly, other malicious naming conventions include class-akismet.php and so on. Eliminate any suspicious files, and repeat this step for all your plugins.

    • Ken Powers June 11, 2013

      Thanks for the additional information Alexander. Every tip helps!

  • Brandi Hurst July 14, 2013

    One potential security issue many people don’t think about are the plugins and themes that aren’t in use. It may come as a surprise that inactive plugins and themes can still be used to compromise a site, but it is very true. The Timthumb exploit of a year and a half ago worked just as well with an inactive plugin or theme as an active one. So, rather than leaving a large set of deactivated plugins and themes on your site, back them up somewhere and delete them.

  • Sam September 24, 2013

    i used Security Press –
    its best of the solution i found for my site.

    • Ken Powers September 29, 2013

      That is a nice looking solution. I will have to investigate it a bit more!

  • Willard B. Ramos September 28, 2013

    Yes, you should use the lastest versions of WordPress core and for the most part the latest version of plugins. But of course incompatibilities arise so be careful when updating.

    • Ken Powers September 29, 2013

      Great advice Willard!

Leave a Comment

* required

This is a unique website which will require a more modern browser to work!

Please upgrade today!