Friday, February 20, 2015

When You're Hacked in WordPress: Dealing With a Hacked WordPress Site

This post is part of a series called When You're Hacked in WordPress.
One of the worst things that can happen to your website just happened: It's been hacked. Somebody broke into your computer and got passwords, or your passwords were weak, or somebody exploited a security vulnerability caused by WordPress or your hosting provider, or something else happened that let a hacker hack your website...
What do we do now? It's not the time to feel sorry for yourself; it's time to take action and bring back your website. Let's go!
It's a good question, and it's got more than one answer, but none of those answers is "because WordPress isn't safe". 
Believe me when I say this: WordPress is one of the most secure platforms on the internet. You can't expect 100% security from any system (even your brain isn't 100% secure—scientists are now able to read or even overwrite thoughts in your brain!). So nobody can talk about total protection, but be sure that WordPress is a lot safer than regular platforms. Why? Because it has a huge developer community that can patch zero-day vulnerabilities on day zero. But, again, you shouldn't even trust yourself when it comes to safety and security.
So, let's answer the question: Why do WordPress websites get hacked? As I said, there is more than one answer:
  • Because of a security flaw on your server: You probably know that WordPress isn't the only software that runs on your server to generate your web pages. Your server has an operating system which runs important software like PHP, MySQL, a hosting control panel like cPanel, and anything else that's necessary to allow software like WordPress to run. Even the tiniest security flaw in this system can allow a hacker to bring down your website.
  • Because of a security flaw on your computer or mobile device: Remember the times when you could connect to a computer with Windows XP through a port and without any intervention, even evading those awful "firewalls"? It's not as horrible as it used to be, but that doesn't mean that your computer, smartphone or tablet is completely safe—again, nothing is 100% safe. More and more viruses and trojans come out every day, targeting iOS, Android, Windows, Linux, OS X and every other operating system. Not only operating systems but also regular software can cause security problems. It doesn't stop there either: You can even reveal your passwords to hackers through unencrypted Wi-Fi connections. Seriously, an evil mind has many options to get to your passwords.
  • Because of a security flaw on you: You know what I learned in over 15 years? You can take every single precaution on your systems, but if you don't have common sense, you will fail on security. It seems the easiest, but it's actually the hardest thing to do if you want better security: You have to be careful.
  • Or because of a security flaw on WordPress: Yeah, there's that, too. It happens: a zero-day vulnerability in the core of WordPress could emerge tomorrow, some 15-year-old script kiddie could go on a "hacking spree", and your website could get hacked.
So, what happens when what's done is done? It's time to act to get your website back, of course!
Yes, before everything, take down your website immediately. It's going to be a minor inconvenience if your visitors can't reach your website, but it's going to be a disappointment if your visitors see that your website is hacked. If WordPress is still running, take your website into maintenance mode. If the damage is bigger, just shut down the website and sort things out via your server's control panel.
If you don't know much about server management, ask your hosting provider about this attack: What really happened? What was the main cause—was it WordPress, or was it a PHP flaw that was exploited? If you find out that it's your theme or one of the plugins you installed, delete the file(s) with the vulnerability before anything else.
And save the log files, in case you're going to take legal action.
In times like this, you understand the importance of backing up your files and databases. If you have backups, review them and restore the healthiest one. It's a good idea to restore the last backup, but if you're not sure when the attack took place, you might need to download a bunch of backups and look inside each of them.
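One way to "look inside" a backup, shown as an added example that is not part of the original post: hash every file in a backup you believe is clean and in a copy of the current site, then list what was added, removed or modified. The function names, directory layout and sample files are assumptions made for illustration.

```python
"""Diff a known-good backup tree against the live site tree by content hash."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories and symlinks
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        digests[path.relative_to(root).as_posix()] = digest
    return digests


def diff_trees(backup_root, live_root):
    """Return files added to, removed from, or modified in the live tree."""
    old, new = hash_tree(backup_root), hash_tree(live_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build two small constructed trees (sample data) and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            plugin_dir = root / "wp-content" / "plugins" / "example"
            plugin_dir.mkdir(parents=True)
            (root / "wp-config.php").write_text("<?php // constructed sample\n")
            (plugin_dir / "example.php").write_text("<?php // plugin v1\n")
        # Constructed changes on the live copy: a dropped file and an edited plugin
        (live / "index.html").write_text("<h1>constructed sample page</h1>\n")
        (live / "wp-content/plugins/example/example.php").write_text("<?php // altered\n")
        return diff_trees(backup, live)


if __name__ == "__main__":
    print(demo())
```

Upload and cache directories differ legitimately between a backup and the live site, so concentrate on changes under the core, theme and plugin directories. Running the same comparison between successive backups narrows down when a change first appeared.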
When my website got hacked for the first time, my hosting provider told me that it was a plugin file that allowed the hacker to run a "shell script" in my server. Luckily, the hacker was merciful and didn't delete anything on my server (though even if he did, I had backups)—he just put an index.html file in the root folder.
As you can guess, I immediately got rid of the plugin and contacted its author to inform him about the situation. If you find out that it was a theme or plugin vulnerability, you should contact the person who made it and tell them that it caused a hacker attack. If it was a core vulnerability and it's unknown to the community, make sure we (the community) know about this. If you can patch the vulnerability, that's another good thing.
If you don't panic when things like this happen, it will be a lot easier to overcome and fix everything.
  • Take a deep breath.
  • Shut down the server.
  • Review the backups.
  • Restore the latest healthy backup.
  • Get information (and logs) from the server admin.
  • Fix what caused the problem and eliminate the vulnerability.
  • Double-check to make sure everything is all right.
  • Go live again.
Incidents like these teach us to be more careful, so don't read the situation just in a bad way. What's done is done. You (hopefully) succeeded in making things right, and you're ready to move on with more wisdom.
It's an unpleasant experience, I know. But things like this happen all the time, and trying to avoid thinking about it is the worst thing to do. You shouldn't refrain from thinking about the worst case scenario, and you shouldn't refrain from taking precautions.
What did you do when your website got hacked? Tell us what you experienced or what you think in the comments section below. And if you liked the article, don't forget to share it with your friends!
Stay tuned for the next part of this series!
