It has been a year since I wrote WordPress Hacked: Security Steps and there are now some new plugins and tools to help with security of your WordPress site. The steps to take to find hacks are the same as the security steps previously mentioned, but there are some new tools and services that may make your life easier and alleviate more attacks. So here is an updated set of rules, plugins, and actions to take. I suggest Reading the original post as a part of this one.
I have copied over my previous rules and adding a few more, check for UPDATED and NEW flags.
- Make a backup of your database
- Get a complete list of your existing themes and plugins
- Download the latest WordPress zip file
- Disable your existing WordPress installation (copy index.php to some other name)
- Move your old WordPress install from /usr/share/wordpress to /usr/share/wordpress.old
- Make a new /usr/share/wordpress directory and install the latest WordPress into this directory
- Restore your existing database
- Use the default theme
- Compare the Exploit-DB for WordPress against your list of plugins and themes
- Search Google for specific 0-day attacks against your version of WordPress, if any exist patch them as explained
- Reinstall your Theme if not on the above list
- Reinstall your Plugins if not on the aforementioned list, if you cannot find your plugins because they have gone the way of the dodo and become unavailable, then inspect every file for any form of malware and then copy from your ‘hacked’ backup directory. However, if you do not know what malware looks like, then get a professional to help. Alternatively, find a new plugin that performs the same actions. Also, remember some plugins like Simple::Press and cForms are not in the WordPress repository. <== UPDATED
- Change your Administrator and Editor passwords to a > 16 character pass phrase
- Replace your NONCE salts within your wp-config.php file by getting a new set from https://api.wordpress.org/secret-key/1.1/salt/
- Ensure no files or directories are world or group writable
- Remove any unused themes and plugins (they can still be attack vectors even when not activated)
- Clear any Cache files in wp-content/cache/* or other location
- Change the Permissions on /index.php to be non-writable (chmod ugo-w index.php)
- Change the Permissions on /wp-config.php (or where ever you store it) to be non-writable (chmod ugo-w wp-config.php) <== NEW
- Properly configure .htaccess to disallow direct access to wp-admin directory. In many cases using mod_rewrite is sufficient to redirect access to /index.php <== NEW
- Remove readme.html and wp-admin/install.php after installing or reinstalling WordPress. No one needs to know your wordpress version or access the installer. <== NEW
- Ultimate Security Checker – Provides a list of easily fixable security vulnerabilities in the standard WordPress environment. Some of these end up being hard to pass without modifying other plugins. One in particular is W3 Total Cache, where you need to remove the ‘X-Powered-By’ headers.
- Secure WP – Provides useful tools to disable attack vectors and giving up too much knowledge of your environment.
- WP Security Scan – Use WP Security Scan to verify there are no vulnerabilities in your fresh installation or your database, use this tool to modify your administrative username and database table prefixes from their current settings. Also scan for other mis-configurations
- Clean Options – Go through all your options and remove any orphaned and unused options while also inspecting the options for malware. Not only will this clean up your current options, but also speed up WordPress.
- WordPress File Monitor Plus – This is the most important plugin. Configure it to run every hour or sooner so that you can get a list of changes to your WordPress files. If anything changes, inspect immediately for malware. If anything is added to your list of WordPress files, it could be malware. Simply look at the files for base64 encoded data that looks cryptic and not as plain PHP code. I then inspect my Apache log files for who perpetrated the attacks if possible and block them from happening again using firewall rules. I have seen things pop in that show this does not pick up everything <== UPDATED
- WordPress Firewall 2 adds some important but basic request verification against well known attack vectors but can also be bypassed. <== UPDATED
- WP MalWatch – Provides a way to look for malware in common places, while not always useful, it could expose critical issues.
- Exploit Scanner – Provides a way to look for malware in uncommon locations, takes a bit of Javaascript and PHP coding knowledge to understand the output, but does bring to light certain critical issues.
- WP Cron – Provides a way to inspect those cron jobs WordPress requires to work, ensure there are only expected jobs in the list.
- PIE Register – or some other registration functionality that requires users to click on a verification link. While it does not alleviate all comment/user hack attempts it will remove quite a few spammers. <== NEW
- WangGuard – Provides a way to look at your existing users to determine if they are spam users or in general unacceptable users per their network. Since logged in users get more privileges this could be a way in. <== NEW
- WordFence – Provides a way to scan your sites files, users, plugins, and themes against well known good copies of the files. The known good copies reside on the WordFence cloud. This has found a few minor elements on my site as well as finding a few users with week passwords. <== NEW
- Website Defender – Several plugins such as Ultimate Security Checker, Secure WP, and WP Security Scan all come from the same group who put together Website Defender. Website Defender creates an offline scan of your website using an agent within a locked down WordPress directory. <== NEW
Actions to Take
Even with all the tools, do not think you are covered. I have had all these tools in place and find that I occasionally find files that should not belong. Which leads me to a set of actions you should take:
- Ensure you have the security tools running on all sites within the webserver. Perhaps it is a shared WordPress install or a multi-site install, you need to cover all entry points
- If you have forum software that runs beside WordPress and integrates with it, ensure that is protected as well. I actually moved from bbPress to a plugin forum so that I had better control over what was out there.
- Monitor your site in real time using something like New Relic RPM. While the APM solution is incredibly useful for performance tuning, the transaction traces have been very helpful in finding new hack attempts.
Security is everyone’s business, even so it is important to realize that the tools are only so useful and do not work unless all entry points into your WordPress site are covered. In addition, most security tools are reactive to what has already happened and not new attacks. So monitoring your site on a regular basis is a must.
Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.