Category Archives: Forensics

WordPress Hacked: Security Steps

Anyone who has a WordPress site may have been hacked at one point in time or another. A hack may happen regardless of how diligent you are, but what can we do to help us identify attacks before they occur and what can we do to secure the WordPress environment. I found some very helpful tools while perusing the internet for WordPress exploits and solutions. The following are what I have discovered as extremely useful, there are some rules if you been hacked, and then some tools you can use to find future attacks easier as well as prevent them.

First what do you do if you were hacked (assume working in the directory /usr/share/wordpress, but really wherever your wordpress install lives):

  • Make a backup of your database
  • Get a complete list of your existing themes and plugins
  • Download the latest WordPress zip file
  • Disable your existing WordPress installation (copy index.php to some other name)
  • Move your old WordPress install from /usr/share/wordpress to /usr/share/wordpress.old
  • Make a new /usr/share/wordpress directory and install the latest WordPress into this directory
  • Restore your existing database
  • Use the default theme
  • Compare the Exploit-DB for WordPress against your list of plugins and themes
  • Search Google for specific 0-day attacks against your version of WordPress, if any exist patch them as explained
  • Reinstall your Theme if not on the above list
  • Reinstall your Plugins if not on the aforementioned list, if you cannot find your plugins because they have gone the way of the dodo and become available, then inspect every file for any form of malware and then copy from your ‘hacked’ backup directory. However, if you do not know what malware looks like, then get a professional to help. <== NEW

After a few hours work your WordPress site should be back to normal hopefully without the latest list of exploits.

If you have bbpress also installed, repeat for bbpress as well as the two can be linked together in many ways. <== NEW

If you were not attacked, but wish to prevent it from happening, or if you were attacked how to prevent it from happening again. First, modify your installation just a bit to alleviate further attacks:

  • Change your Administrator and Editor passwords to a > 16 character pass phrase
  • Replace your NONCE salts within your wp-config.php file by getting a new set from
  • Ensure no files or directories are world or group writable
  • Remove any unused themes and plugins (they can still be attack vectors even when not activated) <== NEW
  • Clear any Cache files in wp-content/cache/* or other locations <== NEW
  • Change the Permissions on /index.php to be non-writable (chmod ugo-w index.php) <== NEW

Then install some WordPress security plugins. These first are a must:

  • Ultimate Security Checker – Provides a list of easily fixable security vulnerabilities in the standard WordPress environment. Some of these end up being hard to pass without modifying other plugins. One in particular is W3 Total Cache, where you need to remove the ‘X-Powered-By’ headers.
  • Secure WP – Provides useful tools to disable attack vectors and giving up too much knowledge of your environment.
  • WP Security Scan – Use WP Security Scan to verify there are no vulnerabilities in your fresh installation or your database, use this tool to modify your administrative username and database table prefixes from their current settings. Also scan for other mis-configurations
  • Clean Options – Go through all your options and remove any orphaned and unused options while also inspecting the options for malware. Not only will this clean up your current options, but also speed up WordPress.
  • WordPress File Monitor Plus – This is the most important plugin. Configure it to run every hour or sooner so that you can get a list of changes to your WordPress files. If anything changes, inspect immediately for malware. If anything is added to your list of WordPress files, it could be malware. Simply look at the files for base64 encoded data that looks cryptic and not as plain PHP code. I then inspect my Apache log files for who perpetrated the attacks if possible and block them from happening again using firewall rules.
  • WordPress Firewall 2 adds some important but basic request verification against well known attack vectors <== NEW

These three add more logging into your WordPress environment and provide details that takes other knowledge to use:

  • WP MalWatch – Provides a way to look for malware in common places, while not always useful, it could expose critical issues.
  • Exploit Scanner – Provides a way to look for malware in uncommon locations, takes a bit of Javaascript and PHP coding knowledge to understand the output, but does bring to light certain critical issues.
  • WP Cron – Provides a way to inspect those cron jobs WordPress requires to work, ensure there are only expected jobs in the list.

In addition, to the above elements, I also made the following changes:

  • Disable the ability to directly access wp-config.php and other files using a .htaccess file (if using Apache)
  • Disable the ability to access non-image files from your uploads directory. Granted this only denies reading files of the appropriate extension, but you also need to ensure any upload software inspects for images only into this directory.
  • Changed permissions on critical WordPress files to be non-writable by all so that they cannot be modified. However, this does require you be diligent whenever you update WordPress to make the files readable once more, then revert them to non-writable by all.
  • Implement a web performance management suite such as New Relic RPM to detect when your WordPress site is accessing external web traffic. In Figure 1, for example we see an increase in ‘Web External’ traffic that represented a hack to a WordPress site. Most malware wants to call home, this one did to a recently created domain. New Relic RPM furthermore allows you to view all External Services your website calls, it is a very good idea to review that list to determine if all external traffic is expected or not. <==NEW
  • Sign Up for something like Website Defender to automatically scan the site every few days. <== NEW
Figure 1: New Relic RPM showing External Web Traffic

Given how WordPress sites are written today, some Web External traffic is to be expected, but when there is a sudden increase, it is also time to research to determine why this is happening.

Lastly, I created a development site into which I can install and test any new updates to plugins and WordPress. Until they get tested, they do not get onto the production WordPress installation.  By being diligent and relying on good attack intelligence you can stay on top of the current batch of WordPress attacks as well as prevent them from happening.  It is important to not only to review exploit databases for known vulnerabilities but to also understand how the attacks were perpetrated so that you can investigate and mitigate future security attacks.

We also need to remember to clean up any bbpress installation as well. bbpress, which is forum software, has links to WordPress when you use the two together.

Edward Haletky

Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.