Your WordPress Site Has Been Hacked: What Now?
You’ve Been Hacked: What Now?
KEANAN KOPPENHAVER
@KKOPPENHAVER
HTTP://LEVELUPWP.NET
Who Am I?
• Developer at doejo
• Been working primarily on WP projects for the past 3 years
• Sites large and small
People on the internet are rude.
Part 1 | Discovery
Your host may tell you.
You may see some strange behavior
• Published posts you didn’t write
• Menu links you didn’t create
• Images you didn’t upload
(Check with anyone else who works on your site)
Google may tell you
Mysterious redirections
Part 2 | Recovery
https://codex.wordpress.org/FAQ_My_site_was_hacked
Backup Now
• Some hosts will disable/take down your site when they find out you’ve been hacked
• Peace of mind during the restore process
• Useful even if (especially if) you already have an existing backup
Restore from your backup
You’re un-hacked!
No backup?
Run local scans
• Some server infections start with your local environment; make sure that’s clean first
Start from scratch
• Difficult to identify everything; even the smallest backdoor could let an attacker back in
• Fresh (separate) install, bring all content over via WP Export
Post-mortem Site Scan
• Sucuri Site Scan
• WordFence Site Scan
• Command-line diff-ing (on files that aren’t supposed to change)
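
An added example (not from the original slides) of the command-line diffing mentioned above: it compares a live WordPress tree against a clean copy of the same version and reports extra, modified and missing core files. The function names `core_drift` and `make_sample` and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: report drift between a live WordPress tree and a clean copy
# of the same version. wp-content/ and wp-config.php are site-specific and
# are skipped; everything else is a file that is not supposed to change.

# core_drift CLEAN_DIR LIVE_DIR -> lines "EXTRA|MODIFIED|MISSING <path>"
core_drift() {
    clean=$1
    live=$2
    # Files in the live tree that are absent from, or differ from, the clean copy.
    (cd "$live" && find . -type f ! -path './wp-content/*' \
        ! -path './wp-config.php' | sort) |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "EXTRA ${f#./}"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
    # Core files that have been deleted from the live tree.
    (cd "$clean" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r f; do
        [ -f "$live/$f" ] || echo "MISSING ${f#./}"
    done
}

# Constructed sample trees (stand-ins, not real WordPress files).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/wp-includes" "$root/live/wp-includes" \
             "$root/live/wp-content/uploads"
    echo '<?php // index'   > "$root/clean/index.php"
    echo '<?php // index'   > "$root/live/index.php"
    echo '<?php // loader'  > "$root/clean/wp-includes/load.php"
    echo '<?php // loader, plus an injected line' > "$root/live/wp-includes/load.php"
    echo '<?php // version' > "$root/clean/wp-includes/version.php"
    echo '<?php // unknown' > "$root/live/wp-includes/class-cache.php"
    echo '<?php // config'  > "$root/live/wp-config.php"
    echo 'image bytes'      > "$root/live/wp-content/uploads/a.jpg"
    echo "$root"
}

sample=$(make_sample)
core_drift "$sample/clean" "$sample/live"
rm -rf "$sample"
```

Point `core_drift` at an unpacked download of the exact WordPress version the site runs. Where WP-CLI is installed, `wp core verify-checksums` does a comparable check against checksums published by WordPress.org.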
Change everything
• wp-admin password
• DB password
• FTP/SSH password (maybe use public keys instead?)
• Hosting admin panel
• SECRET KEYS (to kick out logged-in users)
define( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' );
define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );
define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' );
define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );
define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );
define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );
define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' );
define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );
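
An added example (not from the original slides) of replacing the eight keys and salts shown above in a wp-config.php, which logs out every existing session. The names `new_key`, `rotate_keys` and `make_config` and the sample config are constructed, and generating alphanumeric-only values is a simplification made here to avoid quoting problems.

```shell
#!/bin/sh
# Added example: replace the eight secret keys and salts in a wp-config.php.
# Changing them invalidates every existing login cookie.

# 64 random characters; alphanumeric only (an assumption of this example) so
# the value never needs escaping inside a PHP single-quoted string.
new_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# rotate_keys CONFIG_FILE: rewrite each define() in place, leave the rest alone.
rotate_keys() {
    config=$1
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        key=$(new_key)
        tmp=$(mktemp)            # created mode 0600; it holds the DB password too
        awk -v name="$name" -v key="$key" '
            # \047 is a single quote; it stops AUTH_KEY matching SECURE_AUTH_KEY.
            $0 ~ ("^[ \t]*define\\([ \t]*[\"\047]" name "[\"\047]") {
                print "define( \047" name "\047, \047" key "\047 );"
                next
            }
            { print }
        ' "$config" > "$tmp"
        cat "$tmp" > "$config"   # overwrite contents, keep owner and mode
        rm -f "$tmp"
    done
}

# Constructed sample config (placeholder values, not a real site).
make_config() {
    f=$(mktemp)
    {
        echo "<?php"
        echo "define( 'DB_PASSWORD', 'constructed-db-password' );"
        for n in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                 AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
            echo "define( '$n', 'old-constructed-value' );"
        done
    } > "$f"
    echo "$f"
}

cfg=$(make_config)
rotate_keys "$cfg"
cat "$cfg"
rm -f "$cfg"
```

A define() that is missing from the file is not added, so check that all eight names are present afterwards.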
Part 3 | Prevention
Strong Passwords
• Use a password manager (1Password, LastPass)
• Don’t share passwords between services (WP, MySQL, FTP) or installations
Updates
• WP Core
• Plugins, plugins, plugins (update and clean up)
• Themes (update and clean up)
Get a Security Plugin
• WordFence
• Sucuri
• iThemes Security
Hardening WordPress
https://codex.wordpress.org/Hardening_WordPress
Specific Tips
• Don’t give the WP user root access to MySQL
• Change the default table prefix
• Hide the WP version
• Change the default login URL (/wp-admin)
• Don’t use admin as your username
• Block login attempts