Post on 12-Jan-2017
You’ve Been Hacked: What Now?
KEANAN KOPPENHAVER
@KKOPPENHAVER
HTTP://LEVELUPWP.NET
Who Am I?
• Developer at doejo
• Been working primarily on WP projects for the past 3 years
• Sites large and small
People on the internet are rude.
Part 1 | Discovery
Your host may tell you.
You may see some strange behavior
• Published posts you didn’t write
• Menu links you didn’t create
• Images you didn’t upload
(Check with anyone else who works on your site)
Google may tell you
Mysterious redirections
Part 2 | Recovery
https://codex.wordpress.org/FAQ_My_site_was_hacked
Backup Now
• Some hosts will disable/take down your site when they find out you’ve been hacked
• Peace of mind during the restore process
• Useful even if (especially if) you already have an existing backup
Restore from your backup
You’re un-hacked!
No backup?
Run local scans
• Some server infections start with your local environment, make sure that’s clean first
Start from scratch
• Difficult to identify everything, even the smallest backdoor could let attacker back in
• Fresh (separate) install, bring all content over via WP Export
Post-mortem Site Scan
• Sucuri Site Scan
• WordFence Site Scan
• Command-line diff-ing (on files that aren’t supposed to change)
Change everything• wp-admin password
• DB password
• FTP/SSH password (maybe use public keys instead?)
• Hosting admin panel
• SECRET KEYS (to kick out logged in users)
define( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' ); define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' ); define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' ); define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' ); define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' ); define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' ); define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' ); define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );
Part 3 | Prevention
Strong Passwords
• Use a password manager (1Password, LastPass)
• Don’t share passwords between services (WP, MYSQL, FTP) or installations
Updates
• WP Core
• Plugins, plugins, plugins (update and clean up)
• Themes (update and clean up)
Get a Security Plugin
• WordFence
• Sucuri
• iThemes Security
Hardening WordPress
https://codex.wordpress.org/Hardening_WordPress
Specific Tips• Don’t give the WP user root access to MySQL
• Change the default table prefix
• Hide the WP version
• Change the default login URL (/wp-admin)
• Don’t use admin as your username
• Block login attempts