This is the kind of post that I’ve thankfully not needed to post for over nine years. Today one of my WordPress sites got compromised.
It all began with an email this afternoon from AntiVirus, a WordPress plugin that scans your theme templates for malicious code injections. The email read:
The daily antivirus scan of your blog suggests alarm.
I had to laugh at the phrase “suggests alarm”. But after I laughed, I accepted their suggestion and for a few moments felt alarm, before realising that panic was no use and besides, I knew what to do.
I’m still not 100% sure what caused the code injection but I currently suspect two potential sources of infection:
I may have been one of 50,000+ victims of the MailPoet vulnerability that was made public days before I went down with viral meningitis! I had that
As the MailPoet site states:
There was a security issue in all the versions of MailPoet lower to 2.6.8, this security issue was making your site highly vulnerable (blog post).
It can really only have been a plugin vulnerability, as I have to manually unlock FTP access whenever I want to upload anything. So it had to be an ‘inside job’. And I had MailPoet (formerly WYSIJA) installed on that account.
I thought I had patched it… but perhaps, with my meningitis-muddled head, I didn’t do it properly.
How to clean an infected WordPress site
Whatever it was, it injected a bunch of obfuscated code into the top of all the PHP files on that site. A giveaway was that in the WordPress plugins screen all the plugins were disabled and reporting “the plugin does not have a valid header”.
If something similar happens to you, then you might find the following steps useful:
- Change passwords for:
  - WordPress admin
  - MySQL database
- Back up all the files on the site. (That took ages!)
- Delete all WordPress core files including themes and plugins (Do not delete user-uploaded content, e.g. images, PDFs, etc.)
- Download a clean installation of WordPress.
- Upload clean WordPress files (except wp-config-sample.php).
- Rename wp-config-sample.php to wp-config.php, update with database details and upload.
- Upload a clean version of your theme (remove themes that you are not using).
- Install and activate required plugins including antivirus and security plugins.
- Check other PHP files for compromise, not just WordPress files.
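One way to carry out the last step (checking every PHP file, not only WordPress core) is to compare the suspect tree against a clean copy of the same release and flag files that differ, have no clean counterpart, or begin with a decode/eval chain like the injected prefix described above. This is an added example, not code from this post or from WordPress; the file paths, the plugin header and the injected-prefix sample are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Decode/eval chains typical of obfuscated code prepended to PHP files
INJECT_RE = re.compile(r"\b(eval|assert|gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)

def has_injected_prefix(text: str, head_lines: int = 3) -> bool:
    """Heuristic: flag a decode/eval chain or an abnormally long line in the
    first lines of a file, where prepended injections sit (not a full scan)."""
    return any(INJECT_RE.search(ln) or len(ln) > 500 for ln in text.splitlines()[:head_lines])

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(clean_dir: Path, suspect_dir: Path) -> dict:
    """Compare every .php file under suspect_dir with a clean copy of the same
    WordPress/plugin/theme release. 'unknown' files have no clean counterpart
    (e.g. PHP dropped into wp-content/uploads) and need manual review."""
    clean = {p.relative_to(clean_dir): sha256_of(p) for p in clean_dir.rglob("*.php")}
    report = {"modified": [], "unknown": [], "injected": []}
    for p in sorted(suspect_dir.rglob("*.php")):
        rel = p.relative_to(suspect_dir)
        if rel not in clean:
            report["unknown"].append(rel.as_posix())
        elif sha256_of(p) != clean[rel]:
            report["modified"].append(rel.as_posix())
        if has_injected_prefix(p.read_text(errors="replace")):
            report["injected"].append(rel.as_posix())
    return report

def demo() -> dict:
    """Constructed sample tree (not real site data): one legitimate plugin file,
    the same file with an injected prefix, and one dropped file with no original."""
    root = Path(tempfile.mkdtemp())
    clean_plugin = Path("wp-content/plugins/example/example.php")
    header = "<?php\n/*\nPlugin Name: Example\n*/\necho 'hello';\n"
    for tree in ("clean", "suspect"):
        (root / tree / clean_plugin).parent.mkdir(parents=True)
    (root / "clean" / clean_plugin).write_text(header)
    # Stand-in for the injection: a decode/eval line placed before the real
    # plugin header, which is why WordPress reported "no valid header".
    fake_prefix = "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n"
    (root / "suspect" / clean_plugin).write_text(fake_prefix + header)
    dropped = root / "suspect/wp-content/uploads/dropped.php"
    dropped.parent.mkdir(parents=True)
    dropped.write_text("<?php echo 'constructed';\n")
    return audit(root / "clean", root / "suspect")
```

Run `audit()` against a freshly downloaded copy of the same WordPress, theme and plugin versions; anything listed under `unknown` or `injected` should be inspected by hand rather than trusted.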
I found this post on the WordPress support site useful: “I am getting hacked evry two weeks? Help please”. It lists some useful links on how to clean a WordPress installation.
The main lesson for me to learn from this episode is to make sure I never get viral meningitis again when there are two (or more) critical vulnerabilities in the wild!
Oh, yeah, and always keep your WordPress themes and plugins updated… and if in doubt just delete them before they can cause any problems.
Sunday 19 October 2014
It looks like, based on this blog post from Sucuri, “WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability”, that the source of the infection was indeed MailPoet.