Just over 48 hours ago I updated the DNS settings and initiated the switch to the new server. Other than a slightly misconfigured Cloudflare CDN everything has gone smoothly. This is in part due to my experience of having done this a couple of times now, and in part due to the excellent and clear controls that SiteGround offers behind the scenes.
This is the kind of post that I’ve thankfully not needed to post for over nine years. Today one of my WordPress sites got compromised.
It all began with an email this afternoon from AntiVirus, a WordPress plugin that scans your theme templates for malicious code injections. The email read:
The daily antivirus scan of your blog suggests alarm.
I had to laugh at the phrase “suggests alarm”. But after I laughed, I accepted their suggestion and for a few moments felt alarm, before realising that panic was no use and besides, I knew what to do.
I’m still not 100% sure what caused the code injection but I currently suspect two potential sources of infection:
I may have been one of 50,000+ victims of the MailPoet vulnerability that was made public days before I went down with viral meningitis! I had that
As the MailPoet site states:
There was a security issue in all the versions of MailPoet lower than 2.6.8, this security issue was making your site highly vulnerable (blog post).
It can really only have been a plugin vulnerability as I have to manually unlock FTP access whenever I want to upload anything. So it had to be an ‘inside job’. And I had MailPoet (formerly WYSIJA) installed on that account.
I thought I had patched it…, but, perhaps with my meningitis-muddled head I didn’t do it properly.
How to clean an infected WordPress site
Whatever it was, it injected a bunch of obfuscated code into the top of all the PHP files on that site. A giveaway was that in the WordPress plugins screen all the plugins were disabled and reporting “the plugin does not have a valid header”.
If something similar happens to you, then you might find the following steps useful:
- Change passwords for:
  - WordPress admin
  - MySQL database
- Backup all the files on the site. (That took ages!)
- Delete all WordPress core files including themes and plugins (Do not delete user-uploaded content, e.g. images, PDFs, etc.)
- Download clean installation of WordPress.
- Upload clean WordPress files (except wp-config-sample.php).
- Rename wp-config-sample.php to wp-config.php, update with database details and upload.
- Upload a clean version of your theme (remove themes that you are not using).
- Install and activate required plugins including antivirus and security plugins.
- Check other PHP files for compromise, not just WordPress files.
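Two of the steps above (re-uploading a clean copy and checking every PHP file, not just WordPress core) can be scripted. The following is an added example, not code from the original post or from any of the plugins mentioned: it flags PHP files whose opening bytes carry the kind of obfuscated prefix described above, and lists files that differ from a freshly downloaded clean tree. The sample tree it builds is constructed, and all paths in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: two checks a defender can run
# on a WordPress tree after an injection like the one described above.
# 1) flag PHP files whose opening bytes carry a common obfuscation marker
#    (eval wrapped around base64_decode/gzinflate/gzuncompress/str_rot13);
# 2) list files that differ from, or are absent in, a freshly downloaded clean copy.
# The sample tree built below is constructed; every path in it is a placeholder.

# Print PHP files whose first 4 KB contain a known obfuscation marker.
find_suspicious_php() {
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    if head -c 4096 "$f" | tr -d '\n\r' \
       | grep -Eq 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13) *\('; then
      printf '%s\n' "$f"
    fi
  done
}

# Print files in the live tree ($2) that differ from, or are missing in, the clean tree ($1).
diff_against_clean() {
  diff -rq "$1" "$2" 2>/dev/null | grep -E '^(Files .* differ|Only in)' || true
}

# Constructed sample: a clean tree and a live tree with one injected core file and one
# dropped PHP file under uploads. The injected snippets are inert text and are never run.
build_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/wp-includes" "$root/live/wp-includes" "$root/live/wp-content/uploads"
  printf '<?php\n// clean core file\nfunction wp_foo() { return 1; }\n' \
    > "$root/clean/wp-includes/load.php"
  # Same core file with an obfuscated prefix prepended, as described above.
  { printf '<?php eval(base64_decode("Zm9v")); ?>\n'; cat "$root/clean/wp-includes/load.php"; } \
    > "$root/live/wp-includes/load.php"
  # Non-core PHP file outside wp-includes (last step above: check other PHP files too).
  printf '<?php eval(gzinflate(base64_decode("QUJD")));\n' \
    > "$root/live/wp-content/uploads/cache.php"
  printf '%s\n' "$root"
}

# Stand-alone run: build the sample, report, clean up.
if [ "${1:-}" = "--demo" ]; then
  root=$(build_sample)
  echo "suspicious:"; find_suspicious_php "$root/live"
  echo "diff vs clean:"; diff_against_clean "$root/clean" "$root/live"
  rm -rf "$root"
fi
```

Run it with `--demo` to see both reports on the constructed tree; on a real site point `find_suspicious_php` at the web root and `diff_against_clean` at the clean download and the live tree, and review every flagged file by hand, since a marker match is a prompt to inspect, not proof of compromise.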
I found this post on the WordPress support site useful: “I am getting hacked evry two weeks? Help please”. It lists some useful links on how to clean a WordPress installation.
The main lesson for me to learn from this episode is to make sure I never get viral meningitis again when there are two (or more) critical vulnerabilities in the wild!
Oh, yeah, and always keep your WordPress themes and plugins updated… and if in doubt just delete them before they can cause any problems.
Sunday 19 October 2014
It looks like, based on this blog post from Sucuri, “WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability”, that the source of the infection was indeed MailPoet.
I got back from Cellardyke tonight to discover that my site had been hacked once again. This time I didn’t delete the files they’d dumped on my server; I’ve zipped them and sent them to my webhost for examination.
I’m now wondering if they’ve used a Linux kernel exploit to gain root access to the server. That’s pretty serious stuff, and if that is the case then I do hope my webhost get the kernel patched asap. If it’s not, then I hope they help me get to the root of this problem.
I’ve just sent an email to my webhost, HostEurope/Pipex, to ask if they can shed any light on how/why my website got hacked. This morning I received this email, written at 19:42 last night:
Check this address – some one has invaded your site
and sure enough, my website front page had been replaced with a two word plain text file that read “F*ck .uk” (but with no asterisk).
I’ve now replaced the offending/offensive page with my original page and will wait to see if Pipex can shed any light on how or why it was hacked, and what I (or they) can do to prevent this in the future.