What Does a Hacked WordPress Site Look Like?

Even with every measure in place, it is hard to completely eliminate the possibility of a site getting hacked. WordPress, in particular, is targeted more than other websites because of its wide use.

To properly maintain a WordPress site you should be:

  • Updating Plugins as soon as updates come out
  • Updating the WordPress Core as soon as feasible, especially incremental security patches
  • Making backups so when the worst happens, it can be fixed

What Happened:

A wpONcall client (we will keep them anonymous) was up to date on all updates and everything was running normally the previous day. The next morning we awoke to a site that was completely hacked, left with this landing page:

The hackers gained entry to the file system and completely removed the entire WordPress install, including theme files and all uploads. We were left with a one-file web page, which contained the hacker's message.

I will give the hacker some credit that their page was creatively constructed. All styling and media elements were part of his/her index page so that it was not reliant on any external files. The hacked page contained everything from a Facebook like button to an embedded audio file playing the song, “We Own It” by 2 Chainz & Wiz Khalifa. It was a pretty scary page, to say the least.

Could This Have Been Prevented?

Every measure had been taken to keep the site from being hacked, including proactively updating plugins and WordPress as soon as updates became available. Even with this proactive maintenance, the hacker found a way into the file system of the hosting account. It is hard to say for sure, but the site could have been compromised through the hosting company or through a theme vulnerability (the site was built from a custom theme).

What Did We Do to Fix It?

Because we make weekly backups of all websites, we were quick to respond. The first step was to remove the malicious page and put up a temporary blank page. We retrieved a backup taken a few days earlier from our cloud service. After uploading the unaffected site, we needed to clear the site cache and reset permalinks to get everything working again. The last step was resetting all administrator passwords in case the site had been breached through a password.

Is it Likely the Site Will be Re-Hacked?

We typically do not see sites re-infected right after restoration, but we cannot be too careful. wpONcall will keep a close eye on the site and make sure there is no new malware or compromises to the website.

The Lesson:

Always, always make a backup of your site. The hacker deleted everything from the server. There was no fix for this except restoring the site from a recent backup.
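A freshly restored backup also gives you a known-good baseline to watch the site against. The Python sketch below is an added example, not wpONcall's own tooling: it hashes every file after a restore and reports what later goes missing, appears or changes. The directory layout, file names and the 50% threshold are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Return files missing, added or modified relative to the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "missing": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def looks_wiped(diff, baseline, threshold=0.5):
    """Flag the pattern from this incident: most known files gone at once.
    The threshold is an assumed value, tune it for your site."""
    return bool(baseline) and len(diff["missing"]) / len(baseline) >= threshold


def demo():
    """Constructed scenario: baseline taken after a restore, then a wipe."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "public_html")
        for rel in ("index.php", "wp-config.php",
                    "wp-content/themes/custom/style.css",
                    "wp-content/uploads/logo.png"):
            f = site / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample: " + rel)
        baseline = build_manifest(site)
        shutil.rmtree(site)   # the whole install is removed
        site.mkdir()
        (site / "index.html").write_text("constructed one-file page")
        diff = compare(baseline, build_manifest(site))
        return diff, looks_wiped(diff, baseline)
```

Store the baseline manifest off the server, alongside the backup itself, so it cannot be altered together with the site. Expect legitimate changes under wp-content/uploads and after plugin updates.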

 

Has your site ever been hacked? Did you know what to do to get things back to where they should be?

Update WP eCommerce To Patch New Security Vulnerability

What is WP eCommerce?

WP eCommerce used to be the most popular WordPress ecommerce plugin to power an online store through WordPress. That was until WooCommerce came along and took most of the market share. I do not see any reason to stay on WP eCommerce as WooCommerce has far more extensions and support. This latest security threat may be the last straw for many people using WP eCommerce.

What is the Vulnerability?

A vulnerability was found in the plugin that allows an attacker to easily access and change private information. This vulnerability can expose confidential information about your past customers and also allow the attacker to potentially purchase an item on your site without paying. Some pretty big issues!

What Should You Do?

You have two choices to easily fix this vulnerability:

  • Update to the latest version of WP eCommerce, which has already been patched (download here).
  • Switch your online store from WP eCommerce to WooCommerce. This may not be quick and easy, but you will have a more powerful system to run your store going forward.

If you are running WP eCommerce, update right away!

 

Is Your Site Safe from the Shell Shock (Bash) Vulnerability?

What is It?

This vulnerability affects your host, not your website itself. It is important to check that your host has patched the bug to ensure your site is safe. Some say this security threat could be bigger than Heartbleed a few months ago, so it is important to know your site is protected.

 

Has Your Host Responded?

Below are excerpts from each host explaining how they responded to Shell Shock.

 

BlueHost


As one of the first organizations to know about the exploit, we immediately began taking action to secure our platform.  Using the RedHat public patch as a primary resource, we patched our own implementation of Bash to secure our platform, and have deployed that to all our servers.

Official Response

GoDaddy


We’re patching our servers. We began patching our servers yesterday when we learned of the vulnerability. We’ve got a lot of work to do, but our goal is to finish patching by end of day today. We’ve also added additional security filters to protect your accounts while we patch our servers. (9/25/14)

Official Response

HostGator


“You should know that all HostGator servers have been patched as of this writing. We identified the issue very early-on and developed the necessary solution for our environment.”

Official Response

WP Engine


Because we specifically block CGI execution on customer sites by default—as it does not need to be “on” in order to get WordPress to run—our users are already protected from this exploit. Our use of AppArmor on all servers also offers additional protections that would keep attackers from gaining access to anything beyond the site they are visiting.

Official Response

SiteGround


All SiteGround servers were patched in less than 24 hours after the vulnerability was announced. In addition, our unique server setup including the special chroot isolation has made it highly unlikely for any attacker to have been able to utilize this vulnerability and gain access to sensitive information even before the patch.

Official Response

 

Don’t See Your Host Listed Here?

Download and activate this plugin, which will let you know if your site is secure from Shell Shock.

 

Security Alert: Slider Revolution

What is Slider Revolution?


It is one of the most common sliders (rotating slideshows) used in premium WordPress themes. Chances are, your site uses this plugin if your theme was purchased through ThemeForest.

What is the Problem?

Old versions of Slider Revolution (before 4.5) can allow access to your wp-config.php file. This means a hacker has the ability to completely take over your website and do what they wish with it. This is a major security flaw that the developers of the plugin did not disclose to the public until after they released a fix. Slider Revolution is a premium plugin, so the WordPress “Plugins” page cannot alert you when an update is available.

What Should You Do About It?

First, check to see if your site is using Slider Revolution. You will see this menu at the bottom left side of your WordPress Dashboard:


If you do see this, your site currently uses Slider Revolution. You may not see it in your Plugins list if it was bundled with a premium theme.

You have two options:

  1. Update the Plugin
    • Download the new version of Slider Revolution here.
    • Go to your file manager (or FTP) and upload the new version in your “Plugins” folder.
  2. Update Your Theme
    • See what theme you are using by clicking “Appearance” then “Themes”. This page will show you the active theme on your site.
    • Search for that theme at ThemeForest, download the new version, find Slider Revolution files and replace in your theme.

If you need help doing this, let us know!
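Because a copy bundled with a theme does not show up in the Plugins list, it helps to search the file system directly. The following Python script is an added example, not part of the original post or the plugin: it finds every copy of the plugin under wp-content and flags versions before 4.5. It assumes the plugin's main file is named revslider.php and carries a standard WordPress "Version:" header; the sample tree and version numbers in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 5)  # the post says versions before 4.5 are affected
# Assumption: main plugin file is revslider.php with a "Version:" header line.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def find_slider_revolution(wp_content):
    """Yield (relative path, version, status) for every copy under
    wp-content, including copies bundled inside theme directories."""
    for main in sorted(Path(wp_content).rglob("revslider.php")):
        ver = parse_version(main.read_text(errors="replace")[:8192])
        if ver is None:
            status = "unknown"    # no readable header: inspect by hand
        elif ver < FIXED:
            status = "outdated"   # update the plugin or the theme
        else:
            status = "ok"
        yield main.relative_to(wp_content).as_posix(), ver, status


def demo():
    """Scan a constructed wp-content tree: one standalone copy and one
    older copy bundled with a (hypothetical) theme."""
    samples = {
        "plugins/revslider/revslider.php": "4.6.0",
        "themes/sample-theme/plugins/revslider/revslider.php": "4.1.4",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True)
            p.write_text(f"<?php\n/*\nPlugin Name: Revolution Slider\nVersion: {ver}\n*/\n")
        return list(find_slider_revolution(root))


if __name__ == "__main__":
    for path, ver, status in demo():
        print(status, ".".join(map(str, ver or ())), path)
```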

 

Major Security Vulnerability in WordPress, Drupal Could Take Down Websites

Another reason to keep your WordPress installs up-to-date. Today WordPress released 3.9.2 to patch this particular threat.