steelbridge.io

Website Designer, Developer, Engineer | (541) 719-8322

WordPress: Hacked

With over 25% of all websites online today driven by WordPress, it’s no wonder this popular blogging platform, which became a content management system and is now an application with its own API, has been the focus of “hacking”. This article describes how to avoid a hacked WordPress scenario.

What is a hacked WordPress site? Here are some examples:

Defaced/ Hackers replace your website’s content with their own. In most instances, all your website content is erased and/or replaced with the hackers’ malicious content or web page. The image below is a screenshot of a website that is obviously rendered unrecognizable and impossible to navigate because the hackers’ code is “all wrong”.

hacked site example

Example of a site hacked and defaced. Photo found at https://www.hackread.com

Malicious Redirect/ Essentially this method redirects traffic from the hacked website to the hackers’ malicious website. A good way to do this without being detected immediately is to redirect traffic to a specific page only. In my early days with WordPress, my fly fishing website bethefly was infected with a phishing page (almost a pun) where the hackers created a page asking for financial information, posing as a certain German bank. The page wasn’t reachable through the site’s navigation. The hackers simply pointed a URL at my site’s IP address and the page in question. I was made aware of this issue when German authorities contacted me.

SEO Spam/ This method is most commonly accomplished by a hacker inserting a web page into your website directory. If you have a site that is performing well, a hacker may infiltrate your hosting environment and create a page that benefits from your hard-earned search prominence. SEO spam can go undetected until a site audit is performed.

Malware/ This is a big issue online today for websites running WordPress. Installing plugins found in the WordPress repository can expose a WordPress site to malicious software that installs malware on your site and on visitors’ computers without your or their knowledge. This is not to say all plugins are “bad”. No way. You can see ratings and updates for the plugin of interest and easily, confidently make a sound judgment call on whether to install “any” plugin. Where most end up in trouble is when a plugin sits on the website without updates or check-ups on its credibility, perhaps never having been tested with the current version of WordPress. Sadly, over time hackers figure out how to exploit a given plugin, or WordPress core itself, and then it’s game over.

Ransomware/ This is an insidious attack where the hackers literally hold your website hostage in exchange for payment. Often, the website files are encrypted. In order to restore your site, payment is required in order to obtain a decryption tool. If this happens to your site, find an expert at helping you restore your site and pay them.

Ransom Example

A ransom page asking for Bitcoin as payment in order to access decryption software.

The list of ways your WordPress website, and the visitors to it, can be exploited is much longer than I care to write about in this post.

How To Protect Yourself From a WordPress Hacked Scenario

Keep Backups! Lots Of Them!

The key here is to research every plugin you put on your site. Pay attention to the plugin’s ratings in the WordPress plugin repository. Keep those plugins up-to-date. Keep WordPress up-to-date. Keep a number of recent back-ups handy. Back-ups can be kept on your server, but copies of several back-ups should also be kept in an external location, like Dropbox, Google Drive or your local storage. I keep a number of backups handy that date back 6 months. I run automatic backups with UpDraft about once a week, or whenever I update my website or your website. Always keep an external copy as described, so that in the event your site’s root directory gets hit, you have a reliable, clean back-up that literally saves you thousands of $$$.

Use A Security Plugin

I use WordFence on all the websites I create. I will also move the wp-config.php file out of the root, in addition to the wp-content folder. How to do that, along with a few other options I’ll describe below, will protect your self-hosted WordPress site and minimize the chance you’ll get hacked.

One of the first tasks I accomplish in hardening a WordPress installation is hiding the version, as I describe below:

Hide WordPress Version

Add the code below to your active theme’s functions.php (or a must-use plugin). It does not belong in wp-config.php: that file is loaded before WordPress defines remove_action(), so the call would fail there:

// Remove the <meta name="generator"> tag that advertises the WordPress version.
// Goes in your active theme's functions.php (or a must-use plugin), not wp-config.php.
remove_action('wp_head', 'wp_generator');
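Removing wp_generator from wp_head only strips the generator meta tag from the HTML head; feed generators and the ?ver= query strings that WordPress appends to core scripts and styles still carry the version. The Python check below is added here (it is not code from the original post) so you can verify the result on a saved page: it scans HTML for the generator tag and for version query strings on wp-includes/wp-content assets. Both HTML samples are constructed.

```python
import re

# Constructed sample of a WordPress page head before any hardening.
LEAKY_HTML = """<head>
<meta name="generator" content="WordPress 4.8.3" />
<link rel='stylesheet' href='https://example.invalid/wp-content/themes/t/style.css?ver=4.8.3' />
<script src='https://example.invalid/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
</head>"""

# Constructed sample after the meta tag is removed and version query strings are stripped.
HARDENED_HTML = """<head>
<link rel='stylesheet' href='https://example.invalid/wp-content/themes/t/style.css' />
<script src='https://example.invalid/wp-includes/js/jquery/jquery.js'></script>
</head>"""

GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s*([0-9][0-9.]*)""", re.I)
# A ?ver=... query string on any core, theme or plugin asset. Core assets are
# versioned with the WordPress version, so these leak it even with the meta tag gone.
ASSET_VER_RE = re.compile(
    r"""(?:wp-includes|wp-content)/[^\s"'>]*?\?(?:[^\s"'>]*&)?ver=([0-9][0-9.]*)""", re.I)

def find_version_leaks(html):
    """Return {"generator": version or None, "asset_versions": sorted unique versions}."""
    gen = GENERATOR_RE.search(html)
    versions = sorted(set(ASSET_VER_RE.findall(html)))
    return {"generator": gen.group(1) if gen else None, "asset_versions": versions}

def version_is_hidden(html, wp_version):
    """True only if neither the meta tag nor any asset query string reveals wp_version."""
    leaks = find_version_leaks(html)
    return leaks["generator"] is None and wp_version not in leaks["asset_versions"]

if __name__ == "__main__":
    print(find_version_leaks(LEAKY_HTML))
    print(version_is_hidden(HARDENED_HTML, "4.8.3"))
```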

Never Use Admin User Name

Always delete this initial user. You can do this by simply creating a new user and assigning the Administrator role to it (i.e. create a new username and password). Next, log in as the new user and delete the Admin user from within Dashboard -> Users. When WordPress asks what to do with the old user’s content, attribute it to the new user rather than deleting it.

Limit Login Attempts

WordFence is a great security plugin that offers this feature. Need help configuring this plugin? Contact me.

Block Access To wp-config.php

I prefer, as most do, to run WordPress on a server running Apache. Most WordPress installations running on Apache will have a file named .htaccess in the WordPress directory. Using your FTP client, find this file and make a copy of it! Next, download and edit .htaccess by adding this code at the bottom of the existing contents:

# Block web access to wp-config.php (dot escaped and name anchored, so only this file matches)
<FilesMatch "^wp-config\.php$">
    deny from all
</FilesMatch>

.htaccess - WordPress Hacked

Here’s an example of what you should see in your .htaccess file, with the code that blocks access to wp-config.php placed at the end, on the last lines.

Save .htaccess and upload it. Test your site. If you get a 500 error or a blank white screen, rename the file you just uploaded to .htaccess-nfg and restore the copy you made to .htaccess (you should be able to do this within the remote or live view of your FTP client). On Apache 2.4 hosts that have dropped the old mod_access_compat module, “deny from all” is exactly what produces that 500; “Require all denied” is the 2.4 equivalent. If in doubt, contact me here or use my Zendesk option below-right labeled “Help”. I typically respond within minutes if I’m not sleeping.
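The same back-up, append, test, roll-back procedure as a small Python helper. This is added here and is not code from the original post; the .htaccess contents used in demo() are constructed. pattern_matches() also shows why the regex needs the escaped dot and the anchors: without them a FilesMatch pattern denies more (or different) files than intended.

```python
import re
import shutil
import tempfile
from pathlib import Path
# Escaped dot and anchors: only the file literally named wp-config.php is denied.
WP_CONFIG_PATTERN = r"^wp-config\.php$"
RULE_BLOCK = (
    "# Block web access to wp-config.php\n"
    '<FilesMatch "%s">\n'
    "    deny from all\n"
    "</FilesMatch>\n"
) % WP_CONFIG_PATTERN

def pattern_matches(pattern, filename):
    """Would this FilesMatch regex apply to filename? (Python re agrees with PCRE here.)"""
    return re.search(pattern, filename) is not None

def add_rule(text):
    """Append RULE_BLOCK once to .htaccess text. Returns (new_text, changed)."""
    if RULE_BLOCK in text:
        return text, False
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return text + sep + RULE_BLOCK, True

def protect_wp_config(htaccess):
    """Copy .htaccess to .htaccess.bak first, then write the rule. True if changed."""
    path = Path(htaccess)
    text = path.read_text() if path.exists() else ""
    new_text, changed = add_rule(text)
    if changed:
        if path.exists():
            shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text)
    return changed

def rollback(htaccess):
    """The 500-error recovery step: put the backed-up .htaccess back. True if restored."""
    path = Path(htaccess)
    backup = path.with_name(path.name + ".bak")
    if not backup.exists():
        return False
    shutil.move(str(backup), str(path))
    return True

def demo():
    """Run the workflow on a constructed .htaccess in a temp dir; returns observations."""
    with tempfile.TemporaryDirectory() as tmp:
        ht = Path(tmp) / ".htaccess"
        ht.write_text("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
        first, second = protect_wp_config(ht), protect_wp_config(ht)
        blocks = ht.read_text().count("<FilesMatch")
        restored = rollback(ht)
        return {"changed": (first, second), "blocks": blocks, "restored": restored,
                "rule_gone": "<FilesMatch" not in ht.read_text()}
```

Run demo() against a copy of your real .htaccess path only after taking the FTP backup the post describes; the rollback() step is what you reach for if the site returns a 500.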

An alternative method is to simply move the wp-config.php file out of the WordPress directory. But this only works if you have your WordPress install in a sub-directory (I install WordPress in its own sub-directory 100% of the time). Simply move wp-config.php into your hosting environment root directory, i.e. up one folder from your existing WordPress directory. Don’t worry… WordPress knows to check the parent directory if it can’t find wp-config.php in its own, as long as that parent does not also contain a wp-settings.php (that is how WordPress tells a parent folder apart from another installation). The protection is strongest when the parent folder sits above the web-served document root, because a file there can never be served by Apache even if PHP stops executing.

Move wp-content Up One Directory

Again, this is a great option for WordPress installs residing in a sub-folder/sub-directory. This option isn’t available for WordPress 2.6 or earlier. As of today, the current version of WordPress is 4.8.3. How do you check your version of WordPress? Scroll down and look at the bottom right of your dashboard screen.

Anyway, if you do move your wp-content folder into the parent directory, you will need to add the following to your wp-config.php file near the end of the file, but before the line that says:

/* That's all, stop editing! Happy blogging. */

/**
 * Tells WP where to look for wp-content.
 * Assumes WordPress lives in DOCUMENT_ROOT/your-wp-folder-name and that wp-content
 * was moved up one level, to DOCUMENT_ROOT/wp-content. No trailing slashes.
 */
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/wp-content');
define('WP_CONTENT_URL', 'http://your-site-domain.com/wp-content');

Sometimes plugins will not work with this non-standard directory structure. As a precaution, add the following below the code you just entered:

/**
 * Tells WP where to find plugins, inside the relocated wp-content folder.
 */
define('WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins');
define('WP_PLUGIN_URL', 'http://your-site-domain.com/wp-content/plugins');

(Make sure to update the code with your own domain where indicated, using https:// once your site runs over SSL, or the relocated assets will load as mixed content.)

Add Salt To Your WordPress wp-config.php

Yep, add salt. Go here: https://api.wordpress.org/secret-key/1.1/salt/

Copy the code. All of it (you know, highlight and press CMD+C, or Ctrl+C if you’re on a PC).

Go to your wp-config.php file and look for a section called “Authentication Unique Keys and Salts”.

Highlight and replace (CMD+V, or Ctrl+V on a PC), or delete the existing salts and replace them with the salts you copied a second ago. The section I’m referring to looks like this (the code in question is every line that begins with a “define” statement):

WordPress Salts - WordPress Hacked

An example of the salts found in wp-config.php
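The same rotation can be done locally instead of pasting from api.wordpress.org. The Python below is added here (not code from the original post): it rewrites the eight define lines in wp-config.php text with fresh 64-character values drawn from the operating system’s secure random source, and refuses to touch a file where any of the eight keys is missing. The sample configuration is constructed, and the character set is an assumption chosen so a value can never break the PHP single-quoted string.

```python
import re
import secrets

# The eight keys in the "Authentication Unique Keys and Salts" section.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Assumed character set: printable ASCII minus quotes and backslash, so a value
# can never terminate or escape the single-quoted PHP string it is placed in.
SALT_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")

# Constructed sample of the section as shipped in wp-config-sample.php.
SAMPLE_CONFIG = "\n".join(
    "define('%s',%s'put your unique phrase here');" % (k, " " * (17 - len(k)))
    for k in WP_SALT_KEYS
) + "\n\n/* That's all, stop editing! Happy blogging. */\n"

DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>%s)'\s*,\s*'(?P<value>[^']*)'\s*\);" % "|".join(WP_SALT_KEYS)
)

def generate_salt(length=64):
    """One random salt; 64 characters matches what api.wordpress.org hands out."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))

def extract_salts(config_text):
    """Map each salt name to its current value in the config text."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}

def rotate_salts(config_text, salt_factory=generate_salt):
    """Return config text with every salt define replaced by a fresh value.

    Raises ValueError if any of the eight keys is missing, so a partially
    rotated file is never written back over the original.
    """
    missing = set(WP_SALT_KEYS) - set(extract_salts(config_text))
    if missing:
        raise ValueError("wp-config.php lacks salt defines: %s" % sorted(missing))
    return DEFINE_RE.sub(
        lambda m: "define('%s', '%s');" % (m.group("name"), salt_factory()),
        config_text,
    )

if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))
```

Rotating the salts invalidates every existing login cookie, so all users (you included) are logged out on their next request.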

Get An SSL Certificate

Not only is this a great way to show your site is trusted, it’s becoming a mandatory security practice. See this article. Get one and avoid having your site labeled as “insecure” by Chrome and no doubt browsers to come. You can get SSL certificates through your hosting provider. Need hosting? I offer it through GoDaddy here. Includes free SSL.

Once you have an SSL certificate activated, enter the following code in your wp-config.php file:

// Force the login and admin screens over HTTPS.
// FORCE_SSL_LOGIN has been deprecated since WordPress 4.0; FORCE_SSL_ADMIN covers the login page too.
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

This will force visitors and administrators to log in to your site over an SSL/TLS-encrypted connection. That’s secure! Word to the wise: do not set up your SSL with a self-signed certificate. Your hosting provider will help you with this.

Why Use WordPress If It Gets Hacked?

With the web comprised of an ever-growing number of self-hosted WordPress installs, the choice to target the platform is obvious. But consider this: should you build a website on another platform? Does that mean your site won’t get hacked? No. Any site can be hacked. If your website is popular, it’s a matter of time before it’s hit with an attack. Understand that WordPress gets a bad rap because it is popular. It is a proven and effective way to deliver web content. When we consider the quarter (and growing) share of websites worldwide running WordPress, of course there are going to be WordPress sites being hacked. WordPress isn’t responsible for “hacking” so much as hackers target websites.

So, I guess one could argue that if they choose a CMS like Craft, Joomla, Drupal, Jekyll or a host of others, they will fly under the radar of the hackers and malicious bots that crawl the web. That’s like saying “There’s lightning and I went outside and didn’t get struck”, okay. But if a million of you go outside, and you’re all holding lightning rods, and an exceptionally large percentage of you happen to be wearing red jackets… is it fair to say that most people struck by lightning were wearing red jackets, so don’t wear red jackets? I don’t doubt there are hackers that target WordPress. But if it isn’t WordPress, it will be some other dominant content management/delivery system that becomes a target.

In the “wild west” of the web, I would choose a platform that is widely supported. If one chooses to be different, I understand but be prepared to die by your own sword.

Should my site get hacked, I will need the help of others in the open source community to bail me out. This is one of the main reasons why I choose WordPress as my tool of choice when building dynamic websites. WordPress has an immense support culture providing answers and solutions. Should I have to contend with a hacked WordPress site, I can consult with many techs who have already experienced my dilemma and already have a solution.

Another reason why I choose WordPress is the community of developers contributing to its core are creating a better, more secure version of WordPress monthly, yearly. I know of no other framework where the knowledge of how to avoid an attack, a hacked site is spelled out so clearly: Keep Your Site Updated & Current.

Software that is up-to-date is unlikely to be exploited. WordPress is aggressive about updates thanks to the passionate community supporting the platform. All of the hacked websites that have come across my desk were running old versions of plugins and/or WordPress. There’s a reason why the software is updated, and it isn’t always for feature reasons!

If I was running another framework and I was compromised, I’d be more worried for sure. In my experience with hacked WordPress sites, I can say that 100% of the time, I was able to recover the site and clean it of the malicious content. If not, we use a backup to rebuild and restore the site and database.

I’m always interested in your thoughts and experiences. Let me know what happens! Okay?

 

Self Hosted WordPress vs Hosted WordPress

Which kind of WordPress do you need? There are two kinds, as you have discovered, and they are very different. One is called Hosted WordPress or “WordPress.com” and the second is called Self Hosted WordPress or “WordPress.org”.

Here’s the difference:

WordPress.com

This version starts out free except for the cost of a custom domain (i.e. yoursite.com). You can upgrade this version as needed. This approach provides an economical web presence where you do have enough control to present a feature-rich blog / website to your visitors for $0 out of the box.

Good For Hobbies, Students, Blogs, Sharing Content On Social Media

This option is a good one for you if you plan to promote your site via social media or you can easily target your market. Example: Great for hobbyists where the site isn’t so much a source of revenue and customers but more of a resource for your friends. Good for students producing a common presence for article/tech reference.

WordPress.com does offer upgrades that are billed monthly or annually. Options include live chat support, ad-free presentation, advanced custom design and e-commerce. Fees can add up to over $25.00 per month for a managed WordPress experience offering live how-to courses. A really good option for a short-term, do-it-yourself venture.

WordPress.com hosted sites restrict what plugins are available and it’s almost impossible to edit a theme so you can truly customize and brand your visitor experience. Integrating your site with Instagram and other social venues can be a bit buggy because wp.com won’t allow you/a developer to integrate an API.

Very Secure

The upside of WordPress.com is that it’s very secure and really does give you the ability to create an elegant presentation of your service, hobby, ideas and fledgling business. It is a solid option if you are considering Shopify. I’d recommend WordPress.com over Shopify because you can easily migrate to a self-hosted version when expansion demands it. Shopify can be tough and expensive. Your WordPress.com site is easy to maintain and set up. I think the hosted version is ideal for those who need to create a knowledge base where students can access information and search engine optimization isn’t a #1 priority.

It hasn’t been proven, but from an SEO perspective it is widely believed Google will favor a self-hosted version of WordPress over a “free” site at WordPress.com. It may be very difficult to achieve a respectable trust value with a “free” wp.com site vs. a WordPress website hosted at GoDaddy or here at steelbridge.io.

SEO Options

WordPress.com offers SEO tools for its paid Business version, in addition to third-party plugins, custom plugins, and themes. Hosted through Pressable, I believe this is a solid option for some, but expensive and maybe not in your budget. The Business version is an awesome approach if you need WordPress support and are willing to pay $25.00 per month for hosting. And that’s where it starts! Need e-commerce? Expect to pay more depending on product volume and delivery.

Full Service, Hosting For $25.00 A Month

If server management, full-service support and product delivery are what you need, and you are never going to manage your website in-house, then I’d consider going with a managed WordPress.com option.

WordPress.org

Are you a do-it-yourself kinda person? Maybe you need to dominate the SEO vertical in your niche, but your budget won’t allow for high-end hosting. You want to control the types of plugins uploaded to your WordPress driven site in addition to on-site SEO content but are okay starting out in a shared hosting environment that will cost less than $80.00 a year. Maybe you don’t mind staying on top of your own website updates. Or maybe you will handle moving your WordPress driven site to another hosting environment once traffic, sales, and profits allow you to make that move.

100% Control For Free Plus Hosting & Domain

A self-hosted version of WordPress is hands down the way to go for the webmaster who demands control over budget, flexibility and can either hire out web development to a contractor on an as-needed basis or has developers and WordPress implementors working in-house. Or, you do it all because you are a WordPress wizard.

WordPress.org is the best way to go because you have all the options to do whatever you want.

You can install it yourself or have your hosting company install it. I handle the installs for my clients and then they handle the installation of their own themes and plugins, hiring me to do some of the more complicated development work as needed.

As Little As $54.00 A Year

The upside is that the self-hosted version of WordPress is free software. Costs include hosting, which can be as little as $43.00 a year for a cPanel/Linux shared-hosting environment, plus $11.00 a year for your domain. Domain emails can be free! So, for as little as $54.00 a year, you have a website where adding content is as easy as using the WordPress dashboard user interface, you can add as many email addresses as you wish, and you can scale your website and associated resources as needed. Literally, go from a website that can handle a few visitors or transactions to one that handles thousands of visitors and transactions. All on one installation of WordPress.

Better SEO

A self-hosted version of WordPress offers the ultimate in SEO integration. We can control how your tracking software is integrated, what pages are tracked, goal conversion tracking and special scripts on a per page basis.

Need to run specific, automated tasks (cron jobs)? Self-hosted WordPress is the best option.

Need to control what version of PHP your WordPress site runs on? Self-hosted is the way to go.

Access The WordPress REST API

My #1 reason for going self-hosted. For scalability, the option to pull content from WordPress into your external application could be the biggest advantage of going self-hosted.

In closing, per comments below, it is for complete control of the data that one selects a self hosted version of WordPress.