It’s been a few months since my site was being constantly hacked over a number of weeks. Enough time, I think, to discuss what happened without compromising my site security to them again (it’s been months since the last attack so I’m assuming they’ve lost interest now).
(Cue dream sequence) It all started back in June when I decided to overhaul this site. I’d chosen a new theme and made the decision to clean things up with a completely new installation. I kept my existing database and transferred over my uploads folder but, otherwise, all was new and shiny.
Soon after, however, I found that clicking on my site caused pop-up ads to appear. After a bit of digging I found that some code had been added to a widget in my footer. Needless-to-say I removed it but was curious as to how it could have been added. So I turned to the Slack channel for the WordPress forums, where I’m one of many volunteers, and asked if anybody had seen it before. After some mocking for allowing myself to be hacked I was directed to a chap who worked for Sucuri. Very generously he agreed to look at it for me for free – this included a through inspection of my site logs. He could see someone with an IP address from Africa on my site but no clue as to how it had been done.
I followed all the recommendations for securing a site, including those provided by the Sucuri guy, such as installing their plugin. I also added two-factor authentication to my site (which I can thoroughly recommend).
Anyway, it happened again but this time the script was added to a file in my theme. I cleared this and continued to look at ways of securing my site. A chap from WordFence also got involved but he, too, drew blanks as to how it was occurring – I was doing everything right but, still, attacks continued.
During this time I was looking at my site logins – I only had two and one was just a contributor. I then got an email from the Sucuri plugin to say a widget had been modified and two logins to my site had occurred. I was still signed into my site and immediately checked – the emails indicated two different logins being used and upon checking my list of users one of them was listed. Just minutes before it hadn’t. I deleted it and removed the changes they’d made to my footer widget again.
How was this happening? They’d accessed my site using logins which hadn’t been in existence only minutes before and were even in the process of removing the evidence at the time I caught them (which is why I think one of the logins had already gone). Both genuine logins to my site had their passwords changed a number of times whilst all these hacks were occurring and, each time, with very strong passwords.
I’d had enough. I rebuild my site again but this time I included a fresh database install. Only my uploads folder was moved over and I scanned this thoroughly for anything other than a valid image file. I was trying to not do this before because it will clear down your media library database – something I had to rebuild using a plugin, but was still a pretty manual and intensive process.
By this time both Sucuri and WordFence had stopped with their assistance (and one of them – not naming names – even ignored any messages I sent to them), although neither had said as much. Basically, it had foxed them and me too.
But it was the next hack which gave the game away. Once again pop-ups were appearing on my site when anything was clicked but this time I tracked it down to a script that had been added to all my posts. ALL OF THEM. Including drafts and private posts. They HAD to have access to my database to achieve this i.
However, there’s a problem here – after every hack I’d changed ALL of my passwords. Site passwords, MySQL, seeds and even the password to access my hosting. There was only ONE way they could be doing this and that’s by accessing the information in my
wp-config.php file (whether viewing it directly or somehow calling it and extracting the login data).
After a quick Google, I found two ways of securing it…
- Changing the file permissions to 400. This allows a local installation to read the file and nothing else.
- Moving the file one level further back – instead of being at my site root, it’s one stage back (in my case
public_htmlfolder). This causes problems with some plugins but, certainly, WordPress will detect the movement and continue to work fine.
I actioned both of these whilst also changing ALL my passwords again.
Since then… nothing. No hacks and pearce has returned to my site. I just hope it remains that way.
So how did they access my
wp-config.php? I don’t know but over the series of hacks, various scripts did work their way onto my system – although these only happened at the point of me originally updating my site. I quickly found them and got rid of them but I wonder if something had remained in place. It’s odd that most of the initial attacks was at the point of the initial site build, as if it had been timed to be exactly at the point that the site contents were still being put into place and it was most vulnerable.
What I can say is that I’m confident that any maliciously added has now been purged.
- and I had to use the same method to remove their code – running a query against my database