How Did We Resolve an Attack on Our Client’s Website?

20 Jul, 2021

WordPress sites being hacked is nothing new to business owners. We hear devastating stories in the news, costing businesses millions of dollars. We recently resolved a hack attempt on our own website as well as on one of the websites we manage for a client, and in an effort to make everyone’s lives easier, we decided to disclose what we did to detect the compromise and restore the websites.

TL;DR:

  • We detect recently updated files using our proprietary tools. 
  • We attempt to upgrade WordPress to the latest version to get the most recent security fixes. (A backup before upgrading is required.)
  • We also attempt to upgrade all plugins to their latest version. 
  • Remove malicious code from the recently updated files. 
  • Remove unused themes (ensure that only necessary code is stored in the server). 
  • Install the Wordfence plugin to scan for infected files.

Detection 

In early June 2021, our tools detected unusual changes in the WordPress code: some files had been updated that day, and there was no change request for them.

This is usually a big red flag that someone is accessing the files without authorization and attempting to leave a backdoor.

We immediately forwarded the log to our developer and followed our procedure to fix the problem before it affected the client. Luckily it was midnight, so we had a few hours to resolve the issue. (Just a plug here: our maintenance service is 24/7.)
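The post does not describe the internals of the proprietary tool that raised this flag, so here is an added example (not the authors' code) of the simplest check that catches the same thing: a baseline-and-compare file integrity scan. It hashes every file under the document root after a known-good deploy, stores the result, and on the next scan reports files that were added, removed or modified. The document root and the sample files it creates are constructed for the demo; in practice the baseline would be stored off the web server so an intruder cannot edit it along with the files.

```python
"""Baseline-and-compare file integrity check for a WordPress document root.

Added example: take a SHA-256 baseline of every file after a known-good deploy,
keep it somewhere the web server cannot write, and compare a fresh scan against it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths between two scans."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: a tiny fake document root, a baseline, then an unrequested change."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'shop_db');\n")
        (root / ".htaccess").write_text("# BEGIN WordPress\n# END WordPress\n")
        (root / "wp-content" / "index.php").write_text("<?php\n// Silence is golden.\n")

        # Baseline is written outside the document root, as it would be in production.
        baseline_path = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulate what the post describes: an edited config and a new file nobody requested.
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'shop_db');\n// unexpected line\n")
        (root / "wp-content" / "cache.php").write_text("<?php\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run from cron against the real document root, the scan becomes the "unusual changes" alert the post describes: any entry in `added` or `modified` that does not line up with a change request or a scheduled update is the file to open first.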

Resolve the issue 

  • First things first, we back up the malicious version for future forensics. This is done via the SiteGround plugin; we have a partnership with SiteGround, so we can use all their tools.
  • Secondly, we open the updated file `wp-config.php`, and guess what we found… 

Clearly this weird-looking code is not something anyone would write by hand. We compared the file with the sample file `wp-config-sample.php` provided on the official WordPress website, just to be sure.

  • We deleted the malicious code and compared the file with the sample to ensure everything else was in place.
  • Thirdly, we opened the `.htaccess` file. The same thing had happened here.

Let’s not bother with the details and jump to our resolution, which is restoring the `.htaccess` file content to what it should be.

We also cleaned up a few more infected files, which were detected by the Wordfence plugin.
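The two manual checks above (comparing `wp-config.php` against `wp-config-sample.php`, and reviewing `.htaccess`) can be scripted. The following is an added example, not code from the post or from Wordfence: it reports every line of `wp-config.php` that is neither in the sample nor a site-specific value for a constant the sample also defines, flags constructs such as `eval` and `base64_decode` that have no business in a config file, and lists every `.htaccess` line outside the `# BEGIN WordPress` / `# END WordPress` block. The sample, config and `.htaccess` texts are constructed stand-ins (the real sample file is longer, and the injected lines are placeholders), and the pattern list is a heuristic: a hit is a lead for review, not proof of compromise.

```python
"""Triage helpers for a tampered wp-config.php and .htaccess (added example)."""
import re

# Constructs with no business in a WordPress config file. A hit is a lead, not proof.
SUSPICIOUS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
    re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    re.compile(r"(\\x[0-9a-f]{2}){4,}", re.I),  # long runs of hex-escaped bytes
]

DEFINE_RE = re.compile(r"define\s*\(\s*['\"]([A-Za-z0-9_]+)['\"]")


def unexpected_lines(config_text: str, sample_text: str) -> list:
    """Lines of wp-config.php that are neither in the sample nor a site-specific value
    for a constant the sample also defines (DB_NAME, DB_PASSWORD, the salts, ...)."""
    sample_lines = {line.strip() for line in sample_text.splitlines() if line.strip()}
    sample_defines = {m.group(1) for m in DEFINE_RE.finditer(sample_text)}
    result = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line in sample_lines:
            continue
        match = DEFINE_RE.match(line)
        if match and match.group(1) in sample_defines:
            continue
        result.append((number, line))
    return result


def suspicious_lines(text: str) -> list:
    """(line number, matched pattern, line) for every line hitting a SUSPICIOUS pattern."""
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        for pattern in SUSPICIOUS:
            if pattern.search(raw):
                hits.append((number, pattern.pattern, raw.strip()))
                break
    return hits


def lines_outside_wordpress_block(htaccess_text: str) -> list:
    """Non-blank .htaccess lines outside the # BEGIN WordPress / # END WordPress block."""
    inside = False
    outside = []
    for number, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if line == "# BEGIN WordPress":
            inside = True
        elif line == "# END WordPress":
            inside = False
        elif line and not inside:
            outside.append((number, line))
    return outside


# Constructed excerpt in the shape of wp-config-sample.php (the real file is longer).
SAMPLE = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed wp-config.php: site-specific values plus one placeholder injected line.
CONFIG = """<?php
define( 'DB_NAME', 'shop_db' );
define( 'DB_USER', 'shop_user' );
define( 'DB_PASSWORD', 'example-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
@eval(base64_decode('Li4u'));
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed .htaccess: the standard WordPress block followed by one placeholder directive.
HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
# END WordPress
RewriteRule ^(.*)$ https://unexpected-host.example/$1 [R=302,L]
"""


def triage() -> dict:
    """Run all three checks over the constructed inputs."""
    return {
        "unexpected": unexpected_lines(CONFIG, SAMPLE),
        "suspicious": suspicious_lines(CONFIG),
        "htaccess_outside_block": lines_outside_wordpress_block(HTACCESS),
    }


if __name__ == "__main__":
    for key, rows in triage().items():
        print(key)
        for row in rows:
            print("  ", row)
```

Lines outside the WordPress block are not automatically malicious (hosting panels and caching plugins add their own directives there), so compare the report against the backup taken in the first step rather than deleting on sight; the same applies to any `wp-config.php` line the sample does not know about.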

  • Once all infected files are resolved, it’s time to upgrade WordPress and the plugins to the latest version. Depending on our maintenance contract, we do this either periodically or only when issues appear.

Mitigation 

If you use Wordfence Premium, it can schedule a quick scan every day and a full scan every 72 hours. In our case we don’t have the premium subscription, so we substitute our homemade tool, which is enough to detect changes, and then use Wordfence to completely fix the problem.

Upgrade WordPress and all your plugins to the latest version to receive security updates.

Periodically create backups of your websites, so that if something happens you can restore from the most recent one.

Summary 

As business owners, we don’t want our website to be hacked into, especially WordPress websites with an e-commerce plugin. We defend against these types of hacks quite frequently, so our process becomes more efficient each day.

Above is just a basic solution that can help you get the website back up and running. However, if things get out of hand, you may need to seek help from professionals. 
