Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member

Detecting hacks

From: WordPress 3: Developing Secure Sites

Video: Detecting hacks

Once you're up and running with WordPress, it's a good idea to periodically search your files and database for possible malicious code. Exploit code happens when an attacker finds a way into your site and plants the payload somewhere in your files or database. In this screencast, we look at an easy way to scan your site for any signs of foul play. For example, here at the Digging into WordPress site, we explain a rather nefarious hack that plagued the WordPress community back in July of 2010.

Detecting hacks

Once you're up and running with WordPress, it's a good idea to periodically search your files and database for possible malicious code. Exploit code happens when an attacker finds a way into your site and plants the payload somewhere in your files or database. In this screencast, we look at an easy way to scan your site for any signs of foul play. For example, here at the Digging into WordPress site, we explain a rather nefarious hack that plagued the WordPress community back in July of 2010.

This is a great article to familiarize yourself with the type of stuff that we are talking about when referring to malicious code or exploit code. As seen following the link here, malicious code often looks like long strings of encoded gibberish. Make no mistake, exploit code like this is malicious and used for evil purposes, but there is a plug-in called Exploit Scanner that does an incredible job of actually finding this stuff. It doesn't remove anything or make any changes to your files, which is good, but it does provide a detailed report, along with some options to fine-tune the results.

It's a powerful tool, so let's set it up and use it to keep an eye on things. To install the plug-in, go to the Add New Plugins page in the Admin area and type in 'Exploit Scanner' in the Search field. Click on the Search button to view the results and you should see it listed first in the list. Click on the Details link to learn a little bit more about the plug-in. As we see here in the description, this plug-in does one thing, and it does it well. It scans your database and files for anything suspicious.

The author is a reputable author, and the plug-in was updated recently. It's compatible with the latest version of WordPress, has been downloaded many times, and enjoys an excellent rating. Going to the Installation tab, we see that the installation is typical and since we have the latest version already installed, let's close out of this screen and configure the plug-in by clicking the Exploit Scanner link in the Tools menu. Here at the Exploit Scanner settings page, we have several options.

First, Search for suspicious styles. You can try this both ways, but keep in mind there are way more false positives with this checked. For Upper file size limit, the default value is fine, but you can change if needed. Number of files per batch, again, leave it at the default value unless you have reason to do otherwise. And finally, click Run the Scan to run a scan on your site. The scan is now complete. Before digging in, let's look at the three different levels of results. Level Severe, usually a strong indicator of a hack or exploit code.

Warnings are not as bad as severe, but you should treat them with caution. And then there are notes which are lowest-priority results that are commonly used and probably safe. So now let's return to the admin area and scan through our results. Because of all the Security plug-ins that I have installed on this demo site, this is a pretty horrendous results set of data here, and we're not going to have time in the screencast to analyze everything.

So let's look at a more typical case with only a few plug-ins installed at a different demo site, here. In the results, we see the three different levels represented. We have Level Severe with two matches, Level Warning with six matches, and Level Note with one match. These results are typical, and you may have more or less depending on the plug-ins and themes and other files that you have in your site.

Let's begin with Level Severe, and we see in wp-commentsrss2.php, they matched eval and base64_decode, which are often good indicators of a potential attack. Level Warning, the license file and these other files, things have been modified, and you should look into those.

And Level Note, this is for your information. If you feel this is something worth looking at, then go ahead. But let's focus now on Level Severe. What we want to do is find this file in our WordPress installation. So we go to our FTP/file editor and we look in our local files, and we open the file and see that there's nothing here. Well, that makes sense because if somebody did hack our site, they did it on the server. So let's look at the same file as it exists on the server. Aha! Notice the difference between these two files, our local file and the one on the server.

Here, someone or something has injected this malicious code into the file using eval(base64_decode). This encoded gibberish to do anything--we don't know, but we want to get rid of it. So we can either delete this or simply upload our local file to the server. Now, let's look at the file and make sure that we have cleaned things up.

It looks good. Opening the local file, the two files are identical, so we've eliminated this threat. Returning to the browser, let's rerun the scan and see what happens. Great, no Level Severe matches. We do have Level Warnings, but we will leave this up to you to research and find out what's going on there. It can be time consuming interpreting the results, especially if you have lots of plug-ins and themes installed.

So if you're at all unsure about a particular result, it's best to err on the side of caution. For more help, ask around in the WordPress support forum and/or other online forums, or maybe search the Internet for similar situations, code, and so on. You'll inevitably see a lot of false positives, but the chance to locate and eliminate actual malicious code is worth it. There are few big things to watch out for: Matches around unknown or external links, if you see a hyperlink in your code and you see some sort of base 64 decoding or eval or anything weird, take a good close look. base 64 encoded text in modified core files is also known a no-no. Keep a close eye on that.

Listing extra admin accounts in the lower panel of the Plugins Settings page is also something you should keep an eye on. And then finally, just keep an eye out for any bad code in posts, pages, and so on. In this screencast, we've seen how to configure Exploit Scanner to scan our files and database for malicious content. It usually takes some time interpreting the results, but even finding just one injected exploit makes the effort completely worth it.

Show transcript

This video is part of

Image for WordPress 3: Developing Secure Sites
WordPress 3: Developing Secure Sites

36 video lessons · 11313 viewers

Jeff Starr
Author

 

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

Join now "Already a member? Log in

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed WordPress 3: Developing Secure Sites.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?

No

Your file was successfully uploaded.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.