Join Jeff Starr for an in-depth discussion in this video Detect hacks, part of WordPress: Developing Secure Sites .
- [Instructor] Once you're up and running with WordPress, it's a good idea to periodically search your files and database for exploits and malicious code. Exploit code is what an attacker leaves behind after finding a way into your site: a payload planted somewhere in your files or database. In this video, we look at an easy way to scan your site and check for any signs of foul play. At my site, digwp.com, I describe how our site got hit with the nefarious Pharma Hack. There are endless examples of articles like these, where people share their experience with attacks and the kind of stuff we're talking about when we refer to malicious code or exploit code.
It can be useful to familiarize yourself with some of this information because it can give you perspective should you ever need to respond to a similar incident. As seen here, malicious code often looks like long strings of encoded gibberish. This encoded payload is what hit many sites several years ago. It was really nasty. Make no mistake, exploit code is malicious and used for evil, but there is a plug-in called Exploit Scanner that does an incredibly thorough job of finding it.
It doesn't actually remove the code or make any changes, which is a good thing: nothing gets deleted before you've looked at it, and you decide how to respond to each result. What it does is enable on-demand security scans with detailed reports. It's a powerful tool, so let's set it up and use it to scan our site. To install Exploit Scanner, go to the add new plug-ins screen and take a look. Here it is. Taking a look at the details, we see that everything looks good. It's current with the latest version of WordPress, it was recently updated, it's popular with over 60 thousand active installs, and the reviews look decent enough.
Apparently, an older version of the plug-in was missing a hash file and some folks rated the plug-in poorly because of it. That's been fixed, by the way. Also note that the authors of this plug-in are some top WordPress developers with a great reputation. Reading the description, we see that this plug-in scans your posts, comments, plug-ins and other files, and the installation steps are typical and straightforward. In fact, this plug-in is already installed on our demo site. So let's go ahead and activate Exploit Scanner and see how it works.
Here at the Exploit Scanner settings page, we have several options. Search for suspicious styles refers to CSS styles; let's leave this checked for now. Upper file size limit: the default value is fine, but change it if needed. We also have number of files per batch; go ahead and leave this at the default value unless you have reason to change it. Again, the main thing this plug-in does is scan for exploit code. It's up to the admin or webmaster to analyze, interpret and respond to the results. That said, let's watch the plug-in do its thing by clicking run the scan.
First, there are severe results, which are strong indicators of a hack but not definitive proof. Then there are warning results, which are not as bad as severe but should be treated with caution. Lastly, there are notes, the lowest priority, showing results that are common and probably safe. Now let's return to the admin area and examine the results of the scan. As you can see by scrolling down the page, the levels are displayed in three separate sections.
We have severe, warning, and note. Things aren't looking too bad for this scan, but check out how many note results are displayed. Real quick, let's scroll back up and disable that first option, search for suspicious styles. There's no need to save any changes; just click run the scan again to start a new scan. As you can see, the number of note results is greatly reduced, which helps to clean things up a bit.
Further, all of the things pointed out by these particular note results are fine and perfectly normal. In the warning results, however, we notice that the sample configuration file has been modified, and we also see that the plug-in detected an error log, which is fine. Let's take a closer look by clicking see what has been modified. Looks like a lot of bad code. We see eval and base64, and then we also see a lot of encoded gibberish.
This definitely calls for further investigation. Scrolling up to the severe results, we see the same file, the sample configuration file, showing the same eval, base64 and encoded gibberish, so clearly there is an issue with our sample configuration file. We need to investigate further. Here in our file editor, we click to open the sample configuration file to see what's up.
It looks clean. Let's do a quick search for eval, and there are no results. Ah, but wait, that makes sense, because if the file were hacked, it would be hacked only on the server; the attacker would not have access to our local set of files. So let's switch to remote view and download the sample configuration file from the server. Here's the remote view, let me find our sample configuration file, and download.
Now let's take a look. Aha, there it is, right there and ugh, that's really nasty. This is the same exploit code that was detected by the Exploit Scanner plug-in. So let's go ahead and remove it and then we save and upload the file back to the server. Now let's return to the Exploit Scanner to run a final check. We click run the scan, and much better, the results look good.
We've removed the exploit code and there are no warning or severe results to worry about, only the safe notes we saw before. If this were a live production site, the next step would be to determine how the bad code was injected in the first place, then patch and secure any vulnerabilities to make sure that it doesn't happen again. Keep in mind that an attacker who could write to one file on the server could write to others, so removing the one payload you found is not proof that the site is clean; compare the rest of the install against a fresh copy of WordPress and your plug-ins and themes before calling it done. Note that on most sites, interpreting the scan results can take time, especially if you have lots of plug-ins and themes. You'll inevitably get lots of false positives, but the chance to locate and eliminate any bad code is worth the effort.
When checking your site, here are a few big things to look for. First, look for any matches around unknown or external links. Keep an eye out for any strings of Base64-encoded characters. Investigate any instances of the eval function, and of course check out any bad code found in posts, pages and elsewhere. If you're unsure about a particular result, it's best to err on the side of caution. For help, ask around in the WordPress support forum and/or other forums, or search online for similar code. If you think you've been hacked, check out the responding to hacks segment of the Further Security Techniques video later in this course.
In this video, we've seen how to configure Exploit Scanner to scan our files and database for malicious content. It usually takes some time to interpret the results, but even finding just one exploit makes it all worthwhile.
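As an added example that is not part of the video or of the Exploit Scanner plug-in's code, here is a small read-only scanner in Python that applies the checks the video lists: eval wrapped around a decoder, bare eval, long Base64 runs, hex-escaped strings, external links and the noisy suspicious-styles check that can be switched off. It grades each hit severe, warning or note, and it tries to decode long Base64 runs so that image data stays a note while encoded PHP is escalated. The file names, the injected line, the post rows and the host example.com are all constructed for the demo, and nothing it scans is modified.

```python
"""Read-only scanner in the spirit of Exploit Scanner (added example, not the plugin's code)."""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from pathlib import Path
from tempfile import TemporaryDirectory
from urllib.parse import urlparse

SEVERE, WARNING, NOTE = "severe", "warning", "note"

EVAL_DECODER = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
BARE_EVAL = re.compile(r"\beval\s*\(", re.I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}")
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)
SUSPICIOUS_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}", re.I)
# Tokens that make a decoded blob look like PHP rather than an image or a font.
PHP_TOKENS = re.compile(r"<\?php|\$_(?:GET|POST|REQUEST|COOKIE)|\beval\s*\(|base64_decode|shell_exec|\bsystem\s*\(")


@dataclass(frozen=True)
class Finding:
    level: str
    rule: str
    source: str  # relative file path, or "post:<id>" for a database row
    line: int
    snippet: str


def decoded_looks_like_code(blob: str) -> bool:
    """Decode a base64 run and look for PHP tokens in the plaintext."""
    blob = blob.rstrip("=")
    blob = blob[: len(blob) - len(blob) % 4]  # drop an incomplete trailing group
    try:
        raw = base64.b64decode(blob)
    except (binascii.Error, ValueError):
        return False
    return PHP_TOKENS.search(raw.decode("latin-1")) is not None


def scan_text(text: str, source: str, own_host: str, suspicious_styles: bool = True) -> list[Finding]:
    """Scan one file body or one database field line by line; never edits anything."""
    found: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        snip = line.strip()[:80]
        if EVAL_DECODER.search(line):
            found.append(Finding(SEVERE, "eval-of-decoded-payload", source, n, snip))
        elif BARE_EVAL.search(line):
            found.append(Finding(WARNING, "eval-call", source, n, snip))
        for m in BASE64_RUN.finditer(line):
            rule, level = ("base64-encoded-php", SEVERE) if decoded_looks_like_code(m.group(0)) else ("long-base64-run", NOTE)
            found.append(Finding(level, rule, source, n, snip))
        if HEX_ESCAPES.search(line):
            found.append(Finding(WARNING, "hex-escaped-string", source, n, snip))
        for m in URL.finditer(line):
            host = urlparse(m.group(0)).hostname or ""
            if host != own_host and not host.endswith("." + own_host):
                found.append(Finding(NOTE, "external-link", source, n, m.group(0)[:80]))
        if suspicious_styles and SUSPICIOUS_STYLE.search(line):
            found.append(Finding(NOTE, "suspicious-style", source, n, snip))
    return found


def scan_tree(root: Path, own_host: str, suspicious_styles: bool = True) -> list[Finding]:
    """Walk an install and scan text files by extension (plus .htaccess)."""
    found: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in (".php", ".js", ".html", ".css") or path.name == ".htaccess"):
            body = path.read_text(encoding="utf-8", errors="replace")
            found += scan_text(body, path.relative_to(root).as_posix(), own_host, suspicious_styles)
    return found


def scan_rows(rows: list[tuple[int, str]], kind: str, own_host: str, suspicious_styles: bool = True) -> list[Finding]:
    """Scan database rows such as (ID, post_content) from wp_posts or wp_comments."""
    found: list[Finding] = []
    for row_id, content in rows:
        found += scan_text(content, f"{kind}:{row_id}", own_host, suspicious_styles)
    return found


def report(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings the way the plug-in displays them: severe, warning, note."""
    grouped: dict[str, list[Finding]] = {SEVERE: [], WARNING: [], NOTE: []}
    for f in findings:
        grouped[f.level].append(f)
    return grouped


# Constructed sample site and rows; the "injected" line stands in for the payload the video describes.
INJECTED = base64.b64encode(b"<?php /* injected */ if(isset($_REQUEST['cmd'])){ echo $_REQUEST['cmd']; } ?>").decode()
PNG_BLOB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(range(256))).decode()  # harmless binary data
SAMPLE_FILES = {
    "wp-config-sample.php": "<?php\n// ** MySQL settings ** //\ndefine('DB_NAME', 'database_name_here');\n"
    f"eval(base64_decode('{INJECTED}'));\n",
    "wp-content/themes/demo/style.css": f".logo{{background:url(data:image/png;base64,{PNG_BLOB})}}\n",
    "wp-content/themes/demo/footer.php": '<a href="https://example.com/about/">About</a>\n'
    '<div style="display:none"><a href="https://cheap-pills.example.net/">buy</a></div>\n',
    "wp-includes/clean.php": "<?php\nfunction retrieval_helper($x) { return $x; }\n",
}
SAMPLE_POSTS = [(1, "Hello world! Welcome to WordPress."),
                (2, '<script>document.write("\\x3c\\x69\\x66\\x72\\x61\\x6d\\x65")</script>')]


def run_demo(suspicious_styles: bool = True) -> dict[str, list[Finding]]:
    """Write the sample site to a temp dir, scan files and rows, return the grouped report."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        findings = scan_tree(root, "example.com", suspicious_styles)
    findings += scan_rows(SAMPLE_POSTS, "post", "example.com", suspicious_styles)
    return report(findings)


if __name__ == "__main__":
    for level, items in run_demo().items():
        print(f"== {level}: {len(items)}")
        for f in items:
            print(f"  {f.source}:{f.line} [{f.rule}] {f.snippet}")
```

Run it as-is to see the three sections; pass `suspicious_styles=False` to `run_demo` to drop the CSS hit the way the video does. Like the plug-in, the scanner only reports: the line in the sample configuration file is graded severe twice (eval around a decoder, and a Base64 run that decodes to PHP), the theme's embedded PNG stays a note because its decoded bytes contain no PHP tokens, the hidden div with an off-site link is a note, and the hex-escaped script in post 2 is a warning. Deciding what to remove is still your job.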