You’ve Been Hacked: What Now?

KEANAN KOPPENHAVER

@KKOPPENHAVER

HTTP://LEVELUPWP.NET

Who Am I?

• Developer at doejo

• Been working primarily on WP projects for the past 3 years

• Sites large and small

People on the internet are rude.

Part 1 | Discovery

Your host may tell you.

You may see some strange behavior

• Published posts you didn’t write

• Menu links you didn’t create

• Images you didn’t upload

(Check with anyone else who works on your site)

Google may tell you

Mysterious redirections

Part 2 | Recovery

https://codex.wordpress.org/FAQ_My_site_was_hacked

Backup Now

• Some hosts will disable/take down your site when they find out you’ve been hacked

• Peace of mind during the restore process

• Useful even if (especially if) you already have an existing backup

Restore from your backup

You’re un-hacked!

Questions?KEANAN KOPPENHAVER

@KKOPPENHAVER

HTTP://LEVELUPWP.NET

No backup?

Run local scans

• Some server infections start with your local environment, make sure that’s clean first

Start from scratch

• Difficult to identify everything, even the smallest backdoor could let attacker back in

• Fresh (separate) install, bring all content over via WP Export

Post-mortem Site Scan

• Sucuri Site Scan

• WordFence Site Scan

• Command-line diff-ing (on files that aren’t supposed to change)

Change everything• wp-admin password

• DB password

• FTP/SSH password (maybe use public keys instead?)

• Hosting admin panel

• SECRET KEYS (to kick out logged in users)

define( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' ); define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' ); define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' ); define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' ); define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' ); define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' ); define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' ); define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );

Part 3 | Prevention

Strong Passwords

• Use a password manager (1Password, LastPass)

• Don’t share passwords between services (WP, MYSQL, FTP) or installations

Updates

• WP Core

• Plugins, plugins, plugins (update and clean up)

• Themes (update and clean up)

Get a Security Plugin

• WordFence

• Sucuri

• iThemes Security

Hardening WordPress

https://codex.wordpress.org/Hardening_WordPress

Specific Tips• Don’t give the WP user root access to MySQL

• Change the default table prefix

• Hide the WP version

• Change the default login URL (/wp-admin)

• Don’t use admin as your username

• Block login attempts

Questions?KEANAN KOPPENHAVER

@KKOPPENHAVER

HTTP://LEVELUPWP.NET