Lately I’ve been noticing that my WordPress has been getting hacked constantly (this site is run on WP). Even if I update it, there seems to be some backdoor that gets executed every month.
So recently I took a few extra moments to take a look at these attacks. On the surface these attacks are not sophisticated, they mostly target un-updated WP installations and install malicious payloads that has a signature similar to:
Originally i started to write some scripts to remove signatures like this, but it seemed easier to re-use other’s code. I recently stumbled upon this:
basically what this plugin does is it matches the current install with the vanilla version of WordPress and tells you if there are any differences – a very good way to detect modification of php code.
the hashes exist here:
The other thing i do is that I track all my wordpress installs with git
everytime I install a plugin / update WordPress – i update my git with a commit, so if any of the WordPress installs get attacked, I can run:
git reset --hard HEAD to revert any changes made to the files and at the very least put me on a good baseline for cleanup
1&1 actually does some nice security scanning now. They detect attacks and then automatically lock the file so that it cant be executed on the web. In order to fix this – i usually do a:
chmod -R 777 * on the WordPress directory so git will have the right permissions to remove/delete files