When websites get compromised – 09/06/2019


Currently a great number of websites are being compromised in a way that shows up in Google: a search for the website returns results indicating that it was potentially hacked – see example below.

  • The above links point to the website’s landing/home page.
  • Since this is a local website in English, foreign characters should not appear in its search results.

Further search results show that other links on the website seem to be unaffected.

When the web admin was alerted to this compromise, they discovered that the index.php file had been modified. In WordPress, this file is used as a fallback template when there is no more specific template file defining the rules for the theme. Another way of thinking about index.php is that it controls how your site behaves if there are no other settings. The root cause was an outdated WordPress installation and outdated plugins.

WordPress and all of its plugins are software running on a server. As such, the software receives regular updates from its developers, and these updates can include new features as well as security patches. If it is not updated, attackers can exploit the known vulnerabilities that those patches fix.
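The compromise above was only noticed when Google flagged the search results. A cheaper way to catch a modified index.php is a file-integrity check: hash the PHP files of a known-good install, then re-hash on a schedule and report anything changed, added, or containing non-ASCII bytes (which, as the post notes, should not be present on an English-language local site). The script below is an added example and not code from the original post; the directory layout, file contents and simulated tampering are constructed for the demo.

```python
"""Integrity check for a WordPress web root.

Builds a sha256 baseline of PHP and .htaccess files, then reports files that
were modified, files that appeared after the baseline, and files containing
non-ASCII bytes. Added example; the demo site below is constructed.
"""
import hashlib
import os
import re
import tempfile

WATCHED = (".php", ".htaccess")
NON_ASCII = re.compile(rb"[\x80-\xff]")


def hash_file(path):
    """sha256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path (with '/' separators) -> sha256 for watched files."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def check_site(root, baseline):
    """Compare the current web root against a saved baseline.

    Returns {'modified': [...], 'added': [...], 'non_ascii': [...]} with
    sorted relative paths, so the result is easy to diff or alert on.
    """
    current = build_baseline(root)
    report = {"modified": [], "added": [], "non_ascii": []}
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        with open(os.path.join(root, rel), "rb") as fh:
            if NON_ASCII.search(fh.read()):
                report["non_ascii"].append(rel)
    return report


def demo():
    """Constructed scenario: take a baseline of a tiny site, then simulate the
    kind of tampering described in the post (theme index.php altered with
    non-ASCII text, plus an unexpected new PHP file) and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    files = {
        "index.php": b"<?php define('WP_USE_THEMES', true);\n"
                     b"require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo/index.php": b"<?php get_header(); get_footer();\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    baseline = build_baseline(root)

    # Simulated compromise (constructed): append a non-ASCII marker to the
    # theme's index.php and drop a new file into wp-content.
    with open(os.path.join(root, "wp-content/themes/demo/index.php"), "ab") as fh:
        fh.write("<!-- constructed marker: \u00e9 -->\n".encode("utf-8"))
    with open(os.path.join(root, "wp-content/dropped.php"), "wb") as fh:
        fh.write(b"<?php // constructed unexpected file\n")

    return check_site(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline is taken right after a clean install or restore and stored outside the web root (or off-site, alongside the backups the post recommends); re-running `check_site` from cron gives a change alert long before search engines notice.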

Resolution:

Restoring the website to its former glory is the easy part. Making sure it does not happen again takes some know-how.

Restoration steps:

  1. Restore a backup of the website, or just of index.php (depending on how big the website is and how bad the infection/compromise is)
  2. Update the WordPress installation (done from within the WP admin portal)
  3. Update the WordPress plugins
  4. Remove any unnecessary plugins – more plugins can slow your website down as well as increase its attack surface

Now that the website is restored, it needs to be revalidated by Google in order to correct the search results.

Revalidation steps:

First, you need to have Google get rid of the old/compromised search results.

  1. Log into Google’s Webmaster Tools – register for a free account if you don’t already have one.
  2. Add/select your property (website)
  3. Navigate to Google Index → Remove URLs
  4. Enter your website URL and select the preferred option

This sends a request to Google to clear your website from their search index (search results).


Next you need to have Google re-index the website so that the search results only show the latest website information.

  1. Navigate to Crawl → Fetch as Google in Webmaster Tools
  2. Add your website URL in the provided space and select Fetch
  3. Your site will be added to the list below
  4. Select Request Indexing or Re-index
  5. The request will be sent to Google to process

How to avoid it happening again:

Hardening security is the best practice in this scenario. Although no security measure is 100% hack-proof, one needs to put processes in place that limit or control the potential damage caused by attackers, as follows:

  1. Protect the web server – install trusted antivirus to protect your files and network (this depends on whether you’re using a hosting provider or your own server).
  2. Make sure all software and patches are up to date. This includes your server’s Windows security patches (self-managed web server) as well as WordPress and its plugins.
  3. Back up your server and website regularly – make sure these backups are also kept off-site.
  4. Always change the default administrator usernames and passwords to something unique and complex.
  5. Access control: add separate users to allow access to the website admin portal – do not just hand out the main admin credentials.
  6. Install a managed firewall to help prevent brute-force attacks.

Advanced Steps

  1. Secure your website – install an SSL certificate.
  2. Change the default wp-login URL of the WordPress admin portal.
  3. Add two-factor authentication for logins.
  4. Disable file editing in WordPress.
  5. Hide the wp-config.php and .htaccess files.

To carry out the advanced steps mentioned above, see WordPress’ guide on ‘Hardening WordPress’.
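Two of the advanced steps (disabling file editing and hiding wp-config.php and .htaccess) are plain configuration changes, and after a restore it is worth verifying they are actually in place rather than assuming so. The audit below is an added example, not code from the post or from WordPress: it embeds a constructed stock configuration next to the hardened version (the `DISALLOW_FILE_EDIT` constant in wp-config.php and Apache 2.4 `Require all denied` blocks in .htaccess, both real settings) and reports which hardening items are missing. The check names and the sample configuration text are my own.

```python
"""Audit a WordPress install for two of the post's advanced hardening steps:
file editing disabled in wp-config.php, and .htaccess rules that deny web
access to wp-config.php and .htaccess itself. Added example; sample configs
are constructed."""
import re

# Constructed: a stock wp-config.php with none of the hardening applied.
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'placeholder-password');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed: the same file with the theme/plugin editor switched off,
# which is what "disable file editing in WordPress" means in practice.
HARDENED_WP_CONFIG = WEAK_WP_CONFIG.replace(
    "$table_prefix", "define('DISALLOW_FILE_EDIT', true);\n$table_prefix")

# Constructed .htaccess bodies: before and after adding deny rules.
WEAK_HTACCESS = """# BEGIN WordPress
RewriteEngine On
# END WordPress
"""
HARDENED_HTACCESS = WEAK_HTACCESS + """
<Files wp-config.php>
    Require all denied
</Files>
<Files .htaccess>
    Require all denied
</Files>
"""

DISALLOW_EDIT = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)")
# Accept both Apache 2.4 ("Require all denied") and 2.2 ("Deny from all").
DENY_ALL = re.compile(r"(Require\s+all\s+denied|Deny\s+from\s+all)", re.I)


def file_is_denied(htaccess, filename):
    """True if a <Files filename> block in the .htaccess text denies all access."""
    pattern = r"<Files\s+\"?%s\"?>(.*?)</Files>" % re.escape(filename)
    block = re.search(pattern, htaccess, re.S | re.I)
    return block is not None and DENY_ALL.search(block.group(1)) is not None


def audit(wp_config, htaccess):
    """Return {check_name: bool} for each hardening item."""
    return {
        "file_editing_disabled": DISALLOW_EDIT.search(wp_config) is not None,
        "wp_config_denied": file_is_denied(htaccess, "wp-config.php"),
        "htaccess_denied": file_is_denied(htaccess, ".htaccess"),
    }


def missing(wp_config, htaccess):
    """Sorted list of hardening items that are NOT in place."""
    return sorted(name for name, ok in audit(wp_config, htaccess).items() if not ok)


if __name__ == "__main__":
    print("stock install, missing:", missing(WEAK_WP_CONFIG, WEAK_HTACCESS))
    print("hardened install, missing:", missing(HARDENED_WP_CONFIG, HARDENED_HTACCESS))
```

On a real server, read the two files from the web root and pass their contents to `missing()`; a non-empty result after a restore means the hardening was lost with the backup and has to be reapplied. The deny rules only help on Apache with .htaccess processing enabled; on nginx or a managed host the equivalent must be set in the server configuration.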

F-Secure Radar is a vulnerability scanning solution that will greatly assist in finding weaknesses on your web server as well as in web applications such as WordPress. It checks for issues like missing patches, open ports, server misconfigurations and many more. All scan results are provided with a severity level as well as remediation suggestions.

For more information regarding F-Secure Radar, please visit the link below.

https://www.cybervision.co.za/radar/