
My WordPress Website Got Hacked – A Case Study


Hello friends,
Yes, you heard right: “my WordPress website got hacked”. This may be shocking news for you, but it is true. And if you are thinking, “he is a security expert, how is it possible for him to get hacked?”, let me introduce you to a true fact: nobody is 100% safe and secure in this cyber world.

Everyone is vulnerable, and can be hacked.

So in this article I am going to share a case study of how a WordPress site got hacked and how I found out what had really happened. I will share each and every thing that happened to me.


So Keep reading …

What was the issue with my website?

Writing articles is my hobby, so early in the morning, as usual, I opened my website to write something. I went to my login screen and entered my username and password, and I got a message saying the captcha was incorrect. I was using the Google Captcha (reCAPTCHA) plugin by BestWebSoft; why I use this plugin, I will share with you later in this post.
I tried to log in multiple times but got the same message again and again:

“Error: You have entered an incorrect reCAPTCHA value”


I was totally confused. How is it possible? This is Google reCAPTCHA; the user only has to prove he is not a robot by clicking its checkbox. I tried multiple times but had no success. Normally, entering the correct combination of username + password and filling in the captcha correctly gives you access to the WordPress website’s dashboard.

First big problem for me

Without access to the dashboard, I cannot do anything with my website: I cannot modify content, cannot write new posts, cannot edit my posts, cannot add or remove plugins, etc. But after a little struggle, I found my way.

Solution to the first problem:

There is only one way to disable a plugin without accessing the website’s dashboard: rename the plugin’s directory by accessing the website’s files. You can do that with an FTP client such as FileZilla, or with the file manager in your hosting’s cPanel.
Rename the Google Captcha folder: first I opened the file manager in the cPanel provided by my hosting service. Then I went to the plugins folder, located at home/public_html/wp-content/plugins/, and renamed “google captcha” to “google captcha_old”.
Google Captcha was disabled by this method. Now I entered the correct combination of username and password and got access to my website’s dashboard.

Thank god, I moved one step forward.
I then renamed the Google Captcha folder back to its original name and activated the plugin from my website’s dashboard. Some time later I deactivated Google Captcha and deleted it from my website.
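The same “rename the plugin directory” trick, done from a shell (cPanel’s Terminal or SSH) instead of the file manager, as an added example that is not the post author’s script and not part of WordPress. WordPress only loads plugins it can find under wp-content/plugins, so renaming the directory takes the plugin out of play without the dashboard, and renaming it back makes it available again. The directory name google-captcha for the BestWebSoft plugin is an assumption; check your own plugins folder first.

```shell
#!/bin/sh
# Added example: disable / restore a WordPress plugin by renaming its directory.
# Assumes <wp_root> is the WordPress install (e.g. $HOME/public_html) and that
# the plugin lives in wp-content/plugins/<slug> (google-captcha is assumed).

# wp_plugins_dir <wp_root>  -> prints the plugins directory
wp_plugins_dir() {
    printf '%s/wp-content/plugins\n' "$1"
}

# wp_plugin_disable <wp_root> <slug>  -> renames <slug> to <slug>_old
wp_plugin_disable() {
    plugins=$(wp_plugins_dir "$1")
    if [ ! -d "$plugins/$2" ]; then
        echo "plugin '$2' not found under $plugins" >&2
        return 1
    fi
    # never clobber an earlier backup copy of the plugin
    if [ -e "$plugins/${2}_old" ]; then
        echo "'${2}_old' already exists, refusing to overwrite it" >&2
        return 1
    fi
    mv "$plugins/$2" "$plugins/${2}_old"
}

# wp_plugin_restore <wp_root> <slug>  -> renames <slug>_old back to <slug>
wp_plugin_restore() {
    plugins=$(wp_plugins_dir "$1")
    if [ ! -d "$plugins/${2}_old" ]; then
        echo "'${2}_old' not found under $plugins" >&2
        return 1
    fi
    mv "$plugins/${2}_old" "$plugins/$2"
}

# wp_plugin_state <wp_root> <slug>  -> prints present, disabled or missing
# ("present" only means the directory is there, not that WordPress has it activated)
wp_plugin_state() {
    plugins=$(wp_plugins_dir "$1")
    if [ -d "$plugins/$2" ]; then
        echo present
    elif [ -d "$plugins/${2}_old" ]; then
        echo disabled
    else
        echo missing
    fi
}

# Usage from the shell:
#   wp_plugin_disable "$HOME/public_html" google-captcha   # locked out? run this
#   wp_plugin_restore "$HOME/public_html" google-captcha   # put it back afterwards
```

After the restore step WordPress still lists the plugin as deactivated, so it has to be activated again from the dashboard, exactly as the post describes.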

How did I know My WordPress site got hacked?

Second big issue I faced:

Another big issue was waiting for me, and I was completely unaware of it. What the problem was, I am going to share with you. I tried to install another plugin, because a captcha plays an important role in protecting your site (I will discuss this later in this article). Here is what happened next:

When I clicked on the “Add New” plugin button, I got an error message: “An unexpected error occurred. Something may be wrong with WordPress.org or this server’s configuration.”
I realised something had gone wrong with my website and that it had lost its connection with the WordPress server. That is why I was not able to access WordPress services like plugins and themes. So I decided: let’s check the health of my website.


How did I check the health of my website?

There is an option inside the web hosting cPanel called health check and monitoring.

[Image: health check and monitoring]
Click on the port 80 icon. If you see that the outbound port is open, it means the connection between your site and the WordPress server is fine and you are lucky enough: the WordPress virus/malware scanner has not found any issue. But I was not lucky enough, and
I got the following blocked ports:

[Image: blocked ports reported by the WordPress server]

Why did the WordPress server block my connection?

Understanding why the ports were blocked for my account is quite easy. WordPress has a malware scanner that scans your website on a regular basis; if it finds any kind of malicious file within your account, it blocks the connection.
In the above picture you can see there were a lot of infected files on my website.
I checked each location and file, and what I found was amazing to me: each file had nothing inside it, and these files had permission 0000. If you are an expert and want to say anything about the permission 0000, please write a comment below in the comment box.
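On the permission question: a mode of 0000 grants no read, write or execute permission to anyone, the web server included, so an empty file with that mode cannot run any code by itself. Whether such files are what was left behind after something truncated or neutralised the originals is a guess, not something this post establishes. Either way they are worth listing, and so are PHP files under wp-content that changed recently. The script below is an added example (not the hosting scanner’s or Wordfence’s code) that produces that triage list from the shell; it assumes the account user can read the whole tree, and the seven-day window is a starting point, not a rule.

```shell
#!/bin/sh
# Added example: first-pass triage of a WordPress tree after a malware alert.
# Lists (1) files with mode 0000, what the post found, and (2) PHP files under
# wp-content modified in the last N days (plugins, themes and uploads).
# Compare the result against the hosting scanner's report; it is a starting
# list, not a verdict.

# wp_suspect_files <wp_root> [days]  -> one path per line, sorted, deduplicated
wp_suspect_files() {
    root=$1
    days=${2:-7}   # default window of 7 days (assumption)
    if [ ! -d "$root/wp-content" ]; then
        echo "not a WordPress root: $root" >&2
        return 1
    fi
    {
        # files with no permission bits at all: nobody, including the web
        # server, can read or execute them
        find "$root" -type f -perm 0000
        # PHP changed recently anywhere under wp-content; a PHP file under
        # uploads/ is especially worth a look, since uploads should hold media
        find "$root/wp-content" -type f -name '*.php' -mtime "-$days"
    } | sort -u
}

# wp_suspect_count <wp_root> [days]  -> number of paths wp_suspect_files prints
wp_suspect_count() {
    wp_suspect_files "$@" | wc -l | tr -d ' '
}

# Usage, e.g. over cPanel's Terminal:
#   wp_suspect_files "$HOME/public_html" 7
#   wp_suspect_count "$HOME/public_html" 30
```

As the post does, download a copy of anything you intend to delete before removing it, so the files are still available for a closer look later.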

Alternative method I used to check my website for malware infection:

We cannot trust a single method for checking security, and I didn’t. So I used an alternative method to check my website for malware and viruses: a good WordPress plugin for checking the security of your website, Wordfence Security. Yes, I had already installed the premium version of this plugin. I scanned the website and found 4 infected files, the same ones already listed by WordPress.
Wordfence was showing a critical infection within these files. I tried to find out how these files got infected. Finally I found the root of the problem and removed it, which was the correct thing to do.

My website is now malware free:

I downloaded all the files and then removed them from the server with the help of the file manager. After 8 hours I checked the health on port 80 again, and I got an open port for my website.

[Image: fixed problem, port 80 open]

I also checked my website with the following online scanners:

  1. Sucuri Free Website Malware and Security Scanner
  2. VirusTotal
  3. Google Safe Browsing status
  4. Quttera

Best Practices for Hardening WordPress Website


Vulnerabilities inside plugins and themes are the best place for a hacker to inject malicious code, because the WordPress core files are easy to penetrate. If you want to minimize the risk from attackers, read the following tips for securing your WordPress site:

  • Regular backup:

    A regular backup is always helpful when your website is destroyed by a hacker: you can instantly restore your website in case of hacking. So don’t forget to back up your site on a regular basis.

  • Update your website:

    New releases have bug fixes. Hackers look for known loopholes that exist in older versions of WordPress, so update whenever a new release is available.

  • Change the WordPress database prefix:

    It is very important to change the database prefix. As you know, the WordPress installation script is automated and creates the same tables for each and every website. You can protect yourself by changing the table prefix from wp_ to something else.

  • Change the username:

    Don’t use a common username like admin or administrator.

  • Strong password:

    Use a strong password of at least 12 characters that includes capital letters, lower-case letters, numbers, and symbols. Your password should not be a dictionary word.

  • Use only well-known plugins and themes:

    Don’t use nulled plugins or themes, because most of the time the people behind them are the criminals: the theme or plugin has been nulled by a coder who has the capability to inject malicious code into it. How can you trust them?

  • Use a web malware scanner plugin for your WordPress site.
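Changing the prefix on an existing site is more than renaming the tables. WordPress also stores the prefix inside data: the options table has a row named <prefix>user_roles, and usermeta has <prefix>capabilities and <prefix>user_level for every user, and WordPress looks them up using the prefix in wp-config.php. Rename only the tables and every account loses its role. The shell function below is an added example (not WordPress’s or any plugin’s code) that generates the full set of SQL statements for a given old and new prefix; the prefix x9_ and the extra table name in the usage line are made up for illustration. Take the backup from the first tip before running the output.

```shell
#!/bin/sh
# Added example: generate the SQL to move a WordPress database to a new table
# prefix. Core table names are the default WordPress set; plugin tables are
# passed as extra arguments. Assumes MySQL/MariaDB, as WordPress requires.

WP_CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

# wp_prefix_sql <old_prefix> <new_prefix> [extra_table ...]  -> SQL on stdout
wp_prefix_sql() {
    old=$1
    new=$2
    shift 2
    # 1-based position just past the old prefix, for SUBSTRING()
    cut=$(( ${#old} + 1 ))
    # '_' is a LIKE wildcard, so escape it in the pattern (wp_ -> wp\_)
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')

    for t in $WP_CORE_TABLES "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # rows whose *names* carry the prefix: user roles in options,
    # capabilities/user_level in usermeta
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$cut" "$esc"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$cut" "$esc"
}

# Usage (x9_ and myplugin_log are made-up values):
#   wp_prefix_sql wp_ x9_ myplugin_log > change-prefix.sql
# Then set  $table_prefix = 'x9_';  in wp-config.php and run the SQL file
# against the database, in that order, during a short maintenance window.
```

Run the generated file once; a second run would fail on the RENAME statements because the old tables no longer exist, which is a useful safety property.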

If you have any question, write it in the comment box.

 

Cheers!

Vijay Kumar

Ethical Hacking & Penetration Testing Trainer, For more detail view My Profile
