All my WordPress websites have been hacked, now what?


Vulnerable plugins and themes regularly let malware into many WordPress websites at the same time.
What should you do if you are responsible for 5 or 10 websites? Or when you manage 80 to 100?

Multiple websites hacked at the same time, how is that possible?

When the same plugin or the same theme is used on multiple websites, there is a greater chance that several websites will be infected at once.
Hackbots search for websites running a particular vulnerable plugin and use that vulnerability to fill the website with advertising, spam, malware, backdoors and more trouble.

1 hack – 1 solution?

You would think that you could find the hack in the same files or folders on every website, or in one fixed place in the database.
Unfortunately, hack scripts drop their malware in random places.

Hack scripts place their files at random locations so that the server cannot intercept them with a fixed pattern.

In short, the same hack has to be found and removed in a different way on each website.

Help finding hacks in your websites

Malcare
Malcare is a service that lets you check multiple websites for hacks.
You have to register them one by one, but once registered, Malcare shows exactly which files contain the malware.
It is then up to you to decide whether to remove the malicious code from those files by hand or delete the files entirely.

The Sucuri malware scan
The malware scanner from Sucuri shows you which hacks you have. This helps you find and remove them.

Google webmaster tools
The security page of Google webmaster tools tells you which pages contain malware, phishing or unwanted advertising.

Is there a one-click fix to make all hacked websites hack-free in one go?

We would all love to see a “one click fix”, where the software detects and removes or corrects the hacks.
Unfortunately, there is no one-click fix, because software cannot reliably tell a hacker’s code apart from the code that belongs on the site.

The tools we described above make it a lot easier to find the hacks among the hundreds of files and the thousands of lines of code, but you will still have to remove or modify the hacks yourself.

How do you know your websites have been hacked?

If WordPress has been hacked you will not see it immediately; the hacks themselves are usually well hidden by the hacker and his script or virus.

Usually you can see the effect of the hack.

  1. Your website is being redirected to another website.
  2. Your website shows advertisements or links to another website inside your own pages. (The link spam article further down explains why hackers do that.)
  3. You can no longer access your administration panel.
  4. Your website has completely changed its style or even shows a page from the hacker.
  5. Your website is slow.
  6. Your computer’s security software reports phishing, a Trojan or other attacks on the PC.

You can run a scan if you are not sure whether your websites have been hacked:
Rescan.pro – good at detecting malware and hacks.
Sucuri malware scanner – shows whether the site contains malware and often which type.
IsItHacked – spots injected iframes and other hacker tricks sooner than the scanners above.

Remove the hack, what are you looking for?

Hackers use various methods to hide malware from the server’s virus scanner and from you, so that you can’t remove it easily.
Think of a thief, who also prefers not to be seen and has various tricks and disguises for that.

Base64
This is code that only runs when a specific request hits the file. The virus scanner never makes that request, so the code stays hidden.
Base64-encoded malware is an ugly, unreadable line of letters and digits, usually wrapped in a base64_decode() call and/or an eval().
Note that some legitimate plugins also use base64; with base64 you can even turn entire images into text!

Neat code intertwined with existing code
In some situations, hackers write clean, professionally formatted code, so that you can hardly tell the hacker’s code from the code that belongs in the website.

JavaScript
A single small piece of code loads external files, and those files contain all the hacks. Because the code is loaded from elsewhere, it cannot be found in your website’s files. Fortunately, the Sucuri and Rescan scanners mentioned above do follow such JavaScript.

Code in disguised files
Code in “images”. A .png file is an image type that the server will not execute as code. But with the right encoding, a hacker can open the .png and run it as a script. The server, antivirus programs and especially people overlook those “innocent” images in the uploads folders!
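
The two hiding techniques above (eval/base64 one-liners and PHP tucked inside an “image”) can be checked for with a small scanner. This is an added example, not code from the article or from any of the scanners it names; the sample tree it scans is constructed inline, and the decoder list is an assumption based on the functions the text mentions.

```python
"""Flag obfuscated PHP (eval/base64) and PHP hidden inside image files."""
import os
import re
import tempfile

# Functions the article associates with hidden code: eval plus decoders.
DECODER_RE = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE
)
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def classify_file(path):
    """Return the reasons a file looks suspicious; an empty list means clean."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(512 * 1024)  # the first 512 KiB is enough for a verdict
    has_php = PHP_TAG_RE.search(data) is not None
    # A "picture" that contains a PHP open tag is a disguised script.
    if ext in IMAGE_EXTS and has_php:
        reasons.append("php-in-image")
    if has_php or ext in PHP_EXTS:
        calls = {m.group(1).lower().decode() for m in DECODER_RE.finditer(data)}
        if "eval" in calls and "base64_decode" in calls:
            reasons.append("eval-base64")  # the classic one-line dropper
        elif calls:
            # Decoders on their own are used by legitimate plugins too (the
            # article's caveat): report them for manual review, not as malware.
            reasons.extend("decoder-call:" + c for c in sorted(calls))
    return reasons


def scan_tree(root):
    """Map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = classify_file(path)
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


# Constructed sample files: a clean PNG, a PNG-named dropper (its base64 is
# just "echo 'hi';"), a plugin that legitimately decodes an icon, a clean theme.
SAMPLE_FILES = {
    "wp-content/uploads/2015/07/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "wp-content/uploads/2015/07/image.png":
        b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
    "wp-content/plugins/icons/icons.php":
        b"<?php header('Content-Type: image/png'); echo base64_decode($icon); ?>",
    "wp-content/themes/site/header.php": b"<?php wp_head(); ?>\n<html>",
}


def build_sample_tree(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir and return scan_tree's findings."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, ", ".join(reasons))
```

Run it against a downloaded copy of the site; anything reported as eval-base64 or php-in-image deserves a look first, while a lone decoder-call is often a legitimate plugin.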

How to prevent all your WordPress sites from being hacked

  1. Install an antivirus plugin on every website
    Every website needs protection against automated hacks, viruses and malware.
  2. Make regular backups
    Preferably daily, at least weekly. Keep them for at least 4 to 8 weeks, because it sometimes takes about 3 weeks before you find out that malware has entered your website through a hack.
  3. Check the websites regularly
    Check the security plugin’s logs for suspicious file changes, login attempts and so on.
  4. Keep plugins and themes up to date
    Plugin developers regularly release updates that fix security vulnerabilities.
  5. Do not use more than 8-15 plugins per website
    Every plugin is a security risk.
  6. Keep premium plugins and themes up to date as well
    Make sure the licenses are valid. Premium plugins may be better maintained by their developers, but they are also targeted by hackers:
    hackers download nulled versions of premium plugins and can test them for security weaknesses for free.
  7. Put each website on its own hosting package or user account
    We regularly see multiple websites in one hosting package. The risk is that all sites are hacked as soon as the FTP or database credentials leak, and, most commonly, that the malware can be placed in all of the folders.
    Prevent this with separate hosting packages, or separate users on a VPS. That limits the write permissions, and the sites cannot pass malware to each other.


Finding a hack in the uploads folders of WordPress

The chance is high that during your search for a hack or malware on your website, you didn’t even think about the uploads folders.
But did you know that this is one of the most commonly used places for hacks?

The uploads folders are writable

The uploads folders are writable, and it’s a good hiding place.
Both plugins, the theme, and WordPress itself have permissions to place files there.

Finding a hack in the uploads folder from 2015

How quickly would you find a hack that sits in the folder 2015/07?! You wouldn’t expect it there, because that is where the uploads from 2015 are, right?!

Resetting the upload date

The trick they use is resetting the upload date.
Scripts can manipulate that date to make you think the files have been there for years.
That means they upload the hack or backdoor this week or this month, but manipulate the file’s modification date so that you won’t discover it easily.

They make it look like the file has been there for years!
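
The backdating trick leaves a trace that a script can look for: a program can set a file’s modification time to any date, but on Linux the inode change time (ctime) is set by the kernel and cannot be backdated without root. The following is an added example, not code from the article; it assumes a Linux/Unix file system where st_ctime is the inode change time (on Windows it is the creation time), and the uploads tree it checks is constructed inline.

```python
"""Find files whose claimed modification date is far older than their ctime."""
import os
import tempfile
import time

# Slack for honest edits: a file edited and then chmod'ed a few days
# later should not be reported.
BACKDATE_TOLERANCE = 7 * 24 * 3600  # seconds


def backdated_files(root, tolerance=BACKDATE_TOLERANCE):
    """Return (relpath, mtime, ctime) for files whose ctime is much newer than mtime.

    utime()/touch can set mtime to any date, but the kernel updates ctime
    itself whenever content or metadata changes (the utime call included),
    so a freshly uploaded, backdated file shows a gap of months or years.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_ctime - st.st_mtime > tolerance:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, int(st.st_mtime), int(st.st_ctime)))
    return sorted(hits)


def demo():
    """Constructed uploads tree: one photo written now, one backdated dropper."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month_dir = os.path.join(root, "2015", "07")
    os.makedirs(month_dir)
    # Written now: mtime and ctime agree (a real 2015 upload would have
    # both dates in 2015 and agree just the same).
    with open(os.path.join(month_dir, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff" + b"\x00" * 16)
    dropper = os.path.join(month_dir, "cache.php")
    with open(dropper, "wb") as fh:
        fh.write(b"<?php /* constructed sample, does nothing */ ?>")
    # The trick from the article: claim the file was last written in July 2015.
    july_2015 = time.mktime((2015, 7, 14, 12, 0, 0, 0, 0, -1))
    os.utime(dropper, (july_2015, july_2015))
    return [rel for rel, _, _ in backdated_files(root)]


if __name__ == "__main__":
    print(demo())
```

One caveat: after a restore or migration that preserves timestamps (rsync -a, tar -p) every file shows this gap, so compare the reported ctime against the date of your last migration before treating a hit as a hack.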

Okay, all these tricks from hackers and their scripts are annoying, but with this knowledge in mind the question remains:

How can I find a hack, malware, or backdoor in the uploads folders?

Search for PHP files
A hack file usually has a job to do, and it can only do that if it is a PHP file.
So open an FTP program like FileZilla and press F3, which opens the search window. Then search the uploads folders for files whose name or extension contains “php”.

Is a PHP file all you should look for?
No, unfortunately. Hackers also know that you and the scanners search for PHP files, and security plugins know the trick too and restrict PHP execution in the uploads folders.
So what hackers do is upload a file with a name like server-att.php.jpeg.

What does the scanner think? It thinks it’s a JPEG file, because that’s the last part of the extension.
Meanwhile, another script still loads this file as PHP and executes the hack.

ICO files and JPEGs with a PHP extension somewhere in the name also require attention.
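
The FileZilla search above can be automated on the server: list every file under the uploads folder that has a PHP extension anywhere in its name (server-att.php.jpeg as well as cache.jpeg.php), and make sure the folder refuses to execute PHP at all, which is the restriction the security plugins mentioned above apply. This is an added example, not the article’s or any plugin’s code; the deny rule assumes an Apache host that honours .htaccess (nginx needs an equivalent location rule in its server config), and the uploads tree is constructed inline.

```python
"""List PHP-named files under wp-content/uploads and block PHP execution there."""
import os
import tempfile

PHP_EXTS = {"php", "phtml", "phar", "php5", "php7"}

# Apache 2.4 rule. The (\.|$) after the extension is what also catches the
# double-extension trick (x.php.jpeg), not just names ending in .php.
UPLOADS_HTACCESS = """# Deny direct requests for PHP files in the uploads folder
<FilesMatch "\\.(php|phtml|phar|php[0-9])(\\.|$)">
  Require all denied
</FilesMatch>
"""


def php_named(name):
    """True if any dot-separated part after the base name is a PHP extension."""
    parts = name.lower().split(".")[1:]
    return any(p in PHP_EXTS for p in parts)


def find_php_named_files(uploads_root):
    """Paths (relative to uploads_root) of files that look like PHP by name."""
    hits = []
    for dirpath, _, names in os.walk(uploads_root):
        for name in names:
            if php_named(name):
                rel = os.path.relpath(os.path.join(dirpath, name), uploads_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def ensure_uploads_htaccess(uploads_root):
    """Write the deny rule if no .htaccess exists yet; True if it was written."""
    path = os.path.join(uploads_root, ".htaccess")
    if os.path.exists(path):
        return False  # never overwrite a rule file the site already has
    with open(path, "w") as fh:
        fh.write(UPLOADS_HTACCESS)
    return True


def demo():
    """Constructed uploads tree with two disguised PHP files among real media."""
    root = tempfile.mkdtemp(prefix="uploads-")
    for rel in ["2015/07/holiday.jpeg", "2015/07/server-att.php.jpeg",
                "2023/01/favicon.ico", "2023/01/cache.jpeg.php",
                "2024/03/readme.txt"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    hits = find_php_named_files(root)
    return hits, ensure_uploads_htaccess(root), ensure_uploads_htaccess(root)


if __name__ == "__main__":
    print(demo())
```

The deny rule only stops direct requests; a file that another script includes still runs, which is why the listing remains necessary even after the rule is in place.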

External scanning

It may be necessary to scan the files for Trojans, malware, and backdoors.
As you just read, advanced hacks are hidden.

Download your uploads folders to your PC/Mac and run them through your antivirus scanner.
You can also upload the files to virustotal.com.
This website checks the files against a large database of antivirus software, increasing the chances of detecting a hack file.

Note: The virustotal website does not accept gigabytes of information, so you’ll need to compress and/or split the files to scan them.

Found a hack in the uploads folder, what now?

Once you’ve discovered it, simply delete it. Then check if the rest of your website is not infected because such a hack file usually serves a purpose and doesn’t stand alone.

But

I don’t have time, it’s complicated

If you’re too busy or find it too complicated, I understand. It’s a specialized field.
You can also leave this work to us.

We remove hacks, secure WordPress websites, and ensure that YOU have no worries.

Take advantage of our service or contact us for any questions!


Link spam – what is it?

Link spam, you may have never heard of it, and that’s a good thing! It’s a technique that hackers and online criminals use to make money at the expense of a website’s reputation.

How does it work?

A hacker, or in most cases, a script, discovers that you are using an outdated or risky plugin on your WordPress website that allows them to manipulate the database.

When this vulnerability exists, a hacker or script will execute a payload.

In simple terms, the hacker injects a series of links and articles into your database.

Within seconds, your website will no longer display the desired pages and information that you carefully created, but instead show the information that the hacker wants to display.

Google will index this information, and from that point on, your website will be used as a reference for products that I don’t even want to mention.

The hacker earns money by selling those products.

Meanwhile, the reputation of your website on Google is being destroyed.

Sooner or later, your website will be flagged as 18+ content or spam.

[Image: example links in Google]

Preventing link spam

  1. Keep your website up to date.
  2. Install and configure a security plugin.
  3. Regularly check the status of your website on Google.

I understand that you may not have time for all of this.

Good news! I do this full-time for WordPress websites.
Monitoring reputation, checking for hacks, keeping everything up to date, and implementing preventive security measures.

Let me proactively secure your website and prevent trouble!


This is how to recognize a virus file!

For me as a WordPress specialist, it’s easy to see which files don’t belong on the server. But there are also several ways you can recognize a virus file or a spam file!

This is how you recognize a virus file

  • The file has a different modification date on the server.
    All files carry the modification date from when you installed WordPress, but the virus file has a more recent date.
  • The file contains code that is unreadable, all numbers and letters mixed together.
    The file is often encoded; all you can read is an eval followed by base64, after which the numbers and letters come. The server executes this strange code like regular PHP, but unlike regular PHP it is not readable to humans.
  • The file has a strange name.
    Because the file must not be recognizable to the server’s virus scanner, the name is generated, so you get random letters and numbers as the file name.
  • The file is often located in the httpdocs/root of the website.
    Because directories change quite often, hacking scripts often target the root directory of your website. But there is also a fair chance that there are multiple files; think of the wp-includes folder and the uploads folder.
  • The file is 9 times out of 10 a .php file.
    PHP files can execute scripts, which is why the files are usually PHP and only very occasionally HTML.

These are some ways to recognize files that a script has put on your server. However, if your WordPress is vulnerable, they can also inject lines of code into your existing files, which are harder to detect.

They often put the lines of code in the index.php, the header.php or in the WordPress core files.

Beware! Once you have removed the files, the problem is not solved. After that, it is important that you secure WordPress and make sure there is no more code in your website. This is because if there is a so-called backdoor in your website, they can still place files on your server through that route. And yes, this unfortunately happens often.

Remove malware from server – here’s where to look!

Hackers, or rather automated hackbots and scripts, do everything they can to hide their malware well on the server: between your WordPress core files, in the uploads folders, or among the plugins. There is some strategy behind where malware is placed, and there are specific folders where hackers usually hide it.

In which folders can you often find Malware in a hack?

Look in the folder above public_html
The folder where your website resides is usually called public_html, www or httpdocs.
Above (or in front of) that folder are other server folders, and with a bit of bad luck a hacker or script gained access to those upper folders and hid the malware there.
PS: keep in mind that you sometimes can’t even reach those upper folders with a standard FTP program and a standard FTP account.

Look in the uploads folders
Many plugins have write permissions and access to uploads folders that are freely writable.
Therefore, all it takes is a small modification to a leaky plugin to store unwanted files.
With an extensive directory structure spanning years and months, there are plenty of places to hide malware!

Look in the WordPress base folders
WordPress itself is also where hackers often put files, think of the wp-includes and the wp-admin folder.

Look in plugins & theme folders
Many websites have between 7 and 30+ plugins, enough space to place a few unsavory files!



Why do hackers and hackbots prefer the folder above public_html and the uploads folders? Because neither the folder above public_html nor the uploads folders get overwritten by updates, which allows the malware to stay there longer.

Sneaky, huh?

Besides the best hiding places, various hiding strategies are used as well. Hackers and bots have strategies to keep the malware in your website for as long as possible.

Strategies for placing malware

Strategy 1: the script puts the malware in every folder!
Once a hack has penetrated your server, in 20% of cases it goes on to hide malware in EVERY FOLDER, hoping that you will miss one when you try to remove the hack. The chance that you find the malware, or that the server discovers it, is higher, but still: try NOT to overlook a single folder when deleting it!

Strategy 2: the script only puts the malware 3 folders deep

It is easy for a script to place malware only in folders that have 3 levels of parent folders above them. This way the malware is placed as far OUT OF SIGHT as possible.

Strategy 3: the script puts the malware IN an existing file

These are the worst! Here the malware is placed IN an existing file. You will then have to look very specifically for a single line of code: a needle in a haystack if you don’t know how to search!

Okay, you now have an idea WHERE to look for malware. Now, of course, you are asking yourself: how do I recognize a virus file, malware file or hack among dozens of legitimate, necessary files?

You can read about that in the following article: “How to recognize a virus file”.


What is an SQL injection in WordPress?

An SQL injection targets the WordPress database: data is added, modified or simply retrieved by hackers. What is the danger of an SQL injection? How does a hacker earn money from an SQL database injection? And what can you do against an SQL injection? You can read about it in this article!

What is the danger of an SQL injection?

  1. An SQL injection allows a hacker to add data to the database
    The hacker injects a new WordPress user, an administrator.
    This allows him to log into your website’s backend and do anything he wants.
  2. Through an SQL injection a hacker can modify information in your database
    The hacker can thus modify the existing administrator accounts, the password is changed and thus the hacker can simply log into the back-end of WordPress.
  3. A hacker can delete information from your database
    This may not be the biggest problem of the 3. In fact, it is rare because there is nothing to gain for the hacker. But if you lose your posts and pages … and you don’t have a backup … you still have a huge problem!
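
The first two dangers above (an injected administrator, a changed admin password) are things you can check for directly in the database. The following is an added example, not code from the article. The SQL is what you would run against the live MySQL database (the default wp_ table prefix is assumed; role assignments live in wp_usermeta as a PHP-serialized array, hence the LIKE); here it runs on an in-memory SQLite copy with constructed rows so the check is reproducible offline.

```python
"""Audit wp_users for injected administrators and changed password hashes."""
import sqlite3

ADMIN_AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC
"""


def find_unexpected_admins(conn, known_logins):
    """Return admin rows whose login is not in the owner's list of known admins."""
    return [row for row in conn.execute(ADMIN_AUDIT_SQL) if row[1] not in known_logins]


def password_changes(conn, baseline_hashes):
    """Return logins whose stored hash differs from a snapshot taken earlier.

    Keep the snapshot (login -> user_pass) outside the website, e.g. with the
    backups; a hash that changed without the owner changing it is danger 2.
    """
    changed = []
    for login, user_pass in conn.execute("SELECT user_login, user_pass FROM wp_users"):
        if login in baseline_hashes and baseline_hashes[login] != user_pass:
            changed.append(login)
    return sorted(changed)


def build_sample_db():
    """Constructed rows: a genuine owner, an editor, and an injected admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner',    '$P$Bhash-owner-constructed',
                                     'owner@example.com', '2019-03-02 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor1',  '$P$Bhash-editor-constructed',
                                     'ed@example.com',    '2020-05-11 09:12:00');
        INSERT INTO wp_users VALUES (3, 'wp_adm1n', '$P$Bhash-rogue-constructed',
                                     'x@example.net',     '2024-06-01 03:14:07');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def demo():
    """Run both checks against the constructed database."""
    conn = build_sample_db()
    rogue = [row[1] for row in find_unexpected_admins(conn, {"owner"})]
    # Snapshot taken before the incident: the editor's hash has since changed.
    baseline = {"owner": "$P$Bhash-owner-constructed",
                "editor1": "$P$Bhash-editor-snapshot"}
    return rogue, password_changes(conn, baseline)


if __name__ == "__main__":
    print(demo())
```

Compare the list of administrators against the people who should have that role; an account you do not recognize is the injected user from danger 1.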

How does a hacker earn from an SQL Database injection?

When you know why a hacker does this, you understand that the risk of an SQL injection is something you absolutely must avoid.

Here we discuss some types of websites and the injections that commonly hit them:

  1. Suppose you have a web shop
    Then an SQL injection can change your payment details TO THOSE OF THE HACKER!
    The consequences:
    > Malware enters the website that you have to remove (or have removed).
    > The customer has paid, so you have to deliver your product or service.
    > You don’t get paid a dime.
    > The scumbag (the hacker) gets the money deposited into his account.
  2. Suppose you have a small business website
    Small business owners are often not aware of the danger, and also underestimate what it costs when the website sends visitors on to another unsavory website.
    The consequences:
    > Malware gets into the website that you have to remove (or have removed).
    > The hacker redirects visitors with a redirect script.
    > You lose your visitors, who can no longer buy services from you. Visitors have no idea why your website disappeared from their screen.
    > Visitors no longer return to your website.
    > The hacker has a website, web shop or SEO client where all the visitors end up.
  3. In the case of a large corporate website
    It took a lot of time to build a business with a good reputation, and there are a lot of visitors. An advertising (SQL database) injection unfortunately changes that.
    The consequences:
    > Malware enters the website that you have to remove (or have removed).
    > Visitors see advertisements or are redirected.
    > You have lost your new potential customer.
    > Established customers notice that you don’t have your “online business” in order.
    > Your reputation (ranking) in Google goes down, resulting in fewer visitors.

The risk calculator!

I haven’t included this in the previous 300+ articles, but to add nuance and put the risks in perspective, here is THE RISK CALCULATOR.

You have:

  • 5 plugins – Don’t worry, but keep them up to date, and WordPress too of course!
  • 10 plugins – Pay close attention to which ones you use (wpscan.com).
  • 15 plugins – No problem yet; watch wpscan.com, update them, and delete plugins that their developers no longer maintain.
  • 20 plugins – I hope you have a web shop? For an informational website, keep the number as low as possible. Keep plugins up to date and check wpscan.com monthly to see if they are still safe.
  • 25 plugins – Get someone to maintain your website. At 25 plugins and more you run a lot of risk. Reduce the number, or hire a security person who checks everything for you, updates, checks your website’s status in Google and scans your website regularly.
  • 30 plugins and more – It can be done, but get someone to maintain your website intensively!

What can you do against an SQL database injection?

  • BACKUP – Make sure you have daily, weekly or at MINIMUM monthly backups.
  • SCAN – It is always recommended to scan your website monthly with the Sucuri malware scanner and IsItHacked.
  • EXPERT – You are going to forget to scan, so hire someone who does it 7 days a week (WPProtect, or another).
  • INSTALL A SECURITY PLUGIN – Not 2, no. Just 1. Think WordFence, iThemes or Sucuri, and configure it properly for your website.
