Where hackers hide their code

Hackers have their favorite spots to place their malicious code, and being aware of these common locations can help you identify and remove hacks from your WordPress website.

A Hack in the header.php

The header.php file in your theme is loaded first on every page and contains the <head> section where JavaScript can be loaded without drawing too much attention.

How to recognize a hack in the header.php?
To identify a hack in the header.php, you should know which JavaScript files should be loaded, both from your theme and plugins. Any additional or suspicious code, especially if it appears as Base64-encoded, should raise concern. Taking a backup and then removing the suspicious code is the first step to resolve this.

A Hack in the uploads directory

The uploads directory is often targeted by hackers since it is writable, making it convenient for them to spread their files. Hackers may use folders named after years (e.g., 2011, 2012, 2013, 2014) to hide their files.

How to find hack files in the uploads directory?
There should be no PHP files in the uploads directory. You can perform a simple search on the server for PHP files to identify and remove any suspicious files.

A Hack in the WordPress Core

If you notice hack files in the wp-admin, wp-includes directories, or other core files, it is best to re-upload a clean version of WordPress. The root (www or httpdocs) is also susceptible to hacks, as it is the base directory for all your files. Comparing your files with a clean WordPress installation can help identify any unwanted files.

Always upload the latest version of WordPress, but be sure not to overwrite the wp-config.php file and the wp-content directory (remember to create a backup first!).

A Vulnerable Plugin

Plugins are often the weak point for WordPress. Some plugins may write files to the directories mentioned above, making them a security risk.

Always ensure that your plugins come from the WordPress library or are officially purchased. Avoid using illegally downloaded plugins, as they may contain backdoors.

Prevent a Time-Consuming Search!

If your WordPress website gets hacked, experienced WordPress experts may spend 1-2 hours searching, digging, and reading to find and remove hacks and backdoors.

To prevent this, consider using Ithemes Security PRO, which can help you track when and where files are modified or uploaded. It provides information on the file name, date, and time of changes. Furthermore, Ithemes Security PRO sends you an email notification whenever files are modified, allowing you to take prompt action if necessary.

A useful feature of Sucuri

Sucuri Security offers a WordPress plugin that you can find in the WordPress plugin library under the name Sucuri Security. While it may not be an all-in-one solution against hacks and has some limitations, it does have one very useful feature that can save you a lot of time, especially if you have many plugins installed.

The Plugin Reinstaller

If your website uses 20-30 plugins (which is, of course, too many and poses a significant security risk), it can become a cumbersome task to remove each plugin, download a clean installation, and then upload it back to the plugins directory, especially when there are hacker files present.

Sucuri has a feature for this scenario where you can select all plugins at once and have them removed and reinstalled with a clean version in one go! This saves you a lot of time and effort.

You can find this feature under “Post Hack > Reset plugins.”


You might be wondering if you can simply update a plugin instead. While updating a plugin does modify some files, it won’t remove any hack files that may be present.

In summary, download the Sucuri plugin and use the reset plugins function!

And then?

After using the Sucuri plugin to reset your plugins, it’s a good idea to install a robust security plugin like Ithemes Security PRO to enhance the security of your WordPress website.

My WordPress website is showing an error?

If there is something wrong with the code, the database, or the hosting, you may encounter an error.

For many people these errors are hard to understand, but as WordPress security experts we encounter them regularly on hacked websites.

Not every error is caused by a hack, so to find the right solution, it’s important to understand what the error means.

The 404 error

The 404 error is the most common and occurs when a page cannot be found.

Your website may still be accessible since a 404 page is usually displayed within your website’s layout, but the page either no longer exists or the URL was mistyped.

The 500 error

The 500 error usually indicates an issue with the server. It could mean that the server is temporarily offline or needs to be restarted. In such cases, your website will not be accessible until the hosting provider resolves the problem.

Error establishing a database connection

You’ll see this error when the database is unreachable. It can occur due to incorrect database credentials, but it may also be caused by hosting issues preventing the database from loading.

A white screen without an error message

In some cases, you may encounter a blank white screen. WordPress sometimes suppresses errors for security reasons since displaying errors could provide information to hackers.

To debug this, you can set the debug_mode to “true” in the wp-config file of your WordPress website.

WPbeveiligen can help you solve the problem

We have the knowledge and experience to resolve most errors. You can contact us on a no-cure-no-pay basis for error resolution.

The cost of fixing an error usually ranges between €40-€60 excluding VAT, as it typically takes no longer than an hour to resolve the issue.

Remove hack files from WordPress

You can tell from the names of hack files that they were written by programmers: about 50% of hack files follow a logical naming structure that a programmer would choose.

Some of the most common hack files:

  • test.php
  • cache.php
  • files.php
  • options.php
  • view.php
  • diff.php
  • start.php
  • plugin.php

Note: These files can also exist in WordPress, so don’t remove them solely based on their names.

How do you identify if it’s a hack file?

In about 90% of the cases, the file contains a messy jumble of code: Base64-encoded code without any logic or formatting.


Where can you find these hack files on your site?

They can be found in any directory. Although the “uploads” directory is a favorite target because it’s often writable, a hacker/hackbot can place files throughout your entire website.

If you want to systematically remove the files:

First, make a backup!

You can divide your WordPress website into 5 parts:

  1. WordPress core (try to refresh it completely)
  2. The plugins directory
  3. The themes directory
  4. The uploads directory
  5. The container directories

The plugins directory

This directory should only have an index.php file and the plugins. Refresh the plugins wherever possible, or check the modification dates to find the hack files.

The themes directory

This directory should also have an index.php file and one theme. Remove the themes that you don’t use!

The uploads directory

There should be NO PHP files in this directory. You can remove any PHP file.

The container directories

The “wp-content” directory usually contains only an index.php file and the directories mentioned above (2, 3, 4).

The “languages” directory should only contain language files and no PHP files.

The “upgrade” directory is used only for temporary upgrade files and is usually empty.
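The comparison against a clean WordPress copy recommended in the core section, together with the directory rules above (no PHP in uploads or languages), can be scripted. This Python script is an added example, not code from the original article: the clean manifest and the sample site it scans are constructed stand-ins, and a real manifest should be built from a fresh download of the same WordPress version.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a clean WordPress download: relative path -> file bytes.
# In practice build this from a fresh copy of the same WordPress version, as the
# article advises, rather than typing it by hand.
CLEAN_FILES = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-content/index.php": b"<?php // Silence is golden.\n",
    "wp-content/plugins/index.php": b"<?php // Silence is golden.\n",
}
CLEAN_MANIFEST = {p: hashlib.sha256(b).hexdigest() for p, b in CLEAN_FILES.items()}

# Site-specific content that no clean download can vouch for; only the rule
# "no PHP here" applies to it (uploads and languages must hold no PHP).
USER_CONTENT_DIRS = ("wp-content/uploads/",)
NO_PHP_DIRS = ("wp-content/uploads/", "wp-content/languages/")

def audit_tree(root, manifest):
    """Compare every file under root with the manifest and apply the directory rules."""
    findings = {"modified": [], "extra": [], "missing": [], "php_in_forbidden_dir": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.lower().endswith(".php") and rel.startswith(NO_PHP_DIRS):
                findings["php_in_forbidden_dir"].append(rel)
            if rel.startswith(USER_CONTENT_DIRS):
                continue  # not part of any clean download; nothing to diff against
            seen.add(rel)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if rel not in manifest:
                findings["extra"].append(rel)       # file the clean copy does not have
            elif manifest[rel] != digest:
                findings["modified"].append(rel)    # known file with changed content
    findings["missing"] = list(set(manifest) - seen)
    return {kind: sorted(paths) for kind, paths in findings.items()}

def build_demo_site():
    """Write a constructed site: clean files, one injected core file, two dropped files."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    site_files = dict(CLEAN_FILES)
    site_files["wp-content/uploads/2023/photo.jpg"] = b"\xff\xd8\xff constructed jpeg"
    site_files["wp-content/uploads/2023/cache.php"] = b"<?php /* constructed marker */\n"
    site_files["wp-content/start.php"] = b"<?php /* constructed marker */\n"
    # Extra line appended to a core file (injections sit above or below the original code).
    site_files["index.php"] += b"<?php /* constructed marker */\n"
    for rel, body in site_files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for kind, paths in audit_tree(build_demo_site(), CLEAN_MANIFEST).items():
        print(f"{kind}: {paths}")
```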

In conclusion

Removing all the hack files is a significant task and requires considerable knowledge.

And that’s not even considering the lines of hack code that are injected into your existing files. You can find these by checking the modification dates, and this code is often placed above or below the original code.

The more you know, the easier it is to remove hack files.

Good luck!

The invisible iFrame hack

The “Invisible iFrame Hack” is one of the most effective hacks known.

Why is the iFrame hack so effective?

The iFrame spans across the entire browser width and height. So, wherever a visitor clicks, they will be redirected to the hacker’s advertising campaign.

But wait, there’s more…

The iFrame is controlled by a cookie and is displayed only once per visitor. Anyone scanning the site, including you or security staff, sees it only once, which creates the illusion that the problem was temporary or has already been resolved.

Most people will simply think they might have clicked incorrectly and will hopefully return to your website.

The impact of the hack

Some visitors, maybe 1 out of 1000, might mistakenly believe they are in the right place and end up purchasing a service or product from the website where they weren’t supposed to be. This is exactly what the hacker, the creator of the script, aims for.

A small piece of code in a JS file

A JavaScript file (JS file) is supplemented with a piece of code that places an iFrame over your entire website. Despite your efforts, you might not find it easily as it’s just a small piece of code added to an existing file that belongs to the site.

When decoded by Sucuri, it looks like this (the original post shows a screenshot of the decoded click code here).

An effective method to remove the hack

You could search through your JS files, but the best approach is to replace all JS files with new clean ones that you download from the official WordPress website or your theme provider.

Preventing an iFrame hack

Of course, you don’t want the hack to reappear in your WordPress website a week later. To prevent this, update all your plugins, theme, and WordPress to their latest versions.

Additionally, use a reliable WordPress security plugin to enhance your website’s protection.

Hacked content detected, now what?

If you receive a message from Google stating that hacked content has been detected on your WordPress site, that can indeed be very annoying. Here are some answers to the questions you may have:

How did the website suddenly get hacked?

One of the most common causes of a hacked website is a vulnerable plugin or theme. In about 15% of cases WordPress itself is the culprit, but that usually only happens if you have not updated WordPress for longer than 1-3 years. Hackers test plugins to find vulnerabilities that let them break into WordPress websites. As soon as they find a leak, they spread a script across the internet that searches for all websites running that specific plugin, after which they carry out their injection. This injection can consist of malicious code that lets them advertise through your website, which Google often classifies as unwanted advertising or phishing.

What can I do to restore the website after hacked content has been detected?

The easiest and most reliable way to restore and secure your website is to hire a specialised company such as WPbeveiligen. They have experience in restoring and securing WordPress websites and can make your site safe again. If you engage WPbeveiligen, you often also get guarantees on the restoration process, which gives extra peace of mind.

If, however, you want to restore your WordPress website yourself, here are some basic steps:

1. Use Sucuri's free scanner to find out where the hacked files are located.
2. Make a full backup of your website, including all files and the database.
3. Remove the hacked files and malicious code. Note that this code is often encoded to avoid detection.
4. Update all plugins, WordPress itself and, where possible, the theme to the latest versions.
5. Secure your WordPress website with a good antivirus plugin made specifically for WordPress.

Keep in mind that restoring a hacked website can be a complex process and that more steps may be needed than described above. It is always wise to call in an expert if you are not sure what you are doing.

How do I prevent Google's notice that hacked content has been detected?

To prevent Google from detecting hacked content on your website, you can take the following measures:

1. Use a good antivirus plugin made specifically for WordPress to detect and block potential threats.
2. Remove unused plugins and themes from your server.
3. Keep the number of installed plugins to a minimum and keep them up to date.
4. Regular updates of WordPress, plugins and themes are essential. Always make a backup before running updates.
5. Check that your hosting provider has good security measures in place to stop attacks and to keep the data of different websites separated. This is especially important in shared hosting environments.

By being proactive and following good security practices, you can considerably reduce the chance of a hacked website.

Backing up WordPress!

A backup of your WordPress website is crucial, as a lot of time and money goes into creating a good website! Think about writing content, finding the right plugins, and sourcing beautiful images.

A reliable backup is your savior in case anything happens to your website. The WordPress database in particular, where all your posts and pages are stored, must not be lost.

It’s important to have a complete backup of all the data on your server and the database containing all the information.

You can download Updraftplus Premium or Free here.

Making a complete backup with just one click

We have tested several free plugins, and one of the best free plugins we have come across is Updraftplus. This plugin allows you to create a backup of all your data, including the database!


Restoring a backup

Having a backup is important, but it gets even better: Updraftplus also allows you to restore your plugins, themes, and more from the backup!


This is useful when your website gets hacked, when you accidentally delete a plugin, or when an update of a plugin causes issues with your website. This happens quite often!

More advantages of Updraftplus

Updraftplus offers many features in its free version, including:

  • Restoring only plugins and themes
  • Writing the backup to another server
  • Automating backups based on hours, days, or weeks
  • Translated into Dutch
  • Calculating the size of plugins, themes, etc.

Cloud services

If you want to use Dropbox or another cloud service, they even offer premium add-ons to further expand the functionality of the plugin.

Restoring WordPress after a failed update

If a WordPress update fails and certain plugins stop working, you can follow these steps to restore your WordPress site:

Restoring WordPress after a failed update – 4 steps!

  1. First, create a backup of your current state (before anything else goes wrong!)
  2. Download an older release of WordPress (the last version that was working properly)
  3. Start an FTP program that allows you to view and edit your site’s data
  4. Delete the current WordPress installation, and manually upload the older version of WordPress (see the image above for reference)

Please note that restoring an older version of WordPress should be done with caution, and it’s always best to have a backup of your site before attempting any major changes.

Recognizing a WordPress virus

A WordPress virus is not a familiar term to most people. However, this term is used to refer to unwanted files on the server.

Definition of the word virus: an infection; in the computer world, a self-replicating program, here referring to unwanted files within a system.

In other words, you have an “infection,” and there are files on your server that do not belong there. You are dealing with a virus as these files will spread once they find their way onto the server.

To determine if your server/website is infected with a WordPress virus, it is important to distinguish between the three types of files.

Explanation of Different Files on the Server

  1. Regular WordPress files that belong there.
  2. Regular files that are infected/injected with malicious code.
  3. New files created by the virus, or the files that started the infection.

How to Recognize Virus Files on the Server

Note: You will need FTP access to the server using an external FTP program.

  1. Virus files are often created later and have modified or created dates that differ from all other files.
  2. These files are often encoded with Base64 and eval to avoid detection by the server.
  3. The names of the files differ from the original WordPress files (e.g., Core.php, deleteme.php, test.php, inc.php).
  4. The code supporting the virus is all concatenated together without proper formatting.
  5. A good server antivirus labels them as suspected.php.
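The five signs above, together with the Base64 jumble described earlier under "How do you identify if it's a hack file?", can be turned into a scoring check that runs over the files of one directory. This Python example is added here and is not from the original article; the sample directory, the 500-character line threshold and the 30-day modification-time threshold are constructed assumptions.

```python
import base64
import re
import statistics

# File names the article lists as typical for dropped files. A name match is only a hint,
# because the same names also occur legitimately in WordPress and plugins.
SUSPECT_NAMES = {"test.php", "cache.php", "files.php", "options.php", "view.php",
                 "diff.php", "start.php", "plugin.php", "core.php", "deleteme.php", "inc.php"}
# eval() fed (directly or through a decoder) from base64_decode(), and long base64 runs.
# Long runs also occur in legitimate minified assets, so treat them as one signal of several.
EVAL_B64 = re.compile(r"eval\s*\([^;]{0,60}base64_decode\s*\(", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
DAY = 86400
MTIME_OUTLIER_DAYS = 30   # assumed threshold; tune to how often the site is updated
MAX_LINE_LENGTH = 500     # assumed threshold for "code without formatting"

def score_file(name, content, mtime, sibling_mtimes):
    """Apply the five signs to one file; returns (score, reasons)."""
    reasons = []
    if name.lower() in SUSPECT_NAMES:
        reasons.append("name is on the common hack-file list")
    if EVAL_B64.search(content):
        reasons.append("eval() wrapped around base64_decode()")
    if B64_RUN.search(content):
        reasons.append("long base64 run")
    longest = max(len(line) for line in content.splitlines() or [""])
    if longest > MAX_LINE_LENGTH:
        reasons.append("no formatting: a %d-character line" % longest)
    if sibling_mtimes and abs(mtime - statistics.median(sibling_mtimes)) > MTIME_OUTLIER_DAYS * DAY:
        reasons.append("modification time differs from the rest of the directory")
    return len(reasons), reasons

def scan_directory(files):
    """files: {name: (content, mtime)} for one directory. Returns {name: (score, reasons)}."""
    mtimes = [mtime for _content, mtime in files.values()]
    return {name: score_file(name, content, mtime, mtimes)
            for name, (content, mtime) in files.items()}

# Constructed sample directory: three plugin files from one release and one dropped file
# whose body is a harmless echo, encoded the way the article describes.
RELEASE = 1_700_000_000
HARMLESS = b"<?php echo 'constructed sample, not a payload'; ?>" * 8
SAMPLE_DIR = {
    "index.php": ("<?php // Silence is golden.\n", RELEASE),
    "admin.php": ("<?php\nfunction demo_admin_menu() {\n    return 'ok';\n}\n", RELEASE),
    "helpers.php": ("<?php\nfunction demo_helper($x) {\n    return $x;\n}\n", RELEASE),
    "cache.php": ('<?php eval(base64_decode("%s"));' % base64.b64encode(HARMLESS).decode(),
                  RELEASE + 200 * DAY),
}

if __name__ == "__main__":
    for name, (score, reasons) in scan_directory(SAMPLE_DIR).items():
        print(name, score, reasons)
```

Files scoring two or more signs deserve a manual look; a single hit (a name match alone, say) is too weak to act on.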

Preventing a WordPress Virus from Infecting Your Server

As the old saying goes, prevention is better than cure, and this is certainly applicable in this case.

There are two factors to consider:

  • The hosting provider responsible for updates (Note: with a VPS, you need to do this yourself).
  • The antivirus you use for WordPress.

The hosting provider will always hold you responsible for what happens to your WordPress website and how it affects the server. Therefore, ensure your WordPress is up-to-date and secure.

If You Already Have a WordPress Virus

If you are reading this article because there is already a virus on your WordPress (and hence on the server), you can use the five points described above to make the server virus-free. However, this is not easy and requires a lot of knowledge of code, WordPress, server files, and file permissions.

WPbeveiligen works full-time to secure WordPress websites and, when it’s already too late, restore them.

Here’s how to fix a WordPress error

An ERROR! Just when you were busy working on your website, suddenly an error appears on the screen. What now?!

Here, you’ll find everything about errors and how to resolve them!

Click on the error you are currently experiencing:

Fixing an Error

To get started, you need access to the files and a program to edit the code:

You can access the server using Filezilla (Or a file editor in DirectAdmin/Cpanel).
You can edit files using Notepad++.

Error 404

What is Error 404: Error 404 indicates that the page is not available. Many themes have a nice 404 page that matches the website’s style, but if you don’t have that, you’ll see a blank page with a 404 error.

Where is the problem: You may have accessed a page that is not available or whose URL has changed, or the permalink structure in your .htaccess file is incorrect.

How to fix the problem: Make sure you have accessed the correct page. If you are sure that you are using the correct URL to access the page that is still visible/editable in your admin, you can reset the permalink. Go to your admin > settings > permalinks, then choose Default/Post name and save the setting.

Error 500

What is Error 500: Error 500 is usually seen when the server is offline.

Where is the problem: This problem can be caused by the hosting (the server) or by a code error.

Determining the cause: To determine if your website is completely offline, you can access the server with the FTP details. If it is still reachable, the server is still working. You can sometimes test this by accessing yourwebsite.com/license.txt (change “yourwebsite” to your own URL). If that file is still visible, the problem is with the code, not the server.

How to fix the problem: If your server is unreachable, send a message to your hosting provider, and they will look into it. If the server is working but your website is not, you can deactivate plugins by moving their folders out of the plugins directory, as mentioned. Errors are often found in plugins.

The Error: Database Connection Error

What is the database connection: The database contains all the texts and settings of your website. It is often stored in a different location than the files, such as WordPress images, your theme, and plugins.

Where is the problem: The database is no longer accessible, meaning there is no “connection.”

How to fix the problem: To determine if your website is completely offline, access various addresses, such as admin, homepage, or license.txt.

If any of these addresses yield results, the server is not completely offline, and you need to specifically check whether the admin, a plugin, or theme is responsible.

If all addresses give a 500 error and this lasts for more than half an hour, contact your hosting provider to have them look into the server.

The Error: This Site is Unreachable

Why is the website unreachable: The address you entered is not linked to an address on the server, known as a DNS address.

Where is the problem: 9 out of 10 times, you have entered the wrong web address. Check carefully for any commas instead of periods and ensure you are using the correct domain extension (nl, com, net, eu).

How to fix the problem: Try googling the address. You might find the correct address in one of the search results.

The Error: White Page

Why do I see a white page: You get a white page for simple errors. WordPress is still working but hides the error to prevent hackers from exploiting it.

Where is the problem: You will only know this when you can read the error, and you can enable this function in the wp-config.php file. Look for a line with “debug mode: false”. Change it to TRUE, and the error will appear (refresh the page).

How to fix the problem: The error often shows the path to a file and the line where the code needs to be corrected.