Finding WordPress hackers through server logs

Finding WordPress hackers through server logs
datum-geschreven 19 Sep 2023

Imagine your WordPress website has been hacked, but you don’t have any security plugins running. Or worse, the hacker has disabled the security plugin.
Then you have no idea what has happened, you don’t know which files have been modified, how the hacker gained entry…

Finding Server Logs in DirectAdmin

Server logs record EVERYTHING. However, they are in raw server language without any formatting. In DirectAdmin, you can find the server logs by logging in and navigating to Your Account » Site Summary / Statistics / Logs » Full usage log.


Understanding Server Logs

A lot of information will be presented to you.
There is a specific order in which we will guide you through the logs, so you can understand them.

server logs

  1. First, you will see the IP address.
    This points to the computer/router of the potential hacker.
  2. Next, you will see the date.
    Keep in mind that the server time may differ from your local time.
  3. Then, you will see a GET or POST command.
    This is important because a hacker or script will typically execute POST commands on your server/website.
  4. After that, you will see the requested URL.
    Here, you should see regular pages and information that a visitor can request.
    If you see URLs such as XML-RPC.php and other files on the server, you can assume that it’s not a regular visitor.
  5. Finally, you will see the User Agent.
    This refers to the browser/operating system being used.

Now that you can read the server logs, you can investigate the history of your website and the actions of the hacker.
Here, we use the term “hacker,” but in 9 out of 10 cases, it refers to a script executed by the hacker or even an automated script that the hacker no longer pays attention to. They only look at the outcomes and results.

Finding the Hack(er)

A server log can easily contain 2000 lines, and you may only have the logs for the last 24 hours.
(We assume that you have discovered the hack on time or that it is a recurring hack.)

What to look for:

You will search for specific keywords, which can be done by opening the log file in your browser or using your favorite text editor.

  1. POST – As mentioned earlier, a hacker or script executes a command on your website to achieve something.
  2. XML-RPC and other PHP files – A visitor opens pages and posts, NOT PHP files.
  3. IP addresses from strange countries – If you have visitors from China, Russia, Germany, France, etc., while your website is targeted at a Dutch audience, and they access a large number of pages and/or files, it is highly suspicious. Use the IP Location finder to determine the country of origin for a user.

As a programmer, you can do this using Notepad++ or any other code editor that allows you to highlight lines directly.

Knowledge is Power, but not Victory Yet

Now that you can read the logs, have found the hacker, and know which actions they have taken, you can start undoing the consequences of the hack.

In many cases, the hacker has placed files or inserted text ads. These can be removed or reversed by restoring a backup.

But! You’re not done yet

The hacker has gained entry, whether manually or through a script, and it will happen again unless you secure your website with a WordPress Antivirus plugin.

Configure the plugin properly and follow all the necessary steps to make your WordPress site secure and hacker-proof!

And as always, back upback up, and back up some more backups!

De meeste artikelen worden geschreven door Mathieu Scholtes, de eigenaar van WPBeveiligen. Op de hoogte blijven van het laatste WordPress nieuws? WordPress tips? WordPress aanbiedingen?
Connect dan op Linked-in!

Heb je een vraag? Tip of gedachte? Deel die!

Breng me op de hoogte
0 Reacties
Inline Feedbacks
Bekijk alle reacties