WordPress help – What if your WordPress website has been hacked?

Date written: 18 Feb 2024

What are possible indications that your WordPress website is hacked?

  1. If the website loads very slowly for days/months, your WordPress website may be hacked. (Test the speed: Speedtest)
  2. If your WordPress website unexpectedly redirects you to an unknown website.
  3. When your hosting provider takes your WordPress website offline due to spamming.
  4. If your analytics show large numbers of visitors from countries like China, while the website is in Dutch.
  5. If the website no longer loads even though no modifications or updates were made.

What happens when your WordPress website is hacked?

If your WordPress website is hacked, a script has found an unsecured opening through which it can modify or place files on the server.

Since WordPress is open source, scriptwriters can look for vulnerabilities and exploit them.

These vulnerabilities can be found in plugins, themes, or WordPress files themselves.

Note! The scripts made to test WordPress websites for vulnerabilities are automated. They are written by people all over the world, with the aim of advertising their own websites or products to a large number of websites.

The snowball effect of a hack

A PHP file written to hack WordPress websites can simply be placed on a server by someone unknown and will spread itself.

It starts with one website, the snowball, and once it starts rolling and spreading to multiple websites (i.e., servers), it multiplies the reach of the hack. Ultimately, you end up with an avalanche of scripts that test and infect websites.

All these scripts send requests to the website (and thus the server), causing files to be requested so often that even a well-secured website becomes slow due to the influx of requests.

Who writes hack scripts/viruses?

The authors of the scripts can be teenagers looking to get rich quick at the expense of others, or “poor but brilliant programmers” in countries where there may be no work. They sit at home and can set up this cybercrime relatively anonymously. They may have never hacked a WordPress website of someone they know and often see it as innocent “entertainment” or a financial necessity, not considering themselves cybercriminals but rather creators of “something big” that is successful.

What can you do against these scripts/viruses if your website is hacked?

You can look for and remove them, but always make sure to create a backup of the website before deleting any files.

The files that a script has placed are often cleverly hidden, sometimes up to three directory levels deep. Think of locations such as httpdocs/wp-content/plugins/the-plugin/incl/

The names of the files often change, making it difficult for server software to recognize them. Some examples I often encounter on hacked websites:

  • Object.php
  • Incl.php
  • Article.php
  • Index.html

But they can also use randomly generated numbers or letters at the time of infection.

Then you get changing filenames like:

  • 15738.php
  • rfjrjgh.php

Because the filenames keep changing, server security software cannot add them to its database as a recognition point.

Can the server detect and remove hack files based on their content?

The server cannot differentiate between plugins that are allowed to send emails, such as Contact Form 7, and a script designed to send spam. Even if it detects a potentially dangerous function, it will not block that function from running.

Is a security plugin enough to prevent a hack?

A plugin developed to secure WordPress reduces the chances of scripts gaining access to your website.

These plugins set write permissions correctly and adjust the standard WordPress values that are most commonly used by scripts and hackers. iThemes Security PRO NL even sends you an email when files are unexpectedly modified, indicating that a script is active on the server.

Security plugins like iThemes Security PRO NL block most scripts. However, well-crafted scripts, coded by an intelligent team, can still find ways to access the server or the database.

What is the next step after removing the hack scripts from the website/server?

Removing the files only resolves the consequence; the cause, the vulnerability, still exists in the website, and your WordPress installation needs to be secured to prevent a recurrence.

You can read more tips on how to secure WordPress on my website www.wpbeveiligen.nl.

And you can choose a security package where we remove infected files, secure the website, and you can opt for 3-6-12 months of additional warranty.

Most articles are written by Mathieu Scholtes, the owner of WPBeveiligen. Want to stay up to date on the latest WordPress news, WordPress tips and WordPress offers?
Then connect on LinkedIn!
