Yep, this site.
I’d been a bit quiet here for a few months due to some other commitments going on, but I was finally getting to a point where I could start blogging again. Upon trying to log in to WordPress Admin, my username/password wouldn’t work. After a few attempts I left it for the time being to come back later, figuring my browser had an incorrect password cached or I’d forgotten something about my credentials.
A few days later, I received an email alert from my hosting provider saying malware was detected on my website, from the ImunifyAV plugin running on Plesk:
Yikes, I tried to log onto my website again unsuccessfully, but then tried the wordpress.com login option which worked – weird.
First thing I thought to do was to update my password, maybe my account had been compromised? I was still using the username ‘admin’ (yes I know), but I had a unique password in place, as well as a plugin installed called ‘Limit Attempts by BestWebSoft’ which was configured to block an IP after 5 bad attempts for 1 1/2 hours. With a unique password and that in place, I thought it was still unlikely someone worked out the unique password here.
What I did notice in WordPress after going to the users section, was that there were 4 accounts, none that I recognised and none called admin. All the usernames had been changed to try and lock me out – which it had, but they’d not bothered dropping the wordpress.com login link.
I immediately created a new admin account (not called admin) and deleted the other accounts.
Next step was to work out what had been changed or infected. If I’d been running daily backups then it’d be easy (probably), roll back until the usernames weren’t changed. I had backups, but going back too far and I didn’t want to do the rework. All I really care about here is the content anyway, and I’m cheap so I wasn’t paying for a daily backup service, or the storage costs associated with that.
Since I don’t know PHP, the next step was on Plesk to see what ImunifyAV could do – it had an option to scan and repair these files, and at this stage I’d taken a new backup so had nothing to lose and let it do its thing. After a few passes it claimed it couldn’t find anything malicious and my site was all good. I checked over a few other things and couldn’t find anything wrong, so thought I was done. I also decided to de-activate a few plugins I didn’t think I needed any more, as that was a possible and common entry point to WordPress too.
A few days later someone told me they were seeing questionable content when clicking a link going to my site. Obviously my site wasn’t repaired, so I needed to sort it out or shut it down – the last thing I want is to be serving up bad content. Just in case, I thought I’d go look at the user list again, and the usernames had been changed AGAIN. OK, it definitely wasn’t compromised credentials anymore – and sure maybe they’d put a backdoor in somewhere, but I pruned a few other WordPress add-ins and again cleaned up the accounts.
The owner of my hosting provider Expeed had suggested I try something like Wordfence as a WordPress plugin to help protect my site in the future. I found that this also had a scanning option, which I ran – and this found more malicious code within PHP files, as well as a bunch of HTML files around replica watches.
Several passes of scanning cleaned up all the PHP detections, but the HTML files weren’t getting removed.
I had a look at a few of the files out of interest, and if nothing else, it makes me feel better about the quality of the writing in my own posts here. The links were going back to different but non-reputable looking stores.
I’m guessing the idea of this attack was to purely drive purchasing traffic through to certain websites – if you wanted a replica watch, or a real life … doll, I was apparently helping you with that choice. Sorry.
Weirdly, they’d put all of the HTML files in the uploads folder for WordPress, so I manually went through and cleaned them out. That part didn’t take too long.
My site seems OK now, and I wanted to be as comfortable as I could that it was now safe before posting up this explanation, but how do you ever know if it’s fully safe? If anything else does come up I’ll either look at paying Wordfence to clean it up professionally, or just rip the content out and start with a fresh WordPress instance, and import my posts. I’m pretty sure the culprit was one of the several abandoned plugins I had – about 12 or so were active, I didn’t need half anymore and a few of those hadn’t been updated for a couple of years. Just updating plugins isn’t enough, as all plugins were patched apart from one, but that was only two weeks outdated.
The real take-aways from this are to have more frequent backups and an easy recovery process; there is no foolproof way of protecting anything online. Also, don’t feel too bad if your personal blog has been compromised – you’re the victim here. You can still do some things to protect yourself, here’s a reasonable article that lists 25 Simple WordPress Security Tricks to Keep Your Website Safe in 2021.
This really isn’t a good selling point overall for WordPress. You shouldn’t have to do this much work to protect what should be a platform to share content on.
If you want somewhere just to do simple text posts, check out GitHub Pages – but doing anything that’s not very basic will require a lot of time and effort if you’re not a developer. If you want to type and don’t mind giving your content and traffic to someone else, just use a platform like Medium. If you want a WordPress alternative that you can host yourself or with a hosting provider, then Ghost is worth a look.
How to avoid being hacked on WordPress
- Install a login attempt limiter plugin
- Update WordPress and Plugins frequently (automatically ideally)
- Run regular backups saved somewhere outside your hosting provider (automatically ideally)
- Remove or replace outdated WordPress Plugins
- Use a unique username and password for WordPress, and enable 2FA (now supported natively)
- Use a WordPress.com account to have another path of entry to your WordPress site
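Two of the signals in this story can be turned into a quick check you run on a schedule rather than noticing by accident: spam HTML pages planted in wp-content/uploads, and admin usernames being changed underneath you. The script below is an added example written for this post (it is not code from the post, from Wordfence, ImunifyAV or any other plugin named here). It flags any file under the uploads folder that is not a media type, and diffs a user list exported with WP-CLI (`wp user list --format=json`) against a baseline you saved while the site was known-good, reporting accounts that were added, removed, renamed, or had their role changed. The uploads tree, usernames and JSON snapshots it runs against are constructed sample data; the allowed-suffix set is an assumption for a text blog and should be extended for whatever media you actually upload.

```python
"""Added example, not the post author's code: two post-compromise checks for a
WordPress site. All paths, usernames and JSON below are constructed samples."""
import json
import tempfile
from pathlib import Path

# Suffixes that legitimately belong in wp-content/uploads (assumption: a text
# blog; extend the set for other media types you upload).
ALLOWED_UPLOAD_SUFFIXES = {
    ".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".pdf", ".mp4", ".mp3",
}


def find_unexpected_uploads(uploads_dir):
    """Return sorted relative paths of files under uploads_dir whose suffix is
    not an allowed media type. An .html or .php file in uploads is a classic
    sign of a planted spam page or dropped script and deserves a manual look."""
    root = Path(uploads_dir)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def users_from_wp_cli_json(text):
    """Parse the output of `wp user list --format=json` (WP-CLI) into
    {ID: {"login": ..., "roles": ...}}. Keying by ID rather than login is what
    lets a renamed account show up as a rename instead of a remove + add."""
    return {
        rec["ID"]: {"login": rec["user_login"], "roles": rec["roles"]}
        for rec in json.loads(text)
    }


def diff_users(baseline, current):
    """Compare two snapshots from users_from_wp_cli_json and report IDs that
    were added or removed, logins that changed, and roles that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    renamed, role_changed = [], []
    for uid in sorted(set(baseline) & set(current)):
        before, after = baseline[uid], current[uid]
        if before["login"] != after["login"]:
            renamed.append({"ID": uid, "from": before["login"], "to": after["login"]})
        if before["roles"] != after["roles"]:
            role_changed.append({"ID": uid, "from": before["roles"], "to": after["roles"]})
    return {"added": added, "removed": removed,
            "renamed": renamed, "role_changed": role_changed}


def build_sample_uploads():
    """Create a constructed uploads tree in a temp directory: two real images
    plus two planted files of the kind the post describes."""
    root = Path(tempfile.mkdtemp())
    for rel in ("2021/03/header.png", "2021/03/replica-watches.html",
                "2019/11/photo.jpg", "cache.php"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("sample")
    return str(root)


# Constructed snapshots in the shape WP-CLI emits. The baseline is what the
# owner saved while the site was clean; the current one shows the symptoms
# from the post: the admin login renamed, an editor promoted, a new account.
BASELINE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 2, "user_login": "jane", "roles": "editor"},
])
CURRENT_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "wp_s3rv", "roles": "administrator"},
    {"ID": 2, "user_login": "jane", "roles": "administrator"},
    {"ID": 7, "user_login": "mrbot", "roles": "subscriber"},
])


def run_checks():
    """Run both checks on the constructed data and return the findings."""
    uploads = build_sample_uploads()
    return {
        "unexpected_uploads": find_unexpected_uploads(uploads),
        "user_changes": diff_users(users_from_wp_cli_json(BASELINE_USERS_JSON),
                                   users_from_wp_cli_json(CURRENT_USERS_JSON)),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

On a real site you would point find_unexpected_uploads at wp-content/uploads and feed diff_users a fresh `wp user list --format=json` export plus the baseline file you keep with your off-host backups; any non-empty result is a reason to look before trusting the site again, which is exactly the visibility the post's author lacked for the first few days.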