Last month we posted about 6 Common WordPress Exploits You Need To Know and this week we’re going to focus on knowing when your site isn’t in YOUR control.
Someone or something has hacked your site.
What are the telltale signs?
Imagine finding yourself in front of your home and your key no longer works to get in.
If an attacker gains access to your site, they may disable or change your accounts to maintain access to your site.
Some signs that your site was exploited:
- Content defaced
- Spam/advertisements appear on your site
- Visitors are redirected to other sites
- Malware is installed to spread the attacks
- Admin accounts are created or changed locking you out of your site
- Data is missing or changed
- Core/plugin/theme files have been modified
1. Content defaced
This is a pretty common ‘hack’ on vulnerable websites. You may have seen it yourself: you visit a website expecting particular content and instead find text in a foreign language, images unrelated to the site, or material that has nothing to do with what was originally published. This is very harmful to website owners, as you may end up hosting content that damages your brand image, and it simply looks like you’re snoozing on the job of maintaining your website.
2. Spam/advertisements appear on your site
Everyone is familiar with ads and the revenue stream they can bring in. However, when you start to see abnormal content on your site trying to sell your customers something they don’t need (for example, ads for cruises when your website sells hammers), it’s a clear sign that something is wrong.
If you do run ads on your website, keep an eye on your ad impressions for abnormal traffic patterns, since a sudden change can be the first indication that your site is compromised.
3. Visitors are redirected to other sites
Attackers redirect your users away from your site to inflict harm or capture information. One of the common signs is trying to log in to your admin page and not recognizing the domain that is asking for your credentials.
Always check the domain before you sign in to ensure that you’re logging into the correct site.
4. Malware is installed to spread the attacks
Malicious software, or malware, comes in many variants (backdoors, spyware, adware, ransomware) designed to cause damage to computers, servers, or networks. Malware is generally spread through emails, hijacked websites, or infected programs.
How can you tell if your site has malware? Search-engine and security crawlers may be the first to identify an issue and flag your site as hosting malicious content based on their detection rules. The next time you visit your site after it has been flagged, you will see a bright warning designed to capture your attention.
Once your site has been flagged, your web administrator will need to take action to identify and resolve the issue. Once it is resolved, follow the steps defined by “StopBadWare.org” to get your site rescanned and ultimately removed from the list.
Check out this infomercial by Google on tips to spot malware.
5. Admin accounts are created or changed locking you out of your site
Did you receive an email that a new user has signed up for your site? Double-check that you do not have open registration enabled. This setting lets anyone sign up for an account, which can lead to additional access to your site.
It is also possible that existing accounts have been modified so the attacker can regain access later. It is a good idea to exercise caution, reset passwords, and look into two-factor authentication solutions.
6. Data is missing or changed
Some malware is designed to modify web code so that it encrypts database content over time and eventually removes your access to it. Inspecting your database will reveal the encrypted content, which can only be read with the decryption key.
In those scenarios, we may also see new service accounts with access to the database service.
As with spam emails, you might find typos and references to pharmaceuticals that have nothing to do with your business.
In many of these cases, it can be expensive to recover from these events. Having a recent and viable backup is important to improve your chances of getting your site back.
7. Core/plugin/theme files have been modified
WordPress has implemented several safeguards that help increase the security of installations in the wild. WP-CLI can be used to confirm that the core version and plugins have valid checksums from the source of truth. If you want to confirm that your source code has not been modified, run the following command. It does a SHA256 check against the files that belong to the core CMS, which is useful for identifying whether your sites have drifted somehow from one release to another or whether a malicious user has modified your code.
wp core verify-checksums
This is really useful, and the manifest files are accessible for every version from the wordpress.org API site.
At Web Teks, we use this functionality to ensure that, before and after updates, the site is in a known state. Through site migrations we have found that core and plugin files sometimes get edited directly to satisfy a need. In those cases, any future update will change that functionality, and the change then needs analysis and resolution. By validating the source before and after an update, we can automate decisions and increase the reliability of our patch process.
Similar to core, we can perform the same checksum validation for plugins. At this time themes are not supported and require validation through alternate means.
wp plugin verify-checksums
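Themes and any locally customized code have no upstream manifest to check against, so the alternate means the post mentions comes down to recording your own baseline and comparing against it before and after each update. The script below is an added example for this post (not WP-CLI and not Web Teks code): make_manifest records the SHA256 of every file under a directory, and verify_manifest reports files that were modified, removed, or added since the baseline and returns a non-zero status when anything drifted. The demo at the bottom runs on a constructed miniature site (two stand-in PHP files), not on real WordPress files; file names containing spaces are not handled, which is an accepted simplification here.

```shell
#!/bin/sh
# Added example: baseline-and-verify for a WordPress directory (e.g. wp-content/themes).
# Assumes coreutils: sha256sum, find, sort, comm, awk, mktemp.

# make_manifest DIR OUTFILE
#   Record "sha256  ./relative/path" for every regular file under DIR, sorted
#   by path so the manifest is stable across runs.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# verify_manifest DIR MANIFEST
#   Print one line per ADDED, MISSING or MODIFIED file relative to MANIFEST.
#   Returns 0 when DIR matches the baseline exactly, 1 when any drift is found.
verify_manifest() {
    dir=$1; manifest=$2
    tmp=$(mktemp -d)
    ( cd "$dir" && find . -type f | sort ) > "$tmp/now"      # files present now
    awk '{print $2}' "$manifest" | sort > "$tmp/base"         # files in the baseline
    {
        # Present now but not in the baseline: e.g. an unexpected PHP file dropped by an attacker
        comm -13 "$tmp/base" "$tmp/now" | sed 's/^/ADDED     /'
        # In the baseline but gone now
        comm -23 "$tmp/base" "$tmp/now" | sed 's/^/MISSING   /'
        # In both: compare the recorded hash with the current one
        comm -12 "$tmp/base" "$tmp/now" | while read -r path; do
            expected=$(awk -v p="$path" '$2 == p {print $1}' "$manifest")
            actual=$( (cd "$dir" && sha256sum "$path") | awk '{print $1}')
            [ "$expected" = "$actual" ] || echo "MODIFIED  $path"
        done
    } > "$tmp/report"
    cat "$tmp/report"
    drift=$(wc -l < "$tmp/report" | tr -d ' ')
    rm -rf "$tmp"
    [ "$drift" -eq 0 ]
}

# demo: constructed miniature site, then a simulated tamper + dropped file.
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/inc"
    echo '<?php // constructed stand-in for a theme file' > "$site/functions.php"
    echo '<?php // constructed stand-in for an include'   > "$site/inc/helpers.php"
    make_manifest "$site" "$site.baseline"                 # taken BEFORE the update
    echo '<?php // tampered'        >> "$site/functions.php"  # simulated modification
    echo '<?php // unexpected file' >  "$site/inc/extra.php"  # simulated dropped file
    verify_manifest "$site" "$site.baseline"; rc=$?          # run AFTER the update
    rm -rf "$site" "$site.baseline"
    return $rc
}

if demo; then echo "no drift from baseline"; else echo "drift detected, review the report above"; fi
```

In practice you would run make_manifest against wp-content/themes (or the whole site root) right after a clean install or verified update, store the manifest outside the web root, and run verify_manifest as part of the same pre/post-update check that wp core verify-checksums and wp plugin verify-checksums give you for core and plugins.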
So there you have it – 7 Telltale Signs That Your Site is Out of YOUR Control!
As creatures of habit, we often log in to the WordPress admin site and follow a routine. If you notice messages about available updates, don’t just brush them off for another day.
Reach out to Web Teks for assistance with keeping your site updated and secure!
Stay tuned for our next post on the checklist of things to do after a security incident and preparing for the next!