WordPress break-in analysis and protection

How to protect WordPress – an example of a break-in and of protection against infection

Every piece of software has vulnerabilities. The more popular it is, the greater the chance that someone finds one. A recent example is a vulnerability in the very popular GDPR Compliance plugin. The plugin's developers patched it quickly, but even that short window was enough for infections to begin almost immediately, as reports on internet forums showed. Earlier, a similar wave of infections came from attacks on the Duplicator plugin.

How to protect WordPress from infection?

There are extensive studies on this subject, but the general principle is simple: WordPress itself, its themes and its plugins must be kept up to date. You can of course add other forms of protection, but for novice users, consistent updating alone should significantly raise the site's resistance to intrusion.

And what if keeping the system up to date is not enough?

Sometimes the vulnerability is in software whose developers have not yet released a fix. Until they patch the vulnerability and publish a new version for download, the site may remain open to attack. In that case you can, for example, disable the "leaky" plugin and wait for it to be updated. It may happen, however, that the update does not arrive quickly enough.

What are the side effects of a hacked website?

When the software is vulnerable, the most common attack is to append a snippet of code to existing files on the server. These fragments are usually encoded into a form that is unreadable to an ordinary user. Once added to the files, the code can have various harmful effects, e.g.:

  • sending spam mail,
  • launching a console (a so-called bind shell), which "opens" the server for future break-ins,
  • waiting for a signal to take part in a DDoS (Distributed Denial of Service) attack on other websites (e.g. bank or government office sites),
  • displaying content that links to other websites (injected links),
  • impersonation (phishing): displaying, for example, a fake bank or payment-system page that harvests credentials.

Each of these common outcomes is very harmful, and you should do everything you can to ensure that such pasted code never appears on your website.

What does a WordPress hack look like?

Below is an example of a file infected by pasting an obfuscated (encoded) piece of code into it. The file comes from the popular (over 300,000 installations) WordPress plugin MailPoet Newsletters.

The file is located in the directory: /wp-content/plugins/wysija-newsletters/core/autoloader.php

Can you see the attached code? You should be able to spot it already 😉 At first glance the file looks quite ordinary. But pay attention to the horizontal scroll bar…

Move the bar slightly to the right and you will immediately see that the first line, after a few hundred spaces, contains a fragment that should not be there!

Another option is to switch the editor to "line wrapping"; the attached code is then visible right away…

This particular infection was the result of the breach in the GDPR Compliance plugin. Interestingly, the code was detected while the site was being migrated to our server from one of the hosting companies specializing in so-called WordPress hosting. The customer told us that the break-in had been diagnosed and that specialists had removed its effects. As it turned out, the clean-up was not complete.

And how do we know that the files are infected? Because we run a dedicated system that detects and blocks intrusions…

Anti-exploit system – effective anti-intrusion protection for WordPress

A dedicated protection system is installed on every Smarthost.pl hosting account: it checks each file at the moment it is modified. It does not matter whether the modification comes from uploading the file via FTP or SFTP, from an upload form on the website itself, or… from an upload through a vulnerability in some theme or plugin.

From the anti-exploit system's point of view, what matters is that a file on disk has changed. At that moment the system checks whether the file contains malicious code. The anti-exploit system carries a database of several thousand known malicious scripts. Fortunately, such scripts are relatively easy to recognize (as the example above shows), so a file containing such code can be detected and blocked on the server simply and effectively.

The anti-exploit scanner also checks files for viruses against a database of known viruses, which in combination with the exploit signatures creates a very effective barrier against attacks.

In addition to blocking malicious scripts, the anti-exploit system notifies the website owner that an attempt was made to save a file containing malware. This is a convenient tool for keeping an eye on your own website.

Does the anti-exploit system detect every intrusion attempt? Probably not… but the ones it does detect are reason enough: in the two years it has been in use, we have not had a single request from a customer to restore a site from backup "because it was hacked". That clearly shows its effectiveness. We publish the server file scan report for 2016 online here:

If you need a security system against malware being uploaded to your website

just move to our hosting, which takes care of the security of clients' files

Migration to our hosting is free; we do it efficiently and quickly, without significant interruption to the operation of the website (you can find more information about migrating to our hosting on the following webpage)

The anti-exploit system (read more about it) works on each of our hosting accounts:

In the background. Unnoticeable. Efficiently.

Check out our hosting packages

Wojciech Babicz