Tips to find malware in WordPress websites

WordPress is a perennial favourite of website attackers and, as a result, one of the web applications that receives the most attacks. On a shared hosting server this is easy to confirm: compare the access logs of the WordPress sites with those of the other sites on the same server. The difference is usually self-explanatory: a flood of brute-force attempts, generic scanner traffic and targeted attempts to exploit known WordPress weaknesses, at a rate far higher than the other web apps on the same box see.

Where you can find the infections 

There are many ways to exploit a WordPress website, and new attack types and vulnerabilities are reported as time goes on. The injected code usually ends up in one of two places:

1. The File System where you physically store the Website Files
2. The database associated with the website

In both cases the attacker adds external code to the site in order to execute their own logic on the compromised website.

1. How to find hacked WordPress Files

Attackers target files, either modifying existing ones or uploading new ones that carry the malicious code. The plugins, themes and uploads directories are the usual targets, but the injection is not limited to those. For a manual check, start with the following steps:

  • Check the DocumentRoot of the website and make sure there are no unknown files or folders there. Unknown folders or files with gibberish names deserve a closer look.
  • Check wp-content/plugins and make sure every plugin directory is one you installed. Also list the most recently modified PHP files under the plugins folder and verify each one against the updates you actually applied.
  • Check wp-content/themes the same way: no theme directory you did not install, and review the most recently modified PHP files there too.
  • Make sure no PHP or other interpreted files exist under wp-content/uploads. That folder holds media only and is not supposed to execute any code, so any script there is suspect.
  • Use the WP-CLI tool to verify the integrity of the core and plugin files against the official checksums (see the linked guide for how to use it).
  • Use a WordPress security plugin such as Wordfence to scan for other hidden infected files under the website.
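
The checklist above, as an added shell example (not code from the article or from cPGuard): three small functions that flag interpreted files under wp-content/uploads, PHP files in plugins/ and themes/ modified within the last N days, and plugin or theme directories missing from a known-good list you maintain. The WordPress tree and the planted files are constructed in a temporary directory so the script runs offline; point the functions at a real DocumentRoot to use them.

```shell
#!/bin/sh
# Added example (not from the article or cPGuard): manual file-system triage
# of a WordPress DocumentRoot. The sample tree below is constructed.

# PHP or other interpreted files under wp-content/uploads. The directory should
# hold media only, so every hit deserves inspection.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' -o -iname '*.phar' \) \
        2>/dev/null
}

# PHP files under plugins/ and themes/ modified within the last N days (default 7).
# Compare the list with the updates you actually applied in that window.
find_recent_php() {
    docroot="$1"; days="${2:-7}"
    find "$docroot/wp-content/plugins" "$docroot/wp-content/themes" \
        -type f -iname '*.php' -mtime "-$days" 2>/dev/null
}

# Subdirectories of plugins/ (or themes/) that are not listed, one name per line,
# in a known-good file you maintain (for example built from `wp plugin list`).
find_unknown_dirs() {
    dir="$1"; known="$2"
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        grep -qx "$name" "$known" || echo "$name"
    done
}

# --- constructed sample tree so the script runs offline ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-content/uploads/2020/05" \
         "$ROOT/wp-content/plugins/akismet" \
         "$ROOT/wp-content/plugins/wp-smush-pro" \
         "$ROOT/wp-content/themes/twentytwenty"
printf '<?php // legitimate plugin file\n' > "$ROOT/wp-content/plugins/akismet/akismet.php"
touch -t 201901010000 "$ROOT/wp-content/plugins/akismet/akismet.php"   # old mtime, untouched
printf '<?php // planted: code in the media folder\n' > "$ROOT/wp-content/uploads/2020/05/image.php"
printf '<?php // planted: fresh file in an unlisted plugin dir\n' > "$ROOT/wp-content/plugins/wp-smush-pro/extra.php"
printf 'akismet\n' > "$ROOT/known-plugins.txt"

echo "== interpreted files under uploads/ ==";  find_php_in_uploads "$ROOT"
echo "== PHP changed in the last 7 days ==";    find_recent_php "$ROOT" 7
echo "== plugin dirs not in the known list =="; find_unknown_dirs "$ROOT/wp-content/plugins" "$ROOT/known-plugins.txt"
```

The three functions complement, rather than replace, checksum verification: `wp core verify-checksums` and `wp plugin verify-checksums --all` compare the files on disk with the copies published on wordpress.org, which catches a modified file whose mtime was reset by the attacker, something the mtime-based listing above cannot see.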

2. How to find hacked WordPress database contents

This is trickier than finding compromised files, because tracking injected code through the database takes more manual effort. Take a backup of the current database before changing anything in it. To start the investigation, do the following:

  • Check the WordPress administrator user list and make sure it contains no unknown users.
  • Take a dump of the database and search it for the suspicious content (spammy keywords, links) that you saw on the website.
  • Check the post contents and take note of any JavaScript injections.
  • Look through the wp_options table and make sure there are no unexpected entries.
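
The database steps above, as an added shell example (not code from the article or from cPGuard): a small mysqldump-style dump is constructed inline with most columns trimmed, and three awk/grep functions pull out of it the users that carry the administrator capability, the posts whose content contains a <script> tag, and the option names that are not in a baseline list you keep. The column positions, the wp_ table prefix and the option name x_remote_cfg are assumptions of the constructed sample.

```shell
#!/bin/sh
# Added example (not from the article or cPGuard): grep-level triage of a
# WordPress SQL dump. The dump below is constructed, with most columns trimmed.

# Users whose wp_capabilities meta lists "administrator": prints user_login.
dump_admin_users() {
    dump="$1"
    awk -F"'" '/^INSERT INTO `wp_usermeta` VALUES/ && $2 == "wp_capabilities" && $0 ~ /administrator/ {
        split($1, f, ","); print f[2] }' "$dump" |
    while read -r uid; do
        awk -F"'" -v id="$uid" '/^INSERT INTO `wp_users` VALUES/ {
            split($1, f, "("); if (f[2] == id ",") print $2 }' "$dump"
    done
}

# Post IDs whose row contains a <script> tag (case-insensitive).
dump_script_tags() {
    awk '/^INSERT INTO `wp_posts` VALUES/ && tolower($0) ~ /<script/ {
        split($0, f, /[(,]/); print f[2] }' "$1"
}

# Option names in wp_options that are absent from a baseline list (one per line).
dump_unknown_options() {
    awk -F"'" '/^INSERT INTO `wp_options` VALUES/ { print $2 }' "$1" | grep -vxF -f "$2"
}

# --- constructed dump and baseline so the script runs offline ---
DUMP=$(mktemp); KNOWN=$(mktemp)
cat > "$DUMP" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bxxxxxxxx','admin','admin@example.com','publish');
INSERT INTO `wp_users` VALUES (7,'wp_support','$P$Byyyyyyyy','wp_support','nobody@example.invalid','publish');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_usermeta` VALUES (9,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_posts` VALUES (10,1,'2020-05-01 10:00:00','<p>Hello world</p>','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2020-05-02 10:00:00','<p>Offer</p><script src=\"https://example.invalid/x.js\"></script>','publish');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2,'blogname','Example','yes');
INSERT INTO `wp_options` VALUES (99,'x_remote_cfg','a:1:{s:3:\"url\";s:27:\"https://example.invalid/c/\";}','yes');
EOF
printf 'siteurl\nblogname\n' > "$KNOWN"

echo "== administrator accounts ==";    dump_admin_users "$DUMP"
echo "== posts containing <script> =="; dump_script_tags "$DUMP"
echo "== options not in baseline ==";   dump_unknown_options "$DUMP" "$KNOWN"
```

On a live site the same three questions can be asked with WP-CLI (`wp user list --role=administrator`, `wp db query`, `wp option list`), but working on a dump has the advantage that the file you grep is also the backup you took before touching anything. Real dumps split long tables into multi-row INSERT statements and quote values differently, so treat the awk field positions as a starting point, not a parser.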

As mentioned already, this needs some expertise; if you are not comfortable doing it, ask an expert to do it for you.

How to automate these checks for your website?

Searching files and the database for malicious code is not an easy task, and doing it regularly is harder still. If you own a single website, you can rely on a security plugin or a cloud service to scan the site regularly and report bad files. Alternatively, choose a hosting platform with automatic malware checks enabled (cPGuard does this, along with WAF protection specifically for WordPress sites), which protects the website without any extra installation or cost on your side. If you run the server, it is essential to install an anti-malware scanner to protect your customers' websites from such attacks and to safeguard your server's reputation.

cPGuard has built-in tools to protect WordPress websites, and its WAF module has explicit rules to stop attacks against WordPress and its components. Our distributed network lets us spot the latest attack attempts, keep the rule set up to date and defend against new WordPress attacks.

How nulled WordPress Plugins can damage your website

It is well known that WordPress is one of the web applications that draws the majority of web attacks once it is installed on a domain. Beyond the conventional attack vectors, plenty of other methods are used against WordPress websites. Every WordPress site owner should therefore add a security layer that protects the site from common attacks such as brute-force, SQL injection and cross-site scripting, as well as from the less conventional ones.

Nulled Plugins and Themes

Among those other attack types, one of the trickiest is the installation of “nulled” plugins and themes. We recently had a customer who asked us to clean up his websites, which had nulled plugins installed. The remarkable part is that the client knew they were nulled and installed them anyway because they were free, never expecting them to open a backdoor into his websites.

So how can they damage your websites?

The severity of the damage depends on where the nulled plugin or theme came from. In the case used as the example here, the plugins were downloaded from thewordpressclub [.] org and the websites suffered the following:

  1. Repeated JS injections into the database which resulted in redirects to malicious websites upon website visit.
  2. Added junk records to the wp_options table for the backdoor
  3. The admin user password kept resetting without the knowledge of website owner
  4. Unwanted posts created under the websites

and more.

Interestingly, the terms and conditions at thewordpressclub [.] org contain a Remote Access section stating that by downloading and installing these plugins/themes you allow TheWordpressClub to remotely control your website.

What kind of injection were added to the nulled plugins?

We found the following files added to the plugin packages; they carry the core of the injected code.

rms-script-ini.php
rms-script-mu-plugin.php

For example, these are some sample paths from actual plugin installations:

wp-content/mu-plugins/rms_unique_wp_mu_pl_flnm.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/rms-script-mu-plugin.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/plugin-fw/templates/panel/rms-script-mu-plugin.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/plugin-fw/templates/panel/rms-script-ini.php
wp-content/plugins/YITH Product Description In Loop For WooCommerce Premium 1.0.6/rms-script-ini.php
wp-content/plugins/WP Smush Pro 3.6.3/rms-script-mu-plugin.php
wp-content/plugins/WP Smush Pro 3.6.3/core/external/dash-notice/rms-script-mu-plugin.php
wp-content/plugins/WP Smush Pro 3.6.3/core/external/dash-notice/rms-script-ini.php
wp-content/plugins/WP Smush Pro 3.6.3/rms-script-ini.php

In addition, the following lines were added to other files of the plugin to call the malicious function and activate the remote handler:

require_once('rms-script-ini.php');
rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);
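
An added shell sweep for the indicators listed above (not code from the article or from cPGuard): it looks for files carrying the rms-script-* names or an rms_-prefixed file under wp-content/mu-plugins, and greps the remaining PHP for the two loader lines. The WordPress tree is constructed in a temporary directory, and the planted stand-in files contain only a comment, not the real injected code; the plugin directory name nulled-premium-plugin is invented for the sample.

```shell
#!/bin/sh
# Added example (not from the article or cPGuard): sweep a DocumentRoot for the
# file names and loader lines described above. The sample tree is constructed
# and the planted files are comment-only stand-ins, not the real injection.

# Files matching the dropped-file names: rms-script-ini.php, rms-script-mu-plugin.php,
# or an rms_-prefixed file under wp-content/mu-plugins (which WordPress loads unconditionally).
find_rms_files() {
    find "$1/wp-content" -type f \
        \( -name 'rms-script-ini.php' -o -name 'rms-script-mu-plugin.php' -o -path '*/mu-plugins/rms_*' \) \
        2>/dev/null
}

# PHP files that contain the loader lines added to otherwise legitimate plugin files.
find_rms_loaders() {
    grep -rlE --include='*.php' \
        "rms_remote_manager_init|require_once\(['\"]rms-script-ini\.php['\"]\)" \
        "$1/wp-content" 2>/dev/null
}

# --- constructed sample tree so the script runs offline ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-content/mu-plugins" \
         "$ROOT/wp-content/plugins/akismet" \
         "$ROOT/wp-content/plugins/nulled-premium-plugin"
printf '<?php // legitimate plugin, no loader\n' > "$ROOT/wp-content/plugins/akismet/akismet.php"
printf '<?php // planted stand-in\n' > "$ROOT/wp-content/plugins/nulled-premium-plugin/rms-script-ini.php"
printf '<?php // planted stand-in\n' > "$ROOT/wp-content/mu-plugins/rms_unique_wp_mu_pl_flnm.php"
cat > "$ROOT/wp-content/plugins/nulled-premium-plugin/nulled-premium-plugin.php" <<'EOF'
<?php
/* Plugin Name: Nulled Premium Plugin (constructed sample) */
require_once('rms-script-ini.php');
rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);
EOF

echo "== dropped files ==";         find_rms_files "$ROOT"
echo "== files with loader lines =="; find_rms_loaders "$ROOT"
```

The mu-plugins hit matters most: WordPress executes everything in wp-content/mu-plugins on every request with no activation step and no entry in the admin plugin list, so deleting the nulled plugin alone leaves the remote handler in place. Remove the loader lines, the dropped files and the mu-plugins file together, then re-run the sweep.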

How to get rid of such issues?

The answer is straightforward: do not install plugins or themes from untrusted sources. Install from the official WordPress repository, or download the package from the provider's official website. If you try to get the premium features of a paid product for free through such shortcuts, you will end up in serious trouble, up to and including data loss.

Though cPGuard can detect and clean the majority of these malicious injections, we strongly recommend staying away from such plugin providers and using only genuine software.

Recent changes and features in cPGuard

What are the new features in recent cPGuard versions?

At OpsShield, our engineers are keen to hear feedback from customers; we read each message carefully and adjust the software to make it more useful and user-friendly. In every version we try to add at least one requested feature alongside the other updates and bug fixes. Recent cPGuard versions have gained a few such options that you might not have noticed yet.

1. User-defined Captcha protected URLs

A couple of months back we introduced our Captcha protection, which handles the Captcha challenges in our cloud. It is one of the most effective mechanisms available and moves the work of dealing with attackers off your server, stopping the majority of attacks and greatly reducing server load. Until now it protected a fixed set of URLs that attract the most attacks, such as the WordPress and Joomla login pages. To make it more flexible and cover other web apps and URLs, this list is now user-defined: you decide which URLs get Captcha protection. Add a new URL from Settings >> WAF in the cPGuard UI.

2. Weekly Scanner

We recently added a weekly scanner that rescans every file updated in the past 7 days. This ensures those files are checked again with the updated rule set, which catches many bad files that earlier rules missed. The scanner is designed to use very few resources and finish quickly. It is optional and can be disabled from the Additional Settings page, though we recommend keeping it enabled.

3. Revamped License Checking 

One of the more frequent complaints from clients concerned the license status. The check sometimes failed because the license system was hosted in central Europe and some clients had connectivity issues reaching it. To fix this, we migrated the licensing system to AWS and distributed the checks across its worldwide network, so the license check now works reliably from any location.

4. Command Line Utility

Another long-standing feature request was a clean, simple tool to manage settings from the command line. It is available now; see our KB for the tool and its command-line options. It is very handy for people who want to change settings quickly, or across many servers through automation.

5. Enhanced daily reports

We have modernised the daily report's format and style: the user now gets all activity with a graphical representation, enough to understand the attack statistics for the server at a glance.

The features are not limited to the above; you can find the details of every version in our changelog. If you would like a specific feature added to cPGuard, please contact us and we will see what we can do.

cPanel Version 88 and ClamAV

cPanel recently announced version 88 with a handful of features, including MySQL 8 support. It is good to see the long-awaited MySQL 8 support in the test release, but cPanel has also updated its bundled ClamAV package, and it now conflicts with the ClamAV package installed from the operating system's repositories.

The reason is that cPanel now ships a solution by default that needs ClamAV to function. We do not have further details, but the update to v88 is blocked if the OS ClamAV is installed. This affects many scripts and software built on a ClamAV integration that depend on the default ClamAV installation. Below are the errors you can expect during the v88 update.

Error: cpanel-clamav conflicts with clamav-0.102.2-4.el7.x86_64
Error: cpanel-clamav conflicts with clamav-lib-0.102.2-4.el7.x86_64
Error: cpanel-clamav conflicts with clamav-update-0.102.2-4.el7.x86_64
Error: cpanel-clamav conflicts with clamav-filesystem-0.102.2-4.el7.noarch

cPGuard is integrated with libclamav and therefore needs the ClamAV packages to function. Since this change is unavoidable, we are updating our code: from cPGuard version 3.20 onward we use a different approach that complies with it.

So if you have cPGuard version 3.20 installed, you can safely uninstall ClamAV from the server; cPGuard is not affected, as the health check handles the dependency internally. Note that it takes a while for the health check to run and fix things automatically.

If you need any clarification or if you have any questions, please contact support

How to Secure your CMS ?

As of 2020, the majority of internet traffic comes from automated sources such as hacking tools, spammers, impersonators and bots. Keeping a website safe from attackers is a constant process: the more its security is neglected, the more likely the website and the business behind it will suffer. Since people prefer the easy way to get things done, the majority of websites are built on a CMS.

A content management system(CMS) is application software that helps users create, manage and modify content on a website without the need for particular technical ability. Imagine starting a podcast of your own or setting up a website that can easily manage your content and the context.

WordPress, Drupal, Magento and Joomla are among the most popular content management systems. All four are open source: anyone can inspect, modify and improve their source code.

Open-source software has two sides. On one side, it lets people adapt the software to their specific needs, and everyone can see what it does behind the scenes. On the other side, people with bad intentions can study the publicly available source code until they find a bug, weakness, defect or feature they can abuse.

When using a CMS, keep an eye out for updates, especially for the popular ones. Apply them conscientiously, and quickly when an update fixes a published vulnerability: attackers track the latest vulnerabilities and go after every site that has not been patched.

In 2019 alone, more than 20 million CMS users experienced security breaches. About 79.6% of well-known websites running WordPress, the most widely used CMS, contain vulnerabilities that standard attacks can exploit.

Here are some practices that keep a website safe and protected.

Ways to tighten your CMS website security

Enable Two Factor Authentication
This is a great way to protect your website accounts. In addition to the account password, you also have to provide an additional code generated on a personal device.

Restrict the number of login attempts
Limiting the number of login attempts blunts brute-force attacks and reduces the risk of attackers and bots gaining access to the system.

Install verified plugins, themes and extensions 
Before installing any component (plugin, theme, extension) on your website, weigh its drawbacks against its benefits. Download components only from well-rated developers in the community to reduce the risk of malware. Check the component's official site for updates and see how long ago the developer last patched a security issue.

Use a Firewall/WAF
The server hosting your website is reachable from the rest of the untrusted internet. Running it unprotected exposes the site to attacks and infections, so a firewall on the hosting server is essential. The firewall, or a web application firewall in front of the site, adds a layer of defence against this kind of harm and is useful for tracking suspicious activity.

Keep website up-to-date
The CMS and every component that belongs to the website should be updated whenever an update is available. Developers regularly ship fixes and upgrades that include security improvements which keep the website from being abused, for example for phishing.

Install an SSL Certificate
Add a TLS/SSL certificate to strengthen the website's security. The certificate is installed on the server and, when a browser connects to the site, lets the two establish an encrypted connection, so traffic in transit cannot be read or tampered with.

Monitor your website
If someone injects malicious code into your website, it may cause downtime or other visible damage. Website monitoring lets you catch such problems quickly: it checks the site at regular intervals and notifies the webmasters by text message and email.

Scan your local PC
Scan your local computer regularly. You connect to the website's back end from it, and files downloaded or executables installed on it, however trustworthy they seem, may carry malware that steals your website logins and lets someone inject malicious files into the site. Perform an in-depth scan of your machine regularly with a powerful, reputable antivirus.

Change your passwords
Use strong passwords with special characters and other unique sequences, and change them regularly. Changing a password invalidates any credentials an attacker may already have recorded, so even if someone has gained access to an account, they cannot keep it for long. Change passwords regularly, and immediately after any suspicion that an account has been compromised, to keep the website safer.

How cPGuard can help to protect CMS on your shared servers?

1. The cPGuard automatic scanner scans every file under each account and so catches bad code as soon as it lands on the website
2. The WAF module protects the websites from generic and known web exploits
3. Domain reputation monitoring helps ensure the website hosts no harmful content
4. The brute-force and Captcha modules stop brute-force attacks against the websites
5. The end-user UI in the control panel alerts users promptly about the latest attacks so that they can take action


Please check https://www.opsshield.com/cpguard-features/ for more details or contact our team to know more…