February 22nd, 2017
WordPress is a huge online, open source website creation tool, and probably one of the easiest and most powerful CMS platforms for blogs and websites that you can find today. Being so widely used makes it a prime target for hackers, who are constantly searching for ways to exploit vulnerabilities in the system. And when they do, as they did just a few days ago, the outcome can be detrimental.
On the 20th of January, the security firm Sucuri discovered the WordPress REST API bug, which led to a feeding frenzy: hackers not only defaced tens of thousands of sites, but other hackers then tried to exploit the bug further and take over the hacked sites.
Click here for the full technical details regarding the discovery of the bug and how WordPress handled it.
WordFence found evidence that at least 20 hacker groups were trying to meddle with vulnerable sites. Initially, the vulnerability was deemed such a high risk that the WordPress team kept it secret for almost a week, updating as many websites as it could, until both WordPress and Sucuri experts announced that the new WordPress 4.7.2 would include a secret fix for the REST API.
The patched version of WordPress was formally released on the 26th of January.
How do I know if I’ve been hacked?
If you suspect your site has been hacked, the first thing you should do is to establish if you really have been hacked. Many times it can be something as simple as your site misbehaving or a spammy comment.
You’ll know your site has been hacked if:
- You conduct a site search on Google (search: yoursite.com) and see pages that you do not recognise or that look malicious.
- Your website is being redirected to a malicious or spammy website. Pay special attention to this one, because hackers will often suppress the redirect for you, as the site administrator, whilst still redirecting your visitors and search engine crawlers.
- Your hosting provider detects something spammy or malicious and flags it to you.
- Google’s Search Console – Google will scan your site for problems and report them back to you. Unfortunately, it is just as good at warning your customers as it is at warning you. Google will normally show this warning or a similar variation to your visitors.
Note: This warning will only appear to those who find your website from Google’s search engine results or are using the Google Chrome browser.
Needless to say, the above are just a few of the ways to determine if you’ve been hacked. Services such as Sucuri or WordFence will scan your website for you on a subscription-based plan. Alternatively, you can use ClamAV, software that is installed on your web server and scans your website to detect malicious activity and more.
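The redirect check above is easy to miss by hand, because your own browser may never see the redirect. The Python script below is an added example, not part of the original article: it requests your own site as a direct visitor, as a visitor arriving from a search result, and as a search engine crawler, then reports any profile that is sent to a foreign host. The profile headers, the function names and the yoursite.com placeholder are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
# Constructed visitor profiles (assumptions; extend as needed).
PROFILES = {
    "direct": {"User-Agent": BROWSER},
    "from_search": {"User-Agent": BROWSER, "Referer": "https://www.google.com/"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                              "+http://www.google.com/bot.html)"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow, so the 3xx and its Location stay visible

def probe(url, headers, timeout=10):
    """Fetch url once; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx is raised here
        return err.code, err.headers.get("Location")

def bare(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def find_cloaked_redirects(site_host, results):
    """results maps profile -> (status, location). Returns (off_site, conditional)."""
    site, off_site = bare(site_host), {}
    for profile, (status, location) in results.items():
        target = urlsplit(location or "").hostname  # None for relative redirects
        if 300 <= status < 400 and target:
            target = bare(target)
            if target != site and not target.endswith("." + site):
                off_site[profile] = target
    # conditional: only some kinds of visitor are sent away (cloaking pattern)
    return off_site, 0 < len(off_site) < len(results)

if __name__ == "__main__":
    url = "https://yoursite.com/"  # placeholder, replace with your own site
    results = {name: probe(url, hdrs) for name, hdrs in PROFILES.items()}
    print(find_cloaked_redirects(urlsplit(url).hostname, results))
```

A clean result here does not rule out a redirect that keys on something else, such as the visitor's IP address or a logged-in cookie.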
What should I do if I’ve been hacked?
Once you are certain that you’ve been hacked, it’s time to pull the plug on your server (not physically)! Whether it’s a minor hack or a serious one, to avoid any further damage it’s best to take the site offline, move it to a safer place and:
- Ascertain how you were hacked and what has been compromised
- Remove any malicious software
- Update everything – server software, operating system, anti-virus system and update your website (WordPress or Magento)
- Re-import from backup (checking first that the backup doesn’t have a virus)
- Update all passwords to be more secure. Try: strongpasswordgenerator.com to generate them and howsecureismypassword.net to check them!
In all cases, prevention is always better than the cure. Although WP have now been able to carefully contain and avert the worst-case scenario, the fact of the matter is that there is always going to be a risk. Our job as an integrated digital agency is to help you minimise that risk, or contain it in the unlikely event that your website is hit. Therefore, if you’d like to be better protected, have a quick look at our WordPress page and do not hesitate to get in contact with us here.