by George Damian, 4 years ago
As you may already know, WordPress is one of the most common solutions for rapidly building small to medium websites, offering powerful customization capabilities, often through its large repository of plugins.
WordPress powers more than 35% of the websites on the net. That alone makes it a highly likely target for opportunistic attacks that scan for vulnerable WordPress versions, themes or plugins.
The reason I'm writing this article is that a couple of weeks ago, I got a staging server hacked that was hosting some old, un-updated WordPress installations. Because I wasn't really using that server, I got the chance to sandbox it so I could try to mitigate and patch the breach, which might be useful for other people online.
So down below you can find a quick, on-point tutorial that will help you mitigate hacked WordPress servers and prevent further attacks.
Note: this is not a definitive guide, so it might not detect the newest and most complex attack vectors or shells, but it will definitely bump up your security.
1️⃣ Part one - Mitigating a compromised site / server
Before proceeding with any cleaning, make sure that you have isolated the compromised host, changed all server passwords (such as SSH and MySQL) and rotated any existing API keys. You should also check your server logs for recent logins, and look for any suspicious users or processes.
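The "check your logs for logins and users" step, as a small script you can point at the real files. This is an added example, not code from the original post: each function takes a file path, so on a real host you would pass /var/log/secure (or /var/log/auth.log) and /etc/passwd. The sample log and passwd lines below are constructed (RFC 5737 documentation addresses) and the helper names are my own.

```bash
#!/bin/sh
# Added example (not from the original post): post-compromise triage helpers
# for sshd logins and local accounts. The sample files below are constructed.

# Print "user ip" for every successful sshd login in a syslog-style log.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i + 1); if ($i == "from") ip = $(i + 1) }
         print user, ip
       }' "$1"
}

# Print "count ip" for failed password attempts, busiest source first.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password / {
         for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
       }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print accounts with UID 0 other than root: a second root-equivalent account
# is a classic persistence trick and never legitimate on a web server.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts that can log in interactively (shell is not nologin/false).
login_capable_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample data standing in for /var/log/secure and /etc/passwd.
SAMPLE_LOG=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 02:11:45 staging sshd[2141]: Accepted publickey for deploy from 203.0.113.10 port 51022 ssh2
Mar  3 02:13:02 staging sshd[2190]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar  3 02:13:05 staging sshd[2190]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar  3 02:13:09 staging sshd[2190]: Failed password for admin from 198.51.100.7 port 40011 ssh2
Mar  3 02:20:41 staging sshd[2203]: Failed password for root from 192.0.2.44 port 53120 ssh2
Mar  3 03:40:19 staging sshd[2312]: Accepted password for root from 198.51.100.7 port 40320 ssh2
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
sysupd:x:0:0::/tmp:/bin/bash
EOF

echo "== successful logins (user ip) =="; accepted_logins "$SAMPLE_LOG"
echo "== failed attempts per source =="; failed_by_ip "$SAMPLE_LOG"
echo "== extra UID 0 accounts =="; extra_uid0_accounts "$SAMPLE_PASSWD"
echo "== login-capable accounts =="; login_capable_accounts "$SAMPLE_PASSWD"
```

In the sample, the source that brute-forced root for half an hour later logs in successfully, and a UID 0 account named sysupd has appeared: both are the kind of finding that should make you rebuild the host rather than just clean the web root.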
Once that is done, we can proceed with installing ClamAV and webshell definitions, so we can scan for standalone webshells as well as WordPress core files injected with shells or other types of malware.
Installing ClamAV and configuring it for the first time:
sudo yum install clamav clamav-update clamav-scanner-systemd clamav-server-systemd
sudo sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
sudo sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf
sudo freshclam
Adding fresh virus definitions
cd /var/lib/clamav
wget http://cdn.malware.expert/malware.expert.ndb
wget http://cdn.malware.expert/malware.expert.hdb
wget http://cdn.malware.expert/malware.expert.ldb
wget http://cdn.malware.expert/malware.expert.fp
Scanning for webshells and malware
The way I approached this was to generate a report of infected files, then analyse each one individually in order to avoid any false positives. I advise you to do the same.
Write the report somewhere outside the web root, so it is not reachable over HTTP:
clamscan -r /var/www/html | grep FOUND >> ~/full-report.log
You could also automatically remove every detected file with something like this, but beware of false positives: a removed core or plugin file is gone for good.
sudo clamscan --infected --remove --recursive /var/www/html
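A middle ground between reviewing by hand and --remove is to quarantine: move each flagged file out of the web root, keep its path and hash, and decide later. This is an added example, not code from the original post. It parses the "path: Signature FOUND" lines that clamscan prints (the report below, its signature names and the placeholder files are constructed) and expects absolute paths, which is what you get when scanning /var/www/html as above.

```bash
#!/bin/sh
# Added example (not from the original post): triage a clamscan report and
# quarantine the flagged files instead of deleting them. Report lines,
# signature names and the sample web root below are constructed.

# Print "path<TAB>signature" for each FOUND line of a clamscan report.
parse_report() {
  awk '/ FOUND$/ && match($0, /: [^: ]+ FOUND$/) {
         path = substr($0, 1, RSTART - 1)
         sig = substr($0, RSTART + 2, RLENGTH - 8)   # drop ": " and " FOUND"
         print path "\t" sig
       }' "$1"
}

# Print "count signature", most frequent first.
summarize_report() {
  parse_report "$1" | cut -f2 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

hash_file() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{ print $1 }'; }

# Move each flagged file under QDIR (keeping its full original path) and
# record sha256, signature and original location in QDIR/manifest.tsv, so a
# false positive can be moved back and real malware stays available as evidence.
quarantine_found() {
  local report=$1 qdir=$2 path sig
  mkdir -p "$qdir"
  parse_report "$report" | while IFS="$(printf '\t')" read -r path sig; do
    if [ ! -f "$path" ]; then
      echo "skipping (not a regular file or already gone): $path" >&2
      continue
    fi
    mkdir -p "$qdir$(dirname "$path")"
    printf '%s\t%s\t%s\n' "$(hash_file "$path")" "$sig" "$path" >> "$qdir/manifest.tsv"
    mv "$path" "$qdir$path"
  done
}

# Constructed sample: a tiny web root and a report that also names a file
# which no longer exists, to show the skip path.
WEBROOT=$(mktemp -d)
QDIR=$(mktemp -d)
REPORT=$(mktemp)
trap 'rm -rf "$WEBROOT" "$QDIR" "$REPORT"' EXIT
mkdir -p "$WEBROOT/wp-content/uploads/2020/01" "$WEBROOT/wp-content/themes/demo" "$WEBROOT/wp-includes"
echo '<?php // constructed placeholder' > "$WEBROOT/wp-content/uploads/2020/01/cache.php"
echo '<?php // constructed placeholder' > "$WEBROOT/wp-content/themes/demo/footer.php"
echo '<?php // constructed placeholder' > "$WEBROOT/wp-includes/version.php"
cat > "$REPORT" <<EOF
$WEBROOT/wp-content/uploads/2020/01/cache.php: Php.Shell.CONSTRUCTED-1 FOUND
$WEBROOT/wp-includes/class-missing.php: Php.Shell.CONSTRUCTED-1 FOUND
$WEBROOT/wp-content/themes/demo/footer.php: Php.Dropper.CONSTRUCTED-2 FOUND
EOF

echo "== hits per signature =="; summarize_report "$REPORT"
quarantine_found "$REPORT" "$QDIR"
echo "== quarantine manifest (sha256, signature, original path) =="; cat "$QDIR/manifest.tsv"
```

Restoring a file you judged clean is then just a mv back to the path recorded in the manifest, and the hash lets you check later whether the same sample turns up on another host.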
Additional shell detection patterns
Besides the ClamAV scan, you can additionally scan your files with these commands and analyse each match individually. These patterns catch some even more obfuscated shells and backdoors. Note the single quotes around $O00OO0: in double quotes the shell would expand it as an (empty) variable and the grep would match every file.
cd /var/www/html/
grep -rloE --include='*.php*' '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|GLOBALS.*exit|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' .
grep -rl --include='*.php' '@eval(' .
grep -rl --include='*.php' 'chr(99)' .
grep -rl --include='*.php' '$O00OO0' .
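When you run these patterns regularly, the same legitimate files keep showing up (posix_getpwuid, for example, is used by perfectly normal code). The script below, an added example and not code from the original post, turns the greps above into one named-indicator scan and filters out files you have already reviewed through an allowlist. The regexes are the post's own; the indicator names, the sample tree and the allowlist are constructed, and the suspicious sample file only carries the obfuscation markers, it does nothing.

```bash
#!/bin/sh
# Added example (not from the original post): named indicator scan with an
# allowlist for reviewed false positives. Sample tree and names are constructed.

# Indicator table: "name regex" per line; the regexes are the post's patterns.
INDICATORS='eval_decode eval.*(base64_decode|gzinflate|\$_)
obfuscated_var \$[0O]{4,}
filesman FilesMan
at_eval @eval\(
chr_concat chr\(99\)
posix_getpwuid posix_getpwuid'

# Print "indicator<TAB>path" for every *.php file under $1 matching an indicator.
scan_indicators() {
  local dir=$1 name regex f
  printf '%s\n' "$INDICATORS" | while read -r name regex; do
    [ -n "$name" ] || continue
    grep -rlE --include='*.php' -- "$regex" "$dir" | while IFS= read -r f; do
      printf '%s\t%s\n' "$name" "$f"
    done
  done
}

# Read "indicator<TAB>path" on stdin and drop paths listed in the allowlist file $1.
drop_allowlisted() {
  awk -F'\t' -v allow="$1" 'BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
                             !($2 in ok)'
}

# Constructed sample tree.
WEBROOT=$(mktemp -d)
ALLOWLIST=$(mktemp)
trap 'rm -rf "$WEBROOT" "$ALLOWLIST"' EXIT
mkdir -p "$WEBROOT/wp-content/uploads/2020/01" "$WEBROOT/wp-content/plugins/owner-check"
# Suspicious sample: only the obfuscation indicators, no behaviour at all.
cat > "$WEBROOT/wp-content/uploads/2020/01/cache.php" <<'EOF'
<?php
$O00OO0 = chr(99) . chr(104);
echo $O00OO0;
EOF
# Legitimate plugin that trips the posix_getpwuid pattern while showing a file owner;
# once reviewed it goes on the allowlist.
cat > "$WEBROOT/wp-content/plugins/owner-check/owner-check.php" <<'EOF'
<?php
$owner = posix_getpwuid(fileowner(__FILE__));
echo $owner['name'];
EOF
cat > "$WEBROOT/index.php" <<'EOF'
<?php
require __DIR__ . '/wp-blog-header.php';
EOF
echo "$WEBROOT/wp-content/plugins/owner-check/owner-check.php" > "$ALLOWLIST"

echo "== all hits =="; scan_indicators "$WEBROOT"
echo "== hits after allowlist =="; scan_indicators "$WEBROOT" | drop_allowlisted "$ALLOWLIST"
```

Keep the allowlist short and path-exact: it suppresses a file, not a pattern, so a reviewed plugin that later gets modified will still be caught by the snapshot comparison in part two.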
Checking for rootkits and server backdoors with rkhunter
sudo yum install rkhunter
sudo rkhunter --propupd
sudo rkhunter --checkall
sudo grep -i warning /var/log/rkhunter/rkhunter.log
2️⃣ Part two - Securing your WordPress site and server
First of all, make sure you update your WordPress version and all plugins, including premium plugins and themes!
Secondly, I would like to recommend installing these three plugins:
1) https://wordpress.org/plugins/wordfence/ This is a really popular web application firewall that managed to block the attacks I was receiving through an updated but still vulnerable plugin.
It has two main features that we are interested in:
2) https://wordpress.org/plugins/ninjafirewall/ This is another web application firewall that offers additional protection against common attack vectors, but the feature we are interested in is located under Monitoring > Snapshot. Taking regular snapshots of your file structure and comparing them with newer ones is the most reliable way of detecting malware on your application/server.
3) https://wordpress.org/plugins/ninjascanner/ This is a separate malware/webshell scanner and file integrity checker which sometimes detects infections that the other solutions miss.
Overall, installing all three of these plugins on a WordPress instance did not result in any visible decrease in site load speed.
A couple of additional measures
Ensure your WordPress file permissions are correct. Run these from the WordPress root directory; note that 600 on wp-config.php only works if the file is owned by the user PHP runs as, otherwise use 640 with the web server's group as the file's group.
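The snapshot-and-compare idea is simple enough to also run from cron on the server itself, independently of any plugin. The script below is an added example, not NinjaFirewall's code and not code from the original post: a snapshot is a sorted list of "sha256<TAB>relative path", and comparing two of them lists files that were added, removed or modified since the baseline. The sample tree and the simulated changes are constructed.

```bash
#!/bin/sh
# Added example (not from the original post, not the plugin's code): file
# integrity snapshot and comparison for a WordPress tree. Sample tree constructed.

hash_file() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{ print $1 }'; }

# Print "sha256<TAB>path" for every regular file under $1, paths relative to $1.
snapshot() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# Compare two snapshot files and print "ADDED|REMOVED|MODIFIED<TAB>path", sorted.
compare_snapshots() {
  awk -F'\t' '
    FILENAME == ARGV[1] { old[$2] = $1; next }
    { new[$2] = $1 }
    END {
      for (p in new) {
        if (!(p in old)) print "ADDED\t" p
        else if (old[p] != new[p]) print "MODIFIED\t" p
      }
      for (p in old) if (!(p in new)) print "REMOVED\t" p
    }' "$1" "$2" | sort
}

# Constructed sample: baseline taken right after cleaning the site.
WEBROOT=$(mktemp -d)
BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -rf "$WEBROOT" "$BASELINE" "$CURRENT"' EXIT
mkdir -p "$WEBROOT/wp-includes" "$WEBROOT/wp-content/uploads/2020/01"
echo '<?php $wp_version = "5.4";'                     > "$WEBROOT/wp-includes/version.php"
echo '<?php require __DIR__ . "/wp-blog-header.php";' > "$WEBROOT/index.php"
echo 'readme'                                         > "$WEBROOT/readme.html"
snapshot "$WEBROOT" > "$BASELINE"

# Simulated changes since the baseline: a core file edited, a hidden PHP file
# dropped into uploads, and readme.html removed.
echo '<?php $wp_version = "5.4"; // tampered' > "$WEBROOT/wp-includes/version.php"
echo '<?php // constructed placeholder'       > "$WEBROOT/wp-content/uploads/2020/01/.cache.php"
rm "$WEBROOT/readme.html"
snapshot "$WEBROOT" > "$CURRENT"

echo "== changes since baseline =="
compare_snapshots "$BASELINE" "$CURRENT"
```

Store the baseline outside the web root and re-create it after every legitimate update, otherwise every plugin upgrade shows up as hundreds of MODIFIED lines and the real finding gets lost in the noise.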
sudo find . -type f -exec chmod 644 {} +
sudo find . -type d -exec chmod 755 {} +
sudo chmod 600 wp-config.php
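Before applying the chmod commands wholesale, it helps to see what is actually off. The audit below is an added example, not code from the original post: it reports every deviation from the 644/755/600 scheme above, and additionally lists PHP files under wp-content/uploads, a location where the media uploader never stores PHP, which goes beyond the post's own list. The sample tree and its deliberately wrong permissions are constructed.

```bash
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# the 644 / 755 / 600 scheme before changing anything. Sample tree constructed.

# Print "CHECK<TAB>path" for every deviation found under the WordPress root $1.
audit_permissions() {
  ( cd "$1" || exit 1
    find . -type f ! -path './wp-config.php' ! -perm 644       | awk '{ print "FILE_NOT_644\t" $0 }'
    find . -mindepth 1 -type d ! -perm 755                     | awk '{ print "DIR_NOT_755\t" $0 }'
    find . -maxdepth 1 -name wp-config.php ! -perm 600         | awk '{ print "WPCONFIG_NOT_600\t" $0 }'
    find ./wp-content/uploads -type f -name '*.php' 2>/dev/null | awk '{ print "PHP_IN_UPLOADS\t" $0 }'
  )
}

# Constructed sample tree with a few deliberate problems.
WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/wp-content/uploads/2020/01" "$WEBROOT/wp-admin"
for f in index.php wp-config.php wp-admin/admin.php \
         wp-content/uploads/2020/01/photo.jpg wp-content/uploads/2020/01/cache.php; do
  echo 'constructed placeholder' > "$WEBROOT/$f"
done
chmod 644 "$WEBROOT"/index.php "$WEBROOT"/wp-admin/admin.php "$WEBROOT"/wp-content/uploads/2020/01/*
chmod 755 "$WEBROOT/wp-admin" "$WEBROOT/wp-content" "$WEBROOT/wp-content/uploads" \
          "$WEBROOT/wp-content/uploads/2020" "$WEBROOT/wp-content/uploads/2020/01"
chmod 644 "$WEBROOT/wp-config.php"                 # too open: the post wants 600
chmod 777 "$WEBROOT/wp-content/uploads/2020/01"    # world-writable directory
chmod 666 "$WEBROOT/wp-content/uploads/2020/01/photo.jpg"

echo "== permission audit =="
audit_permissions "$WEBROOT"
```

A world-writable upload directory combined with a PHP file inside it is exactly the combination to look at first; the three chmod commands above fix the permissions, but the PHP file in uploads needs a manual look.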
Disable dangerous PHP functions (without breaking your site's functionality). Put the following in your php.ini (or the php-fpm pool configuration) and restart PHP afterwards. Note that eval is a language construct, not a function, so disable_functions cannot block it, and allow_url_fopen and open_basedir are ini directives rather than functions, so they get their own lines (the /tmp entry is needed for PHP's temporary upload files):
disable_functions = show_source, system, shell_exec, passthru, phpinfo, popen, proc_open, exec, parse_ini_file, symlink
allow_url_fopen = Off
open_basedir = /var/www/html:/tmp
Of course, these are just some of the measures you can take. In my particular case, they seem to have cleaned the server and stopped the infection, but any additional measures you can take are recommended.
If you have any questions or would like to add something to this article, don't hesitate to leave a comment.
🏠 Stay safe!