Compromised websites

Website hacking is a growing trend with many unsecured sites getting modified by hackers, having content added to them or being blocked entirely. In most cases the site’s index.php file gets compromised and it is necessary to re-build the site with backed-up files which once again relies on keeping all modifications to a website saved in a secure backup. Such hacks of websites are typically caused by outdated website creation software such as WordPress which is one of the most popular tools used for creating sites.

Below is an example of a hacked site, as revealed by searching for the site in a web browser such as Internet Explorer or Google Chrome.


The above links point to the website’s landing/home page; since this is a local, English-language website, foreign characters should not appear in its search listing. In fact, Google Chrome reported that the site has possibly been hacked, as indicated in the text under the domain.

For WordPress, the index.php file is used as a fallback template if there’s no more specific template file to define the rules of the theme. Another way of thinking about index.php is that it controls how the site behaves if there are no other settings. Looking at the file in such a scenario, there is usually a large amount of injected foreign code, and this code changes the content of the web page.
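The practical way to spot injected code like this is to compare the live site against the backup the post keeps stressing. As an added example (not code from the original post), here is a small PHP command-line script that records SHA-256 hashes of every file in a known-good copy of the site and later reports files that were added, modified or removed, flagging changed PHP files that contain markers commonly seen in injected code. The site path, the `manifest.json` file name and PHP 8 (for `str_ends_with`) are assumptions; the marker list is a heuristic, not proof of compromise.

```php
<?php
// Added example: file-integrity check for a WordPress tree against a baseline
// taken from a known-good backup. Paths and manifest name are assumptions.
declare(strict_types=1);

/** Walk $root and return [relative path => sha256] for every regular file. */
function build_manifest(string $root): array
{
    $root = rtrim($root, '/');
    $manifest = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

/** Compare the live tree with the baseline: lists of added/modified/removed paths. */
function compare_manifests(array $baseline, array $live): array
{
    $result = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($live as $path => $hash) {
        if (!isset($baseline[$path])) {
            $result['added'][] = $path;
        } elseif (!hash_equals((string) $baseline[$path], $hash)) {
            $result['modified'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($live[$path])) {
            $result['removed'][] = $path;
        }
    }
    return $result;
}

/** Heuristic markers often present in injected PHP (review the file by hand). */
function suspicious_markers(string $source): array
{
    $patterns = [
        'eval('          => '/\beval\s*\(/i',
        'base64_decode(' => '/\bbase64_decode\s*\(/i',
        'gzinflate('     => '/\bgzinflate\s*\(/i',
        'str_rot13('     => '/\bstr_rot13\s*\(/i',
        'long \x escape run' => '/(?:\\\\x[0-9a-f]{2}){20,}/i',
    ];
    $hits = [];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $source)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Usage (assumed paths):
//   php integrity_check.php --baseline /path/to/clean-backup   # writes manifest.json
//   php integrity_check.php --check    /var/www/site           # compares and reports
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    $manifestFile = __DIR__ . '/manifest.json';
    if ($argv[1] === '--baseline') {
        file_put_contents($manifestFile, json_encode(build_manifest($argv[2]), JSON_PRETTY_PRINT));
        echo "Baseline written to $manifestFile\n";
    } elseif ($argv[1] === '--check') {
        $baseline = json_decode((string) file_get_contents($manifestFile), true) ?: [];
        $root = rtrim($argv[2], '/');
        foreach (compare_manifests($baseline, build_manifest($root)) as $kind => $paths) {
            foreach ($paths as $p) {
                $line = "$kind: $p";
                if ($kind !== 'removed' && str_ends_with($p, '.php')) {
                    $hits = suspicious_markers((string) file_get_contents("$root/$p"));
                    if ($hits !== []) {
                        $line .= '  [markers: ' . implode(', ', $hits) . ']';
                    }
                }
                echo $line, "\n";
            }
        }
    }
}
```

Run the `--baseline` pass against the clean backup, keep `manifest.json` outside the web root, and run `--check` on a schedule; a modified `index.php` that also trips the marker check is exactly the symptom the post describes.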

WordPress and all its plugins are software running on a server. As such, the software gets regular updates from its developers. These updates can include new features as well as security patches. If they are not applied, the known weaknesses in the outdated versions remain exploitable.

Restoring the website to its former glory is the easy part. Making sure it does not happen again takes some knowhow.

Restoration steps:

  1. Restore backup of website or the index.php (depending on how big the website is and how bad the infection/compromise)
  2. Update WordPress installation (done from within WP admin portal)
  3. Update WordPress plugins
  4. Remove any unnecessary plugins – more plugins can slow your website down as well as increasing vulnerabilities

Now that the website is restored, the site needs to be revalidated by search engines such as Google in order to correct the search results.

Revalidation steps:

Firstly, one needs to have Google get rid of the old/compromised search results.

  1. Log into Google’s Search Console – Register for a free account if you don’t already have one.
  2. Add/Select your property (website)
  3. Navigate to Google Index → Remove URLs
  4. Enter your website URL and select the preferred option

This sends a request to Google to clear your website from their search index (search results).

Next you will need to have Google re-index the website so that the search results only show the latest website information.

  1. Navigate to Crawl → Fetch as Google in the webmaster tools
  2. Add your website URL in the provided space and select Fetch
  3. Your site will be added to the list below
  4. Select Request Indexing or ReIndex
  5. The request will be sent to Google to process

The last step is to remove the ‘This site may be hacked’ message on your website’s search results. Remember that this should only be done when you’re sure all the issues have been addressed.

This will be done in the Google Search Console by navigating to the Security Issues tab. Here you’ll see any detected issues for your website. Simply select ‘Request Review’ and complete the popup form to proceed.

When the security review has been completed and all issues were resolved, you’ll see clean search results and have a better site ranking.

How to avoid:

Hardening security is the best practice in this scenario. There are no 100% hack-proof security measures. The best we can do is put processes in place that will limit or control the potential damage caused by hackers.

  1. Protect the web server – install trusted antimalware to protect your files and network (this is dependent on whether you’re using a hosting provider or your own server).
  2. Make sure that all software and patches are up to date. This includes your server’s Windows security patches (self-managed web server) as well as WordPress and its plugins.
  3. Back up your server and website regularly
  4. Always change the default administrator usernames and passwords to something unique and complex.
  5. Access control: add users to allow access to the website admin portal – do not just hand out the main admin credentials
  6. Install a managed firewall to help prevent brute force attacks
  7. Define blacklisted words for comments and forms

Advanced Steps

  1. Secure your website – install an SSL certificate
  2. Change the default WP-Login URL – WordPress Admin Portal
  3. Add two-factor authentication for login
  4. Disable file editing in WordPress
  5. Hide the wp-config.php and .htaccess files
  6. Implement strong user input validation on all forms – prevents comments containing foreign characters which could be used for attacks like SQL Injection or Cross Site Scripting.
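Step 6 deserves a concrete shape. The following is an added example, not code from the original post or from WordPress itself: server-side validation for a comment form in PHP, combined with the two controls that actually stop SQL injection and cross-site scripting regardless of which characters a visitor types, namely a prepared statement for storage and escaping at output. The table and column names, the commented-out database DSN and the deliberately strict name pattern are assumptions made for illustration.

```php
<?php
// Added example: validate a comment form, store it with a prepared statement
// and escape it on output. Table/column names and DSN are assumptions.
declare(strict_types=1);

/** Validate raw form input; returns ['ok' => bool, 'errors' => [...], 'data' => [...]]. */
function validate_comment(array $input): array
{
    $errors = [];
    $name  = trim((string) ($input['name'] ?? ''));
    $email = trim((string) ($input['email'] ?? ''));
    $body  = trim((string) ($input['body'] ?? ''));

    // Structural checks: length limits and an allowed character set per field.
    if ($name === '' || mb_strlen($name) > 60 || !preg_match('/^[\p{L}\p{M}\s\'.-]+$/u', $name)) {
        $errors['name'] = 'Name must be 1-60 letters, spaces, apostrophes, dots or hyphens.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    // Reject control characters (other than newline and tab) and oversized bodies.
    if ($body === '' || mb_strlen($body) > 2000 || preg_match('/[^\P{C}\n\t]/u', $body)) {
        $errors['body'] = 'Comment must be 1-2000 characters without control characters.';
    }
    // Crude automated-spam tell: more than three links in one comment.
    if (preg_match_all('#https?://#i', $body) > 3) {
        $errors['body'] = 'Too many links.';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'data' => ['name' => $name, 'email' => $email, 'body' => $body]];
}

/** Store with a prepared statement: user data never becomes part of the SQL text. */
function store_comment(PDO $db, array $data): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (author_name, author_email, body, created_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$data['name'], $data['email'], $data['body']]);
}

/** Render for HTML: escaping at output is what neutralises stored XSS. */
function render_comment(array $data): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><strong>' . $e($data['name']) . '</strong>: ' . nl2br($e($data['body'])) . '</p>';
}

// Constructed sample submissions (not real traffic) to show both outcomes.
foreach ([
    ['name' => "Alice' OR '1'='1", 'email' => 'alice@example.com', 'body' => 'hello'],
    ['name' => 'Bob', 'email' => 'bob@example.com', 'body' => "Nice post <script>alert(1)</script>"],
] as $submission) {
    $result = validate_comment($submission);
    if (!$result['ok']) {
        echo 'Rejected: ', implode(' ', $result['errors']), "\n";   // first sample: bad name
        continue;
    }
    // $db = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass');  // assumed DSN
    // store_comment($db, $result['data']);
    echo render_comment($result['data']), "\n";   // second sample: <script> is escaped
}
```

The first sample fails the name pattern and is rejected; the second passes validation (there is nothing structurally wrong with it) and is made harmless by `htmlspecialchars` when rendered. The point is that validation narrows input, but parameterised queries and output escaping are what remove the injection risk.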

For how to carry out the advanced steps mentioned above, please see WordPress’ guide ‘Hardening WordPress’.
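Two of the advanced steps (forcing SSL for the admin area and disabling file editing) are set with constants in wp-config.php. The fragment below is an added example, not taken from the original post or from the WordPress guide, of what those lines look like; the constants themselves are real WordPress settings, and the file's database credentials and salts are omitted. The lines belong above the “That’s all, stop editing!” marker in an existing wp-config.php.

```php
<?php
// Added example: wp-config.php constants for the advanced steps above.
// Only the hardening-related lines are shown; DB settings and salts are omitted.

// Step 4: disable the theme/plugin editor in the admin portal, so a hijacked
// admin session cannot be used to write PHP into the site from the browser.
define('DISALLOW_FILE_EDIT', true);

// Stricter variant: also block plugin/theme installs and updates from the
// portal, so changes only arrive through your deployment process.
// define('DISALLOW_FILE_MODS', true);

// Step 1 (once the certificate is installed): require HTTPS for the login
// page and the whole admin area so credentials and cookies never travel in clear.
define('FORCE_SSL_ADMIN', true);

// Keep automatic core security (minor) updates on, in line with the
// restoration steps' advice to stay patched.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Never leave debug output on in production: it leaks paths and queries to visitors.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
```

Protecting wp-config.php and .htaccess from direct requests (step 5) and renaming the login URL (step 2) are done in the web server configuration or with a plugin rather than in this file, which is where the WordPress hardening guide picks up.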

F-Secure Radar is a vulnerability scanning solution which will greatly assist in finding any weaknesses on your web server as well as web applications (WordPress). It checks for issues like outdated patches, open ports, server misconfigurations and many more. All scan results are provided with a severity level as well as remediation suggestions.

For more information regarding F-Secure Radar, please visit the link below.

https://www.cybervision.co.za/radar/