Thank you very much for attending our webinar on how to fix your hacked WordPress websites. So I work at Sakura. I’ve worked security for three years and I work on the remediation team, and so I’m part of the team that goes in and identifies where the malware is removes the infection and tries to identify new kinds of malware new kinds of hacks that are that are going On and occurring so just a little bit about me before we begin I’m from beautiful Victoria BC, Canada there’s a couple of others to curry employees that live and work here as well.
So if you’re ever in the area come say, hi and I’ve worked in software and security for a total of six years and I’ve cleaned a lot of WordPress websites, um we’re not limited just to WordPress. You know we do a lot of clean a lot of Magento ecommerce websites, Joomla Drupal mod X, whatever you know we’ll clean whatever you can throw at us, but for the purposes of this webinar we’re just going to be focusing on WordPress WordPress, of course, is the Most common CMS – and it’s very frequently you know, there’s uh it’s it’s the platform that we deal the most often with and so part of my job is to identify new strings of malware, sending samples to our research team, identifying trends and, what’s going on in the Website security, world – and I also last year, spoke at WordCamp in Vancouver and Toronto and Portland.
So I’ve broken down this presentation into three different sections, so the first one is going to be just signs that your website was compromised. You know I’ve actually worked with clients that their website was hacked a years ago and they had no idea without proper monitoring in place and and logging things modifications to files, you can your site can be hacked and you would have no idea. So it’s really important to take that into account.
Also, the next section is how to actually find the malware and remove it how to identify where it’s coming from what the culprits are, and the third section is what to do after a hack – and this is arguably the most important part that a lot of people Forget so you need to take some proactive measures to make sure that the bad guys aren’t going to come back. You know the next day because you don’t want to be back at square one right so without further ado how to tell if your website was compromised.
There’s a number of different symptoms that you want to look out for, and I’ll just briefly go over each one of those here. So, of course, the most obvious one is that your website has been blacklisted. Google, of course, is the most common one, but other search engines like Bing and Yandex and whatnot also maintain their own blacklists. Antivirus vendors such as norton mcafee malwarebytes, have maintained their own blacklist as well, and we maintain a blacklist also.
So if you want to check to see if your website is blacklisted mosey on down to virustotal, calm type in your website domain name, and it will check your website against a whole bunch of different blacklist to see if it’s getting flagged anywhere. There’s an example image on the right of a website: that’s getting flagged by five different vendors. Now I in this presentation I’ve included as many practical examples as I can, because it’s one thing to talk about website security, but it’s another thing to actually understand what you’re.
Looking at and be able to understand what you’re seeing right, so I’ve included as many practical screenshots and examples as I can, and also one thing. That’s really important is to listen to your website visitors and what they’re reporting on your site. You might not be getting any warnings on your end, but they may be using a different antivirus program, for example, so they might be getting warnings and you’re.
Not so you know pay careful attention to what your website visitors are saying. If you try to access a website that is blacklisted by Google you’re going to see something like this pretty strong indicator, that something’s gone wrong right, and this is the most common way that people realize that their website has been compromised. The second thing that you want to look out for is, if you see any spam in Google search results.
Spam infections are actually really really common over websites, and so, if you notice some sort of weird contents showing up in Google related to your website, for example, pharmaceuticals, adult content or I’ve even seen a cat food spam, there’s all sorts of strange stuff. And so what you can do is go to google and type in site colon and then your domain name and Google will give you a result of all the links that have been crawled there.
And if you see stuff like in the example screenshot there, then there’s a strong likelihood that your your website has been hacked, especially if it’s a website that doesn’t sell pharmaceuticals right. So if Google does suspect that there is spam on your website, they’re going to label it with this site might be hacked right. So it’s important to recognize the different warnings that Google will show if your website is throwing malware or redirecting visitors to no exploit kit landing pages they’re going to issue a different warning that says this site might harm your computer right.
If you find that your website traffic is getting redirected elsewhere, so, for instance, if you try to access your website and all of a sudden you land up at adult dating web sites, then that could be attackers that are redirecting your traffic to a location of their Choice sometimes it’s just sort of innocuous spam, but other times it can be something way more serious, phishing pages or ransomware exploit kits that kind of stuff.
The image on the right is a hacked htaccess file, which I’m going to go into a little bit more detail. Later but suffice it to say any visitor to your site that matches one of the listed user agents. It’s going to get redirected to the the Russian bogus domain at the bottom, so again make sure that your you listen to what your visitors are reporting. It was a really common infection that we saw last year, where only traffic from mobile devices was getting redirected to like adult dating websites, so sometimes it can only affect certain user agents, certain computers and other ones the website functions.
Normally, if you notice any weird pop-ups new tabs opening up pop-ups pop-unders, this is a strong sign that there’s been some malicious or spammy modifications made to your website. So if you’ve noticed that every time you go to your site, all of a sudden, you get some weird pages, like the one displayed here, that that’s a big red red flag for sure. You can also use, are very handy site check tool which is free.
You can go to WWE camera net and scan your websites for malware and spam. It will also check your website against a number of different black lists, so it is a very useful tool to see if there’s any malicious stuff loading we update site check very frequently malware is changing all the time right. There’s always new variants of code new infections going around, and so we update site check frequently to make sure that it’s catching the most.
You know, especially the most common malware that we see and, of course, if you go to your website – and it looks something like this – that’s a pretty strong indicator – that’s you’ve been hacked. Defacement attacks like this are very unsophisticated, very basic, but they do happen and it’s kind of scary, to go to your sites and see something like this right, so are cool. We’ve decided we’ve determined that your website’s is compromised.
What do we do now? Well, WordPress is a really powerful platform, particularly because it’s so straightforward and so easy to use. But for that same reason, it’s actually fairly easy to determine the source of hacked WordPress website, because the platform is so straightforward and you can actually, even if you’re not super sophisticated with you know the backend of websites or malware or whatever you know you can go Through the process of elimination, using some tools to basically find the source of the problem that way, um and well, what I’m going to do is I’m going to go through this whole list here, help core files, plugins, etc and elaborate a little bit on each section And we can just go through them one by one by one and eventually we’ll find the source of the hack right and, if you’re wondering what uh this weird thing on the right is: that’s a nice juicy piece of malware heavily obfuscated code.
So I want to go through a couple of tools that you’re going to want to be familiar with before we begin. All these tools are free, I’m not going to cost you any money and unfortunately I can’t go into like super huge detail about all of them, because I could do a whole webinar just on this slide, but I do want to mention them before we get started. So um the security scanner, WordPress plugin, is a really good tool to have.
You can download it for free from wordpress.Org, and it’s a really good diagnostic sort of monitoring tool will it’ll check your core files, the core integrity of your files, it’ll log who’s logging into your WP admin page and from which IP and when it’s a very useful Thing to have you’re also going to want to have an FTP client like FileZilla, so you can actually check the the files on your on your server also, please be sure to install a script blocker such as no scripts for Firefox, which is a browser add-on.
Google Chrome has a very similar one several to choose from, but basically the the script Locker is the most important tool that someone can have in their arsenal when they’re working with a hacked WordPress websites, because you know you don’t want your computer to get infected when You’re trying to fix the Hat right so make sure you’re not allowing scripts to to execute and, and that way you can protect your browser from getting infected too right, um, VirtualBox or VMware.
Some sort of virtualization tool is a very useful thing to have um. That way, you can work in a sort of sandbox environment where you don’t have to put your main computer at risk. An ad blocker is also very useful. There’s been quite an increase in in malvert izing, lately, rogue ad networks, bogus ad networks spreading trojans and bad stuff and actually uh. You block origins my favorites and it’s actually quite a good diagnostic tool and it can help check all the all sorts of different third-party content.
That’s loading on your on your website. If you need to check your database, you can use PHP my admin or admin er. A PHP myadmin is available from your cPanel. If you don’t have cPanel you can head on down to admin org and that that will allow you to connect to your database and check for spam and iframes and that kind of stuff. Anything weird, that’s loading. Honorable mention goes to a user agents.
Witcher some malware or spam will only a deploy if it’s a certain user agent is triggered. It’s really Commons, for example, for spam only to show the search engines but won’t show to regular website visitors right and, of course, the support forms at wordpress.Org are a really important thing to to use. There’s a really great community in place that can can help you troubleshoot help guide you in the right direction, if you’re kind of lost and not really sure what to do or where to look.
So I do want to say that really important to back up your website. First, before you make any changes here, because removing malware can be tricky and if you especially do not entirely sure what you’re doing you could damage your websites and leave yourself with a blank white screen of a website. And, of course, a blank white screen is the cleanest website you can possibly have, but it’s not particularly useful right so make sure you or your hosting provider, has a full backup of your files, backup of your database, because you don’t want to lose all your hard Work right we have to if anything goes wrong, you want to be able to reset and go back to square one and try again right right.
So that’s particularly true if you’ve made any modifications to your theme, files and customizations to the code that you’re using you want to make sure that you back up everything before we begin. Okay, so uh. The first thing that we can we can go through here are the core files for those of you who don’t know the core files are. The WP includes WP admin and files in the root of your your website and there’s some files that tend to get infected more more frequently than than other ones.
So, for example, the index.Php file is very common. We can see in the screenshot here from our secure scanner plugin, that this person’s index dot PHP file, has been modified and has had a whole bunch of code added to it. I know from working with WordPress sites quite a bit that that’s a really big index dot PHP file. There’s you know, it’s been modified, there’s been some code added to it, that’s a very big red flag and in all likelihood that’s that file has had malware added to it same with the WP prong right.
So you want to make sure that you have some sort of monitoring in place to check to see when your core files were modified if they were modified. Because if something bad happens, you need to know about it right and if you’re really not sure you can just download a fresh copy of WordPress from wordpress.Org and just replace all your core files and and just overwrite it with no good comms right. So this is an example of an infected WP load.
Php core file we can see all the code at the bottom is is legitimate, but there’s two big ugly strings of an encrypted code at the top right labeled with do not delete. Of course, it’s really common for malware to be encrypted like this and and WordPress does not allow encryption to be used in in any files that are part of the software part of the repository. So if you see something like this, you know it’s a pretty pretty big red flag right.
The next thing you want to check are your theme files. This is a really common place to hide malware and the reason being is because you know no matter what page or posts your visitors are on. These theme files are going to be in use, I’m going to be loading, so it’s a very effective way of deploying malware and making sure, because the attackers want to infect as many visitors as they can for the most part right.
So in this example image we can see that the header dot PHP file was modified recently at a totally different date than all of the rest of the files that they were within. The theme right – and this is a really common thing – that I do if so, for example, if a client comes to us with an infected websites and we scan it didn’t know, everything kind of seems clean. I always check the team files first right, um because uh you know it’s it’s just it’s one of the most common places to check common files.
Index header footer functions, 404 dot PHP. These are all files that you’re going to want to check and again much like the core files, if you’re just not sure what you’re looking at and you kind of aren’t comfortable with this download a fresh copy of your theme, and you know upload it and reinstall. It and that will fix any modifications that have been made again. I want to remind you, if you’ve made any modifications to your theme files, any customizations, anything like that make sure you have a backup.
Another technique that we use is, if we suspect, perhaps it’s the theme, but we’re not sure what you can do is download a copy of one of the default WordPress themes from WordPress or something like 2016 2015 whatever and switch your active theme to that, and if The problem still remains or if the problem is fixed, then you know it’s your theme right. So, for instance, if site check was flagging, some spam or flagging some malware on your website and you switch to new theme and you rescan and it’s clean.
You know this is the theme right. Here’s an example of an infected header.Php file. We see all the code here is legitimate, except when we get to the bottom. We see this weird ugly, purple string of numbers when decoded all this script does is just redirect. Someone to a bogus pharmacy website, but the reason it’s encoded like that is because, if you notice that your website traffic was redirecting to you, know bogus pharmacy com, you could just search your website files for pharmacy and you would find your culprit like right away.
So this is the motivation behind a lot of the encryption obfuscation in use that we see right. Plugins are the next thing that you’re going to want to check. Um plugins are very problematic, particularly old, out-of-date plugins. They pose a whole big set of problems. I would date: plugins are one of the most common reasons why websites get attacked due to vulnerable code in them. So you want to make sure your plugins are up-to-date all the time.
Plugins files are also a pretty common place for attackers to place backdoors, and you know also malware can can be hiding in plugins. Bad guys can add malicious code to plugins, and if the plug-in is active, then the code will be present on your site right, avoid. With both themes and plugins, please avoid using pirated software. It’s almost always infected, so you want to make sure you’re using legitimates.
You know the sources for the software that you’re using and much like things. You know if you are not sure what to do just remove any plugins you’re, not using download fresh copies of the ones that you are replace the files with fresh copies and away you go here is a an example page that world very familiar with WP admin. Page full of a whole slew of out-of-date plugins, so this is something we want to avoid.
Make sure you update, update, update security, guys can’t stop saying that enough. This is an interesting example. This is a bogus plugin entirely bogus, but unlike a lot of the malware that we see it’s not encrypted, it’s not obfuscated it’s properly, formatted indented. It looks normal at first glance, but what this plug-in code actually does is generate a whole. Thousands of focused torrent, download links through your your website, so it doesn’t have to be encrypted to be bad um.
The database is the next thing you want to check. This is a really common place for spam to hide um. So if you see spam being flagged by site check – or you see spam and Google search results, it’s there’s a very good chance that it’s been lodged in your database somewhere, but also like the example in the image here shows it’s uh. It is also somewhere where they can inject malicious code also, so you want to just just for those of you that don’t know the databases where all that your sort of content is stored.
So if you make a blog post says hello world, the text hello world is launched is is loaded into the database. That’s also where your settings, Earth or theme settings user settings all that kind of stuff. So this is a for example. This is a really common kind of infection that we see here. This is, if you look at the top, it says: style.Display equals none. So the code is there, but it’s not displayed.
So you can look, you know just be browsing your website and normal everything seems fine, but when search engines browse the page, they see all these spam likes and that can really hurt your websites SEO actually and that can take a while to repair a repair that Htaccess, a very interesting file, htaccess file, sort of instructs. How certain links behavior on your website is handled on. The right is what the default wordpress htaccess file looks like certain plugins will make legitimate changes to HT access, so, for instance, caching, plugins or some security plugins will modify it, but this is also pretty commonplace for attackers to insert bad code, especially as it applies to Redirects, so if some of your traffic is getting redirected to places, it shouldn’t make sure to check your HT Access file, that’s that’s where, if you wanted to redirect a user somewhere else, that’s usually where you do it, but it’s also where you can, for example, redirect Http traffic to HTTPS, you know, there’s legitimate uses for it, of course, but it’s a pretty common place for attackers to modify.
This is a really interesting example of a spammy htaccess file very interesting to look at, but actually what it does. Is you guessed it spam links in Google? This allows for all sorts of you knows spammy stuff, to generate there’s a lot of different variations of this kind of malware, and we can see from the top of the file there how it’s referencing index.Php. That’s because the index dot PHP file was modified.
Also, advertising networks can be problematic. A lot of website owners choose to employ the use of advertising that works on on their website. That’s fine, but they can post their own set of problems. They especially less reputable less well-known advertising networks can have problems of malvert izing rogue ads that deliver Trojans to do to visitors, and it can be quite difficult to to troubleshoot this, particularly if you’re using multiple advertising networks.
It can be hard to sort of track down which one it’s coming from. We see this problem a lot on a lot of article streaming, websites that employ you know three or four different ad networks. So I would recommend that everyone, if you, if you do choose to run ads on your site, use a well-known reputable network and none of the cheap ones. So this is an example of some bogus ad networks that were injected into a client’s database.
So there were, you know thousands of these links and what it did was anytime. Anybody clicked on one of the the links on the page. It would redirect them to spam sites right and sometimes it can actually be the server itself. This is not as common, but sometimes the server can itself be. Routed can be compromised, and so you notice this weird iframe, that’s generating on all your pages, but it’s also happening to like 150 other people they’re all on the same server right.
So these are really tricky to handle. It is possible to clean a rooted server, but really the what we would recommend doing. The sort of safest option is to migrate your site, your website to another server change, all of your passwords, and you know. Ideally, the server should be wiped and reformatted, because you know it’s hard to know. If it’s, you know fully fully fixed right and you want to make sure on this topic, you know, make sure your hosting provider is.
You know this is consider security to be a priority, because you know when, when, when things go wrong, your website gets compromised. You know your hosting provider, is, you know, you’re going to need to be in touch with them, and it’s good that they have good supports and take security seriously right um. The last thing I want to mention here is back doors back doors. Are there the trickiest part of all of this right attackers will sometimes inject you know, maybe one or two back doors onto the server, sometimes they’ll upload, hundreds of them, or sometimes in every single PHP file that they can find.
So you know, if you can, if you, for instance, website traffic is getting redirected elsewhere, you found the infected file in the header of your theme. You remove the malware and the redirects gone awesome great uh, the job’s done, but you’ll have exactly the same problem tomorrow, because the taggers always make sure that they can maintain access right and actually pretty common thing for them to do is to place a backdoor on The server and then wait for weeks or longer and the reason and then they’ll, deliver the payload, and the reason for that is because a very common thing for people to do when they realize they’re they’ve been hacked, is to restore backup from you know a week Or two ago, all the backdoor still there so they’ll still have access.
We find new kinds of actors, all the time, there’s new ones being written constantly, and it can be really tricky to track them all down. So this is why it’s important to make sure that you have some sort of logging of what files have been modified on your server and also a useful trick, if you’re not sure what you’re looking for or where you can check your server logs to see. If there are any files that are being directly accessed from you know, strange IP addresses or whatever we’ve written a little bit about finding and we’re moving back doors on blog dot, secure on net and I’d suggest, giving that a look and checking that out.
So, just so, you know how to recognize a backdoor when you see one there’s one injected at the very top of this file. Now this was a client’s, footer, dot, PHP file from their theme and at the top you can see the part. The first opening and closing PHP tag where it says: basics, t4d, code, post, ZZ Val. Basically, if that code exists or is present in one of your files, attackers can send a request to it and the backdoor will do do the attackers bidding essentially, so you don’t want to find yourself just back at square one after you worked so hard to get Your get the infection removed right.
I wanted to mention just a couple other helpful resources that that are useful when, when dealing with hacked sites, of course, site check, dots and career net is, as I already mentioned, is very useful. Um Redlegs File Viewer at Austin, app dot info is also super helpful for finding spam malvert izing redirects. That kind of stuff webpagetest.Org is also quite helpful. What it will do is it’ll load your website and just log every single thing: that’s loading every all.
The third-party content, all piles and just gives you a nice long list that you can you can investigate. Burp suite is a very, very useful application. Web application testing tool very useful for determining malvert izing. If any third-party content on your site is causing issues, it’s a little bit more advanced. So if you’re, not super tech savvy, you might want to hold off on that one, but a very, very fun to mess around with.
And if you find a nice big encrypted chunk of PHP code – and you want to see what’s inside, you can mosey on down to DD code column or unpinch P net, and it will attempt to decrypt it and do obfuscate it to let you know. What’s hiding inside so all right, we’ve we’ve found the infection we’ve removed the malware. What do we do now – and this is the part that people very frequently overlooked, and we have to remember that the attackers are going to be back alright once they determine that? This is a vulnerable website.
We can exploit that they’ll just do it again and again and again and again, because they know that the root causes are rarely addressed. It’s you know, people a lot of site owners, don’t update their plugins, don’t change their passwords. They don’t update WordPress, so we need to just you know: leave no stone unturned. Make sure you update all your stuff here and just acknowledge that the attackers are.
They will be back in as much as working with a hacked website and can be stressful. Nobody really wants to do it, no one wants to get hacked, but this is just the reality right. So the most important thing is update, update, update update. I can’t stop saying this enough. Out-Of-Date software is by far the leading cause of infection, and you want to make sure that your website is properly maintained, properly updated all the time.
This is a constant process. This is not something that you can just do once and then forget about it. You know there’s new updates constantly right, so please make sure that you’re taking proactive steps to maintain your website properly, and this is really the best thing that you can do to prevent attacks change all your passwords after a compromised and just assume that all of your Passwords were were leaks, right, FTP, cPanel, WP admin, everything just change them all.
You can’t can’t be too careful right and I would I would recommend that you use a password manager like LastPass and in my line of work I have seen some atrociously bad passwords. So please make sure that uh that your passwords are complex, that they’re, you know difficult to brute-force. You know can’t be too careful right review. Who has access to your website? Also um. You know I’ve seen cases where I’ve seen WordPress sites with 15 or 20 different admin users.
You only give administrative access to who absolutely needs it and for the amount of time they need it for at which point revoke their their access. You know I’ve seen cases where a client will have hired a developer to work on their site like a year ago, and they just left the admin account there and the password was weak and it was brute forced and their their website was compromised because of it.
Um, so you know I have as few admin users as possible. It’s also not a bad idea to have like a set. It’s account that you use for just basic stuff, like updating blog posts and uploading media files, that sort of thing and a separate admin account for doing admin stuff that you, you know, keep under lock and key, and a nice term that we like to use in The security world is decreasing the attack surface, and what that means, and in simple terms, is just decrease the amount of things that could possibly go wrong.
So what that means is getting rid of plugins that you’re not using getting rid of old themes that you’re not using anymore, if you have any old versions of your website and backups or whatever, laying on your server migrate them off just have as few stuff on Your server as necessary, and that will really go a long way in preventing problems in the future you’ll also want to make sure you scan your workstation.
This is really important because, if your workstation, your laptop whatever website or whatever computer you’ve, used to work on your websites, if it’s infected, that can cause your website to get infected too. I remember a client I worked with once he. He followed our post infection steps to a tee. He changed all his passwords, he updated all his stuff and he was hacked again two days later because his computer was infected and it had a Trojan key logger on it and when he updated the password to the new one they just stole it again.
So you want to make sure you’re, you know scanning your your your workstation effectively and frequently, because that that’s that’s another piece of a puzzle that we don’t want to forget right. Make sure you have a backup schedule make sure that you’re performing backups of your websites regularly and that’s uh. You know they’re that they’re not stored on your production server. We do have a backup service for five dollars per websites per month.
It’s very easy to use. There’s a ton of other backup services to some hosting providers perform backups for um, but this is something you want to. You want to make sure you have a spare tire as it were if something goes wrong. This is a screenshot from our backup service and very easy to use. Super nice, simple interface and it’ll. Just do backup of your site every day and you can download them. You know at your leisure whenever, whenever you need to a copy, you can also perform some hardening of your websites.
You can do this. This image right here on the right is an HT access file which we you can place in WP content, slash uploads or in image directories places where PHP just doesn’t need to execute from our our plugin. Can the WordPress security scanner plugin can help you with this? You can also add some additional security rules to your WP config file, such as disallowing file edits. So in that sense, even if your websites, you’re in your WP admin page, is compromised, the files can’t be actually modified, so some developers really like the file edit function.
It’s very convenient, but unfortunately, convenience and security don’t always get along super well and last but not least, use of a Web Application Firewall. We offer one called cloud proxy, which is part of our security services, and it will proactively defend your website against attacks. In fact, the the malicious requests won’t even touch your server at all, because we will filter it out on through our servers right.
So we’re constantly updating a cloud proxy to make sure that it’s catching the the newest attacks. Though then it was attempts at compromised. It can help prevent against brute-force attacks, and you know attempts to access your WP admin page. It can do a whole lot and it’s it’s really good. Just for you know peace of mind, knowing that you have some. You know layer of defense between you and your websites and the broader web right so yeah, that’s so that’s pretty much it.
I hope you all found that helpful and informative and yeah. If any of you guys have any questions, then yeah, I would love to answer them. Well, then, we’ve got a lot of questions we’re going to try to get through some of them. I think it went through all of them. We’d be here for another couple hours. So first one this participant wanted to ask: is there a way to figure out how the hacker got in so we can catch the vulnerability.
For example, they can clean up all the plugins, but if the vulnerability is within a plugin that they’re using they can always get back in even with a fresh copy. This is one of the most common questions. That’s that we get asked at security. People almost always want to know who hacked me: how did they hack me when did it happen on? These can be really difficult questions to answer, and sometimes it’s not even really worth answering you know because the hack is done.
It’s already happens, you know, but you I mean you can look at your server logs. If you can, if you have any plugins on your website, that’s have known vulnerabilities, then you know that that’s a pretty strong indicator, that’s probably what happened, but it can be really difficult to to determine the source. We, I think, it’s it’s better to focus on just defense-in-depth, just taking every possible defensive measure update all of your software just be really proactive about it, because it can take a really long time to you know, do forensics work and try to figure out how they Got in exactly you use server logs are probably your best friend when it comes to that, but you you have to be cautious because that’s a rabbit hole that you may or may not want to go down.
It goes pretty deep at some times right. You can spend a lot of time trying to figure out exactly how they got in and come up fruitless at the end of it. You know there are companies that do forensic services too, but there’s like pretty expensive work, but in my opinion, it’s probably better. Just to focus on the road ahead of you, rather than behind you and just to try to you, know, be proactive about it and just follow the the the regular like you know: updating maintenance, site maintenance having good passwords.
Just it’s. I think it’s better to focus your energies on on that to try to prevent problems going forward. Then then, you know kind of getting caught up in the minutiae of how they got in where they got in. Why did they hack me all that kind of stuff? Because they’re hard questions to answer, you know there’s no two ways, two ways about it. So yeah I mean it can be done, but it’s time-consuming and you know just make sure that you’re focusing more on like proactive measures to to ensure that the problem doesn’t happen again.
Um. If there’s, if you have a vulnerability in one of your plugins um, it depends on whether or not that vulnerability is known or not. It could be a brand new one that someone just found and there is no update for the the plug-in. So it can be kind of impossible to tell um, but yeah, just you know, maintenance, your site regularly. Just you know, defense-in-depth have backups and, and you know, focus on the on the road forward is, is, I think, in my opinion, a better use of of time? Okay, um one of our viewers was curious to know.
What’s your browser of choice Firefox, I am a huge huge, huge supporter of open source. Uh open source is best source. I encourage everyone to support open source software whenever they possibly can. I love Firefox because it’s so modular there’s so many different add-ons available tons of different security, plugins and add-ons and that stuff and it’s all all open source, all free, so yeah Mozilla is awesome.
Firefox for the win. Okay, um! This person had a question. If your database gets compromised, can they decode your passcode password? Can they one string if your database got compromised, can they decode your password? I well. The Cass words are usually hashed and insulted, so it can be. It can be done, yeah um. So if you do suspect that your database was ever compromised, it’s best to just assume that they were compromised, that all the passwords were were were hacked right.
It’s better to be paranoid. Uh it’d be apparent. Oh yeah is a really big asset when you’re working with security. So if there’s any modifications done to your database that you didn’t authorize any spam links whatever change your database, passwords change all of your WP admin administrator passwords. You know it’s better just to assume so the passwords can be compromised. Yes, it does take a little bit of coaxing and trickery and it can be done so just assume that they were hacked yes, okay, um next question: do hackers only have access to the things and plugins that are active, or can they access inactive things? Things and plugins as well.
That’s a really good question. I would I would err on the side of caution and just assume. Yes, I think it probably depends um. I think some plugins that are deactivated. The the the hacks might not work if they’re turned off, but you can’t be too careful. You know just assume that they can. If you don’t, you know if you have a deactivated plug-in on your website that you’re not using it shouldn’t be there anyway.
You know just remove it. Um remove any software you’re, not using um. It’s a you know. We have to assume the worst. So just you know, as I mentioned earlier, just be paranoid, nice and paranoid and remove any and everything that you’re not using like. If you have a plugin, that’s deactivated on your website, you’re, not using in any way right. So just err on the side of caution, and you can’t be too careful.
Okay, uh. This next question is: how would you best monitor a file system? That’s on a hosted site, uh! That’s a really good question. There’s a few different ways to do it. I mean, I think it probably depends on your hosting provider and the kinds of tools that they have at your disposal. If you, if you’re, not really sure I mean what you can do is if you have a backups of your site, for example, you can compare the two so in Linux, the command that you would use is is diff, and so you have a backup on your Site on the left and you’ve got a more recent copy of your site on the right and you diff compare them and it will spit out the differences.
So that way you can check to see if, like what files have been modified, what code has been changed? So this is another reason why it’s important to have backups running right. So I believe, if you have a virtual private server, you should also be able to employ some file integrity, monitoring but yeah. It does kind of depend on your hosting provider and what what they offer so. Okay and our last questions.
There were a couple of questions that came around the freemium no portion of your presentation. Can you elaborate on that just a little bit just a more clarification around that? Oh absolutely yeah um. When I say no, the freemium, I just mean pirated um, so you know there’s a you have on one hand the WordPress repository, so basically everything that you could download from wordpress.Org all the free open-source, plugins themes, etc.
And then you also have companies that sell premium themes. So you know nice fancy, themes and plugins that cost you know 21 40 $ 60 whatever, and I’m talking about the free versions of those paid plugins and themes um. So you know uh it’s if you find a theme, that’s normally $ 60 and you find a website where they’re giving it away for free. Your first thought is probably wild. That’s wonderful! I just saved myself 60 bucks, but there’s a reason why someone hacked that theme and put it up for download for free and 99 % of the time.
It’s not because the Robin Hood, it’s because they’ve added their own malicious code to it, and once you install that pirated software onto your website, then you know they its backdoor words or you know. You’ll, see spam on your site or whatever and also using pirated software. Is kind of a crappy thing to do to to developers that work very hard and – and you know do that for a living, so whatever web, whatever software you’re you’re using on your website, make sure you obtain it from legitimate source.
If it’s paid, you know, pay the pay, the developers and for their hard work and just don’t use any stolen software. Essentially, and that’s what I mean by you – know freemium kind of stuff all right. Thank You Ben well. That brings us to the close of our webinar. We want to thank everyone for their participation. I’r sorry that we weren’t able to get to all the questions that were asked. But if you do have a question that you’re still wanting an answer to you can use our Twitter hashtag, ask the query and we’ll try our best to answer.