As the popularity of WordPress increases, so too does the number of hacked websites. Having had to fix quite a few hacked websites over the last several months, we decided to keep a log of how hackers gained entry to each website and what they did once they got in. A pattern started to appear that prompted this article. Read on to discover the common WordPress hacking fixes we applied to get the websites up and running again.

How do hackers get in?

The first step we take is to discover how the hacker got into the website. The most common way in is through outdated versions of WordPress, themes, and plugins: the hacker takes advantage of known vulnerabilities in unpatched software. Once in, the hacker takes over the website. On several occasions, the hacker also infected other websites on the same shared server. One hacker infected eight websites on one shared server, affecting several different companies.

Different hacking outcomes

Once in, the hacker changed files to deliver their payload. One hacker changed the .htaccess file to create a redirect away from the website. When someone visited the website, it immediately redirected to a spam website. This hack required root access to the web server software. This means that the hacker had access to the complete file system. After finding and repairing the changed file, the website was back online and functioning properly.

Tricky hacking

Another hacker changed the footer.php file of the active theme. This means that the hacker had admin access to the WordPress dashboard and knew the administrator login and password. This hack was a little tricky to find because the hacker used the JavaScript eval() function to hide the code. Security software was displaying the offending JavaScript filename, but the filename did not exist on the website. The eval() function dynamically created the file and ran it. Once found, we applied the hacking fix by cleaning the footer.php file.
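The two file-level symptoms described above (an off-site redirect in .htaccess and an eval() call hidden in a theme file) can be searched for across a whole site in one pass. The following is an added example, not part of the original article: the function names, the `own_hosts` parameter, the decoder list and the sample files are all assumptions made for illustration.

```python
import os, re, tempfile

# Heuristic patterns chosen for this example; not a complete signature set.
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|atob|unescape|fromCharCode)\b", re.I)
REDIRECT_RE = re.compile(r"^\s*(?:RewriteRule|Redirect\w*)\b.*?\bhttps?://([^/\s\"'$%]+)", re.I)

def scan_htaccess(text, own_hosts):
    """Return (line_no, host) for redirect directives that point off-site."""
    hits = [(no, m.group(1).lower()) for no, line in enumerate(text.splitlines(), 1)
            if (m := REDIRECT_RE.match(line))]
    return [h for h in hits if h[1] not in own_hosts]

def scan_code(text):
    """Return (line_no, reason) for lines that call eval()."""
    return [(no, "eval+decoder" if DECODER_RE.search(line) else "eval")
            for no, line in enumerate(text.splitlines(), 1) if EVAL_RE.search(line)]

def scan_site(root, own_hosts):
    """Walk a WordPress tree and return {relative_path: findings}."""
    report = {}
    for folder, _, names in os.walk(root):
        for name in names:
            if name != ".htaccess" and not name.endswith((".php", ".js")):
                continue
            path = os.path.join(folder, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            found = scan_htaccess(text, own_hosts) if name == ".htaccess" else scan_code(text)
            if found:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report

# Constructed sample files (not taken from any real site).
SAMPLE = {
    ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example/ [R=302,L]\n"
                 "RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\n",
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?>\n"
        "<script>eval(String.fromCharCode(97,108,101,114,116));</script>\n",
    "wp-content/themes/demo/index.php": "<?php get_header(); ?>\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return scan_site(root, own_hosts={"example.com", "www.example.com"})
```

Findings are leads for manual review rather than verdicts, since some legitimate plugins also call eval(); comparing a flagged file against a clean copy of the same theme or plugin version settles most cases.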

Several hackers added users with administrative privileges so that they could log in at any time. The hackers did not take over the website but added software that ran in the background while the website was running (slowing the website considerably). After removing the unauthorized usernames and software, the websites once again ran at their normal speed.

Common issues leading to successful hacking

All the infected websites had the following common characteristics. They were running outdated software. None were running any security software. There was no maintenance plan in place. The owners neglected their websites after going live. Several had developers who were no longer available (either they left the company, or they were out of the website development business).

Our new clients have a better appreciation for having a regular WordPress maintenance plan and keeping their software updated. We removed unauthorized administrative users from the systems. Next, we installed the Wordfence security software that automatically locks out illegal logins and sends alerts letting us know of the failed login attempts. We also installed two-factor authentication to further secure the websites. Our clients do not have to worry about their website getting hacked because we have it locked down. We hope that your website never falls victim to hackers. If it does, you can apply some of our common WordPress hacking fixes.

Need help with a hacked WordPress website?

Let’s chat.
