Just last evening, my friend asked me to check one of his WordPress blogs. Apparently, he wasn’t able to access his WordPress admin login page (www.website.com/wp-admin). The weird thing is, his site was up and running, and all the posts and pages were fine. I checked the files under his website and they all seemed intact.
So, I looked at the error logs and found that it was raising an ‘unexpected T_STRING’ error in the wp-login.php file, which was probably the cause. So I downloaded the PHP file, looked into it, and guess what: I saw this long eval(base64_decode(...)) line all over the page.
That definitely looked bad, and it appears the injection had removed some of the code inside wp-login.php, which is why he wasn’t able to access the admin login page. So to get his admin up and running, I just uploaded wp-login.php from a fresh copy of WordPress and everything seemed to be working again.
Sure enough, the problem doesn’t end there. We need to make sure it doesn’t happen again, and it felt pretty insecure that some hacker was able to modify one of his PHP files. After searching for the problem on Google, I found out some things about the injected script:
- It is definitely a hack or an attempt at hacking his site.
- The hack can be done not just on the WordPress platform but also on other PHP sites.
- It is normally done by uploading a PHP script somewhere in your site directories, like wp-content/uploads, and executing that script to gain remote access that allows them to modify your files. So after you clean all the infected files, you have to make sure there are no other scripts lying around.
- It is done through an automated system, which means the hacker probably isn’t targeting just your site, but every site with the common vulnerability, through some automated script.
- It is usually caused by outdated WordPress versions, which have a lot of security vulnerabilities.
So if you’re here looking for a quick fix, you’ll be disappointed. These kinds of hacks are not very easy to guard against. They often attack your site in so many ways that it’s hard to pinpoint how they were able to get in. But most often, taking the necessary precautions will stop their attempts. So here’s what I did.
Back up the hacked site
The first thing I did was back up the hacked site. Download the entire directory of your site and save it locally. This way, you can investigate further how your site was attacked when you have the time.
Fix your site
The next thing I did was upload a fresh copy of wp-login.php to fix the admin login page. Then I reinstalled WordPress through cPanel to make sure all files are clean and that there are no malicious scripts lying around.
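Reinstalling fixes the core files, but it doesn’t tell you which files had been changed or which extra scripts were lying around. The backup from the previous step can be compared against a fresh WordPress download to answer both questions. The script below is an added example written for this post, not code from WordPress or from the original article: it hashes every file in both trees and reports core files that differ, files that exist only in the live site (wp-config.php and your own content are expected there; PHP files under wp-content/uploads are not), and core files that are missing. The build_demo() helper builds a small constructed pair of directories so the script runs offline; the directory layout and file contents in it are made up for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions PHP will happily execute if they are reachable under the web root.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def hash_tree(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(site_root, clean_root):
    """Compare the backed-up site against a fresh WordPress copy.

    Returns (modified, extra, missing):
      modified - files present in both trees whose content differs (tampered core files)
      extra    - files only in the site (config, uploads, themes ... and any planted scripts)
      missing  - core files that the site lacks entirely
    """
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    extra = sorted(p for p in site if p not in clean)
    missing = sorted(p for p in clean if p not in site)
    return modified, extra, missing


def suspicious_extras(extra):
    """Extra files that are executable PHP sitting in the uploads directory.

    Uploads should only ever hold media; a PHP file there is the classic dropped script.
    """
    return [
        p for p in extra
        if p.startswith("wp-content/uploads/") and p.lower().endswith(PHP_EXTENSIONS)
    ]


def build_demo():
    """Constructed sample (not a real site): a tiny 'clean' tree and a tampered copy of it."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "clean", base / "site"
    core_files = {
        "wp-login.php": "<?php\n// login code\n",
        "wp-config-sample.php": "<?php\n// sample config\n",
        "wp-content/index.php": "<?php\n// Silence is golden.\n",
    }
    for rel, content in core_files.items():
        for root in (clean, site):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Tamper with the site copy: an injected line in wp-login.php, a real config file,
    # one legitimate upload and one PHP script dropped into the uploads directory.
    (site / "wp-login.php").write_text("<?php eval(base64_decode('PLACEHOLDER')); ?>\n<?php\n// login code\n")
    (site / "wp-config.php").write_text("<?php\n// real config with DB password\n")
    uploads = site / "wp-content" / "uploads" / "2012"
    uploads.mkdir(parents=True, exist_ok=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (uploads / "cache.php").write_text("<?php\n// constructed stand-in for a dropped script\n")
    return site, clean


if __name__ == "__main__":
    site_dir, clean_dir = build_demo()
    modified, extra, missing = compare_trees(site_dir, clean_dir)
    print("modified core files:", modified)
    print("files only in site:", extra)
    print("missing core files:", missing)
    print("PHP in uploads:", suspicious_extras(extra))
```

Point compare_trees() at the local backup and at an unpacked WordPress archive of the same version; anything in the modified list, and any PHP file the suspicious_extras() filter reports, deserves a look before the site is declared clean.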
Change all passwords
Change all passwords, including your cPanel login password, your database passwords, your FTP account passwords, and your WordPress account passwords. Most of these passwords can be changed through cPanel. Also make sure you update the values in your wp-config.php to reflect your new database password.
Secure your WordPress site
Install the following security plugins for WordPress:
- WordPress Firewall 2
- Better WP Security
And finally, back up, always!
Don’t know how? Check out this tutorial on how to back up your WordPress sites.
Another thing: hacks hidden using eval and base64_decode can be decoded online, so if you’re a programmer and are curious about what the malicious code does, you can copy and paste the encoded string into an online decoder and examine the code:
The above decoder did not work for me. I’m not sure why, but in my case I used the following decoder; just copy and paste the entire eval code into the text box.
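If you would rather not paste the payload into a web page, the decoding can be done locally, and the same pattern match doubles as a check for leftover scripts in other files (the point raised in the list above). The script below is an added example written for this post, not code from the original article or from WordPress. It finds every eval(base64_decode("...")) literal in PHP source, base64-decodes it as text without ever executing it, and keeps peeling layers while the decoded text contains another such call, since these payloads are often wrapped several times. The scan_tree() function runs the same match over every PHP file under a directory. The build_demo() helper plants a constructed, harmless two-layer payload in a fake wp-login.php so the script runs offline; nothing in it is a real sample.

```python
import base64
import re
import tempfile
from pathlib import Path

# The construct described in the post: eval(base64_decode("...")) with a quoted literal.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)


def find_encoded_payloads(source):
    """Return the base64 literals handed to eval(base64_decode(...)) in a PHP source string."""
    return [re.sub(r"\s+", "", literal) for literal in EVAL_B64.findall(source)]


def decode_layers(payload, max_depth=10):
    """Statically decode a payload, peeling nested eval(base64_decode()) wrappers.

    Each layer is only base64-decoded and treated as text; nothing is evaluated.
    Returns the decoded layers outermost first, or [] if the input is not valid base64.
    """
    layers = []
    current = payload
    for _ in range(max_depth):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8", errors="replace")
        except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError
            break
        layers.append(text)
        inner = find_encoded_payloads(text)
        if not inner:
            break
        current = inner[0]
    return layers


def scan_tree(root):
    """Walk a site directory and map each PHP file carrying an encoded eval to its payloads."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".phtml", ".php5"}:
            payloads = find_encoded_payloads(path.read_text(errors="replace"))
            if payloads:
                findings[path.relative_to(root).as_posix()] = payloads
    return findings


def build_demo():
    """Constructed sample: a harmless two-layer payload injected into a fake wp-login.php."""
    innermost = "echo 'constructed harmless payload';"
    layer1 = "eval(base64_decode('%s'));" % base64.b64encode(innermost.encode()).decode()
    outer = base64.b64encode(layer1.encode()).decode()
    root = Path(tempfile.mkdtemp())
    (root / "wp-login.php").write_text(
        '<?php eval(base64_decode("%s")); ?>\n<?php\n// login code\n' % outer
    )
    (root / "wp-content").mkdir()
    (root / "wp-content" / "index.php").write_text("<?php\n// Silence is golden.\n")
    return root, innermost


if __name__ == "__main__":
    site_dir, _ = build_demo()
    for rel_path, payloads in scan_tree(site_dir).items():
        print("encoded eval in", rel_path)
        for depth, layer in enumerate(decode_layers(payloads[0]), start=1):
            print("  layer %d: %s" % (depth, layer[:80]))
```

Run scan_tree() over the local backup to list every file that still carries the pattern, then decode_layers() on each payload to read what it would have done. Matching only the literal-string form keeps the regex simple; a payload built from concatenated variables would need a different check, so treat an empty result as "nothing of this shape found" rather than "clean".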
What about you? Were you also hacked? I am curious to know what you did and the things you’ve found out about your hackers. Let me know in the comments below. Thanks!