How to Clean a Hacked WordPress Site

5:30PM May 8, 2024

Speakers: Nathan Ingram, Kathy Zant

Keywords: malware, site, hacked, clean, wordpress, kathy, php, wordpress site, file, hackers, hosting account, database, security, change, links, plugin, backup, questions, backdoors, problem
Yes, welcome Jeff from Oklahoma, Nancy from Ontario, Luis from the UK, Doug, welcome. Good to see everybody. Just about to get those captions connected and working. All right, captions should now be connected and going for everyone if you'd like to follow along. Welcome Barbara from Germany, folks. We're just about two minutes away from getting started. We will officially start at three minutes after the hour. We are almost there. Glad you've chosen to invest an hour with us. Today we're gonna be talking about cleaning hacked WordPress sites with our friend and expert Kathy Zant. If you're just now joining us in Zoom, open up the chat, say hello and tell us where you are logging in from today or tonight, wherever it happens to be in your part of the world. I've also dropped in once again today's link bundle that has the slide deck, if you'd like to download that to follow along, and several other links that I'll talk about as we get started. Abednego, welcome from Kenya. Good to see you all, just about a minute and a half to go. You have a lot of fun things to talk about today. Very useful information as we deal with cleaning hacked WordPress sites. Welcome Tanya from Finland, Bob from Michigan, Jeff from Canada, Peter from Sweden. Welcome. Good to see everyone here. I'd invite you all as well to open up the Zoom Q&A. That's going to be the place to ask your questions. I'll talk about that as we get started here. Just about a minute to go before we launch officially. Welcome Kevin from New Jersey. Great to see everybody here. Lots of folks from around the world today. It's great to see all the countries being mentioned there in the chat. WordPress is certainly a global community. It's great to see you all here. Less than a minute to go now. Welcome Rob from Chicago. Indeed, Nicholas, welcome. Once again, if you're just joining us in the chat, I am dropping in our link bundle that has today's slides and the replay link and some other helpful links as well.
We are just about ready to go, about 30 seconds to start. Hey Paul from California, welcome,

just about ready to start. Gaius, welcome from Rwanda. This may be, Kathy, the most internationally represented livestream I've ever done. So wow, we credit that to you.

I love bringing the world together. You're

bringing the world together with hacked WordPress sites. Right. Welcome, Chris from Iowa. Yeah, Chris, a map. A map pin would be pretty cool. All right. It's three minutes after, let's get the recording officially started and get underway. Well, good morning, good afternoon, good evening, wherever you happen to be around the world. Welcome to another Solid Academy livestream. My name is Nathan Ingram. I'm the host here at Solid Academy and I am joined by my friend Kathy Zant. Kathy is an internationally recognized expert on WordPress security and marketing and data-driven website development. Kathy has spoken at countless events worldwide. She's a frequent guest on all sorts of podcasts and livestreams, and I'm thrilled that we have her here today. Kathy, how are you doing?

I'm doing good. I just recovered from a cold, so if my voice cracks, just bear with me. I'm going to do my best.

It is that time of year for sure. Kathy, we're talking about a very important topic today with hacked WordPress sites. Tell us about your history dealing with hacked WordPress sites.

Yeah, so the first hacked WordPress site that I cleaned up was my husband's. He was a victim of the TimThumb vulnerability about 15 years ago, maybe 14 or 15 years ago. And so I had to get into the file system of WordPress and put everything back together, take all the malware out. And that's where I got started. Later, a company put out a call for people who could clean hacked sites. I'm like, well, I've done that before, and security is fun and interesting. So I ended up working for a company in their remediation department and helped to manage that department for a while. And we estimated over the course of two years that I cleaned over 3000 WordPress sites just by my little old self, and created a lot of policies and procedures to make that faster and easier, and trained a lot of people as well. Now my goal is to train as many people as possible so that everyone feels empowered when it comes to this stuff.

Wow. 3000 hacked websites, that's pretty amazing. So what are we going to be talking about today specifically for the next hour?

Okay, well, you're not going to walk away from this as the expert in cleaning hacked sites. It took me a couple of years to get to the point where I was cleaning six of them a day, and it was just kind of like, all right, set up like three or four of them and, oh, look at this. You will, however, understand the strategy of how to do this, because, like with the recent vulnerability that I saw with the Bricks Builder happening in February, I saw a lot of bad advice being given to people who were just like, I just need my site back. And I really took that to heart, and I don't want people to have bad advice. I want people to get some solid foundation of what they should be doing in order to have a solid (I worked that in) foundation, so that they would understand security, so that when things like this happen, when there's a vulnerability and it's like you wake up to it and all of a sudden your site's attacked, those types of things, that you do not feel disempowered, that you feel in control, you don't shut your business down because something happens. You feel like you can handle it. And if you are in the business of helping other people with their sites, that you feel more empowered to help other people. So I will be talking about this both from the mindset of people who own a site and want to feel empowered, but also, if you are helping clients, what are some of the things you should be doing?

Yeah, very good. So we have a long way to go today, folks, and I am going to drop an extra couple of links in the chat right now. This is a more detailed look at cleaning a hacked website from a couple of past livestreams a couple of years ago, but the information is still relevant. So again, today is more of a high-level view of the processes involved and just what it looks like to clean a site. If you want to get into more detail about each of the things Kathy is going to talk about, the two links I just dropped in the chat get into cleaning the file structure and cleaning the database. That's from, I believe it was one of our disaster weeks, maybe in 2022, but still really good information, and you're all welcome. Those links are free and open to anyone if you'd like to go back and rewatch those. Let me give a couple of logistical notes and then I'll turn things over to you, Kathy, and let you get started. First, folks, we're super happy that you've decided to invest an hour with us. Hopefully this is gonna be a good use of your time. Kathy is an expert in this area and just has a real gift of presenting detailed information in a simple way. So I would encourage you to take advantage of her expertise while you're here. And so we do have live Q&A going. As I said, we will end with a time of Q&A at the end of today's livestream. Please do not use the chat, though, to ask your questions. If you mouse over the shared screen, you can see the Zoom Q&A icon, so please click that icon. Go ahead and keep the Q&A window open now, because as folks are asking questions throughout today's livestream, there's the little thumbs-up icon that will let you upvote those questions. It is unlikely we'll be able to get to all the questions today given the number of attendees that I'm seeing right now. So we'll take the questions in the order of upvotes at the end.
So please just keep that window open and upvote the questions that come along if you also have them and you want to vote for an answer to be received for that question at the end. Also, I'll mention there's a couple of points during today's livestream where we'll be looking at an FTP app and some other settings apps. And it's just going to be smaller print, right, it's going to be a smaller font, not gonna be able to zoom in on that. So what you can do if you're on a smaller screen: if you mouse over the shared screen, you'll see a little view options dropdown at the top where you can zoom in your Zoom view if you need to zoom in. Probably, though, you'll just be fine watching what Kathy is doing. She's really dealing at a high level on these topics. A couple of other notes: I'm going to drop in one more time today's link bundle if you'd like to download today's slide deck. That link is now in the chat. Also there's the link for the replay. So this is being recorded. It'll be up about an hour or so after we finish. The link to rewatch or share this livestream is there in the chat now. Also, there's a link to subscribe to Kathy's YouTube channel, and I would just encourage you all to do that because she is constantly putting out great content for folks on all sorts of security-related topics. So with that, Kathy, let's get started. Yeah,

I'm gonna do a plug for my latest video because it's very interesting. On the YouTube channel, there's this phishing kit that is super sophisticated. So I walked through the security researchers and what they found with that phishing kit. These hackers are getting really creative. So go watch that one. But do that later, of course, because we're talking about cleaning hacked WordPress sites. Now a lot of people ask, should I even try? Should I try to do this? Or should I just leave it to the professionals? I saw a lot of that with the Bricks hack that I mentioned. Know your limits, know what's important to you. There's no right or wrong answer. You should look at it, and you should try to clean it yourself. But if it gets to be too much, don't feel bad when you have to turn to a professional who's probably cleaned up after that same intrusion vector 1000 times. With my car, I will check the air pressure on the tires, I will look at the oil levels, I will do some basic things, but if something's broken, I go to the mechanic that I trust, that I know is going to put things together. So know your limits, but also get to know what's going on with your WordPress site. You'll learn something, and it's really not that hard. The reason why I got good at cleaning hacked sites is I knew WordPress. I knew the file structure. I knew the database. I knew how PHP and MySQL worked together. I knew hosting. I knew a lot of different things. So when my husband's site got hacked that first time, I was able to piece things together because I could see what belonged to WordPress and what was, you know, the purple sofa somebody moved into the living room that didn't belong there. When you get to know WordPress, it means that cleaning a hacked site is so much easier because you recognize patterns. You recognize what PHP code looks like. You recognize what files go in, you know, the root of WordPress and what maybe shouldn't be there. So it's just pattern recognition.
It's just becoming familiar with your WordPress site, or with WordPress as a whole. So, now a lot of people will assume their site is hacked, and it might not actually be. So there was one person whose site, when they updated some plugins, white screened, and they assumed that the site was hacked because it's broken. So therefore, something bad must have happened. Well, something bad did happen to it. They were using a very old version of PHP, they updated a plugin that required a more recent version of PHP, the site white screened, so they requested a hack clean, but the site wasn't hacked. It was just a PHP problem. So the first thing that you want to address is whether or not the site is actually hacked. It might not be; it might be an issue like that. But there are some indicators that the site has been compromised. In the security world, they call these IOCs or indicators of compromise. Now a lot of different things can mean something's wrong with the site and we need to do some maintenance. Or it could mean that the site's hacked, but you're going to have to investigate that. Now, if you're using something like Solid Security as a plugin, it does file change modification alerts. So if a file changes, or if there's like a new file where it shouldn't be, it will alert you. You know, you get an alert that a file has changed, if you have that turned on with Solid Security, and that might be your indication of a compromise, that something is wrong. Having these kinds of intrusion detection services looking at your WordPress site are amazing because it tells you right away. What would you rather have: your customers telling you that there's something wrong with your site, that it's redirecting them to install malware on their computer? Or would you like to find it because a file changed? So make sure that you have some kind of intrusion detection going on.
Otherwise, all of these things on the screen can be the sign of a compromised site. The site just stops working. New users are there and you didn't add them? That can be a sign. You might see unusual outbound traffic if a hacker has compromised your site and they're using your server resources to send out spam. A sudden drop in site visitors can be a problem. Maybe your site has that red malware screen of death in Chrome because Google has detected malware on your site, and you're gonna have to do reputation cleanup as well. Unusual popups, unusual logins, another indication of an intrusion. Not being able to log in can be a number of things: you forgot your password or a user forgot their password. Your search engine results could change. You could have the Japanese keyword hack, and you go in and search something specific to your site and what's showing up is all these Japanese characters and your site is in English or Italian, these types of things. So there's all sorts of things that could be going on. It could be hacked, or it could just be broken. But once you determine that the site is actually hacked, and we are dealing with an actual intrusion that has happened, the very first thing you do before you touch a piece of malware: you back it up. And I would back it up using either your hosting provider's backup methods, or, you know, running a command on the command line where you can like zip up the files, that type of thing. I wouldn't necessarily use a plugin for a backup when your site's hacked. Here's the reason: everything on that hosting account should be considered compromised. So you want to do things at a higher level than PHP, because the hacker has access to PHP. They have had access to the site, they have access to all of the plugins. We have seen plenty of malware scanners that have been modified after a hacker gets into a site to make sure that that plugin-based malware scanner can't see the hacker's malware. I've even seen hackers get into an already hacked site.
The site's already been hacked. And another hacker comes along, cleans up the malware from the previous hacker and then sets up shop and turns off the malware scanner, and basically it's his site now. He's basically owned the site. So anyway, don't back up, or don't use malware scanners, that are PHP-based. Get the backup above that: run it on the command line or use the hosting provider's backup tools. I mean, you want to back up the hacked site, the files, the database, the log files, all off of the server. Here's the reason why you want everything off of the server and why you can't use the PHP malware scanner. The hacker has owned that site, right? So if you are trying, like, using a malware scanner, it says fix this file, and the hacker is over here fixing another file. It's like playing Whac-A-Mole. It's like brushing your teeth while eating Oreos at the same time. It just doesn't make sense. You want to clean the hacked site in an isolated, controlled environment that the hacker doesn't have control of. It's like, you know, trying to clean your house with your children playing. It just doesn't work. Or trying to clean the kitchen and your husband's decided to cook something. Yeah, husbands are in the kitchen, kind of like, sorry husbands, but it's kind of like what occurs in your WordPress site. Just trying to add a little levity to a very dry topic here. All right, so the next thing you need to do once you've got the site backed up and in a controlled environment: we want to determine whether or not the site needs to be taken offline. And we do this by asking ourselves the question, is harm being done by this malware? Or is it just annoying? Now, if it's just spam links that have been added to your database, if, you know, your search engine result pages are having problems, that all is gonna get taken care of later. It's annoying, it's bad for business, but it's not actually doing any harm to users.
If we have a credit card skimmer, if, like, our indicator of compromise is that people are checking out with WooCommerce and the credit card numbers that they're typing in are getting scammed and sent to malicious thieves, that is a problem. If people who are visiting our site are being maliciously redirected to a popup that says "Install: Adobe Flash needs to get updated," any kind of malware type of thing, or phishing kits that somebody has installed on your site where users are being directed to your site to put in their credentials for Outlook or whatever, these types of things: if somebody is going to be hurt by the malware that is on your site, I highly recommend taking it offline. There are lots of reasons why, but it's just like good business practice. You don't want that blame placed on you. It's better to just put up "we'll be back soon," any kind of under-maintenance type of page, while you are doing the cleanup. But if it's just spam links, you can live with that.

And the next thing we're going to do is we're going to make an educated guess on the intrusion vector, because this is going to inform us of what we're going to be doing. For example, the Bricks vulnerability: when that happened in February, news spread very quickly that the vulnerability was very, very severe and that hackers had gotten busy within five hours. It became very apparent after a while that it was a certain number of malicious actors that were doing it, and they had an M.O., they were doing a certain thing. So then we can very quickly isolate what they've done. It doesn't mean we don't look at all of the files. We want to make sure everything is clean. But it will at least give us an idea of where the intrusion vector is. Where are they getting in? What's the vulnerability? And it will help direct us towards our cleanup efforts. And we want to also look at how long the site has been infected. What changed, and when did it change? Again, another reason why Solid Security's plugin is so helpful, because it's going to tell us when those files have changed. Because then, if you have good backups, if you've been making backups, you can do a quick restore, because you saw when that change happened, you just go before that change and you can restore from a backup. So these first steps of making educated guesses on what happened are going to help inform us of what's going to be the fastest way to get this remedied. We're going to look at plugins and themes that need an update. We're gonna look at logins, if anybody's, like, logged in from... we know our user with a specific username is in Long Beach, California, but somebody from Athens, Greece logged in. There might be a problem. Another thing: if there's more than one WordPress site in a hosting account, for example with cPanel addon domains, we are going to have to clean everything all at once. If it's under public_html, you have to assume that it's compromised.
So we're going to look and see if there is another WordPress installation in the hosting account. If you're on cPanel, you go into the file manager, do a quick search for the number of wp-config.php files. If you find more than one, there is more than one WordPress site. This happens a lot. You know, you'll find a customer who just wanted to make a quick test to see if something was going to work, and rather than doing it on a staging server, or maybe they install a staging server on that particular hosting account as an addon domain. And so they make a quick test and they forget about that particular test site because it worked, and they copied it to production and everything's fine, and they're not keeping that sub-site updated. That can be an intrusion vector. Hackers find those, and one of those sub-sites can be the intrusion vector for the entire hosting account. All right, if you're doing this work for a client, if you are an agency and you're cleaning up a hacked site for them, if you are doing this as a service for other people, you need to create a report. You are working on someone else's site. You need to figure out what's the scope of the cleaning process. If they're like, okay, I just want you to clean this site that's hacked, don't bother with all of the other ones in my cPanel, don't bother with the addon domains, you need to draw a boundary right there and say I have to clean them all at once. Negotiate all of that. So if it's going to be one site, ask them to move it to an isolated place. Because if you go through the process and you clean just that one site, you clean it all on a separate, protected site and you write that back to the infected site, you have to assume everything else is infected, and the cleaning that you've done is going to get reinfected. Hackers don't just leave indicators of compromise.
They leave backdoors. They make a note of your database password. They make sure that they can get back in. You have to assume that the entire thing is polluted. You are going to have to report to the customer. What was the scope? What did you do? What was the intrusion vector? You're going to have to figure that out. It's just good security practice, especially if it is a credit card skimming situation, and they have to go to their bank and their credit card processor and explain what happened. They need a report from a security professional if that's what you're doing. So you need to tell the intrusion vector. Now, if you're just trying to get your site back up, maybe this report is not important to you. But if you're doing it for someone else, you just have to do that. You have to describe what malware was found, what you removed. If you make any updates to the site, it's very important that you document all this. Security, 95% of security, is not just knowing what malware is and knowing how to clean things and get things secured. It's communication. It's communication to your clients so that they fully understand what was going on. So you're going to want to communicate what updates you did and what updates they need to do, changing of the passwords when you're done, all of that stuff. So make sure you keep this in mind if you are going to do this for clients. When it's time to do the clean, if you've got a backup, you're thinking it's always great to be able to restore from a last known good backup. You have to know that indicator of compromise, though. Don't just restore the backup and then not do any kind of investigation. Because if we don't know how that site got hacked, it's gonna get hacked again. So know how the site got hacked. Figure out, was it a bad password? Do we need to, you know, re-educate a user on how they are sharing passwords or how they're reusing passwords, all of that kind of stuff?
You're going to have to figure out, are there plugins that need to be updated? After we restored from that backup, you still need to have some kind of an idea of what happened and how this intrusion happened. The next thing you're going to do is you're going to remove malicious code from the files. That's existing files, as well as new files that have been added. And we'll talk a little bit more about how to do that in a second. Then you're going to have to remove malicious code and links from the database, and then review your log files for any evidence of that malicious activity and how it all happened. All right, drink of water time. Sorry, cold. All right. Where are you gonna find malicious code? Assume everywhere, even in the hosting account, anywhere and everywhere. Assume everything is infected. Don't limit it to, oh, well, it's just in this one file because that's where I saw this redirect, and I got the redirect out, so we're good now. You can't work that way. There's backdoors, guaranteed. I've never seen a site that just got hacked and hackers just did one thing. It's always multiple things, backdoors in weird places. So, existing files. If you don't want to go through every single file, the easiest thing to do is to build an exact clean version of the site's files based on the wordpress.org repo and compare that to what you found. This is if you don't have a backup and you have to do, like, a full-on clean. So this is the easiest thing to do. And when I worked previously, we had automated systems that kind of built replicas so you could do a very quick diff. And we had tools that did all of this. If you're just cleaning it on your own and you don't want to build out that kind of infrastructure, there are tools like UltraCompare and Beyond Compare where you can build out an entire WordPress site. Go get all of the free plugins, go get fresh copies of the exact versions
of everything that exists on that site, and just build two copies and do a comparison. And these tools will highlight in color: this file is not the same, this file wasn't in that folder. And so you know you've got a new malware file. So doing these kinds of diffs, these kinds of comparisons, will highlight where the issues are. So I would use, if you do not want to build out the infrastructure, if you don't want to do regular expressions and build out systems to do this, you can use tools like this to do this. But if the site that's been hacked hasn't been updated in a while, and you've got old versions of WooCommerce and an older version of core, you have to go get the previous versions of core, the previous version of WooCommerce. And you can do that on the repo. All of that code is there; you just have to know where to look for it. At the end, if I have time and you guys want me to, I can do a demo and show you where on the repo you can find all of that. Just go to the plugin, go to Advanced, and then down at the bottom there's a place you can find the exact version, and similar things for themes and core. Malware. Isn't it beautiful?

This and I know this is small if you download out of the chat the slides you can zoom in on this, but this is malware that was appended. This is obfuscated PHP code that was appended to the top of the base configuration for WordPress. So the WP config file. So this is what they'll do a lot. They'll take an existing known file so like WP config, you cannot go find the exact same copy of WP config on the repo because it's different for every single site. So they love to put malware in there because they know you can't do a comparison on it. You're gonna have to go look at WP config and see what's in there. So at the top, if you can see, see if I can make this bigger. So at the top, you see it starts PHP, and all of this app eustachian up over here. And then down at the very bottom of this obfuscated piece of code you see that PHP is ending and then PHP begins again. So what they do is they add it to the top of known good file. So you'll see that a lot with WP config. You'll see it with the index file. You'll see it in the theme functions file, but it can be anywhere. And this actually is a backdoor so doesn't say hey backdoor, but it's obfuscated code. Here is another piece of malware. Again, we've got some PHP it's all obfuscated you can't really tell what's going on but here you see this is this one was appended you can see here this is the front to the WordPress application. This is the index php file that's at the top of WordPress core. When you hit you know, your site.com this is the file that engages and kind of pulls everything together and says here's the site to your user. So this is I believe this is a backdoor also, I didn't go to obfuscate it to figure it out. But you see, start a PHP, then garbage and then end of PHP and then start up this is the actual file down here and you would see this in a comparison. If you did that actual file comparison here's another piece of malware. This malware is actually JavaScript and it's obfuscated JavaScript. 
So I used to play this game with my daughter when she was eight years old, and I was cleaning hack sites and she was doing homeschool third grade math, and I would play a game called malware and malware. And I would show her PHP code and then I would show her malware and she could always tell that it was malware because it looks like this. It's there's no pattern to it, right? It's just a string of a string of obfuscated garbage actually. So again, look at everything backdoors are going to be in files that you know existing WordPress files. They are going to be in their standalone files with weird names buried in the WP includes folder it's going to be every everywhere. So it can be obfuscated, or it can be very simple and you're not quite sure what's going on with it. But if it's not in WordPress core, it is and your site's been hacked it's it's likely a backdoor malware files themselves will often have error reporting zero and set time limit is zero because they don't want you to see any errors with malware because it's you know raising to the surface the fact that there is malware going on. setting time limits because there are scripts sometimes timeout and they don't want to see any timeout errors. They don't want to alert you that they are in there we will see application that looks like this. And then we will see code P Reg, replace and base 64 decode. There are some plugins that do have obfuscated PHP that is actual obfuscated, PHP, but it's not very common. Um, some paid plugins have that but 90% of the time when I see base 64 decode, there's power happening. So once you have the site clean on your hard drive and another server someplace away from the server that was compromised, you are going to restore the site files once you're sure 100% sure that everything is clean. You have an exact replica of that site. We're going to restore it but we're not going to just like wipe out the entire public HTML that has been cleaned. 
Because a lot of times we will take things out and there might be I I've seen hackers, they have a, a file that's malicious, and they're including it in another known good file and if you miss that, the whole site is going to throw an error or not load or you'll get those 500 errors that are so much fun to troubleshoot. So we're going to upload this adjacent to our public HTML, and we're going to call it public html clean. Now not all hosting accounts. Can everybody see we can see the FileZilla here. So this is this is my Sally's cat blog. This is actually an old copy of it that is on Dream hosts servers. And you see here dream host servers. It has a user and then Sally's cat blog.com And that's where the site is. So if I click on like the user, we see Sally's cat blog.com here, so I am not going to restore anything under Sally's cat blog. This is all hacked if if it is indeed hacked and yes, cat blogs do get hacked. I am going to create a another directory here and we're going to call this Sally's cat blog at calm, clean. And see it's adjacent. So then here is where I'm going to take all of these files. And it's yes, it's much easier if you do this on SSH, but bear with me. Now I'm just going to drag all of these over here. So then once I have all of my files written to I'm not going to do it now because time once I have all of those files written over to Sally's cat blog.com clean then I'm going to rename this one and this will be hacked and then I'm going to rename this one and that will just be the replacement. Okay, so now that hacked file now, at this point, the hackers locked out all the backdoors are gone. The site is back to being where it should be. We might need to do some updates and whatnot. But we don't have to play Whack a Mole. We're not looking at each individual file on the server. We basically take all of that malware, clean it elsewhere and then swoop lock out that hacker right there. 
Now, they're not completely locked out, because we have to change passwords and whatnot. But now we go to Sally's cat blog. We load that via HTTP. We clear our cache, all of that, and we look at the site. Does it look the way it's supposed to? Or are we getting 500 errors? Are there problems? If it was just spam links that we were wiping out or something like that, if there's a problem, we can quickly, you know, do cat blog hacked and clean and, you know, swap those back so that we can take a look at the site and see what's going on. But this is the way, and then once you're 100% sure, all right, we've got everything locked down, everything's fine, then you can delete that entire hacked directory. You don't need it anymore, because you have a backup of it elsewhere, right? And now we go through the process of locking everything down. We're going to change the database passwords. We're going to change all of the... removing the malicious users, patching the vulnerability, all of that fun stuff. And so we have a backup of the clean site. We have a backup of the hacked site. We're going to hold on to those for a while. Um, so again, we're going to secure the site, removing malicious users. You're gonna go to your

you're going to go to your settings page in WP admin. And it's saying my internet connection is unstable. I apologize if I'm breaking up a bit. Um, we are going to go to our settings. And oftentimes we see hackers setting "anyone can register" and the default user role is admin. We're going to want to make sure that they didn't do that. Then we are going to go change the database password and update our wp-config.php file. So we're going to go to our hosting account and change the database password. And then we're going to have to change that in our config file. And then we're going to change the salts also. I should have moved that up on the slide. Since we're in wp-config, change the salts. You can go to that page on api.wordpress.org and just refresh it, and it'll give you fresh salts. And wherever you see those salts in wp-config, you're going to write new ones into that refreshed, clean wp-config file. Once you change the password, I know a lot of hosting providers who have that cached, and so then things get funky. Good luck. But that's what you're going to do. If you're going to change the wp-config and you want to keep a copy of it, do that same thing where we're changing it to old. Make sure you do old-wp-config.php; preserve that .php at the end, otherwise you're turning it into a text file. You don't want to do that. Check your file and directory permissions; make sure that all files are 644 and directories are 755. And then you're going to want to check the hosting account. Let's take a look at, we've got next s here. I'm going to do this stuff as fast as I possibly can because I know we are going to have questions. So on the hosting account, you're going to want to go to scheduled tasks or cron jobs. And you're going to look and see what cron jobs are down here. Hackers will add cron jobs that rewrite the malware if they have gotten access to your hosting account.
If you're reusing passwords and your hosting account gets compromised, you're gonna have to look at all of the stuff, and then the databases as well. You're going to want to go to the database. And you're going to want to look at users here, because you can have more than one user. You want to make sure that you only have the user that you're using, unless you have some other weird reason why you need another user. I've seen them add users here as well. We'll talk about phpMyAdmin in just a minute. Once you have the hosting account, I want those passwords changed: change passwords for your cPanel, for FTP, for SSH. Look for additional FTP users; I have seen those added. And then you're going to want to go update all of the plugins and themes. You've gotten all the malware out, but if there is a plugin or theme with a vulnerability still there, you're going to want to make sure that that is updated as soon as possible. And then, of course, configure your security plugin. Do all of this stuff with the file system. That's where most of the damage happens. Yes, we're going to look at the database very quickly, but most of the, like, hard stuff, the backdoors and all of that kind of stuff, 90% of the time it's going to be in the file system. So once you have all of that secured, then you can turn your attention to the database. So in the database, the tables, let's look at phpMyAdmin really quickly. These are the tables in a very basic WordPress setup. You're going to find malware in wp_options, wp_posts, and of course wp_users. I would even look at this here from phpMyAdmin as well, because I have seen malware, excuse me, I have seen malware that has hidden malicious users from WP admin. I haven't seen it in a while, but I would just look at options and posts to begin with. That's where I would start; that's where I see most of the malware. You know, of course, WordPress will save auto drafts and all sorts of things like that.
And so your table might be huge, but these are the, you know, might be like double the size of what you actually need to clean. All you really need to clean is anything that's live. You don't need to go cleaning auto drafts and things like that, because they're just auto drafts that really don't matter. So you can use WP atomizer, and that will remove all of those post revisions. Now if you're on phpMyAdmin, there's two things you can do. You can download the table, you can download the whole database; you should have backed that up to begin with. But if you're just like, okay, I see the malware, I see those spam links in wp_posts, you can actually clean using SQL commands in phpMyAdmin. But what I would do is create wp_posts_hacked or wp_posts_clean, and then you can just use this SQL command here to copy all of wp_posts into a separate table and then do all of your work there. And then you can just, again, swap the clean table for the infected table once you have that all cleaned. And you just do that by RENAME TABLE, and you can do all of it; just copy that and paste that into your phpMyAdmin and you are renaming your posts table to the hacked table, which of course you'll delete when you're done, and your clean table, once you clean that, to wp_posts. We're not done. Site's clean, it's locked down, everything's fine, but you still need to take a look at the reputation of the site, because it has been affected. Go into Google Search Console. You're gonna want to look for malicious users and malicious sitemaps that have been entered into Google Search Console. Clean up all of that. If you have a red "malware" or "deceptive site ahead" going on with Chrome, you have to clean up all of the stuff in Search Console. And then, you know, you might be tagged as malicious by Norton Safe Web, by McAfee, which is TrustedSource, and then you have to go look at your site's IP address on Spamhaus. And there are a ton of spam blacklists.
So you'll want to go look and see if your site is affected with those. The fun just never ends. It just doesn't. And of course you should stay in touch with me, as always, because I'm doing fun stuff. I'm still doing security content, kind of going more general. I want to help people like Aunt Mary make better decisions about their security, as well as WordPress site owners, but I want to empower you guys too. So these are the things I'm doing. I do have a WordPress security mini course for people like you; that's unbid secured. I'm going to build that out and do more there as well. So you can take a look at that. Or just get on my newsletter and I'll mail you when I'm doing fun stuff.

There you go. Lots of great places to stay connected with Kathy. Really appreciate all of this information, Kathy. Lots we just covered in the last hour, an excellent top-level overview of what hacks look like and some of the steps to take. Folks, if you joined us late, I dropped in just now another set of links into the chat that I dropped in earlier. These are two live streams from back in 2022 where Kathy goes into more detail: a full hour on looking at malware in the file structure, and then another full hour on cleaning up the database, the WordPress database, with malware. So save those. They are a couple of years old, but they're still very relevant and helpful information. And you can speed up the playback speed if you want to and get through it twice as fast, right? So

colors changed.

Mine too. I'm not sure how. Yeah, so we have plenty of time here for questions, about 15 minutes left. Let me invite everyone to open up the Zoom Q&A if you've not done so yet, and just scroll through the questions that have been asked and upvote the questions that you would like to hear the answers to. And let's dive in first with this one from Joan. So Kathy, is it safe to clean sites in a local environment, meaning maybe you've got a local app that's allowing you to run WordPress locally, like WAMP or XAMPP or Local or something like that? Is it safe to clean hacked sites locally? Or could that cause a security issue on your personal computer?

Yeah, um, if you don't have a PHP engine on your computer and you are not opening stuff... I wouldn't open stuff in a browser. I would open it in, like, Notepad or Sublime, some kind of text editor. If you're doing that, you're fine. Otherwise, you know, to be ultimately safe, do a virtual machine, a VM, and do that type of cleaning there, because that's going to isolate everything. But if you don't have a PHP engine on your site or on your personal computer, PHP isn't going to engage. But, like, if you go and you open an HTML file, or you go open a JavaScript file in your browser to see what's in there, you could engage JavaScript and it might do malicious redirects that bring you to a bad neighborhood type of thing. So I wouldn't open anything in a browser; just open stuff in text editors. And then, if you have a PHP engine and you're doing a dev environment, I would be very, very careful. But if you're a dev, you will know. I hope.

Yeah. And that kind of brings up a question that you and I talked about in the pre-show, Kathy, of when should I try to do this myself versus hire this out to an expert? Yeah.

Um, again, like, I think everybody should at least look. If your site is hacked, you should at least look and maybe try to clean it yourself. Make sure you're doing backups. You know, there's only so much you can do. When you get to the point where it's like, this is too much for me, don't feel bad, you know, engaging an expert, engaging someone to help you with the clean. They're going to go through and do the report. They're going to tell you about indicators of compromise. They're going to tell you how this happened and how you can protect yourself. If there's any kind of legal or PCI DSS type of thing going on with your credit card processor, you're going to want that kind of backup. But don't be afraid to look. Now, another thing is, like, if you're on your desktop environment and you download malicious files and you have antivirus, which you probably should have, it's going to scream bloody murder at you, even with PHP malware. I like to look at that stuff, and, you know, like, the job used to make me have to have Avast, and Avast does have... we just do not get along, because I like to look at the malware. I know what I'm doing. I'm not going to infect my computer with PHP. So, but don't be afraid, or you should look at it. It's very interesting to me. Yeah, indeed, but I don't fix my car. So

here's a great question from me. My client's website was recently compromised by hackers, despite being fully updated, including both PHP and WordPress versions. We received a notification indicating excessive bandwidth usage. Further investigation revealed the website had been hacked. So could you explain the connection? This is a great question. Explain the connection between bandwidth usage and hacking.

Hackers don't necessarily want your website because, you know, you've got this beautiful website. They want your website because of the resources they can use as a part of a spam mailing campaign, a phishing campaign, just one other server that they can put in their command and control networks to go infect other WordPress websites. So your resources are what they're after. So that is one main indicator of a compromise: where you're not getting a lot of traffic, but resource utilization is through the roof. That doesn't make sense and should be investigated. So

indeed, yeah. They're not after your website. They're after your web server, which, that's, folks, all those millions of spam messages we try to filter every day come from hacked websites around the world. A good question here from an anonymous attendee: you mentioned, Kathy, credit card skimmers a few times. How safe are payment gateways that store card details externally, like Paystack, or I would say Stripe also stores payment details and makes those accessible to a WooCommerce store, for example, but how safe is that? And then maybe I would also add, what is a card skimmer specifically and how is it working? Yeah,

so where I've seen them, on Storefront, WooCommerce Storefront, they're JavaScript, and what they're doing is they're only on that checkout page. And I've seen them; they're not even obfuscated. So they're just there, and they're taking, basically, the customer's typing in a credit card number and it's taking that information and sending it off to a malicious hacker, and they immediately go and buy, you know, a camera on Amazon or something that they can sell on Craigslist. PCI, the payment card industry, the credit card industry, does not want you to store any information on your WooCommerce store, and WooCommerce doesn't do any of that; it's all stored, you know, like if you do have recurring payments and stuff, PayPal handles that, Stripe handles that, whatever. I don't see a problem with that. I mean, you should be securing your payment processor with the utmost, you know, like it's your bank account, right? That customer information in there, personally identifiable information that's in there, very, very important. But also your WooCommerce storefront: you're storing your customers' information, their email address, where they live; you're taking shipping addresses, all this kind of stuff. So it's still all personally identifiable information, even though the credit card information is stored by Stripe or whatever. You still have to keep that personally identifiable information secured, and there are plenty of laws that are coming out on the books saying that if you have a breach, if your WooCommerce storefront is breached and you have customer data and that gets exposed, you have to notify people, right? So that's why you back this stuff up. You back up your log files, you get that all off the server. That's a forensic investigation. There might actually be legal proceedings, so you want to make sure you have all of the evidence preserved, like it's a crime scene, because it is. So

it is a crime scene.

Yeah, it is.

I'm seeing several questions coming in to the webinar chat. Let me invite everyone, if you have a question, please to open up the Zoom Q&A. You can find that by mousing over the shared screen and clicking the Q&A icon; you can ask your questions there. We're taking the questions in the order of upvotes. So please also, if you haven't, take a look at the questions that are in the queue, do that really quickly, and upvote the questions that you also want to hear the answers to. Our next question in the list is from another anonymous attendee, who asks: what tools are available to check for malicious code that might be buried in the database?

Um, there are malware... Okay, so there are external scanners, like Sucuri has an external scanner. Usually stuff that's in the database is going to be stuff that is displayed out, so it is an actually visible indicator of compromise. Like, that Sucuri SiteCheck can't find a backdoor buried in, you know, your includes folder. It can, however, tell you, you know, they obviously use it as lead generation for their hacked site cleaning, but it will at least give you peace of mind or send you to the experts when you can do a scan and see something. So those external scanners are really great. I know, like, Wordfence is great for finding files; historically it hasn't been that great for finding stuff in the database. Unless you have, like, a local cache plugin and it's pulling stuff out of the database and building all these HTML files, then it will find that kind of stuff. But there's no real great on-server scanner. I was just like, look at every single page. Like, I mean, the posts page, or the posts table, is usually pretty easy to get through. So I will go through and look for any JavaScript. So I'll download the posts table. I'll download the options table. And I will go through those in a text editor and I will just do Ctrl-F and look for all of the links: do these links make sense? Does this JavaScript make sense? Why is there JavaScript embedded on this particular page? And then that's how... like, once you get to the database, that stuff is, like, glaringly obvious. You know that there's, like, something going on. I hope that answers it. Yeah. Great tool.

I'm going to post once again the link to the previous livestream, where you looked at cleaning the WordPress database. Yes, you went in and looked in phpMyAdmin and showed examples of how to find this. There were some SQL commands you gave

there. One of them didn't work, but it's close. Just... Yes,

exactly. So take a look at that. And again, folks, please use the webinar Q&A to ask questions rather than chat. We are taking the questions in the order they're received. I'm not ignoring you in the chat, but we do have a list. Great question coming up here from Tanya: is it possible for malware to only present to someone that is not an admin user? So let's pause there, as they

love doing that. I do love doing that. Yeah, so... Oh, hey, I didn't even talk about the .htaccess file. You guys gotta go just look at that. Go on wordpress.org, or just do a search for, like, "standard htaccess file," and do a comparison on that. There's going to be some stuff in there that, you know, like caching plugins and all kinds of, like, appended stuff, but the L man... so they will actually hide malware from logged-in users. They will hide malware from people who are searching the site, but they want to show spam links to someone who's just searching. So go in incognito mode and look at your site that way, because they will hide it from logged-in users. They want to hide it from anybody who can do something about it.

Indeed. We actually had a client come to us years ago who was a furniture store, and they said, our client, we have customers reporting that they're being redirected to some other weird site. But when we go there, it's just fine. We took a look, and sure enough, they were logged in, and it was this login malware. Crazy. So Tanya says, should we consistently look at our websites with a guest browser or incognito, like you said, or a VPN? Is that something we should be doing regularly, would you say?

Um, yes, or just make sure you have, like, Solid Security on there, because that's going to be an intrusion detection. I would also make sure that your site is hooked up to Google Search Console, because if they see something, they're going to let you know right away too. They want you to be successful, right? They want to be able to send you traffic and stuff. So if there's a problem, they're going to tell you what's going on. And so these intrusion detections, these are the canaries in the coal mine that tell you you need to go look at something, so you don't have to, like, go do a full-on scan every single week. But every single quarter, I would do a security audit. And I will just tease the fact that one of my future Solid Security trainings is going to be about security auditing. And I would do that quarterly, to just go look at everything and, like, oh my gosh, I can't believe I forgot this staging server, this test site that I set up last month. I need to delete that. There's stuff that happens, and you are, oh my gosh, I gave contractor access to this one individual and they still have an account. I totally forgot; they haven't done anything for six months and I need to delete that. So it's really important to do routine security auditing. I would do that quarterly. And we'll talk in that session about, you know, establishing some policies and procedures to make sure you keep your site safe. But yeah, that'll be part of, like, a regular security audit, but don't use all the tools available to you. Yeah,

we don't have that security audit livestream webinar scheduled yet. It'll be probably later this summer, I would imagine.

Okay, yeah, I think it's like July, isn't it? Is it? I have to go back and check.

Let's see. Injury would like to know, how do we track malware, or other malicious code, I guess, and remove it completely from our environment? So let's just focus on that first part of the question. How do we track, how would we know that malware has been added to our WordPress site?

Well, there's lots of different types of malware, based upon what its intent is. There are malicious mailers; you're gonna know by resource utilization. There's phishing kits; you're gonna get blocked really fast by Google for that. There are spam links; your search engine results are going to be wonky. There's tons of different indications that there's a problem. The malware itself, how do you track the malware itself? Like, honestly, all of this obfuscated code, I like looking at it and reverse engineering it, but you don't really need to, right? You just, like, okay, well, there it is again, or, you know, you could just wipe it out. Just keep a record of what's there. If you need to create a report, you know, you put in what file was found where, and maybe a timestamp of when it was put there. I hope that answers the question. I don't know if I understood the question. Yeah.

So let's do one more question. We're right at time here, from Christina. Christina says, our hosting company, I believe, has us on a partitioned server with other WordPress sites that are also on the same server. Does this affect the way that we should be addressing cleanup?

Partitioned? So your site should be running one site, one server user. So PHP, or Linux, operates with users on the server, so your site should be running on one Linux or Unix or whatever user, so that one user, you know, engages PHP. If you are on a shared server like that, I would just really monitor your domain and IP address reputation, because if another site is using the same IP address, and what ends up happening, they'll have, like, 40 sites on the same IP address, and you have no control of, you know, Jane's cat blog over there. You don't even know Jane, but she's on the same IP address as you. You have no control over what she's doing security-wise, but your IP address can get influenced and impacted. So I would just make sure you're monitoring your IP address for deliverability; otherwise, you're gonna end up on a spam blacklist, and you don't want that. So, you know, the more your business is going to grow, the more it just makes sense, because your WordPress site is an asset that's bringing new business to you, it makes sense to invest in more robust hosting at some point. So if you are going to do the shared server thing, I would just monitor your site's reputation by IP address. Yeah,

very good. Kathy, this has been great. If you had to sum everything up with one final thought, what would it be?

Don't be afraid of hackers, but definitely treat your website like the asset that it is, and protect it with everything, all the tools that you have available.

Yeah, very good. Well, thank you, Kathy, so much for persevering with voice problems today. It's been excellent information. Folks, I've dropped several links in the chat as we're wrapping up here for today's slides. If you came in late and you want to download Kathy's slide deck, you can do that. Also, the recording of this event will be ready in about an hour, and the link to that replay is also in the chat. You can subscribe to Kathy's YouTube channel; you can see it right there on the screen, and that link is also in the chat. And finally, particularly if you build and manage WordPress sites for others, every month we do here on Solid Academy a free WordPress news roundup. And our goal is to give you all the important news as it impacts those of us that are working with clients doing WordPress things. That next news roundup is coming up Tuesday, 1pm Central time, this same timeframe. So join us for that; that link is there in the chat if you'd like to sign up for that livestream as well. Well, thanks again, Kathy. Thanks, all of you, for being with us as well. Hopefully you've learned a few things; I certainly have. I will see you back here next time on Solid Academy, where we go further together.