Welcome, everybody. I see a lot of folks are starting to pile in here to Zoom. We're about four or five minutes away from getting started with How to Clean Up a Hacked WordPress Site with Kathy Zant. We've got a lot of fun stuff to go through today, and I'm just about to get our captioning set up, so that should be working now. So welcome. Wow, lots of folks checking in there in the chat. Let us know where you're logging in from today. Good to see Tomas from Hungary, Stacey from Colorado, Jiang from Holland, Andreea from New York, Natalie from Canada. There's no way I'm going to be able to catch all of these. Many, many people logging in from across the world. It's good to see everybody today. My name is Nathan Ingram. Kathy Zant is with me. We're going to get started here in about three or four minutes from now.
We are talking all about how to clean up a hacked WordPress website today, and we have an expert in the field with us who's going to walk us through all these things. Let me also share once again the hacked website cleanup checklist. This is all the things Kathy is going to be showing us. No slides today; this is all live demo. So we've got a great resource checklist there for you. It's in the chat. Yes, I do see questions about the replay, and yes, the replay will be available about an hour after we wrap up today. I'm dropping another link in the chat. We'll be posting the video replay, the transcript of the event, and the log of the chat; they will all be there at that link about an hour or so after we wrap up today. Also, just because you got here a little bit early: this is part one of two. We decided this week we can't fit all the things into this time, so we have part two of this webinar scheduled for June the 21st. That's two, three weeks... about three weeks out, I guess. Yeah. There's that. Right, I can't do math. It's more than a month away; it's about six weeks out. We'll do part two of this event, and make sure you register. You can do so right there in the link in the chat.
It seems like forever from now. How is it May already?
Exactly. That is for sure. So once again, if you're just joining us in Zoom, welcome to iThemes Training. We're going to get started in about three minutes from now. We're talking about how to clean up a hacked WordPress site. Kathy Zant is here with us. My name is Nathan Ingram, and I'm going to drop in once again several links in the chat that have all the things you might want to know about today's webinar: the checklist download, the replay link, and how to register for part two of this webinar coming up on June the 21st.
Just about a minute to go now before we get started. As you get over to the chat room, say hi and tell us where you're logging in from today. Folks are logging in from around the world for this event. Really glad you've all decided to take an hour to join us. We'll be doing plenty of Q&A today as well, and I'll talk about that in just a minute. Just less than a minute to go.
This is a topic we have not ever done before on iThemes Training. I'm really excited and curious about how this works. I've never seen a hack actually being dealt with live before, so I am very curious about this. I hope you are as well. It's good to see everybody logging in. We're just about ready to get started. I'm going to drop in the link bundle here for anybody just now coming in. Check there in the chat room for the links to download the checklist, the replay links, and how to register for part two of this event. All right, we have three minutes after, so I'm going to be quiet just for a second and get a good stopping place for us to begin, and we'll get things kicked off with Kathy.

All right, welcome, everybody. We are live in iThemes Training. My name is Nathan Ingram. I'm joined today by Kathy Zant, who's going to be talking to us about how to clean a hacked WordPress website. Kathy has been working in WordPress for more than a decade, and she has deep, deep experience in WordPress security, cleaning infected WordPress sites. She's also worked in marketing for a number of brands in the WordPress space. She has been an organizer for WordCamp Phoenix and WordCamp US, and she currently lives in Texas, where she can be found walking Golden Retrievers or hanging out with some horses. Kathy, how are things in Texas today?
Things are warm and humid. I guess it's time for summer.
You know, it's supposed to be like that down here in Birmingham, but it is beautiful today. I just got back from a walk. It's like 75 degrees, no humidity, and sunny. It's just gorgeous. It's a great day.
Oh, beautiful. Enjoy it for me.
Yeah, you guys have all the heat over there.
Yeah, it has gotten hot here, and I'm not entirely sure why. Like, a little early.
It is a little early. So today we're talking about how to clean up a WordPress site that's been hacked. Give us just kind of a brief overview of the points we're going to cover today.
Sure. So we're going to talk about, first of all, how do you know that you've been hacked? What are some signs? What are the first steps you should take as soon as you even suspect that you have been hacked? How to devise a strategy: a quick and easy way to get the site cleaned up, with some tips toward making sure that it is done well. And then we're going to get that site secured. And I'll give you some tips also on how to recover that site's reputation. Also very important.
Definitely. Now, I've just dropped a bundle of links here in the chat. There is the checklist that you'll want to download and follow along with; you'll see that right there in the chat, a Google Drive link. So all the links that Kathy is going to talk about and the process... there are no slides today, so everything is in that great little checklist. Make sure you download that. We've already had a number of questions about a replay, and yes, this will be available as a replay about an hour after we wrap up today. We'll have the replay video as well as the transcript, which you'll see as live captioning for you there at the bottom of your Zoom window. And also we'll have the log of the chat, which will also be posted there on that replay page. We also want to remind you this is part one of a two-part event, and so the last link that I shared is how to register for part two, which is coming up on June the 21st at one o'clock p.m. Central Time. You can click that link and sign up right now to make sure you don't miss out on part two of this event. Now, one final thing before I turn it over to Kathy: we will be using the Q&A feature. I know if you're a regular iThemes Training attendee, we've been using the chat for questions; just because there are a lot of folks on today's webinar, we are using the Q&A feature. If you look, you should be able to see today all the questions that have been asked, and you'll see a little thumbs-up icon. That's to upvote that question, so if you have that question too, make sure you click that thumbs-up, and it'll make sure that gets more of our attention when we get to the Q&A time. We do encourage asking questions. It's a live event, and you've got a WordPress security expert with you, so absolutely take advantage of that. With that, Kathy, I'm going to turn it over to you. Let's get started.
Sounds good. All right. So I have a question for you guys before you start asking me questions. I want to know why you're here. I want to know if you're here because you've been hacked, or you've dealt with a hacked site, or you're scared you might get hacked, if you're just curious, or if you do this for your customers, if cleaning up hacked sites and getting them secured is part of your business. So Nathan's got a poll up for you. If you could answer that, that will help me sort of tailor this conversation so that I help the majority of the people who are here. If you're just curious, that's fine, too. I've got tons of stories. I did this for a while. I started cleaning... well, the first site I ever cleaned was my husband's site. It got hacked in like 2009 or something like that, and I had to learn, you know, basically on my own, to put the site back together. It was the TimThumb vulnerability that caused his site to get hacked. So I had some experience. I had some experience, you know, being in a technical field even before WordPress; I dealt with a hacked server. So I had some basic understanding of security, but I was by no means a security expert.

Okay, great. So we have a lot of people who are cleaning for others. Great. I will make sure I give you some tips for that as well. I was not a WordPress security expert. I just kind of knew WordPress. I had been working with WordPress for a very long time. And so when an opportunity... I was homeschooling my daughter, living up in Mount Shasta, California, and there weren't a lot of jobs or anything to do, and I was really bored just homeschooling. My husband's business was kind of running itself, and I just helped out every once in a while, and I needed something intellectually challenging. And so I applied to clean hacked sites and had a lot of fun doing it.
The thing that made me good at it was that I knew WordPress, and if you think about it, if you know basically how WordPress is structured, how the file system looks, you understand what should be there and what shouldn't be there. It's kind of like you know your house, right? If somebody broke into your house while you were at the grocery store and put a giant purple sofa in your living room, and you came home, you'd be like, whoa, what the heck is this doing here? You understand the patterns. You understand the way things should look. You understand how things operate. So therefore it makes it very easy for you to understand when there's something wrong, when there's something that's out of place. I actually would sit next to my daughter and clean hacked sites. She was eight years old at the time, and I'd say to her, "Hey, you want to play a game? It's called Malware, Not Malware." And so I'd show her different files, and she was able, just by pattern recognition, to understand what didn't look right versus what did look right. And so we'd play every once in a while. It was, like, you know, homeschool. That's a little more interesting to me than, you know, basic third-grade math. So my point is, anyone can do this. I am not a WordPress security expert, although I've had a lot of experience with WordPress security. So I don't know if there's another word for that, but there is no, like, you know, higher level. There's no looking down on WordPress users here. This is all collaborative, and this is one of the things I love about WordPress, and why WordPress security is so fun, is because as a community we help each other. So you are here to learn. You're here to find out all the tips and tricks, learn from my experience, but you guys are going to be the experts, and you guys are going to be the ones who end up going to your customers and helping them become better at security. So that's what I'm here for. I hope you're here for it too.
So it's really important to get to know WordPress core. So I am going to share my screen, hopefully all of it, so that everything shows up. I want to show you what WordPress looks like. Basically, this is my little hacked WordPress site, and this is what WordPress looks like. You have basically three directories: wp-admin, wp-includes, and wp-content. WordPress always looks like this. wp-admin and wp-includes, those two directories, always kind of look the same. It's wp-content that ends up starting to look a little more unique, and we're going to focus a lot of our energy there. You're always going to see a basic .htaccess file, and that tells the server, "Hey, do this stuff before you start talking to PHP." So it's kind of like a pre-WordPress file. And then you have the wp-config.php file, which basically tells WordPress, "Hey, this is where the database is," and here are some configuration things that are very specific to this site. So basically we have something that always looks the same, except for wp-content, .htaccess, and that wp-config.php file. If you can get this, cleaning a hacked site is super easy.
But how do you know you're hacked? What's the first sign? Well, obviously, something's wrong. That big purple sofa has showed up in your living room, and there's a problem. Something is wrong. But, you know, you've dealt with clients who, you know, maybe there was a plugin conflict and the site white-screens, and they're convinced they're hacked. Or I had one person I was helping with their WordPress site, and they had a .com and a .net, and they really liked their .net, so they let their .com go, while all of the images were being linked to the .com. And so their images disappeared, and they were convinced that they were hacked. When something is a mess, people usually jump to the first conclusion: that somebody has gotten into my site and made this terrible thing happen. Or maybe they can't log in. And all of these things could mean that the site is hacked, but it doesn't necessarily mean the site is hacked. So there's some initial investigation. You know, was the site really hacked? What are the indications of compromise, or, in the security world, they call them IOCs, indications of compromise, that tell you that the site has been hacked? And, you know, just because the site's broken doesn't necessarily mean that there has been an intrusion, but you want to basically identify: Is this a hack? Is this a problem? What is going on? What are the indications that there is a problem? So that will basically start to inform what it is that you're going to do, what's the strategy.

But the first thing you want to do, no matter what, is back up the site. Now, maybe it's somebody who's coming to you, maybe it's somebody that you've been working with for a very long time, and you have backups. Great. Restoring that site is going to be super easy. But maybe it's somebody who, you know, their web developer wasn't taking care of their site, and they're coming to you in dire need of help.
And there are no backups, and you're not even sure what you're necessarily getting into. You're basically going into something sight unseen, and it's your job to fix it. This is going to be the talk for you. Restoring from a backup: super easy, no problem. The site maybe got hacked from a bad password; restore it from a recent backup. BackupBuddy is brilliant for that. But here, let's imagine somebody comes to us. They've got a hacked site, and their web developer is MIA. The first thing we want to do is back up that hacked site. We want to preserve the evidence as we have found it. Basically, we want to create a backup. If you can get to wp-admin, you know, load up BackupBuddy and make sure you back up everything. It's going to back up your database. It's going to back up your files. Back up to something that's off of the server, because we want to get that entire site away from that compromised server, because you're going to have to assume that everything that's going on on that server is a problem, right? You're going to have to assume that anything that the user that runs PHP can touch is compromised, because it has malware in it. So you want to get that backup. If you can't get to wp-admin, there are other alternatives. You can back up the site using FTP, and basically you want to back up everything that is accessible to that PHP user. If you're using cPanel, it's anything under public_html. For this particular site, we're using a test site on Nexcess, and we have FTP set up here, so it's everything where that website is, so under html. So basically all of these files need to get backed up. You can pull them all down using FTP. That's kind of a slow process. If you can get in on the terminal with SSH, you can create a zip file or a tar of that site, and there are some commands in that handout that will show you basically how to do that. That just compresses everything into one file.
So then the download is a lot faster, and you want to get that off of the server. Once you've done that, then you have to have a strategy. So what's going on? Is the site redirecting to a bad neighborhood? Are people visiting the site and basically clicking on links that end up infecting their computers? Is there a card skimmer in the WooCommerce installation that's stealing credit card numbers? Is this site causing harm on the internet? If it is, you want to stop that immediately, so it makes sense to take that site down. You know, put up a coming soon page
or have it suspended by the hosting account, and some hosting companies will do that if they notice the indication of compromise that your site's hacked and maybe is sending out spam, and they're seeing resource over-utilization problems. They might have already shut that down, because it's a problem to them. Anyway, you have to make that decision as the person who is in charge of this incident response. So if it's causing harm on the internet, take the site down. If your indications of compromise are that there are pharma spam links in all of your posts, you know, that's not necessarily causing major degradation and problems to site visitors; you might want to just leave it up and just focus then on getting the site cleaned up. But you have to assume everything on that server is compromised. One problem with cPanel is that it allows you to do add-on domains. So if you have one site that's hacked on your cPanel, so you have ten sites in there, and one site, you know, is completely and totally broken and there was a problem there, you have to assume every other site is also affected as well. Maybe they're still up and functional, but assume, because the user, the server-based user running PHP for that particular site that has the problem, also has access to all of those other sites. Assume that they're all infected, and you're going to clean everything. You're going to take everything under public_html, zip that up, and pull that down to your hard drive, and you're going to clean that entire space, because you have to assume everything is completely infected. So what we're going to do, our strategy, is we're going to zip that up, take it all off of the server, and we're going to clean it locally. Now, a lot of people will use maybe a plugin or a tool, or they want to just clean it using the File Manager in cPanel, or maybe they want to clean it using FTP.
Here's the problem with that. Because we know that everything under public_html, everything under html on this particular server, is basically open to the hacker, it's all compromised. You're basically playing a game of whack-a-mole. So if you find a piece of malware and you clean it, and you get that file all cleaned up, the hacker can come back and reinfect it while you're working on something else. You don't want to waste your time and play a game of whack-a-mole. You don't want to try to use a plugin or any other tool in order to clean your site. You know, use your plugins to tell you that there's a problem, but take the solution and hold that in your hands, away from the hacker. How do you know that your plugin wasn't compromised? I mean, that could happen, because you have to assume that everything that's on that server has been touched by the hacker, and you want to take control of your server and not leave any stone unturned, and basically clean that site. And then we're going to load that backup up on the server in a place where the hacker can't get it, unpack that, and then swap those files out, basically taking away all of the hacker's tools all at once, so they can't do any further damage. So that's basically the strategy that we're going to do. You're going to want to clean and secure the site first. Get that done, get the site back up and running and secured, then you can do the investigation later to find out what has happened. Do that, you know, log file review and find out what's gone wrong, so you can prepare a report for your client later. But first, get that site back up and functional, get the malware off of it, stop causing harm on the internet, make sure that WooCommerce is all, you know, secured and there are no card skimmers, whatever malware that you found is gone, and that the site is back up, functional and secured. That's our focus, and we can do the investigation later. Okay, so now what we want to do is we want to build a clean copy of that site.
So if we go back to our Finder and we see this particular site, we can take a look at what we have. So we have some general files under wp-content. We want to find out what version of WordPress this is. So we go into wp-includes, and you can open up any file in a text editor, any PHP file. It could have all of the PHP malware in the world in it, and you're going to be okay if you're just opening it up as a text file, and you're on your hard drive here. This isn't a problem, because the only time it's going to be a problem is if the PHP is, you know, running, if you have a PHP engine that's basically interpreting that code and acting upon it. But just opening it up and seeing what's in this code is not a problem. So if you go into the version file under wp-includes, you can see which WordPress version we're using. So we have 5.9.3, which is the most current version. But let's say it hasn't been updated in a while. We want to build a clean version of the site based upon the version that we're dealing with here. So I can download WordPress 5.9.3 here, but if I wanted to look at all releases, I can go down to all releases, and let's say it is, you know, 5.5 or 5.5.6; we can download that zip and we can start building out a clean version of that site.
The next thing we want to do is we want to take a look at our themes, what themes are in this particular... scroll back out of wp-includes. So what themes do we have here? So we've got Kadence, Twenty Twenty, Twenty Twenty-One, Twenty Twenty-Two. Now, our site is still up and functional, and we know that Kadence is the one that's being used here, so we know that's the active theme. We want to be aware of what's active on this particular site. Kadence is active on that site. We want to see what version of Kadence they're using. So we can go down to the readme here, and that will basically tell us what version. So the stable tag...
I have to jump in real quick. Yes, I have several questions about the text; it's really small to view, and I know it's going to be a little difficult to deal with in Finder windows especially. Hmm, maybe Command-plus will zoom in on that, for sure.
Okay. Yep. Okay.
And then on your Finder window, if you click the window and do View, yes, and then View Options, Show View Options, toward the bottom you can change the font size. I'm sorry to interrupt you; we've just had a bunch of questions about that.
Yeah, no problem.
Yeah, bump it. Yeah, let me make it... Okay. That's better. Thank you. Okay.
I can go a little bit larger too. That's about as far as it'll let me go. Okay. Anyway, um, yeah, Finder. All right, we're done with that. All right, I'll try to stay out of... I have stuff in front of us, so I can't find where to close it. Okay, there we go. Okay. Anyway, in the theme files, you want to find the stable tag, then you want to go to that particular theme. So we'll find Kadence. And then for the themes, you're going to want to go to the Subversion repository, and then you can find all of the different versions that are available. So you're going to want to download the version of the theme that you're dealing with, if it is not the most current theme. Same thing with plugins. So if you go to any plugin, we'll just pick the Classic Editor, for old times' sake. If you go to Advanced View and then go down to the bottom, you can find whichever version of a plugin you want. Now, you might be dealing with a vulnerable plugin. Here's the deal. You're going to want to build that site out exactly as it is, even with a vulnerable plugin, because we want to see where there's malware. The other thing is, you don't want to go through it... let's say they're using WooCommerce, like, 3.2 or something, like, ancient, right? There's an upgrade process that you have to go through with some of these larger plugins. So we want to start our clean site out exactly where it is. So get the clean copy from the repo, and build out a clean version of your site. Now, I don't know if I can make this larger. I'm really hoping that this is visible; let me know in the chat. Basically, what I've done here is I'm using a tool called UltraCompare. There are a couple of different ones. This one has a free version that you can use for 30 days. So if you're just dealing with one hacked site, and you just want to quickly see what the heck is going on with it, this is a great tool. Yeah, I'm going to check chat and see if... completely not. So sorry.
Maybe under your view menu, there's a
yeah, see
there's an Increase Font Size command. Equals. All right. Okay, increase.
Thank you. Yeah, that might not work, because I'm using a version of this that I haven't paid for, because I'm not doing cleaning of hacked sites. I'm going to try to show you some samples of what we're finding, and maybe you'll get an idea just from the colorization here. Basically, I have my clean site on one side, and then I have my hacked site on the other, and it's going to show you with color where there are problems, where things don't match up. So if we load up these, you can see there's extra text here. You don't even need to see what it says; you just know that it's garbage, because it's almost impossible to tell what's going on with this file, because it's all been obfuscated. So this is basically what you want to do: you want to build out a clean version versus... now it opened up another. Do I want to... There we go. Oh, now it closed the wrong one. Let me rebuild this with two different...
Basically, you're building out a clean site that matches up with your hacked site, and this tool will show you exactly what doesn't match. And it's going to throw me a couple of errors, and it's going to show you that based on colorization. So anything... and it's got a little legend up here somewhere that I don't see right now. There's a legend that tells you what all the colors mean. But basically, any time that you're seeing all blue, it's going to be okay. So I'm going to close wp-admin; that matches up perfectly. And I infected the site... I basically hit all the Easter eggs. No, I don't... for the Easter eggs here. And wp-includes, I also did that infect, so I'm going to try to close that too. And we're going to focus on... and I'm going to open this up, and hopefully... Can you see this? Okay. Hopefully.
It's a little hard to see, folks. I'm going to drop a link in the chat. In Zoom, at the very top, when you mouse over the screen share, there'll be a green bar that says you're viewing Kathy's screen, with a little dropdown that says View Options, and you can change the percentage there for yourself.
Yeah, I forget how difficult it is to show code sometimes. Anyway, this will basically show you what doesn't match. Now, in wp-content there's always going to be some cache, and the clean version doesn't have that. You can typically delete the cache, and honestly, you're going to want to delete the cache, because the cache for the site could have malware in it. So that's something you're just going to want to wipe out and rebuild with a known clean version of the site. Then there are... oh, I can get rid of wp-includes. Okay, so the next thing is the must-use plugins. Now, Nexcess has their little version. I went and got a clean version from another site so that I could do matching with that. But if you have paid plugins, if you have paid themes, if you have things that are specific to that particular hosting provider, those are things that you're going to want to go get a clean version of from the source, so that you can match that up. Or you can go file by file and look for things. Some things that you want to look for: any time you see PHP, like, you'll see a start of PHP and then an ending, the question mark and then the end bracket, and then it starts up again. That is pretty much always going to be malware. They're basically just, you know, sort of carte blanche adding backdoors into known good files. So that's something that you can just go ahead and delete. I don't even want to go through all of that. The other thing that this will show you is any file that has been added that doesn't have a match. And I know I infected, because Matt and I see... I want to make this as easy as possible and not go through tons of code, because I know as soon as I started doing this, I'm like, okay, we're going to run out of time. And I probably should have just found... Okay, here are some files that have just been added. This doesn't have a match, of course.
So it's not showing me that. When there's not a match, any of these files, if there's not a match, you can just go ahead and delete those. So just delete all of those files. You don't need them. If they don't match the clean version, then there is no need for them. Anyway, this tool is really good for doing that comparison, but there are going to be some files that you can't do a comparison on. So let's go back and let's look at some of those files that we can't do a comparison on. .htaccess is going to be one of them, and you're going to find that there's a general .htaccess file; I think I put that in the notes. And then you're going to see things like caching that your hosting provider is going to add. Here's some malware that I have seen a lot of, and this is malware where, when you visit the site from a search engine, you get redirected. But if you visit the site just straight away, or if you're logged in and you're not, you know, having a referrer coming from a search engine, you're fine. And you'll see a rewrite condition, you'll see all of these search engines listed, and then you'll see where that is being redirected to, and that can just be wiped out. Obviously, we have a backup. So any... I'm always scared of making changes to the .htaccess file. Bad things can happen there. The other thing that we want to look at is the wp-config.php file. And in this particular example of the wp-config.php file, we're seeing, right at the top, we're seeing the
addition of PHP code before the rest of this is engaged. This is always going to be malware. This is actually a backdoor. So you want to delete... oops... delete that, of course, because that's just malware. You don't want that. But this is something that you can't compare unless you have a backup. So you want to run these types of comparisons and look at all of the files. Alternatively, if you don't have to create a report for a customer, let's say, for example, you just want to get the site up and running, just get the known good version of that particular file or that particular plugin and just replace that under the plugins. You download it and just replace it. You can just, you know, if you download WPForms Lite from the repo, you can delete this and just build out the clean version so that you have that all ready to go. Let's say we've gone ahead and done that, since I'm running low on time. We've got a clean site. It's all clean. We know it's clean. We've gone over everything. We've replaced files that we know have been infected, because a hacker is basically going to put malware in known good files; they're going to pollute those. They're also going to add additional files. They're not just going to leave a site without putting some backdoors in it, so that they can come back later and add new spam links or add a new malicious redirect. They want to basically have control of your site, so there's going to be, you know, pollution throughout, and that's what we're trying to clean. So you're also going to want to go through your uploads folder and look for PHP files in there. There are some plugins that will put PHP files in there. Like, I can't remember, I think Gravity Forms does have some PHP in there, I can't remember. Um, but typically there are no PHP files in the uploads directory. So if you see anything in there, you're going to want to look at it.
So the things that you're going to want to look for are obfuscated PHP; it's just going to look like strings of things that are indecipherable to you. You're going to want to look for any code snippets at the top, like I showed you, that look like they came from a different PHP file and now all of a sudden they're at the top. You're going to want to look at any file that has the ampersand, error_reporting, parenthesis, zero; anything that says they're trying to hide any kind of errors being thrown, they're trying to hide their tracks. And then you're going to want to see things that say set_time_limit(0); they're calling that, ampersand set_time_limit(0). That means they're trying to make sure that their script isn't timing out. There are also a couple of other functions, and I'm pretty sure that's in the doc too: preg_replace and base64_decode are used often. Any kind of text that just doesn't make any sense. This is how my eight-year-old was able to tell malware from not malware. It's anything that doesn't look like clean code. Anything that just looks like strings that are indecipherable is probably malware. There are a few plugins out there that do escaped PHP. I think Digital Access Pass used to do that; I don't know if they still do. So basically, those are the types of things that you're going to look at much more closely. When we're ready to restore the site, there are a couple of things you can do. If you have BackupBuddy and your WP admin is working, you can use ImportBuddy to basically pull in the clean copy of the site. What you're going to want to do is take, let's say this is your site, you're going to take this html directory and rename it to something else, like html_hacked. If you can't get to the WP admin, you can't use BackupBuddy. You're going to want to go above that html directory.
And then you're going to create another directory, like html_clean, and you're going to want to put the clean site in there. So if you're using FTP, just write this all over. If you're using cPanel and the File Manager, you'll just create a public_html_clean. Basically what we want to do then is we have html and html_clean, and we're just going to swap these. We're going to rename this one to html_hacked, we're going to rename this one to html, just html, and then those files become the cleaned site. So once we have that done, we have our clean site up, and we just go to the site and take a look. Did that fix things? Does it look okay to you? Is everything working properly? Log in. Once you've logged into the site and you are in the WP admin, there are a couple of things you want to do. First of all, one thing I've seen a lot of hackers do is change this to "Anyone can register" and then change the default user role to Administrator. So you want to go double-check that. If no one is supposed to register, uncheck that and set this to Subscriber, and make sure you save that. The next thing you're going to want to do is look for any user that's an administrator that doesn't look like it should be there. Change those to subscribers, and change the passwords for every single person that has any kind of administrative or publishing access. That includes editors. Basically, anyone who can do anything on the site. Then you'll want to go into your plugins. If there's anything that needs an update, make sure you're updating that. If core needs an update, you're going to want to update that. For the themes, obviously the active theme, you want to make sure that's okay.
You know, these default themes that will show up there, they will get polluted by a hacker. They will think, hey, this person is going to just change themes and see if that wipes out what I've done, so any hack that they do to the active theme, they'll probably copy over to the other themes as well. So change all of those passwords, change the password for your hosting account, change your FTP password, and then you're going to want to change your WordPress database password as well as your salts. That is in your wp-config.php file, and in that handout there's a link where you can auto-generate salts; just copy those and paste them over what is in your site. That will basically negate any sessions that are available. And you're going to want to install iThemes Security and activate the settings that will tell you if the site ever gets any kind of intrusion again. First of all, you're going to want to do two-factor authentication for all of the administrative users, making sure that if there are reused passwords out there, you just get everything set up. You just want to secure the site in every way you can. Go into iThemes Site Scan and scan for vulnerable plugins, themes, and WordPress core versions. Just make sure that everything's okay. And turn on version management. This is going to be your first line of defense if an intrusion ever does happen again; it will be your first line of hearing that there is indeed a problem. Make sure you've got BackupBuddy installed and test your backups. Make sure your backups are being sent off of the server, and test them. Make sure that you can restore from them. Go open up the backups and make sure that it looks like WordPress and that everything is there. Make sure that all of the SQL files for the database are also there, and make sure your backups are happening on a schedule.
All right, last little bit, and we're going to go kind of quickly over this, but we want to recover a reputation, because sometimes the first thing that tells you that your site is actually hacked is Google letting you know. So we want to go to Search Console. First of all, if you found any extraneous sitemaps that look kind of funky, like they're putting out spam links, you're going to want to delete those. You probably also will find a Google file in the root of that WordPress directory that gave that particular hacker access to Search Console. If you go into Search Console and you go to Settings, look and see if there are any extraneous users here. Then you're going to want to look at Sitemaps and see if there have been any sitemaps set up over there as well.
You may have to set up your own connection to Search Console if the customer that you're dealing with doesn't have that; maybe they don't even know Search Console exists. You can do that and then hand that back over to the customer. The other thing that you want to take a look at is Security Issues under Search Console. If the big red screen of doom and gloom from Google is being shown, you're going to see something here in Search Console under Security Issues, and this is where you will request a review. Now I have one comment about Google and AdWords. You might have the cleanest site in the world, and AdWords might tell you that there's a problem. Just keep trying with them. Sometimes they're looking at different things than you are, but Search Console is going to help you out with Google's deceptive site warnings. Norton and McAfee can also be an issue; if people have that installed, sometimes they hear from their customers that there is a problem, so you might have to clear a blacklist there. And if the site has been sending out spam, Spamhaus is the first place to look. You're going to need the site's IP address, and then you're going to have to basically clear the reputation of that IP address at Spamhaus. Just another note about communication and how important it is when you're dealing with customers: you're going to want to create a report for them. You're going to want to tell them what you found and what you think happened. Sometimes you'll be called into a site and it's been hacked for like six months, and the customer didn't even notice until it just fell apart because like the fifth hacker has gotten access to it. You might never find an intrusion factor there. But still, even if you don't, make an educated guess, and then start educating your customers as to what those problems were, what led to this happening.
Use this as an opportunity to not only educate your customers but be of service to them, so that they can use this as a learning experience, go forward and be more secure, and also have that trickle-down effect where they're educating others about ways to be more secure. So I apologize for my code being so small. I have this giant monitor; it looks fine to me. But hopefully you got the basic gist of how to attack a hacked site and the strategy that you should have. Let's open this up to questions, because I'm sure we have a few.
Yes, we have a bunch of questions that have come in, and let me invite everybody: if you haven't asked a question, please use the Q&A button just below our faces there in your Zoom window. And also just go ahead and open that up anyway to look at the questions that have been asked. You'll see them listed under Open Questions, and if you see a question there that you have or that you want to hear answered, click the little thumbs-up icon to upvote that question; that gets our attention better. So do that really quickly. I'm going to start with the first question on the list here, which is from Kevin. Kevin asks, how would we know if the database has been compromised or utilized for a nefarious purpose?
Okay, typically we will not see backdoors in the database, but you may find malicious redirects, spam links, and other things like that in the database. So the places that you're going to find those are the posts, and you'll find those in actions sometimes. Basically, you'll need to open those up. I think this is going to be part two: how to clean database files. And there are some tips in the handouts of things that you can do. But BackupBuddy will pull down this SQL file, and you can start actually looking at it on your computer. I would first of all handle the files, get that taken care of, because that's where the backdoor is; that's where more damage can happen. Then start looking at the database, start looking at those tables that might have spam links in them, or malicious redirects, those types of things, and then clean the database second, once you have the site secure. I have not seen a lot of backdoors being inserted into posts and things like that. That's not to say that it can't happen, but I would focus on the worst. Like, you're cleaning a site, and the worst one was Avada. I had an Avada theme that was outdated. It had a very easy intrusion factor. I got the site all cleaned up. It was a paid theme; I didn't have a copy of the paid theme to give back to this person. And as soon as I got the site up, it got hacked again. So try to get that clean site as ready to go as possible so that you can do those kinds of updates as soon as you get in there. You basically have to understand the lay of the land and get the site secured as soon as possible before you start going after the database.
Yeah, very good. So you sort of answered this, but let me ask the question specifically, so maybe you can just give us your answer to this one from Joe: how can you tell if the database is clean?
You're going to have to look at it. You're going to have to look at the posts, look at what's in there, and basically start looking at the content within those posts. If you see a lot of spam links that shouldn't be there, that's typically what I've seen, or malicious redirects. You're just going to have to start looking at those things. If there's JavaScript in your posts, those are likely malicious redirects that are redirecting to the bad neighborhoods. So those you'll want to take a look at. Basically, you're just going to have to clean up that SQL file and then upload it, same type of thing: you upload wp_posts clean and then swap those. That's the easiest way to do it, unless you want to go edit every post, but I don't recommend it; it takes a lot of time.
So there's been a great amount of information shared in the chat. I just want to remind everybody that the whole log of that chat will be shared as a link on the webinar replay page once we get the video up, so all that information doesn't disappear. It will be available after the webinar is over. A couple of things: Matt has given some really good advice in the chat. A couple of things to look for, not specifically WordPress hacks, but if you're in a cPanel environment, he mentioned another couple of things to check would be to look at the cron jobs and see if the hacker has been able to set up a cron job. And also, and I had never thought of this, and this is sneaky (hackers are sneaky), actually going in and adding an email address in cPanel so they'll be able to confirm some things.
Yes, I have seen that. I've seen cron jobs added, where the malware just gets re-added. If they got a hold of your cPanel, which happens if you're reusing passwords, they can get a hold of your cPanel and all kinds of nonsense can happen. So like I said, assume that the entire hosting account is completely compromised if you're cleaning it up for a customer. You just have to look at everything.
Yeah, for sure. Okay, so here's a question from Jeff. The question is: do you consider malware that keeps on editing files within WordPress sites as being hacked as well? I have malware somewhere on my hosting account which keeps on changing my WordPress files without this really affecting the sites; I guess you can't see anything on the front end. And I'm wondering whether I'll be able to fix this.
Interesting. So if you can't find it in your actual WordPress account, it could be... I would look for stuff like that: cron jobs, and see if there's anything in your cPanel. I've seen that happen; that's a tricky one. So then I would ask your hosting provider for assistance. If it's not within your WordPress site at all, you just have to give them some ideas. They may have log files beyond the raw access log files that you can see, where they may be able to see what might be happening there. I've seen people have issues where phpMyAdmin is public and the database has been somehow exposed. Maybe they made a backup of wp-config but they put .txt at the end, and now it's public, and then phpMyAdmin is accessible and they're able to get into that particular database and add malware there, or, you know, the users are all in the database too, so they can add a user that way. So if you have phpMyAdmin, make sure that that is secured as well. Very good.
Okay, here's the next question. And there have been some questions about the chat. Also, we share those chats as a text file, so I don't believe the links are actually clickable, but you can copy and paste out of that very easily. It's just a raw text file that goes up where the chat log is. The question is from Anonymous: I have one site that gets about 30 files added to the main directory daily. Doesn't that sound fun? It has five or six random characters with the PHP extension, like, you know, blahblah.php or something similar. No other directories are affected and nothing on the site is affected. It's a custom theme, so I can't compare it to anything. What do you do with that?
Look at your theme's functions file. I've seen that, where something's in the functions file that is auto-rewriting something, because every time your site gets visited, that functions file gets engaged, right? And so if there's something in that functions file, that could be rewriting those files. So I would just do a code review on that particular file. Yeah, that's the first place I would look; there's a problem there. I would also look at... man, I'm getting a strong intuitive feeling. So I would look there, and then, yeah, I would also look at your wp-config.php file; I would page all the way to the bottom and see if there's anything that just looks funky.
Yeah, that's a tough one. And of course, obviously you'd want to check to make sure you don't have any vulnerable plugins there, something that hasn't been updated in four years or something like that as well. That's a tough one. It is. Okay, Sal would like to know: how do we know how long ago a site was hacked?
Good question. There are some Linux commands that you can run to see the oldest file date. Basically, you're going to want to take your log files, and every hosting account usually has log files for the last 30 days, which is why it's so important for you to deal with hacks right away. You're going to look at the last file change dates. If, say, you updated a plugin last week, but there's one file in that particular plugin that was updated yesterday... hmm. Well, I might go to my log files and look and see what happened at that particular time. Maybe there's a zero-day, something happened, and that's when they got in. But you're going to want to take timestamps on your files and your log files and match those up. I can tell you, though, if you're dealing with a site owned by somebody who doesn't really pay attention to their site and doesn't know security, the site could have been infected months ago, and you might not have log files for that time. So you're just going to have to make an educated guess as to what happened. Yeah.
All right. In all of the webinars where Michael Moore has talked about iThemes Security here over the years, he's always talking about log files and why you want those log files. And iThemes Security, I had to go back and look and find it: we did an in-depth webinar on looking at those log files and learning some things from them. So while you answer the next question, I'm going to go see if I can find that webinar, and if I can find it, I'll drop it in the chat. Another question here from Jim: if you have both html_clean and html_hacked in your hosting account at the same time, isn't there a risk that the malicious code also affects your clean html?
No, because what we're doing basically is the web server knows that the website is under html, and anything above that is not accessible publicly. That's the root of your site. So if we swap that, html_hacked is now out of access for that hacker, for anyone. So the clean site is all that's available to the world, and the clean site is what you're dealing with. Once you've got the site secured and everything's locked down, go delete that html_hacked; there's no good that can come from that. Your hosting provider might do a scan and notice it and shut you down, that type of thing. So go ahead and wipe that out once you know that your site is up and running. Now, plenty of times I had cleaned hacked sites and I'd do that swap, and the reason why we do this is because you do that swap and it's like, oh geez, what happened to the site? Something is wrong, something's not right. So you can swap that back and start investigating and find out what error messages might be getting thrown, that kind of thing. So it gives you something right there that you know was working, so if you changed some code locally that caused a problem, you can at least troubleshoot it and not have the site down because of you, right?
Yeah, great information. And I did just drop a couple of links in the chat. One is the one from last year from iThemes Security talking, and we did deal with logs a little bit there. The second one is, I think, from 2018. It's got a little time on it, but the basic information is still there and good, about the logging features of iThemes Security Pro. So if anybody has that question, they can go back and take a look. All right, Aundrea has a question: are you comparing the clean versus hacked for each plugin individually, or after they're all installed with the clean theme?
Well, if you're doing an investigation and you want to find all of the pieces of malware, I recommend you create that clean site and you compare it against the hacked site so that you can see what's malware or what doesn't belong. Find the purple sofas that have been moved into the living room, so to speak. You want to find all of those. If the client doesn't care, who cares, right? Just get that exact version that they have and just wipe out the bad; you know that there's garbage in there. You just put in the clean, same version. Don't go try to install WooCommerce 6 where they're using WooCommerce 3, or you're going to break things; there are update processes that need to happen. And that might be a hard thing, where if you're updating from a super old version of WooCommerce, you might have to update to 4 and then update further, and do that as a process. So updating things can always be a challenge.
Yeah. And just to clarify on that question, she's wondering: so do you download the files for the clean site to your computer to compare?
Yes, yes. Don't try to clean on the server. Never try to clean on the server, no matter what. You just assume that everything up there... it's kind of like brushing your teeth and eating Oreos at the same time. It's just not gonna work, because the hacker can still be there. There have been plenty of times when I've been cleaning a hacked site and the hacker is still active on that site at that exact same time. You just have to assume that nothing good is happening on that server until you get that clean site in there, take it over, and lock it down.
I'm happy... I'm still shuddering about, you know, Oreos. Okay, Clyde has a good question here: I've heard it's best to delete any unused themes, like the Twenty-Something themes. One less thing to be hacked. What do you think about that?
Yes, that's what I would do too. For this particular one, I just kind of left them there. But yeah, I would. Obviously, you're going to have to look and see what theme is active, and if there's a child theme to that theme, so you might have two themes there that you need to save. But every time you update WordPress, it's like, hey, remember these Twenty-Something themes, and it's going to upload those, and you don't really need to have them there. You might need them there for testing purposes, but you can always re-add them later. So for this purpose, any themes or plugins that you aren't actively using, do you really need to spend a lot of time cleaning them if the customer doesn't care? Now, if it's a situation where you have to create a report and tell some bigwig what's really going on with their site, you want to take a deeper analysis of what you found.
Yeah, you know, this is a gripe of mine, because it's best practice, right, to not have any unused themes or plugins on your site. I've heard that since I got into WordPress 100 years ago, right? However, the WordPress Site Health tool dings you if you don't have a default theme at least present, even if it's not active. Isn't that weird?
It is, you just kind of get used to it.
Yeah. Okay, so moving right along. We're at time. We'll do one final question here from CO: would all preferences and settings be wiped out once the themes and plugins were replaced, or would they be kept in the database?
Settings. If you're using the exact same version, everything should be fine. You want to do any updating on the server, because again, some processes may happen. So when you create that clean version of the site that you're going to swap out, use the same exact version.
All right, there we go. So lots of great information today, Kathy, and lots of great questions from everybody as well. Kathy, any final thoughts as we're wrapping up?
Don't be scared of hackers. It's mostly just dealing with cleaning up the mess in the living room that the kids have left. It is not a scary thing. You can do it.
Very good. All right, so just to remind everybody, we do have a part two of this webinar, and we're going to present a poll question to you really quickly about the subject matter that you would like to see in part two. So please just pick two. I mean, you could check all of them, but it would be helpful if you just choose your top two of these four topics, just to give us some guidance on what you'd like to see covered in the next webinar. And while you're doing that, once again, I will drop in the link where you can register for part two, which is coming up in several weeks, on June the 21st at one o'clock Central time. So it's basically evenly distributed for the most part; cleaning the database, it has a slightly... I'll leave this up for five more seconds, so you'll want to vote quickly. Vote now or forever hold your peace. And there are our results for the next webinars. So okay, those...
Maybe we'll just do two. Yeah, finding the database. And then part three is malware identification, for sure.
All right, so folks, we'll have the replay up in about an hour. That will include the live transcript as well as the log of the chat, which has grown a lot of great thoughts and resources in it. You'll be able to view that at the link which I'm going to share one final time here in the chat room. If you want to save that, it's the same link that you used to register for today's webinar. All right, that is it. Kathy, thanks again for your great information. We appreciate all of you being with us. Hopefully it was a good investment of your time and you've learned a few things. Again, my name is Nathan Ingram, and from everybody here, I hope you have a great rest of the day. We're back tomorrow for members for the Fly 2022 course. I'll see you back here then. iThemes Training, where we go further together.