Fixing Blackhole & Phoenix Exploit Kit Attacks on WordPress

Blackhole Exploit Kit, Blackhole Exploit Kit Detection, Phoenix Exploit Kit, Rogue Scanner and JS Redir attacks are currently the most prevalent of all website threats globally. These can destroy your website’s online reputation and drive your visitors elsewhere. Malware may be installed onto visitors’ computers directly from your website, without you being aware of it.

WordPress Site Hacking

Even with the best security, your WordPress website is at risk of infiltration, because these Blackhole Exploit applications exploit flaws in the JavaScript code itself rather than hacking the site in the conventional sense. They can compromise your website without you even being aware of the problem.

How To Tell if Your Site Has Been Compromised

For some people, the first indication might be a complaint by a site visitor that their PC’s internet security application sounded an alarm. Some search engines – like Yandex – now email the website owner if their web bots discover malware during site indexing visits.

You can be a little more proactive than that. Aside from using a premium internet security suite and visiting your own site regularly, you should also check your website regularly on the premium internet security sites. The following are those I have found to be accurate:

  • www.sitecheck.sucuri.net/scanner/
  • www.safeweb.norton.com
  • www.avgthreatlabs.com/sitereports/

Of those, Sucuri.net provides the most detail, right down to the infected file and the type of infection. This allows you to go straight to the source of the problem and eliminate it.

Not checking, and not being aware of an infection for an extended period, can result in your site being blacklisted by the sites which monitor inappropriate activities such as malware, phishing, virus distribution etc.

Another good site is www.virustotal.com – click the “Scan a URL” option, then enter the website Domain Name to be checked. VirusTotal will check your domain against almost 20 different databases and report on its status.

How To Minimise The Threat

Implement each WordPress upgrade as soon as it appears. This is extremely important and is the best way to prevent exploit attacks in the WordPress core. WordPress developers quickly remedy any newly-discovered issues, so an upgrade is the best defence against known security threats.

Make sure that all Plugins are kept up to date. Upgrades frequently address newly discovered security flaws in PHP and JavaScript code. In the past 2 weeks I’ve seen successful Blackhole Exploit Kit attacks on the following plugins:

  • Contact Form 7
  • Contact Form 7 Calendar
  • ./wp-content/uploads/wpcf7_captcha/

Use a Design Theme that does actually have an upgrade process. Some developers of premium themes provide incremental upgrades and security patches. Those produced by Studiopress are amongst my favourites.

Cheap, nasty, old or free WordPress themes are an invitation to disaster. If your website has any value, add to it with a professionally written design theme…

How to Fix a Hacked WordPress Website

The first issue is accurately identifying the problem. Use www.sitecheck.sucuri.net/scanner/ to establish which directory and/or file(s) are affected.

The second issue is to eliminate the problem immediately!

Elimination of Exploits

In the case of WordPress, the “upgrade” or “reinstall” provides an immediate elimination of compromised core WordPress files.

Plugins that are compromised are overwritten by an upgrade. Where no upgrade exists:

  • delete the plugin directory
  • go to WordPress.org/extend and download a fresh copy of the plugin
  • unzip it into your PC’s local drive
  • use FTP to upload the plugin directory to ./wp-content/plugins/

Design Themes that are compromised are also overwritten by an upgrade. Alternatively, use an FTP program to delete the current Theme directory, and then upload a replacement copy. Note that if you’ve got any custom modifications to the theme files or the style sheet, it’s a good idea to have a local copy of those edits!

Having cleaned up the offending file/directory, it’s useful to go through the site looking at date_modified dates.

Some exploits or hacks insert files; these will invariably be dated on the day the exploit or hack occurred. Look for any dates that stand out as being different from those of the recently uploaded WordPress / plugin files.
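One way to carry out that date review over a whole WordPress tree, as an added example that is not part of the original post: the script below groups every file under the installation root by modification date, treats the dates that account for a meaningful share of the files (in practice the install date and any later upgrade dates) as expected, and lists everything dated otherwise. It also lists PHP files under wp-content/uploads, since files the site writes there should be media, not code. The sample tree, its dates and the 5 % threshold are constructed for the example.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime

UPLOADS = os.path.join("wp-content", "uploads")
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def collect_mtimes(root):
    """Map each regular file under root (relative path) to its modification date."""
    dates = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue
            dates[os.path.relpath(path, root)] = datetime.fromtimestamp(mtime).date()
    return dates


def find_date_outliers(root, min_share=0.05):
    """Return (expected_dates, outliers).

    A date counts as expected when at least min_share of all files carry it,
    which picks out the install date and any core/plugin upgrade dates.
    Every file dated otherwise is reported as (relative path, ISO date).
    """
    dates = collect_mtimes(root)
    if not dates:
        return set(), []
    counts = Counter(dates.values())
    total = len(dates)
    expected = {d for d, n in counts.items() if n / total >= min_share}
    outliers = sorted(
        (path, d.isoformat()) for path, d in dates.items() if d not in expected
    )
    return expected, outliers


def find_php_in_uploads(root):
    """List PHP files under wp-content/uploads; legitimate uploads are media, not code."""
    base = os.path.join(root, UPLOADS)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(base):
        for name in filenames:
            if name.lower().endswith(PHP_SUFFIXES):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def _write(root, relpath, timestamp):
    """Create a placeholder file and back-date its mtime (constructed sample data)."""
    path = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("<?php // constructed sample file\n")
    os.utime(path, (timestamp, timestamp))


def build_sample_site():
    """Constructed sample tree: an install date, a plugin-upgrade date, two stray files."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    install = datetime(2012, 6, 1, 10, 0).timestamp()
    upgrade = datetime(2012, 6, 9, 14, 30).timestamp()
    stray = datetime(2012, 6, 14, 3, 12).timestamp()
    for i in range(40):
        _write(root, f"wp-includes/core-{i:02d}.php", install)
    for i in range(10):
        _write(root, f"wp-content/plugins/contact-form-7/file-{i:02d}.php", upgrade)
    # two files nobody uploaded on purpose, dated the night of the compromise
    _write(root, "wp-content/uploads/wpcf7_captcha/tmp.php", stray)
    _write(root, "wp-includes/js/jquery/extra.js", stray)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    expected, outliers = find_date_outliers(site)
    print("expected dates:", sorted(d.isoformat() for d in expected))
    for path, day in outliers:
        print("outlier:", day, path)
    for path in find_php_in_uploads(site):
        print("php in uploads:", path)
```

Run it against the real installation root instead of the sample tree and go through the outlier list by hand; a file dated on the day of the compromise, in a directory nobody touched, is exactly what the paragraph above describes.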

If you’d rather not do this yourself, the Sucuri.net malware removal service is recommended. At $89.95 it also includes a full year of website monitoring!

Exploit Prevention

After the cleanup is over, and scans on Sucuri.net report the site is now clean, you need to take steps to ensure that security is now as tight as it can be.

Password Changes

Change EVERY password to all areas of the site, including:

  • WordPress Administrator account
  • WordPress Database account (you will need to update wp-config.php)
  • FTP & Admin Control Panel
  • Email accounts

Don’t use recklessly simple passwords! Make sure EVERY password is at least 10 characters, preferably randomly generated with a mix of upper and lower case, numerals and punctuation. Use this site:

www.pctools.com/guides/password/
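A generator that follows the rule above (at least 10 characters, randomly chosen, with all four character classes present), as an added example rather than anything from the post or the pctools site. It uses Python’s secrets module, which draws from the operating system’s random source. The punctuation it draws from deliberately leaves out quotes, backslash and backtick; that is my choice, so the result can be pasted straight into wp-config.php or a shell command without escaping.

```python
import secrets
import string

MIN_LENGTH = 10
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Punctuation without quotes, backslash and backtick (my choice: these need
# escaping inside wp-config.php and in shell commands, and are easy to get wrong).
PUNCT = "".join(c for c in string.punctuation if c not in "'\"\\`")
ALPHABET = UPPER + LOWER + DIGITS + PUNCT
CLASSES = (UPPER, LOWER, DIGITS, PUNCT)


def meets_policy(password):
    """True when the password is long enough and uses all four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length=16):
    """Random password of the given length, guaranteed to satisfy meets_policy()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # one character from every class, then fill the rest from the whole alphabet
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # shuffle with a CSPRNG so the forced characters are not always in front
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for _ in range(3):
        pw = generate_password(14)
        print(pw, "ok" if meets_policy(pw) else "FAIL")
```

meets_policy() is also handy on its own for checking the passwords you already have: anything it rejects goes on the change list.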

So what if you can’t remember a difficult password? There are products like Roboform password manager that can help you with that!

Directory Permissions

In most cases, directory/file permissions should be no looser than 755. However, hosting companies implement permissions in varied ways, and in some cases the only way to upload files to wp_upload is setting that directory at 777.

That’s a serious problem, as it’s offering free access to anyone with nefarious intent. If your hosting company can’t / won’t help you with sorting out permissions for your WordPress installation, change to another company!

WordPress have detailed information here: http://codex.wordpress.org/Changing_File_Permissions
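A permission audit for the 755 rule above, written as an added example (not from the post or the Codex page): it walks the installation, reports every file or directory carrying bits looser than rwxr-xr-x, and can optionally tighten them to 755 for directories and 644 for plain files. The 644 target for files is my assumption (the usual WordPress convention, and still within the post’s “no looser than 755”). The sample tree it builds is constructed.

```python
import os
import stat
import tempfile

ALLOWED = 0o755          # rwxr-xr-x: the loosest mode the post accepts
DIR_TARGET = 0o755
FILE_TARGET = 0o644      # assumption: usual WordPress convention for plain files


def loose_bits(mode):
    """Permission bits set beyond rwxr-xr-x (group/other write, setuid, setgid, sticky)."""
    return stat.S_IMODE(mode) & ~ALLOWED & 0o7777


def audit_permissions(root, fix=False):
    """Return sorted (relative path, current mode, target mode) for every loose entry.

    Symlinks are skipped, since their own mode bits are meaningless.
    With fix=True each loose entry is chmod'ed to its target as it is reported.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if not loose_bits(st.st_mode):
                continue
            target = DIR_TARGET if stat.S_ISDIR(st.st_mode) else FILE_TARGET
            findings.append(
                (os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode)), oct(target))
            )
            if fix:
                os.chmod(path, target)
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree: two correct entries and two that are too loose."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    dirs = {
        "wp-admin": 0o755,
        "wp-content": 0o755,
        "wp-content/uploads": 0o777,   # the "just make it 777" shortcut
    }
    files = {
        "index.php": 0o644,
        "wp-config.php": 0o666,        # world-writable, and it holds the DB password
    }
    for rel, mode in dirs.items():     # parents listed before children
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)           # explicit, so the process umask does not matter
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, current, target in audit_permissions(site):
        print(f"{rel}: {current} -> should be {target}")
```

If uploads only work with the directory at 777, the underlying cause is usually that the web server runs as a different user from the FTP account that owns the directory; the fix is ownership or group membership, which is what the hosting company needs to sort out, not a world-writable directory.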

Remove Extra FTP Accounts

Some hackers like a way back in if their efforts are undone, so they add a sneaky FTP account access… Some hosting accounts with Add-On Domains automatically create a new FTP account for each add-on domain that is installed…

To reduce the potential for future problems, remove all unused / unidentified FTP accounts.

Installing WP Security Software

For the non-technical site owner, there are plugins designed to ease the burden of security by managing it for you. See a list of WP Security tools here: wordpress.org/extend/plugins/search.php?q=security

The one I use and recommend is “Better WP Security” because it has an intuitive interface, and locks the site down neatly and easily. It’s quite easy for a non-technical user to install and configure this plugin, with few opportunities to kill the site in the process.

Backups

Obviously, when all else fails and your website has turned to mush, there’s a great deal of comfort to be had from a comprehensive backup of your website… Make sure you have one!