The following is a guide to recovering a compromised WordPress site, written at the request of a visitor to this blog.
An automated robot using the nym "Yassine Edder" attacked my beloved's WordPress site last month. I was caught unprepared, in that I was unfamiliar with the security aspects of WordPress and had not taken the proper precautions. I accepted the blame for that negligence and pulled an all-nighter undoing the damage, locking down the site so that no one will ever be able to compromise it again, and installing countermeasures that will inconvenience spammers and malicious hackers.
The message content of Yassine's graffiti manipulates victims into assuming that Yassine Edder is some sort of harmless attention-seeking teenager inspired by the media. Make no assumptions about the motives of the criminal. All that is known is that Yassine Edder is a criminal running an automated script.
Yassine's modus operandi is quite simple:
*. First of all, understand that Yassine is not a human being but an automated robot running a script. The attack is completed within two minutes. The robot attempts to read wp-config.php, and if the file's permissions permit this, it can extract the password to your database. Many people, myself and my partner included, neglected to set the file permission of wp-config.php to 400 or 440, the secure setting. Which of the two you need depends on the user PHP runs as: 400 (owner read-only) if scripts run under your own hosting account, as they do on most shared hosts; 440 if the web server runs as a separate user in your group and must still be able to read the file. To set it, connect to your site with an FTP program such as FileZilla, right-click on wp-config.php, and alter the permission. This is the very first thing you must do, because until you do it, your site can be compromised again and again. There is no point in performing a clean-up until you secure wp-config.php. You must also change the password to your database, because it has been compromised. Set the new password on the host (cPanel, MySQL Databases) and in wp-config.php together, since the site cannot reach its database while the two disagree, and then lock down wp-config.php by setting the file permission. This will partially close the door to Yassine Edder. However, Yassine has established an admin account, and this must be deleted from the database as well in order to slam the door in his ugly face.
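The lockdown step above, as an added shell example that is not part of the original post: it rewrites the DB_PASSWORD define in wp-config.php to a freshly generated value, applies the 400 permission and checks both. The wp-config.php it works on is constructed for the demo; on a live site the same new password has to be set in cPanel at the same moment. One caveat on what the permission buys: it stops other accounts on a shared server, and any file-reading bug in the site's own code, from reading the file; a web request for wp-config.php is executed by PHP rather than returned as source, so the mode has no effect on that path.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: rotate the database
# password stored in wp-config.php and lock the file down, then verify both.
# The sample wp-config.php below is constructed for the demo.
set -eu

# Print the value of a define('KEY', 'value'); line from wp-config.php.
wp_config_get() {                  # usage: wp_config_get <wp-config.php> <KEY>
    sed -nE "s/^[[:space:]]*define\([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'([^']*)'.*/\1/p" "$1" | head -n1
}

# 32 characters from [A-Za-z0-9]: nothing that needs escaping in PHP or SQL.
gen_db_password() {
    dd if=/dev/urandom bs=1024 count=1 2>/dev/null | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Rewrite the DB_PASSWORD define in place. The new value enters awk as data
# (-v), never spliced into a sed pattern, and the file is overwritten with
# cat rather than mv so its owner and mode are preserved.
rotate_db_password() {             # usage: rotate_db_password <wp-config.php> <new-password>
    local cfg=$1 new=$2 tmp
    tmp=$(mktemp)
    awk -v pw="$new" -v q="'" '
        $0 ~ ("^[[:space:]]*define\\([[:space:]]*" q "DB_PASSWORD" q) {
            print "define(" q "DB_PASSWORD" q ", " q pw q ");"; next
        }
        { print }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# 400 (owner read-only) is right when PHP runs as the account that owns the
# file, the usual shared-host setup. If PHP runs as a separate web-server
# user that shares your group, pass 440 so it can still read the file.
lock_wp_config() {                 # usage: lock_wp_config <wp-config.php> [400|440]
    chmod "${2:-400}" "$1"
}

# Exit 0 only if nobody outside the owner (and, for 440, the group) can read it.
wp_config_is_locked() {            # usage: wp_config_is_locked <wp-config.php>
    case "$(ls -ld "$1" | cut -c2-10)" in
        r--------|r--r-----) return 0 ;;
        *)                   return 1 ;;
    esac
}

# --- Demo on a constructed wp-config.php (sample data, not a real site) ---
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/wp-config.php"
cat > "$demo_cfg" <<'EOF'
<?php
define('DB_NAME', 'blog_db');
define('DB_USER', 'blog_user');
define('DB_PASSWORD', 'old-leaked-password');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
EOF
chmod 644 "$demo_cfg"              # the world-readable mode many installs start with

new_pw=$(gen_db_password)
rotate_db_password "$demo_cfg" "$new_pw"   # set the same value in cPanel at the same time
lock_wp_config "$demo_cfg" 400
echo "DB_PASSWORD now: $(wp_config_get "$demo_cfg" DB_PASSWORD)"
echo "mode now:        $(ls -ld "$demo_cfg" | cut -c1-10)"
```

Rotate before locking, as the demo does, or add write permission back first: once the file is 400 the rewrite itself would fail.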
The next step is to delete the admin account and also remove the graffiti Yassine left behind. I call this the clean-up stage. Bear in mind that Yassine was not permitted more than a few hours of access to my partner's site, and the damage was undone quickly. I am not sure what the consequences are for people whose site has been compromised for several days or weeks. It may be that other robots or human beings return to cause more damage. If that is the case, there may be backdoors installed in your site (typically extra or altered PHP files in the theme, plugin or uploads directories). You will need to scrutinize everything carefully. The safest course may then be to restore from a backup taken before the intrusion. I did not have to do that, but again I nipped the problem in the bud early. You should examine your logs to see what has been happening. If you are not in the habit of examining your web host logs in their raw format, now would be a good time to start. By doing so, I was able to learn which IP address or addresses conducted the attack, how long it took, and how many files were accessed. That was helpful information that I later used to ban the very same IP addresses. The Yassine robot can never access our site content from the same IP address used before. All he will get will be a stern warning with links to spam-killer and harvester-killer sites.
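Reading the raw logs, as an added example that is not part of the original post: the script below parses Apache combined-format lines (the format cPanel hosts usually expose as "Raw Access Logs"), lists the addresses that requested wp-config.php, counts requests per address, reports each attacker's first-to-last timestamp window, and prints an Apache 2.4 .htaccess block denying them. The log lines and addresses are constructed sample data. One caveat when reading such a log: a 200 on /wp-config.php means PHP executed the file; the access log cannot tell you whether its contents ever left the server.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: work out from a raw
# access log which addresses attacked, how many requests each made and
# over what window, then emit an Apache deny block for them.
set -eu

# Constructed sample in Apache "combined" format (RFC 5737 test addresses).
# On a real host, replace this with the contents of your raw access log.
SAMPLE_LOG='203.0.113.7 - - [14/Mar/2012:03:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2012:03:12:05 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "python-requests/1.0"
198.51.100.23 - - [14/Mar/2012:03:12:06 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 210 "-" "python-requests/1.0"
198.51.100.23 - - [14/Mar/2012:03:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/1.0"
203.0.113.7 - - [14/Mar/2012:03:12:30 +0000] "GET /about/ HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2012:03:13:40 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 900 "-" "python-requests/1.0"
192.0.2.44 - - [14/Mar/2012:03:13:41 +0000] "GET /wp-config.php?x=1 HTTP/1.1" 200 0 "-" "curl/7.21"'

# Addresses that requested one exact path (query string ignored), sorted, unique.
ips_requesting() {                 # usage: ips_requesting <path>   (log on stdin)
    awk -v p="$1" '{ split($7, u, "?"); if (u[1] == p) print $1 }' | sort -u
}

# Requests per address, busiest first, as "count address".
requests_per_ip() {                # log on stdin
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# First and last timestamp one address appears with: the attack window.
attack_window() {                  # usage: attack_window <ip>   (log on stdin)
    awk -v ip="$1" '
        $1 == ip { t = substr($4, 2); if (first == "") first = t; last = t }
        END { if (first != "") print first, last }'
}

# Apache 2.4 block for .htaccess denying the given addresses. Hosts still on
# Apache 2.2 use "Order allow,deny" plus one "Deny from <ip>" line each.
deny_block() {                     # usage: deny_block <ip>...
    echo "<RequireAll>"
    echo "    Require all granted"
    local ip
    for ip in "$@"; do echo "    Require not ip $ip"; done
    echo "</RequireAll>"
}

# --- Demo ---
attackers=$(printf '%s\n' "$SAMPLE_LOG" | ips_requesting /wp-config.php)
echo "requests per address:"
printf '%s\n' "$SAMPLE_LOG" | requests_per_ip
for ip in $attackers; do
    echo "$ip active: $(printf '%s\n' "$SAMPLE_LOG" | attack_window "$ip")"
done
echo "add to .htaccess:"
deny_block $attackers
```

Bots rotate addresses, so banning the ones already seen only shuts those particular doors; the permission and password changes are what close the hole.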
Now I will discuss precisely how Yassine turns your site into his personal graffiti wall. There is not much to it really. The good news for me was that the damage was not severe or widespread, at least in my case, although that may not be true for all. I can only speak from my own limited perspective.
After obtaining the password to your MySQL database, Yassine then inserted records establishing a username and password, permitting a human criminal to visit later at his leisure. Go to your web host's cPanel, open the database under MySQL (usually through phpMyAdmin) and modify the records that Yassine has inserted or altered. If you do not know how to deal with MySQL, you must learn, as I did. Do not be intimidated. It is not really difficult. Obviously you will want to remove the record with Yassine's username and password; in WordPress (with the default wp_ table prefix) that account is a row in wp_users, and its administrator role is a second row in wp_usermeta, which should go too so no orphaned rows remain. You will also want to remove the record that is causing your site to greet all visitors with Yassine's stupid graffiti. Take your time examining the database, because the malicious damage will be there. To my recollection there was one record with Yassine's username and password, and one record with the graffiti. However, there may be more. It should not be assumed that every site has the same experience.
After undoing the database damage, you should be home-free, or at least I was. My partner's site at this point was fully recovered with no damage and no backdoors. So I got a great big hug and a thank-you and a cup of hot cocoa.
Take this opportunity to pursue the other security recommendations I have suggested elsewhere. A readable wp-config.php is not the only WordPress weakness; there are others that should be eliminated as well. The whole fiasco is also a wake-up call to start making regular backups of your entire site, not just the files but the database as well.
There is also the possibility your FTP password could one day be compromised by a virus on your PC or by a man-in-the-middle attack, since plain FTP sends the password and every file in the clear. I suggest using SFTP at all times; it runs over SSH, so the login and the transfer are encrypted. Securing your local network against viruses is important. Any compromised computer on a local network can monitor network traffic, so don't be complacent about your spouse's, roommates' or children's computers. All computers must be clean.
Footnotes:
[*] - This post and others make an assumption that wp-config.php was the focal point of Yassine's attack. That assumption appears shakier the more I think about it. One thing I've learned in computers is that one should never be too sure about something. There are two problems that bother me about the wp-config.php hypothesis.
In the first place, I was under the impression that .php files were executed server-side and could not be read by the client. However, maybe there is a way to read the source code of an unprotected .php file. I don't know. I'm no .php expert, although I have coded .php programs of simple to moderate complexity.
Even more disturbing was the behavior of my partner's web host, the accursed Namecheap, which I have panned elsewhere for unrelated reasons. Following Yassine's attack, the entire host went down for several hours "for security-related issues", which suggests that one server, or all of them, had been hacked. If that was indeed the case, then the host, Namecheap, was negligent in some unknown way. It may be that every WordPress blog on certain compromised servers was attacked. I am not willing to rule out this possibility, but I don't have the resources or motivation to determine the facts of the matter.
As a general aside, I think it is interesting that I'm currently unemployed and can't get a job because employers assume I know nothing about the web. They discount the skills I obtained through self-learning. They think I know nothing. Well, skills are skills. It does not matter so much whether they are obtained on a 9-to-5 job. However, this seems to be outside the understanding of today's employers, who discard my cover letter and resume because I lack recent web-related work experience in an actual paid job. I have encountered an iron wall in the job market locking me out of any kind of technology job. However, whether I ever get a job or not, I will always be keen on computers. I'm ready, able, and willing, but the job market, the economy, is not. My potential is going untapped or diverted into recreational avenues like this blog, online chess and Scrabble. Oh well. I suppose I've got my health to be thankful for, among other things.