How WordPress Malware Works and How to Clean an Infected Site

A talk about keeping WordPress secure, how sites get infected and how to clean them when they do.

Transcription

MARK WILKINSON: Come in, find yourself a seat. Afternoon. Have you got your water, had some of that delicious cake? The Victoria sponge was rather nice. Plenty of seats.
Just a few announcements: dinner tonight will be slightly later, at 7.30; if you are sharing something on social media, please hashtag it with WCLDN; and don’t forget to collect your event T-shirt if you have not done so.

So, our next talk is from Owen, on WordPress malware. Owen has built his career on understanding and dissecting organisational challenges. He’s been using WordPress since version 2, which I think was in 2005, so he is really experienced, and he’s a certified ethical hacker. Over to you, Owen, on WordPress malware.
OWEN CUTAJAR: There goes my introduction. My first slide would have been an introduction; that’s done.

Hello everyone. I hope you enjoy what I have prepared for you today. I decided to talk about malware in WordPress because it’s a problem that affects a lot of people; I’m sure some of you may have come across some problems, and we’ll talk about those in a bit. The first time I had a website that was affected by malware, I ended up in this black hole where you don’t know what’s going on, you don’t know what to do and you don’t know who to call. That was especially true five or six years ago, when these things were emerging; these days they are an everyday occurrence.

What we will be seeing in these slides is how malware works, what to look out for and what to do to avoid it. The reality is that it’s not rocket science: malware, at the end of the day, is just code, the same type of code that WordPress is. If you understand what it does and how it does it, then there are steps you can take to avoid it.
So, just a quick show of hands round the table: does anyone remember the joy of the first WordPress site and how great it looked? This was one that we created recently. It looked fantastic, the client was really happy, everybody was raving, and then we woke up one day and the site looked like this. Has anyone had an experience like this? Can I have a show of hands? Okay.

Has anyone not had that experience? Okay, it’s good that there are some hands in the room.

Now, according to the FBI, there are two types of companies: those who have been hacked and those who will be. Some people actually made this a bit more scary, saying there are those companies that have been hacked and those that don’t know they have been hacked yet. The reality is there is an element of scaremongering there. The community has been very good at making people aware of the problems of the internet, the realities that are out there. The bad people out there live around us in the same way we do, and there are things that we do that make us more susceptible to being attacked: if I walk down a dodgy alleyway at 4am carrying a big bag of gold, you kind of expect that something bad will happen to you.

So, why are WordPress sites affected? Why do people do it? The first reason people do it is for profit or propaganda. There is some real money to be made from attacking websites; there are teams, companies and bad guys that do this for financial gain. So, let’s say, for example, I run an e-gaming website, and the e-gaming website makes thousands of dollars per hour. If somebody can take my site offline, they can then hold me to ransom and ask me for actual cash, actual money, to get my website back.
If somebody has got some sort of propaganda agenda, you know, some sort of pressure group, they can deface my website; if I have a popular website, their message is being spread. So there are some real reasons why people do these things.

Why WordPress, though? WordPress is an attractive target for a couple of reasons. The main one, specifically — whoops… the main reason why WordPress is so attractive is because there are literally millions of WordPress websites out there. If somebody finds a way to break into a WordPress site, they can apply the same methods to another site, to another site, to another site, and literally affect half the web if they wanted to.

There is also a problem with WordPress: if you have an old version of WordPress, if a site was built for you and you never maintained it, your version of WordPress tends to get outdated. As people find vulnerabilities and problems with it, your site becomes more susceptible to being attacked.

Because of the way WordPress works, there are a large number of plugins and themes that live on WordPress, and it becomes a large attack surface. There are literally thousands of themes; if I don’t find a bug in WordPress, I can find one in a particular theme that will give me access to somebody’s website.
So, I’m going to talk a bit about the types of attack that you tend to find on WordPress sites. These are a bit more general, talking about attacking sites in general, so WordPress is just a small class of those.

You get targeted attacks, like the example I mentioned before of an e-gaming website or a bank, where hackers go out and actually target a specific site; it tends to be a very sophisticated attack. Most of us have WordPress sites that don’t really fall into that category, but I just wanted to mention it, as it’s one class of attack you can find. With targeted attacks, hackers and attackers try to find out more information about the site, more information about the person that runs it, more information about the people who use it, to try and get access. There are different types of attacks like social engineering and monitoring people; we’re not going to talk too much about those today.
Another type of attack is password cracking. One problem that WordPress used to have in the past was that the default user name used to be “admin”, and you still find a lot of installs that use the word admin as a user name. If I use the admin user name, then I’m halfway there in taking control of that site; all I have to do next is guess the password. You can actually download programmes that have dictionaries of common passwords, normal dictionary words, that can hit your site a hundred times per second to try all the different user names and passwords. They are called brute force attacks.

Another kind of attack is DDoS attacks; that’s distributed denial of service attacks. It’s a type of attack that uses a number of different computers or people around the world hitting the same website. As you know, a website runs on a web server that uses resources to serve pages. If you have one, two, three people hitting a website at the same time, it will take one to three seconds to load; if a thousand people hit it at the same time, the web server will slow down and eventually slow to a crawl. In a DDoS attack you have thousands of attacks at the same time, basically killing the website with the amount of load on it. With a DDoS attack there is pretty much nothing we can do from a WordPress site to prevent it, but there are measures that we can take to prevent that; I’ll mention those in a second.
What we will talk about today is malware; specifically, types of programmes designed to take over a site, to use your site for some other reason. There are different classes of malware: you might have viruses and worms that run on your computer, on your desktop, but we are specifically going to talk about the ones that run on WordPress.
So, just to go into a bit of terminology there: viruses and worms are types of programmes that attack different systems. They typically have two parts: they have a spreading mechanism and they have what’s called the payload, i.e. what it does, what it actually does to the computer.
A trojan horse is something that we need to talk about also. Trojan horses are programmes that masquerade as one thing and then do something completely different. The reason I mention them is there is a bit of a problem where people decide, “Ooh, here is a plugin with a premium version; I don’t want to pay for the premium version, I’ll go to a dodgy website and download it for free.” It’s a very popular attack vector that people use: they can embed code in the pirated version of that software. If you are using Gravity Forms, for example, what this has done is set up a back door on your site for those people to access.

The last two terms I want to define are botnet and malnet. A botnet is a number of different computers under the control of one hacker, so when a distributed denial of service attack is launched you don’t just have one machine attacking, you have thousands of machines; they’re called a botnet. Botnets look to a central point, the command and control centre, and it’s that central point that tells them what to do. A malnet is something similar to that, but rather than taking down a site, what malnets do is try to distribute malware. I’ll come to those and how they work in a little bit.

So, there are different types of attacks you might find on WordPress sites. The attack you saw before is called defacing, and that’s where content is changed on a particular site: you wake up one morning and your website looks completely different. That is a good type of defacing, because as soon as you look at the site you know there is something wrong with it. But if someone is more subtle and actually goes in and changes some of the words on a site, they can cause real problems for companies that haven’t noticed that their site has been taken down. For example, if I change some of the terms and conditions on the site, or if I put up illegal information on that site, it could cause real problems for a company who doesn’t know that their site has been defaced. Another attack is the spam attack, where they load content onto a site that effectively redirects people to spam. There was a particular attack that happened a couple of years ago, and what you can see over there is that those searches are coming off a number of different WordPress sites. What happened was that a malnet had attacked WordPress and had injected all this content all over the web. So, if you Googled for “pharmaceuticals”, you ended up with all these WordPress sites pointing at the particular dodgy website that sold pharmaceuticals.

There is another attack where the computer downloads software that harms your computer. Nowadays browsers are very good at identifying it, so you get a warning rather than a download, but if you don’t have the latest version of Windows with the latest updates on it, you are still susceptible to this style of attack.
Back doors are another interesting attack. With back doors, a piece of malware will drop a piece of code onto your website that then lets somebody else come along, take control and do things on that website, whether it’s loading pieces of code that don’t interest you or loading actually dangerous things for other people to download.
Another type of attack, which is actually quite sneaky, is where redirects and embeds are added to your site. The problem with this is that most of the time you don’t notice that there is something wrong with your site. So, in the top example over there, there is actually an iframe in the web content that is loading content from another site. That iframe is hidden, so anybody hitting the website will not notice that there is a piece of code there and pages being loaded. However, that could be dangerous code that tries to download something onto your machine, or it could actually be making the person who put it there some sort of money in terms of advertising revenue from showing that content on your site.

The second one over here is a bit more sneaky. What it does is, if somebody types the name of your website into Google and ends up on your website, it actually redirects them off to other websites that will try and download porn to you or sell you a subscription to something on your computer. If you type in the name of your website on your computer and go straight to it, it shows you the site normally. So, what it’s doing over here is there is a condition that says, “If the referrer is Google or Yahoo, redirect off to the other site”, but if you just navigate around you wouldn’t notice there is something wrong. A pretty sneaky way of doing things.

So, how does this malware end up on your WordPress site? The first entry point is exploits and vulnerabilities. Over time people have discovered problems with WordPress code, plugin code and theme code. These vulnerabilities are called [Inaudible]; those remain holes for people to add code to the website, to load malware onto your website. There was a really interesting one recently where there was a problem with WordPress and it got disseminated by a hacker group before WordPress themselves had a chance of patching the code, and a number of sites got defaced before an update was put out.
As soon as a patch comes out, as soon as the maker of a plugin, for example, finds a vulnerability in his plugin, he will release an update to it. If the update isn’t applied straight away, it’s vulnerable to attack. If you are managing your site and you are running updates often, that’s not a problem, but what tends to happen in the world is that a client comes along, you build a website for them, they go off into the sun… into the distance and off onto the horizon, and you never hear from them again. Three years later they call up and go, “My site has been hacked”, and you realise they have never updated their software; they’re running a version of WordPress that is three years old with plugins that would turn your hair white.

So patching your software is extremely important. Secure credentials: does anyone in here have a password that is ‘password’? Those are the sort of things you find in these brute force attacks. A lot of you laughed when I asked if you had a password called password, but I am going to ask you another question: do you have a user name and password that you use on more than one website? Most people will say yes to that; there are so many websites out there that, unless you are using a password management package, you will have to use the same user name and password, otherwise you will never remember what to do. This is one place that can be extremely dangerous, especially if you are building websites for other people, as that could provide a key into that place. We keep hearing of companies who have got hacked and whose user password database has been leaked; that’s a problem in itself. It’s a bigger problem if you use those user names and passwords in other places, because there are botnets out there that are actively trying to use those login names and passwords on different sites round the web.

The big problem on WordPress sites, especially if you are running on shared hosting, is a compromised host. So, if you are running on a supplier or vendor who is hosting you, who doesn’t have proper controls in place and who’s put you in the same place as a whole bunch of other people, if one of those sites gets compromised, malware will try and spread onto other websites on the same machine, and you can find that you are following all best practices, you are keeping your software up to date, but your site still gets compromised. This is a big problem, especially for people who choose hosts based on price, usually because the reason a host can be quite cheap is that they can put hundreds of websites onto the same container, shall we call it. The problem is that those can all see each other and malware can spread from one to the other.

So, I have got some code samples of what malware actually looks like. Now, if you don’t code in PHP this will be a bit over your head, but I will explain what it is as I go along.

So, here is what a typical piece of infected code looks like. Looks like gobbledegook, doesn’t it? What we have at the top there is an instruction to PHP to execute a piece of code. The second instruction over there, base64 decode, is what converts this gobbledegook into code. So, if we take that gobbledegook and stick it into this website over here (I have got the gobbledegook in that window over there), this website will decode it from base64. If I click decode, what I end up with at the bottom over there is a chunk of PHP code. That’s really tiny, don’t try to read it; what I have done is actually stuck it in here and added some comments. So, what that code does, if you don’t know PHP, just look at the comments at the top over here. The first thing it does is try to make itself readable and writable by anyone, which means that somebody can come along later and overwrite that file with some other code. But then what it does is something really clever. It hooks into WordPress, so it can see the WordPress database; it looks at what query string it has and then searches the WordPress database for that user name. If it finds a user with that user name, it writes a cookie on the person’s machine saying this user name is logged in, then redirects to the admin page of that website.

So, if somebody manages to get that code on your server and somebody knows a user name on your website, what has that done? It has let that user log in without knowing the password of that user. So, this is code actually taken off a compromised website, just to show how this stuff works. It’s not magic; it’s smart, but it’s not magic. Once you know what it’s doing, it’s fine.

Just going to show you some other bits of code, if I can minimise this… OK, here’s another chunk. I have got my gobbledegook at the bottom; it’s decoding it and compressing it. This has a lot more code, though. So, we’re not going to walk through it, but you can imagine what kind of damage that can do.

OK. Just showing you another one. Does anyone recognise this type of file? It’s a WordPress config file. But what’s interesting about it is that at the top someone has injected a whole chunk of code. OK, so that has been added to the wp-config file; does anyone know when the wp-config file is loaded? It’s loaded on every page request. So that means every time somebody calls one of your pages, that chunk of code is executed.

So, I think I will stop there on these. So, let’s jump back into here… so I have got some samples over there. What I will do is put these up, so if anyone wants to download the slides you can get those code samples also. I have linked off to two websites that can help you decode and execute PHP.

Now, was it dangerous, my looking at the code on my machine? My machine is not running WordPress, so that is fine; the stuff that code needed to run is not there. But you have to use these things responsibly; you have to know and be aware of the damage they could cause. The nice thing about the snippets I showed you is that they are old exploits, old worms and malware; any proper detection software will pick them up. The big problem I had was that I had to turn off my anti-virus, otherwise they wouldn’t have shown.

So how do we clean an infected website? There are two ways. There’s the manual way of going in and finding all the bits of code that have infected your site and removing them, and that’s what we used to do in the old days. Nowadays there are a number of security plugins that can do that for you, and what I wanted to do is demo one of these. The one I like using is one called Wordfence; I don’t work for them, but they have saved my backside a number of times. So, to show you, I have had a website running for the last few months without being updated, just so I could use it for this. So, this is an example of Wordfence running on an infected site. OK, so Wordfence will do a number of different things. That’s going to be too small to see, but I am just going to read some of the things it’s done.

One of the main things that Wordfence does, which is really, really, really useful, is it looks at all the PHP files on your server, then compares them against the WordPress repository; if it notices there has been any change to any of them, it goes, “Oh, you have got a problem over here.” That is very, very useful; there’s no chance of something hitting your server and you not noticing it. It also scans for any files that shouldn’t be there. So, if there’s a file over there called ABC.PHP that’s not part of the WordPress core, it will raise attention about that. There are some interesting things: it checks your .htaccess file, and it also checks (I don’t know if you have ever opened Chrome on an infected site; you get a big red window saying this site is flagged as being infected) it also checks that list to make sure that other people don’t have any warning signs on your site. And all this can be done automatically; you can schedule this to run every night and email you if there’s any problem. That’s why I like Wordfence. What it’s found over here: it’s found a couple of problems. My WordPress version is out of date, it’s found a malicious file called index3.php, and it’s found something dodgy in my WordPress config file. Now, OK, again, the nice thing about Wordfence is it gives you a one click. So I have got here a file that’s malicious; let’s have a look at this file.

So, looking at this file, into that again, this is that second piece of malware I showed you before: get content, blah blah blah. So, being an extra file I don’t really need, I am just going to delete this file. Wordfence cleans that up for you. I have got my wp-config file again, which has some malicious code in there. Now, in this case I don’t want to delete my file, because if I delete wp-config it will delete my server; I need to clean that manually. It also warns me if there are other things that need upgrades. The nice thing about Wordfence is all the checks it does, so, sorry, just to run to the top window… so over here there’s a list of all the checks it does. So, it scans file contents for infection and vulnerabilities; that’s where it found something. But it also scans URLs and Google safe lists, scans for weak passwords, and scans for another thing over there. So, if you’re not quite sure what you are doing but you are sensitive to the fact your site could be hacked, then just running one of these security plugins is a good idea, because it tells you if you need help or if you don’t need help.

So, this is the free version of Wordfence, and it is available to download from the WordPress plugin store. OK. Switching back…

So, what do we need to do to protect our sites? There are some simple things we can do to make sure we don’t get caught out. Automatic updates, in my mind, are a necessity. Unless you are checking your sites every day, every week, every month to make sure you’re not running old versions of plugins, you should automate that, and since WordPress 4.7 or 3.7, in WordPress nowadays you can automatically schedule updates. This could create a problem for you from a testing point of view, because technically you should always test your site after you apply any updates, so doing it automatically may cause changes you’re not aware of; but which is the bigger risk? Security plugins: I mentioned Wordfence before; I don’t have any website without Wordfence on it, just to get alerted if something is there. External scanning is always useful. So, there are a few websites out there where you can give the URL of your site and it just scans to see if there’s anything wrong with it. There are a number of free options out there; there’s no reason not to do it.

User education is paramount. So, why should users have strong passwords? It’s annoying because you have to keep remembering them, but the downside of not having a good, proper password and a password changing system can be bad for the site. You can even implement what’s called two-factor authentication, which means that you need some sort of device, like a phone, that gives you a code to log in; there are plugins that help you do that. Backups are really important, so if your site gets compromised, a backup is the best way to bring it back. Another thing you can implement is SSL on the login page, so if you’re in a public WiFi spot, for example, and you are typing in a password, there is no chance of anyone eavesdropping on that.

So, these are some basic things that shouldn’t be too hard to implement, but I hope you guys take this as some advice moving forward. To close off, here are some references that you might find useful. There’s a vulnerability database that currently lists 6600 vulnerabilities for WordPress; there’s a link to Wordfence, the plugin I mentioned before; Sucuri is one of these external scanning solutions; CloudFlare has a free offering to let you put SSL on your site if you want to; and here are my contact details if anyone has any questions. But I think we have got some time for questions? (Applause).

MARK WILKINSON: We have got a few minutes for some questions; I’m sure you have got lots of things to ask. We have got a couple of mic runners, so raise your hand if you have a question, and keep the mic close to your mouth. Any questions?

FROM THE FLOOR: Hi there. You recommended automated updates; how would that compare to, say, disabling the ability to edit the files, at the file system level?
OWEN CUTAJAR: There are different options around things. Disabling the files, umm… certain parts of the website are going to need access. If you look at your wp uploads, for example, you are going to need to be able to write into that, so if one of your plugins can write into that area then there is still an option for somebody to execute that, especially if there is a way around the execution. What you really want is defence in depth: not just one way of preventing somebody attacking, but the more things you can layer on, the better. With automatic updates you can also configure it so it only updates minor versions for you, so you don’t have the big changes when WordPress jumps from one version to another. In my mind, security patches should always be applied; there is no yes or no on that.

FROM THE FLOOR: Okay, thank you.

MARK WILKINSON: One at the front here.

FROM THE FLOOR: Just wondering, have there been any incidents of ransomware, where the entire thing gets encrypted?
OWEN CUTAJAR: So, there are… I’m not aware of any on WordPress sites. I do know that banks, e-gaming companies and Fox, I think, there have been a number of places that have been held to ransom from various attacks. One thing I mentioned was CloudFlare, a DDoS provider; if you set up the site behind CloudFlare, when you turn on the services it’s always programmed to do that. There are companies like CloudFlare that are designed to mitigate against those DDoS effects. There was a group, Anonymous, six months or a year ago, doing a big thing about DDoS, naming big names, essentially.

MARK WILKINSON: We’ll just go over there and then come back to you.

FROM THE FLOOR: Out of curiosity, what’s the biggest source of those snippet injections? PHP snippets… plugins?

OWEN CUTAJAR: You need somebody to write the code, so you kind of need somebody to come up with the idea; how does this happen? You kind of get hacking groups that actually compete against each other. The next thing is how does that end up on your server? Those exploits or compromised code I mentioned before. If you look at WordPress vulnerabilities, for example, I’m just going to take you out to the vulnerability database; there are a number of vulnerabilities over here, some of which will allow writing onto a server, for example. There was a big one around two years ago, a plugin called TimThumb, an image… there were plugins that used that to resize images, and all those plugins were vulnerable to people uploading random files to people’s web servers because of the flaw in TimThumb. The funny thing was it had been used for years before that, but someone discovered a vulnerability. Someone might say the problem with using WordPress is everybody is looking for vulnerabilities in it; let me use this other software that no one has heard of. It’s better to use something that everybody else is using, and then as soon as a vulnerability is found it’s patched, than to use something on the assumption that no one is using this so it won’t be attacked. It’s the whole Open Source ethos, that it can be tested and patched and released for everyone to use.
FROM THE FLOOR: I have a question, actually. You mentioned Wordfence checking against WordPress as to when something is injected into the config file. Our setup uses version control and we slightly alter the config file, so it’s not the default; would that always flag up in Wordfence as a problem? Is there a way to say don’t check that file?
OWEN CUTAJAR: There are a number of configuration settings that set what to do or not to do. If you’re running an older version of something, you need to make sure that all the security patches have been applied on that.

MARK WILKINSON: Okay.

FROM THE FLOOR: Hi, I’m Yanis. Not so much WordPress, but a bit more generic: something that I noticed recently is Google Analytics spamming. I don’t know why they do it, but it really skews Google Analytics. Do you have any idea about that, do you know anything about it?
OWEN CUTAJAR: People are chucking loads of it: Google spam, analytics spam. Whoever is looking at that can click on those links and go and look at something. I can imagine they’re very effective, but I don’t know what your attitude towards WordPress comments and the spam that lives around that whole ecosystem is. I’m still getting, even though I use Akismet, I’m still getting lots and lots of spam. I’m sure no one is clicking on those links; they must be 0.01 effective, otherwise they wouldn’t do it anymore.
The problem with online security is there are lots of people out there launching these attacks, because they have got time on their hands, because they can get something out of them. It’s a very imbalanced thing: when you are defending a site you are defending against a whole host of different things, a big imbalance between the effort to attack and the effort to defend; that’s why this whole sphere is taking off. The great thing nowadays is that plugins like BulletProof, like Wordfence, make it easier for people who don’t need to understand what is going on to defend themselves. In the past it was much, much harder.
MARK WILKINSON: We have time for one over there.

FROM THE FLOOR: Hi, I am Eva, I’m from Poland, and I have seen on the WordCamp Poland list a presentation where a guy showed it’s really easy to hack a WordPress plugin, because it seemed like the authors of the plugin didn’t know how to correctly use WordPress hooks, so it’s really easy to cheat this plugin so that you feel you are very safe, but it is not really the truth. So, what I would recommend is to be very careful, because no plugin can make you feel or actually be safe if it comes to any attacks, so it’s always better to think that they are only your help, not to rely on them. So…
OWEN CUTAJAR: So yeah, the risk is not for everyone in the same way; I can walk out of here and be run over by a car. If you are going to be online, you are going to be a target. But if you follow good practice, you are reducing the risk; everything you do reduces the risk of anything bad happening. If you do things like taking backups, making sure passwords are secure, running on the latest version of software, it doesn’t mean you are never going to be hacked, but it reduces it considerably. A lot of people were surprised by the most recent exploits in WordPress where people could go in and deface websites; it spread so quickly that people were looking at the post revisions and seeing one group defacing, another group defacing, and this was before WordPress had a chance to release a fix for the exploits. But the security in numbers, the fact that you are all using the same platform, the fact that there are tools to sort out these problems, helps reduce the risk of what we are doing.
MARK WILKINSON: Last question up here.

FROM THE FLOOR: Apologies if you have covered this, but can this nasty stuff get into your database, and if it does, is there a different strategy to fix it?

OWEN CUTAJAR: When you say database, do you mean WordPress database?

FROM THE FLOOR: Yes.

OWEN CUTAJAR: Yes, I have had one case, this was a couple of years ago, pre this, where a piece of malware, instead of just changing the theme file and defacing the site, actually wrote the spam pharmaceutical links straight into the content in the database, which meant that the only way to eradicate it was to run search and replace against the database or go in and change the posts one at a time. It was a nightmare to fix, so prevention is always better than cure.
THE CHAIR: Thank you, let’s have a round of applause. [Applause]. So, we have got a short break; next in here is a panel discussion about building custom themes, which should be really interesting. Grab yourself a coffee. Just to remind you, dinner is slightly later at 7.30.
