Some security suggestions for WordPress (and other) sites

Someone on the Manchester WordPress User Group mailing list recently asked about checking their WordPress site for malware, and as I’ve spent some time decontaminating a WordPress site which was fairly riddled with malware recently, I thought I’d write up some quick pointers which might help you (or me in the future). I’ve broken them down into detection and prevention, and noted which are paid and which are free.

Free, detection: Use a Sucuri free scan to give your website the once-over for malware; this will check a sampling of pages on your site, including JS files, for malware, and check a few blacklist services for your web address. Bear in mind that a remote scan only sees what your site serves to the scanner: it can't read your PHP source, and malware that only fires for certain visitors (a particular browser, a search-engine referrer, a first visit) can slip past it.

Paid, detection: Sucuri run a paid-for service which regularly scans your site and emails you when something nasty is found. I believe they also offer help removing any malware found, though I've never used that aspect of their service. Update: Sucuri now have a WordPress security plugin, which allows them to scan the PHP source files inside your WordPress site.

Paid, detection: Automattic run a service called VaultPress, which at minimum backs up all your source code (plugins and themes), uploaded files and database. VaultPress's higher-priced subscriptions also scan your backed-up files for compromised code. Note that a backup taken after the break-in faithfully preserves the backdoor along with everything else, so a backup only helps with clean-up if you keep enough history to reach a copy from before the infection.

Free, detection: Install the Exploit Scanner plugin, which allows you to run one-off scans for common malware. Once it's found, however, it's up to you to remove it… your local WordPress User Group (Google for “[your town] wordpress user group”) or the WordPress Support Forums may be able to help with that.

Free, preventative: Install the Limit Logins plugin. It stops somebody (or some automated script) from sitting on your login page trying each and every username/password combination they can think of or calculate, by allowing only so many login failures (the number is configurable) from one address before locking it out for twenty minutes. Note that the lockout is by IP address: if your site sits behind a proxy or CDN every visitor may appear to come from the same address, and an attacker spreading guesses across many addresses stays under the threshold, so this is a brake on brute force rather than a substitute for strong passwords.
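The lockout logic the plugin applies, written out as an added example (this is not the plugin's code, and the defaults of four failures and a twenty-minute lockout are assumed, not taken from the plugin). The key you count failures against is up to you: the source IP is what the plugin uses, and IP plus username is a reasonable alternative.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Failed-login lockout (added example, not the plugin's code). Each
    client key gets at most `max_failures` failures inside `window` seconds
    before being locked out for `lockout` seconds. Defaults are assumptions."""

    def __init__(self, max_failures=4, window=20 * 60, lockout=20 * 60,
                 clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                  # injectable so the demo can fake time
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # lockout expired: forget the history
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def attempt(self, key, check_password):
        """Return 'locked', 'ok' or 'fail'. check_password is a callable that is
        only invoked while the client is not locked, so a locked client cannot
        keep testing guesses (even the right one) until the lockout ends."""
        if self.is_locked(key):
            return "locked"
        if check_password():
            self.failures.pop(key, None)    # success resets the counter
            return "ok"
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t <= self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            self.failures.pop(key, None)
            return "locked"
        return "fail"


class FakeClock:
    """Deterministic clock so the demo below is repeatable."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed scenario: one guessing client, one innocent bystander."""
    clock = FakeClock(1000.0)
    limiter = LoginLimiter(max_failures=4, lockout=20 * 60, clock=clock)
    guesser, other = "203.0.113.5", "198.51.100.7"   # documentation addresses

    def wrong():
        return False

    def right():
        return True

    results = [limiter.attempt(guesser, wrong) for _ in range(4)]  # 3 fails, then locked
    results.append(limiter.attempt(guesser, right))   # right password, still locked
    results.append(limiter.attempt(other, wrong))     # another client is unaffected
    clock.advance(20 * 60)                            # lockout expires
    results.append(limiter.attempt(guesser, right))   # now accepted
    return results


if __name__ == "__main__":
    print(demo())
```

If you key on the client address behind a reverse proxy or CDN, take the address from the proxy's forwarded header only for requests that really arrive from that proxy; otherwise one spoofed header lets a guesser pick a fresh key per attempt.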

Free, preventative: Downgrade all unnecessary administrator-level users to editors. This is particularly relevant if your WordPress instance can write to its own files (e.g. if the theme and plugin editors work, or if you can upgrade plugins without entering FTP details), as in that situation a malicious hacker with access to an admin account can effectively write code (backdoors, malware, general PITA code) into your plugins and theme. The fewer administrators you have, the fewer accounts the bad guys can hack. Most people don’t really need to be administrators; being editors will suit them just fine once their egos settle down. ;) (Editors on a single-site install can still put raw HTML and script into posts, so a hijacked editor account can still inject client-side nasties into your pages; what it can’t do is install plugins or edit PHP.)

Free, detection: Install the Admin IP Watcher plugin; this will email each user every time someone logs into their account from a new IP address. Initially there will be a flurry of emails while the system gets to know everyone’s home and work IPs, but things will settle down. You will need to make your users aware that this is installed and to expect the emails, and your users will need to know to forward the mails to you if someone who isn’t them logs into their account. (You also need to be aware that this emails when a user of any level logs in, so if you have Subscribers who just log in to comment then they will get the login emails as well.)

Free, preventative: Make sure you use a strong password. Remember, kids, the best password is so complex you can’t remember it (seriously): keep it in a password manager rather than in your head, and don’t reuse it on other sites.

Some tips on looking for compromised code. Most of them require some HTML/PHP knowledge, unfortunately, but there’s not much getting round that!

  • Load your web page up in Safari or Firefox with Firebug installed. Search the source code for “iframe” and check each iframe: do they all look legit, and do they have a src attribute that you don’t recognise? Don’t paste an unknown src into your everyday browser; fetch it with a command-line tool such as curl from a machine you don’t mind losing, and see whether it redirects once or several times. Also compare the raw HTML your server sends with the live DOM that Firebug shows: injected code is often added by a script after the page loads, so it shows up in one but not the other.
  • Look at the Javascript being loaded by your page and skim through the code. Is it all pretty clear to read and understand? Is it nicely indented? In my experience, when malicious code is injected into the middle of nice code it looks quite foreign: bad indenting, huge blocks of incomprehensible characters, unclear function names, etc. (this goes for PHP as well as Javascript). It’s more difficult to spot in compressed JS code, but even then you will often see two distinct code blocks. Also check the Javascript blocks embedded in the HTML source code for the same signs. If something seems suspicious, compare it to a clean copy of the plugin that you’ve downloaded from the WordPress plugin repository, and if it still seems suspicious after that then ask on the WP forums or on this list.
  • It takes a while, but it’s also worth skimming through all your plugin and theme code. I know, I know, there’s so much of it, but if you’re sure you’re infected then you need to root out the problem or it will get worse. The signs I mention above for injected JS code also apply here to PHP; grepping the whole tree for eval and base64_decode on the same line is a quick first pass, as is looking for PHP files in places they have no business being, such as wp-content/uploads.
  • A last resort is overwriting your plugins with known-good code freshly downloaded from WordPress.org. Beware of overwriting plugin and theme files which you’ve customised if you do this (though ideally you shouldn’t be editing core plugin files anyway). Two things this won’t do: it won’t delete files the attacker added alongside the originals, so compare the file list against the clean copy as well as the contents; and it won’t clear out anything stored in the database, such as injected script in posts or widgets.
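The manual checks above, turned into a first-pass scanner as an added example (this is my script for this write-up, not code from the post or from any of the services mentioned). The rule names are mine, the patterns are the usual signs of injected code, and the "infected" sample files it scans are constructed here: the base64 string decodes to the word "placeholder", not to any real payload. A hit means "read this by hand", not "this is malware".

```python
import re
import tempfile
from pathlib import Path

# Indicators of injected code. Every rule is a hint to inspect by hand, not
# proof of compromise; names are mine (added example).
RULES = [
    ("php_eval_decode",         # eval(base64_decode(...)) and friends
     re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("php_decode_chain",        # gzinflate(base64_decode(...)) without eval on the same line
     re.compile(r"\b(?:gzinflate|gzuncompress)\s*\(\s*base64_decode\s*\(", re.I)),
    ("php_preg_replace_e",      # the /e modifier runs the replacement as PHP
     re.compile(r"preg_replace\s*\(\s*['\"](.).*?\1[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("hidden_iframe",           # iframes nobody is meant to see
     re.compile(r"<iframe\b[^>]*?(?:display\s*:\s*none|visibility\s*:\s*hidden|"
                r"(?:width|height)\s*=\s*[\"']?0\b)", re.I)),
    ("js_write_unescape",       # document.write(unescape('%3C...')) droppers
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("js_charcode_blob",        # long String.fromCharCode(1,2,3,...) chains
     re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){7,}")),
    ("long_base64_blob",        # 200+ base64-alphabet characters in one run
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_source(text):
    """Return [(line_number, rule_name, snippet)] for every rule that fires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()[:80]))
    return findings


def scan_tree(root):
    """Scan PHP/JS/HTML files under root; map relative path -> findings.
    Files with nothing suspicious are left out of the report."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed samples: one clean plugin file and two "infected" files.
CLEAN_PHP = """<?php
/* Plugin Name: Example Clean Plugin (constructed sample) */
function example_clean_hook($content) {
    return $content . '<p>hello</p>';
}
add_filter('the_content', 'example_clean_hook');
"""
INFECTED_PHP = """<?php
/* Plugin Name: Example Plugin (constructed sample) */
function example_hook($content) { return $content; }
eval(base64_decode('cGxhY2Vob2xkZXI='));
echo '<iframe src="http://example.invalid/x" width="0" height="0" style="display:none"></iframe>';
$blob = '""" + "A" * 240 + """';
"""
INFECTED_JS = """function legitThing(a, b) {
    return a + b;
}
document.write(unescape('%3Cscript%20src%3D%22http%3A//example.invalid/a.js%22%3E%3C/script%3E'));
"""


def demo():
    """Write the samples to a temp tree, scan it, return {path: [(line, rule)]}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean").mkdir()
        (root / "infected").mkdir()
        (root / "clean" / "clean.php").write_text(CLEAN_PHP)
        (root / "infected" / "plugin.php").write_text(INFECTED_PHP)
        (root / "infected" / "widget.js").write_text(INFECTED_JS)
        report = scan_tree(root)
    return {path: [(ln, rule) for ln, rule, _ in hits] for path, hits in report.items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Point scan_tree at wp-content and expect some noise from minified JS and from plugins that legitimately decode data; the value is in the short list of lines it gives you to read, and in re-running it after a clean-up to make sure nothing came back.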

Warning: No scanning service will be 100.00000% accurate in identifying malware issues. I’ve found several patches of malware which the above services didn’t detect; but they were all super responsive and helpful in accepting reports of anything they missed, and the more people send them reports, the better they get for everybody.

Update: Check out the Hardening WordPress article on the WordPress.org codex.

Update: You can lock down the theme and plugin editors (found in the Appearance and Plugins sections of your admin area respectively) so they can’t be used to inject malicious code; the standard way is to set the DISALLOW_FILE_EDIT constant to true in wp-config.php, which removes both editors. Note that someone would need to have gained access to your admin area by cracking a user’s username and password for this to happen, and that an admin can still upload a plugin zip unless file modification is disabled altogether with DISALLOW_FILE_MODS. Doing this appeared to stop a repetitive attack I experienced one time. If you don’t know PHP and don’t want to edit your theme or plugins, this is a no-brainer.

I’m by no means an expert in these things, but the above points and services have helped me out. If anyone has any useful suggestions or corrections, I’d be happy to hear them… so please, comment away.

3 Comments

  1. Few more for you:

    Keep WordPress up to date.
    Keep your plugins up to date.
    Ensure you have all security keys in place in wp-config.php.
    Ensure WP_DEBUG is set to false.
    Ensure user registration is disabled if you’re not using it (prevents privilege escalation vulnerabilities).

    WordPress File Monitor is also a good plugin for monitoring changes to your files, although obviously prevention in the first place is better than a cure.

    There are some other things you should do too which aren’t specific to WordPress, such as ensuring file permissions are correct (755 on directories, 644 on files) and ensuring your database and FTP passwords are strong.

    If you have sufficient access to your server you should also look into disabling dangerous PHP functions and only allowing RSA key based authentication to the server, but this is sysadmin territory and probably beyond the scope of your blog post :)

    John
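Two of the points above come down to the same mechanism: comparing your installed files against a known-good copy (the post's "overwrite with a clean download" advice) and watching for files that change (the File Monitor suggestion in John's comment), plus a check of the 755/644 permissions he mentions. Here is an added example of that, written for this write-up rather than taken from the post, the plugin or the comment; the wp-content tree it inspects is constructed in a temp directory and the "backdoor" it plants is a placeholder string.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Files added, removed or changed between two snapshots. With a clean
    plugin download as `baseline`, 'added' is exactly what overwriting the
    plugin would leave behind."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def permission_findings(root, dir_mode=0o755, file_mode=0o644):
    """Flag anything world-writable, then anything whose mode differs from the
    expected 755 (directories) / 644 (files)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        mode = stat.S_IMODE(path.lstat().st_mode)
        rel = path.relative_to(root).as_posix()
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable", oct(mode)))
        elif mode != (dir_mode if path.is_dir() else file_mode):
            findings.append((rel, "unexpected-mode", oct(mode)))
    return findings


def _write(path, text, mode):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.chmod(path, mode)


def demo():
    """Constructed wp-content tree: baseline, simulated compromise, report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wp-content"
        _write(site / "plugins" / "example" / "example.php",
               "<?php\nfunction example_hook() { return true; }\n", 0o644)
        _write(site / "uploads" / "photo.jpg", "not really a jpeg\n", 0o644)
        for d in site.rglob("*"):
            if d.is_dir():
                os.chmod(d, 0o755)
        baseline = snapshot(site)

        # Simulated compromise: placeholder appended to a plugin file, a PHP
        # file dropped into uploads, and uploads left world-writable.
        with (site / "plugins" / "example" / "example.php").open("a") as f:
            f.write("eval(base64_decode('cGxhY2Vob2xkZXI='));\n")
        _write(site / "uploads" / "backdoor.php", "<?php /* placeholder */\n", 0o666)
        os.chmod(site / "uploads", 0o777)

        return {
            "changes": diff_snapshots(baseline, snapshot(site)),
            "perms": permission_findings(site),
        }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Store the baseline somewhere the web server cannot write (an attacker who can edit your plugins can edit a baseline sitting next to them), re-run after every legitimate update, and expect uploads and cache directories to churn; exclude those from the hash comparison but not from the permission check.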

  2. Thanks for sharing these tips! It’s always good to hear about what other people are doing to protect their blogs.
