by Monte Persinger | Web Site Virus and Malicious Code Removal |

WordPress Security Image

Last week one of our client’s WordPress web site was hacked. We couldn’t pull the site up, it immediately forwarded to a link farm. Also our anti virus software went off as soon as you would try to pull up the website. This was a scary situation with a hacked WordPress site because we were locked out of WordPress. We were not able to login to the WordPress admin to see what was going on because it would immediately redirect you to a link farm or your anti virus software would not load the site. Skip to the bottom if you are just looking for the solution.

As part of our managed WordPress web hosting package it includes at no additional charge disaster recovery and malware removal service. So we were tasked with figuring out how to fix this website and get it running again. I opened up a malware ticket with Sucuri to inspect the code and clean the site but they were too slow to respond. Apparently they were overrun with malware support tickets because of this WordPress hack. We were on our own to figure this out.

I inspected the code to look for malicious code injection. I looked for files that had been edited recently. Most of the time you can look at the file date time stamps and figure out what files have been edited. Normally the theme files get infected. I examined the header.php and footer.php theme files to look for code injection and there was none. I also checked the wp-config.php file and .HTACCESS file. All were clean. So I was locked out of the WordPress admin, plus all the files were clean and Sucuri Malware support was unresponsive. Stress level going up!

We decided to restore a copy of the website from backup from 7 days ago. WordPress updates had been applied to the site a week ago and we had tested the site as part of our managed WordPress hosting package while installing updates. The backup was restored and it did not fix the website.

Easy WP SMTP Plugin Causes Hacked WordPress DATABASE

The plugin allowed the hacker to hack the database. I should have known this immediately because if you can’t login to the WordPress admin then it has to be something wrong in the database. WordPress database hacks happen very rarely, 90% of the time it is malicious code injection in the theme files. At least on our managed WordPress sites we rarely see a WordPress database hack. The last time it did happen it was also because of a plugin. The solution was to restore the database from backup. Once the backup was restored the website worked normally.

How to keep Hacked WordPress Sites from Getting Hacked Again?

At this point the web site is fixed and happy again. Unfortunately, unless you figure out how they got in it will easily be hacked again. We went thru all of the normal WordPress security and hardening steps. Passwords were all reset, the Sucuri plugin was configured and files hardened, on this site there was an admin user in use so that was deleted and replaced. The plugins on this web site were pretty vanilla. We use the same set of plugins on almost every WordPress website that we build. The Easy WP SMTP plugin is not one we normally use. We deleted this plugin and replaced it with our standard SMTP Mailer plugin. We got lucky, I didn’t know for sure that the Easy SMTP plugin was the culprit until I saw this blog article from Sucuri:

https://blog.sucuri.net/2019/03/0day-vulnerability-in-easy-wp-smtp-affects-thousands-of-sites.html

Easy WP SMTP Plugin Causes Hacked WordPress Sites was last modified: March 25th, 2019 by Monte Persinger
Share This: