This topic has 5 replies, 2 voices, and was last updated 4 years, 8 months ago by cosmocanuck.
May 30, 2017 at 11:12 am #8265
cosmocanuck (Member)
Hey guys! I know this is probably not Piklist-specific, but it happened within my Piklist plugin so I figured I’d put this out there…
My client’s site recently got hacked – in a way I’m getting all too used to seeing: an extra file was injected into the site which had nefarious code in it. In this case, it was causing all posts to acquire an extra metabox with a “password” box in it… it removed the editor toolbar… and no doubt far worse things were going on too.
The wrinkle this time was that it was a Piklist file that got duplicated, and which contained the hack code! It was inside the Piklist plugin I created for the site; “tickets-where-to-buy.php” got duplicated to “tickets-wheie-to-buy.php” and was stuffed full of malicious code.
Is there some best practice I can follow (or should have) to prevent this sort of thing? Or is it no different than other similar hacks but just happened to occur inside the Piklist folder?
-
June 2, 2017 at 11:29 am #8266
Jason (Keymaster)
Hi @cosmocanuck!
Ah yes, hacking. Sorry you got hacked. 🙁
Unfortunately it’s very difficult to say if Piklist was somehow involved. While we’re always looking for vulnerabilities, it’s tough to say what effect a vulnerability could have until we’re aware of it. Keep in mind that there are typically two forms of hacking: One is a hacker intentionally went after your site, which is unusual and hard to defend against. Second, and far more likely, is bots programmed to test a multitude of sites for typical vulnerabilities to exploit. This is probably what happened to your site.
With that, you have a few things to consider:
– Are your users using good, strong passwords?
– Are your file permissions consistent and secure?
– Do you have any major plugins (e.g. WooCommerce) that are outdated?
– If your theme was purchased, is it up-to-date?
Unfortunately, where a file is doesn’t necessarily tell you much. It’s possible the bot checked for a piklist directory, but it’s just as likely that it simply traversed the plugins directory and picked a directory that was vulnerable (due to file permissions), or it checked the active_plugins to find a directory.
The best thing to do in this moment is reset the user passwords, re-download core to make sure it wasn’t affected, consider doing the same with the plugins/themes, and apply secure file permissions over all of WordPress.
Hope this helps! 🙂
-
June 2, 2017 at 12:28 pm #8268
cosmocanuck (Member)
Thanks Jason!
I suspected as much in terms of what likely happened, i.e. a non-specific attack that lucked out and found a vulnerable way in. I’ll certainly follow up on your suggestions. I have just a couple of questions:
File permissions: I don’t normally touch them, how do I know if there’s anything I should change?
Also, I see there are lots of security-oriented WP plugins out there that seem to do a lot of good things to maintain security – do you have any particular recommendations or have one you use regularly?
Again, thanks for your reply and the helpful suggestions!
Adam
-
June 2, 2017 at 12:57 pm #8269
Jason (Keymaster)
The most common method for causing file permissions issues that I’m aware of is loading files via FTP. It’s up to the server to apply the right permissions, but it’s not good to assume this. So when files are added via FTP, there’s a good chance the permissions aren’t what they ought to be.
I personally use WP Engine for hosting in my business, and their security is solid. They have a partnership with Sucuri, which gives us access to them when resolving hacks. Otherwise, I’ve heard good things about Wordfence.
-
June 2, 2017 at 12:57 pm #8270
Jason (Keymaster)
To be clear, files should be set to 644 and directories to 755 as file permissions.
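The clean-up Jason outlines above (re-download core and plugins to check for tampering, then apply 644/755 permissions) can be scripted. The following is an added example, not code from Piklist or from anyone in this thread. It assumes you have unpacked a pristine copy of the same plugin or WordPress version next to the live tree; every file that exists only in the live tree (such as a look-alike duplicate like "tickets-wheie-to-buy.php") or whose contents differ from the pristine copy is reported, and a second helper normalizes permissions. The sample tree built by `demo` is constructed for illustration and contains no real payload.

```shell
#!/bin/sh
# Added example (not Piklist's or the forum poster's code).
# Helpers for post-compromise triage of a WordPress plugin/core tree:
#   list_unexpected PRISTINE LIVE  - report files added to or changed in LIVE
#   fix_perms DIR                  - set files to 644 and directories to 755
#   demo                           - constructed sample run (see below)

# Walk every regular file under LIVE and compare it with the pristine copy.
# Files absent from PRISTINE are "extra" (injected or duplicated); files
# present in both but with different contents are "changed".
list_unexpected() {
    pristine=$1
    live=$2
    ( cd "$live" && find . -type f ) | sed 's|^\./||' | sort |
    while IFS= read -r f; do
        if [ ! -e "$pristine/$f" ]; then
            echo "extra:   $f"
        elif ! cmp -s "$pristine/$f" "$live/$f"; then
            echo "changed: $f"
        fi
    done
}

# Count entries that deviate from 644/755, then normalize them.
# Prints the number of entries that were corrected.
# Caveat: this flattens every file to 644; if wp-config.php or other
# secrets are deliberately tighter (600/640), exclude or re-tighten them.
fix_perms() {
    dir=$1
    before=$(find "$dir" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) | wc -l | tr -d ' ')
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    echo "$before"
}

# Constructed sample: a pristine plugin directory and a live copy into which
# a look-alike file has been dropped and one file has been made world-writable.
# Prints the list_unexpected report followed by the fix_perms count.
demo() {
    umask 022
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pristine/piklist" "$tmp/live/piklist"
    printf '<?php // where-to-buy metabox (constructed stand-in)\n' \
        > "$tmp/pristine/piklist/tickets-where-to-buy.php"
    cp "$tmp/pristine/piklist/tickets-where-to-buy.php" "$tmp/live/piklist/"
    # Constructed stand-in for the injected duplicate; no real malicious code.
    printf '<?php // injected copy (constructed stand-in)\n' \
        > "$tmp/live/piklist/tickets-wheie-to-buy.php"
    chmod 777 "$tmp/live/piklist/tickets-where-to-buy.php"
    list_unexpected "$tmp/pristine" "$tmp/live"
    fix_perms "$tmp/live"
    rm -rf "$tmp"
}
```

Run `list_unexpected` against a freshly downloaded copy of the exact same version before touching anything; anything it flags as "extra" or "changed" in a plugin or core directory is worth inspecting rather than just deleting, since it tells you what the bot left behind. Paths that are not part of a pristine download (wp-config.php, wp-content/uploads) will always show up as extra and need to be reviewed separately.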
-
June 2, 2017 at 1:51 pm #8271
cosmocanuck (Member)
Thanks Jason! I guess I’m usually installing WP via cPanel and plugins via the Dashboard, so rarely directly FTP anything to my WP directory – but I’ll make note of those permissions guidelines.
And I was looking at Wordfence as well – I’ll check both of your suggestions out for sure.
Have a great day!