Our clients have found the WordPress framework to be quite good at putting the power to control content and information on their site in their own hands. We also find the WordPress framework flexible and powerful to use as developers. That said, all this functionality does come with a price. Security and file access permissions are important to set up properly, and the instructions on what to do are vague and hard to follow.
Recently one of our clients who maintains her own site was hacked. You hear a lot about hacking, but most folks don't know what that actually means. Here is a picture of the code the hack added to the plugins on her WordPress site.
That looks like a lot of gibberish, but what it is is obfuscated code wrapped in base64 encoding, which a lot of software uses for non-malicious purposes. If we decode it we get this:
Ok, more code gibberish for the non-coders, but to give a quick translation: visitors arriving from referring sites like Facebook, Google, MySpace etc. are redirected from your site to another site of the attacker's choosing. This makes it hard for you to know you have been infected unless you regularly check your site from outside locations (not typing in the URL directly, but instead clicking through from search results).
So what do you do? First off, don't panic. And really don't panic if you have good backups. (Ok, official shout-out to our friends at Rackspace Managed Backup. We back up the entire file structure of all our servers daily. Combine that with the awesome customer service we get from our Managed Backup Team, and you know why our team sleeps well at night.)
First Step - Clean up the Mess
Finding what's been infected is an important first step (you need to know what needs to be cleaned). Start with a couple of key directories:
2) /wp-content/plugins/ (all plugins)
Take a look at these directories, and in particular at the last-edited time stamps. The infection will likely have been done all at once, so you will be able to discover the date you were infected. Move these directories to a safe place for now.
3) Copy your wp-content/uploads directory to a safe location. This usually holds files and images that aren't as open to infection, and you'll want to keep them in the long run.
4) Your theme's directory is important. If it has been infected, cleaning it by hand can be a laborious process. This is where backups come in extremely handy. Once you know the date of infection, restore a version of your themes directory from your backups. If you do not have backups you are left with 2 options:
a) Manually disinfect, removing all malicious code. This is hard: in one file on her site she literally had 1000 different encodings, which makes automation difficult. You also have to take care to restore the file to its previous state.
b) Download a fresh theme and re-apply your customizations. This is also hard, but you should at least be able to see your customizations in the infected theme directory to give you guidance.
5) The final step is to download and install a fresh version of the WordPress framework. Move your uploads directory and themes directory into the fresh install, and finally re-download and install fresh copies of your plugins.
All together, if you have good backups the process can be done in under 20 minutes. Without backups the recovery time goes upwards of 10-20 hours.
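To take some of the manual work out of the first step (finding the date everything was modified and spotting the base64-wrapped code), here is an added shell example that is not part of the original post. It tallies PHP files by modification date and flags recently changed files that carry eval(base64_decode(...)) style wrappers; the sample tree it builds is constructed for the demo, and GNU or busybox find, stat and touch are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a WordPress tree:
# a modification-date tally (to spot the "all at once" infection date) and a scan
# that flags recently changed PHP files carrying eval(base64_decode(...)) style
# wrappers. Assumes GNU or busybox find/stat/touch.

# modtime_histogram WP_ROOT: prints "count YYYY-MM-DD" per modification date of PHP files
modtime_histogram() {
    find "$1" -type f -name '*.php' -exec stat -c '%y' {} \; | cut -c1-10 | sort | uniq -c
}

# scan_suspicious WP_ROOT SINCE_DATE: for PHP files modified on/after SINCE_DATE,
# prints "flagged <path>" when an obfuscated eval wrapper is present, else "recent <path>"
scan_suspicious() {
    ref=$(mktemp)
    touch -d "$2" "$ref"                       # reference timestamp for find -newer
    find "$1" -type f -name '*.php' -newer "$ref" | sort | while IFS= read -r f; do
        if grep -Eq 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' "$f"; then
            echo "flagged $f"
        else
            echo "recent $f"
        fi
    done
    rm -f "$ref"
}

# count_flagged WP_ROOT SINCE_DATE: number of flagged files
count_flagged() {
    scan_suspicious "$1" "$2" | grep -c '^flagged '
}

# make_sample_tree: constructed demo tree (one old clean file, one new clean file,
# one new file with the kind of wrapper the post describes); prints its path
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/plugins/demo" "$t/wp-content/themes/demo"
    printf '<?php echo "clean";\n' > "$t/wp-content/themes/demo/index.php"
    touch -d '2001-01-01' "$t/wp-content/themes/demo/index.php"
    printf '<?php echo "clean";\n' > "$t/wp-content/plugins/demo/demo.php"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$t/wp-content/plugins/demo/inject.php"
    echo "$t"
}

# Usage: t=$(make_sample_tree); modtime_histogram "$t"; scan_suspicious "$t" 2010-01-01
```

Run the histogram first to find the odd-one-out date, then feed that date to scan_suspicious against the real install; anything printed as "flagged" should be compared with a clean copy of the plugin rather than trusted.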
Second Step - Security and Permissions: Or how to make this never happen again.
This is where online guides tend to get pretty vague. We at Blazing Systems are not fans of vagueness, so with two clients' permission we set up a bit of a permissions test to find out what worked best. What we did was change permissions on two sites at different times to see what exposed the site to intrusion and what didn't. Here is the permissions setup that seemed to provide the most security while keeping most of the framework functionality intact.
1) General Permissions: We want to have the framework and the majority of files outside the control of apache and other users. So start by changing ownership of all files in the WordPress directory to the FTP user that accesses the site:
Example: chown -R site_owner:site_owner_group /wordpress_install_directory
Next we want to change the access permissions: 655 or 755 seem to be good permissions to keep these files protected.
Example: chmod -R 755 /wordpress_install_directory.
2) Specific Permissions: You still want to be able to upload files and complete upgrades. Also, a lot of the functionality in WordPress will give permission errors with the above settings. So we want to open permissions on 2 directories inside wp-content:
chown -R apache:apache /wp-content/uploads and chown -R apache:apache /wp-content/upgrade
chmod -R 755 /wp-content/uploads and chmod -R 755 /wp-content/upgrade
3) Open and Close Permissions: Some themes have very cool functionality that makes it easy to change the look and feel of the site on the fly. These files live in your theme directory, but opening them up = exposure, plus all the troubles above. We recommend only opening permissions on this directory while actively working on it, then immediately re-securing it when you're done.
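Here is an added shell example, not from the original post, that applies the three steps above as functions and then audits the tree for anything left group- or world-writable outside uploads and upgrade. The apache:apache owner and the directory names come from the post; the function names and the constructed sample tree are this example's own, and it assumes GNU or busybox find/chmod/chown.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the ownership/mode scheme from
# steps 1 and 2, gives step 3 an explicit "hand the theme over / take it back" helper,
# and audits the tree for anything left group- or world-writable outside
# uploads/upgrade. Owner names and directory names follow the post.

# apply_wp_permissions WP_ROOT SITE_OWNER:SITE_GROUP WEB_OWNER:WEB_GROUP
apply_wp_permissions() {
    root="$1"
    chown -R "$2" "$root"            # step 1: everything belongs to the FTP user
    chmod -R 755 "$root"
    for d in "$root/wp-content/uploads" "$root/wp-content/upgrade"; do
        mkdir -p "$d"                # step 2: only these two go to the web server
        chown -R "$3" "$d"
        chmod -R 755 "$d"
    done
}

# set_theme_owner WP_ROOT THEME OWNER:GROUP (step 3): call with the web server's
# owner (e.g. apache:apache) just before editing the theme through the admin UI,
# and again with the site owner as soon as you are done.
set_theme_owner() { chown -R "$3" "$1/wp-content/themes/$2"; }

# audit_writable WP_ROOT: lists group- or world-writable entries outside
# uploads/upgrade. A tree that follows the scheme prints nothing.
audit_writable() {
    root="$1"
    find "$root" \( -path "$root/wp-content/uploads" -o -path "$root/wp-content/upgrade" \) -prune \
         -o \( -perm -020 -o -perm -002 \) -print | sort
}

# audit_count WP_ROOT: number of audit findings
audit_count() { audit_writable "$1" | grep -c . ; }

# make_sample_tree: constructed demo tree with one sloppy 777 file; prints its path
make_sample_tree() {
    umask 022                        # so the demo's fresh directories start at 755
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/themes/demo" "$t/wp-content/plugins/demo"
    printf '/* demo */\n' > "$t/wp-content/themes/demo/style.css"
    printf '<?php\n' > "$t/wp-content/plugins/demo/demo.php"
    chmod 777 "$t/wp-content/themes/demo/style.css"
    echo "$t"
}

# Usage (as root on a real install): apply_wp_permissions /path/to/wordpress \
#   site_owner:site_owner_group apache:apache && audit_writable /path/to/wordpress
```

Running audit_writable on a schedule (or after every theme edit) is an easy way to catch a directory that was "opened" for step 3 and never closed again.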