As convenience and site functionality increases with the improved capabilities of programs on servers, not just WordPress, tampering with files on servers has become a major problem.
In this article, we will explain how hackers rewrite WordPress files and consider ways to improve security.
What happens when files on the server are altered by hackers?
Hackers are most often altering files on your site in order to make money. We have made a brief list of specific activities that hackers are doing by rewriting your site.
- They try to profit from the number of hits by directing users to another site that accesses your site
- infect the personal computers of users accessing your site with viruses to steal credit card information, etc.
- Link to your site so that the hacker can rank your site higher in search engines to profit from your site
- Concealing the identity of the hacker by using your site as a springboard for other hacking activities
- Embed fake pages on your site to steal users’ personal and credit card information
- Send advertising emails from your server to multiple users, enticing them to purchase goods or software
This kind of hacker activity can be very annoying to visitors to your site and to other sites, because your site is at risk of being a victim, but it can also be a perpetrator.
How hackers rewrite WordPress files 1. Taking away administrative privileges
WordPress is the most popular CMS in the world. It is a very flexible system that allows you to post any content you want, edit themes, plugins, etc. from the administration screen.
This convenience allows hackers to log in with administrator privileges to your site, allowing them to directly embed malware into your site.
The main method hackers use to seize administrative privileges is a brute force attack, in which they mechanically repeat logins and search for passwords by brute force.
We recommend that you take the following precautions to prevent the loss of administrator privileges.
(1) Change your password to one generated by WordPress.
Go to Administration > User List > Edit Admin User and change the password to the one generated by WordPress at the bottom of the page.
(2) Deny access to the hacker’s computor who has been conducting brute force attacks.
By using the security plug-ins we have developed, you can automatically disable access to the computer of a hacker who has conducted a brute force attack.
Link WordPress: Malware Scanning & Security Plugin
Once the plugin is installed, it is very easy to enable the “Login Lockdown”, “WPSCAN Prohibit”, and “Brute Force Attack IP Access Prohibit to XMLRPC,wp-login” functions by checking them.
How hackers rewrite wordpress files2 Using theme and plugin program vulnerabilities
Next, hackers can also modify files on the server by working directly on the programs uploaded to the server without taking away administrative privileges.
This is done by exploiting program vulnerabilities in a very sophisticated way. The WordPress program is made up of thousands of programs, but very rarely, there are gaps in the WordPress itself, plugins, or themes that allow the developer to cause unintended behavior.
For example, take a look at the following code
php eval($_POST['a']);
This single line of code is so vulnerable that it can be used to write files on the server, generate pages, send spam emails, alter existing files, and all sorts of other activities.
Vulnerabilities in themes and plug-ins are disclosed on various sites, so hackers can take advantage of them to tamper with your site.
We will explain how to prevent this activity.
(1) Update WordPress itself, plugins, and themes every few months.
Plugin and theme developers may be fixing vulnerabilities, so updating plugins, themes, and WordPress itself frequently is a basic measure to prevent hacking using vulnerabilities.
You can use this system to check for WordPress vulnerabilities from outside your site.
Link WordPress Doctor Vulnerability Check Security Scanner
(2) Minimize plugins and themes, and remove unused ones from the server.
Are there any unused plugins or themes left on the server that are not enabled? Just because they are not enabled does not mean they are not secure.
Many vulnerabilities can be exploited by hackers with direct access to vulnerable files, so simply having them on the server may put you at risk.
We recommend that you always update plugins and themes that are not in use, and remove them from the server if they are no longer needed.
(3) Keep your WordPress and plugin versions secret!
Hackers often know the versions of vulnerable WordPress sites, themes, and plugins, and will check the versions of plugins and themes installed on your site as a preliminary check.
(There is a mechanical way to do this process.)
Before the actual hacking act, the version information is kept confidential so that the hacker does not know the version information.
Using the WordPress:Malware Scanning & Security plugin will prevent WordPress from outputting version information on the HTML site code.
The plugin
Please enable the Prevent WordPress version leakage, Protect server-specific information, and Prohibit WPSCAN features.
(4) Prevent hackers from gaining direct access to your folders and being able to see the file contents!
Although it is becoming less common these days, if a folder on the server does not have an INDEX.HTML, the server may have a function enabled that lists the files in that folder when accessed (this function is called directory listing).
With tens of millions of sites out there, there is a danger that hackers will think that because your site is in this state, there is no way they can find it. This is because sophisticated search engines may be picking up these directory-listed pages and displaying them in their search results.
Hackers can easily find the directory-listed farda of a vulnerable plugin by searching the search engine.
Please use the “Disable Index Listing” feature of the WordPress:Malware Scanning & Security plugin.
(5) Set appropriate write permissions for files.
Files included in WordPress are always given a setting that determines whether or not they can be rewritten on the server. By making this write permission setting a little stricter, it is possible to inhibit hackers from tampering with the files.
Our security plug-ins will clearly indicate if there is a problem with file write permissions, so please be sure to properly set file write permissions in your FTP software.
How hackers rewrite wordpress files 3 Database rewriting
One of the most common activities that hackers perform on servers is to rewrite the database. WordPress has a database that contains information such as theme and plugin settings, text information of posted content, etc. The database also contains user information and passwords.
Since user information and passwords are also stored in the database, it is possible to take away administrative privileges if this information can be rewritten.
This method is called SQL injection.
As an example, if the following code is included in a program, it is possible to rewrite the database.
<? php $wpdb->query("SELECT * from wp_option where id = " . $_POST['a']);? >
This database rewriting is also done by taking advantage of the program vulnerability described in 2.
Hackers are always looking for sites that can be easily tampered with, so it is important to create a site that hackers cannot penetrate so easily. We recommend that you take basic security measures before operating your WordPress site.