We would like to explain the most common characteristics of the sites we have repaired at WordPress Doctor that have suffered malware damage due to hacker infiltration.
If you take the following security measures, you will be able to reduce hacker infiltration to a great extent.

User passwords are simple English words or predictable character patterns.

Logging in at the WordPress login screen can be done manually, but it is just as easy for an attacker to have a program repeat login attempts 24 hours a day without a break.

Since the login ID of a WordPress user is easy to obtain (some themes output it), an attacker who learns the password can log in as an administrator, and once administrator privileges have been taken over, the attacker can freely read and write files on the server.

Hackers often use lists of hundreds of thousands of passwords to automatically and repeatedly attempt logins until they gain administrator privileges.
The latest versions of WordPress automatically generate hard-to-guess passwords, which makes it very difficult for a hacker to gain administrative privileges.

A version of WordPress or of a plugin with serious known vulnerabilities is in use.

Some versions of WordPress itself and some versions of plugins (vulnerabilities in large, popular plugins are easy targets) have vulnerabilities that can give an attacker complete control of the site.

The following is the risk classification of vulnerabilities based on CVSS (Common Vulnerability Scoring System) base scores.

Severity: Level III (Danger)
CVSS base score: 7.0 to 10.0
Possible threats from the vulnerability:
  Threats that could result in complete remote control of the system.
  Threats that could result in the alteration of most data.
  For example, OS command injection, SQL injection, arbitrary code execution via buffer overflow, etc.

Severity: Level II (Warning)
CVSS base score: 4.0 to 6.9
Possible threats from the vulnerability:
  Threats that could lead to the leakage of critical information.
  Threats that could lead to service outages.
  For example, bypassing access control, or denial-of-service (DoS) threats that shut down the whole system.
  Other threats that fall under Level III but have low reproducibility.

Severity: Level I (Caution)
CVSS base score: 0.0 to 3.9
Possible threats from the vulnerability:
  Threats that cause damage to a part of the system.
  Threats that require complex conditions to attack.
  For example, cross-site scripting, partial information leakage by directory traversal, and denial-of-service (DoS) threats that cause a partial system shutdown.
  Other threats that fall under Level II but have low reproducibility.

You can use the WordPress Doctor vulnerability scanner to check whether you are using a vulnerable version of WordPress or a vulnerable plugin.
WordPress Vulnerability Assessment Security Scanner

File permissions are not set correctly.

Write permissions on server files should be set so that files cannot be written to from outside. As a minimum security measure, it is recommended that permissions be kept at or below the following values.

Root directory          0755
wp-includes/            0755
.htaccess               0644
wp-admin/index.php      0555
wp-admin/js/            0755
wp-content/themes/      0755
wp-content/plugins/     0755
wp-admin/               0755
wp-content/             0755
wp-config.php           0644

If the write permissions on WordPress files and folders are set to 777 (writable by everyone), security is greatly reduced.
If you want even stronger security, you can make every file and folder other than wp-content/uploads read-only. Core updates, plugin updates and installations from the admin panel will then no longer work, but the same applies to a hacker: even after hijacking administrator rights, they will not be able to do anything.
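The permission table above can be checked mechanically. The following script is an added example (not code from WordPress Doctor or from WordPress itself): it walks a site root, compares each listed path against the recommended maximum bits, and separately flags anything world-writable, which is the 777 case just described. The exemption for wp-content/uploads and the demo tree it builds in a temporary directory are assumptions of this example.

```python
import os
import stat
import tempfile

# Recommended maximum permission bits per path, taken from the list above.
# Paths are relative to the WordPress root ("." is the root itself).
RECOMMENDED_MAX = {
    ".": 0o755,
    "wp-includes": 0o755,
    ".htaccess": 0o644,
    "wp-admin/index.php": 0o555,
    "wp-admin/js": 0o755,
    "wp-content/themes": 0o755,
    "wp-content/plugins": 0o755,
    "wp-admin": 0o755,
    "wp-content": 0o755,
    "wp-config.php": 0o644,
}

# WordPress must be able to write uploaded media here, so this directory is
# exempt from the world-writable check (assumption made for this example).
WRITABLE_EXEMPT = "wp-content/uploads"


def audit_permissions(root):
    """Return a sorted list of (relative_path, mode, reason) findings.

    Check 1: every listed path must not carry permission bits beyond its
             recommended maximum (e.g. a wp-config.php that became 0666).
    Check 2: nothing in the tree except the uploads directory may be
             world-writable, which is the 777 case the text warns about.
    """
    findings = []
    for rel, max_mode in RECOMMENDED_MAX.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            continue  # an absent path is not a permission finding
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~max_mode:
            findings.append((rel, oct(mode), "exceeds recommended %s" % oct(max_mode)))

    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink modes are not meaningful on most systems
            rel = os.path.relpath(full, root)
            if rel == WRITABLE_EXEMPT or rel.startswith(WRITABLE_EXEMPT + os.sep):
                continue
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
    return sorted(set(findings))


def build_demo_site(root):
    """Create a small constructed WordPress-like tree with two deliberate
    mistakes: wp-config.php and wp-content/plugins are left at 0777."""
    dirs = ["wp-admin/js", "wp-includes", "wp-content/themes",
            "wp-content/plugins", "wp-content/uploads"]
    for d in dirs:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for d in [".", "wp-admin", "wp-content"] + dirs:
        os.chmod(os.path.join(root, d), 0o755)
    for f, mode in ((".htaccess", 0o644), ("wp-admin/index.php", 0o555),
                    ("wp-config.php", 0o777)):
        p = os.path.join(root, f)
        open(p, "w").close()
        os.chmod(p, mode)
    os.chmod(os.path.join(root, "wp-content/plugins"), 0o777)  # mistake
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)  # tolerated by the exemption


def run_demo():
    """Build the demo tree in a temporary directory and return the findings."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    build_demo_site(root)
    return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, reason in run_demo():
        print("%-24s %s  %s" % (rel, mode, reason))
```

Run it against a real installation by calling audit_permissions("/path/to/wordpress") instead of run_demo(); a path that appears in the output with "world-writable" is exactly the 777 situation to correct.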

The unique authentication keys in wp-config.php are all the same string or are not set.

Be careful if the unique authentication keys in wp-config.php (an important file that holds the WordPress database settings and other configuration) are simple strings like the ones below, or if all of the keys are the same.

/**#@+
 * Authentication unique keys and salts.
 *
 * Change each of them to a different unique string.
 * You can also generate them automatically with the WordPress.org secret-key service:
 * {@link https://api.wordpress.org/secret-key/1.1/salt/}
 * You can change them at any time to invalidate all existing cookies.
 * This will force all users to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'aaa');
define('SECURE_AUTH_KEY',  'aaa');
define('LOGGED_IN_KEY',    'aaa');
define('NONCE_KEY',        'aaa');
define('AUTH_SALT',        'aaa');
define('SECURE_AUTH_SALT', 'aaa');
define('LOGGED_IN_SALT',   'aaa');
define('NONCE_SALT',       'aaa');

These strings play an important security role, for example in verifying that actions such as posting are performed by legitimately logged-in users. They can also be generated automatically with the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/). If your site has the problem shown above, we recommend fixing it.
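The weak configuration above can be detected with a small audit. The following is an added example (not code from WordPress Doctor or from WordPress): it extracts the eight define() entries from wp-config.php text, reports keys that are missing, still set to the sample placeholder, too short, or reused across keys, and can emit a fresh block of random values. The 32-character minimum and the character set used for generated values are assumptions made for this example.

```python
import re
import secrets
import string

# The eight constants WordPress expects in wp-config.php.
REQUIRED_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Matches define('NAME', 'value') with optional whitespace, single-quoted values.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")

# Value left behind from wp-config-sample.php. The minimum length is an
# assumption for this example (the WordPress.org service issues 64-character values).
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32


def check_salts(config_text):
    """Return a list of problem descriptions; an empty list means the keys look fine."""
    found = dict(DEFINE_RE.findall(config_text))
    problems = []
    for key in REQUIRED_KEYS:
        value = found.get(key)
        if value is None:
            problems.append("%s: not set" % key)
        elif value == PLACEHOLDER:
            problems.append("%s: still the sample placeholder" % key)
        elif len(value) < MIN_LENGTH:
            problems.append("%s: too short (%d chars)" % (key, len(value)))
    # Every key must carry its own value; a shared value weakens all of them.
    values = [found[k] for k in REQUIRED_KEYS if k in found]
    for dup in sorted({v for v in values if values.count(v) > 1}):
        problems.append("value %r is reused by more than one key" % dup)
    return problems


# Characters that are safe inside a PHP single-quoted string (no quote, no backslash).
SAFE_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/~`|"


def generate_salts(length=64):
    """Generate a replacement define() block with a distinct random value per key."""
    lines = []
    for key in REQUIRED_KEYS:
        value = "".join(secrets.choice(SAFE_CHARS) for _ in range(length))
        lines.append("define('%s', '%s');" % (key, value))
    return "\n".join(lines)


# Constructed sample: the weak configuration shown above, all keys set to 'aaa'.
WEAK_CONFIG = """
define('AUTH_KEY',         'aaa');
define('SECURE_AUTH_KEY',  'aaa');
define('LOGGED_IN_KEY',    'aaa');
define('NONCE_KEY',        'aaa');
define('AUTH_SALT',        'aaa');
define('SECURE_AUTH_SALT', 'aaa');
define('LOGGED_IN_SALT',   'aaa');
define('NONCE_SALT',       'aaa');
"""

if __name__ == "__main__":
    for problem in check_salts(WEAK_CONFIG):
        print(problem)
    print(generate_salts())
```

Paste the output of generate_salts() over the existing block in wp-config.php; as the comment in the file notes, this invalidates every existing cookie and all users must log in again.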

Security plugins are not installed or are incompletely configured.

If you have not installed a WordPress security plugin, we recommend that you do so, understand its functionality, and enable as many of its settings as possible.

At WordPress Doctor, we recommend that our clients install the following plugins, which are versatile and include many useful features.

All In One WP Security & Firewall

Login lockdown and the importance of a login CAPTCHA

Brute force attacks attempt to seize administrator privileges through repeated login attempts. An effective countermeasure is to add a login lockdown (a function that disables login attempts for a certain period after several failed attempts) and a login CAPTCHA (a simple quiz displayed at login so that only a human can submit a login attempt) to WordPress.

This functionality is provided by the plugin above and by various other security plugins, and we recommend installing one of them on your WordPress site.
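To show what a login lockdown actually decides, and how the round-the-clock automated login attempts described earlier look in server logs, here is an added example (not code from WordPress Doctor or from any plugin): a sliding-window counter over web-server access-log lines that locks an address out after repeated failures. The log lines are constructed, and the policy values and the heuristic that a POST to /wp-login.php answered with 200 is a failed attempt while a 302 is a successful login are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of an Apache/nginx "combined" access-log line: client IP, timestamp,
# request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Policy (assumed for this example): five failures within five minutes lock the
# address out for fifteen minutes, comparable to a plugin's lockdown setting.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=15)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


class LoginLockdown:
    """Sliding-window failed-login counter with a per-address lockout.

    Heuristic (assumption): a POST to /wp-login.php answered with 200 means
    WordPress re-rendered the login form, i.e. the attempt failed; a 302 is
    the redirect issued after a successful login.
    """

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lockout expires

    def observe(self, line):
        rec = parse_line(line)
        if rec is None:
            return None
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            return None                      # not a login attempt
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"                 # attempt arrived during a lockout
        if status == 302:
            self.failures[ip].clear()        # a successful login resets the counter
            return "success"
        if status != 200:
            return None
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()                 # drop failures older than the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT
            window.clear()
            return "locked"
        return "failure"


# Constructed sample log: one address hammering the login form, one normal login.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2023:13:55:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2023:13:55:17 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2023:13:55:21 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
]


def run_demo():
    """Feed the sample log through the lockdown and return (outcomes, locked addresses)."""
    lockdown = LoginLockdown()
    outcomes = [lockdown.observe(line) for line in SAMPLE_LOG]
    return outcomes, sorted(lockdown.locked_until)


if __name__ == "__main__":
    outcomes, locked = run_demo()
    for line, outcome in zip(SAMPLE_LOG, outcomes):
        print("%-8s %s" % (outcome, line.split('"')[1]))
    print("locked:", locked)
```

The "locked" outcome is where a plugin would start refusing the form, and the "blocked" outcome is what its log would show afterwards; the same counter over real access logs is a simple way to confirm that an automated attack is under way before any plugin is installed.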

Backdoors left unattended.

Once your site has been hacked and the malware removed, a hacker entry point called a backdoor may still remain.
Even if you have updated WordPress, updated plugins, and installed security plugins, if this backdoor remains on your site, hackers can easily place malicious files on your WordPress site in the future.

In the case of malware damage, please note that in addition to removing the redirect hack, the SEO hack, and the spam-mail delivery files, the backdoor must also be eliminated; otherwise malicious files will keep being placed on your WordPress site again in an endless cat-and-mouse game.

Reference articles
WordPress tampering cases, eliminating and restoring multimedia form backdoors

If you suspect malware damage, please use WordPress Doctor’s Malware Scanner!
WordPress Doctor also offers malware removal and security measures on your behalf.
Free WordPress Doctor: Malware Scanning Plugin