One of the rare questions we receive when WordPress Doctor recovers from malware or tampering on behalf of our clients is that they want to know the cause and date of the problem.
Here is an explanation of how we can find out.
How can wordpress be hacked and tampered with?
First, we will briefly explain how WordPress can be hacked and malware embedded or tampered with.
1 Vulnerability of old plugins
The most common method is to exploit a vulnerability in an old plugin and send malicious code to be stored on the server.
In this case, the hacker has accessed the server and sent the malicious code remotely in some way.
In other words, if the server logs the date and time of the remote access and the contents of the data sent at that time, the date and time of the hack can be determined if the data contains malware or tampering code.
2 Brute Force Attacks
The second most common hacking method is the brute force attack, in which the administrator’s password is determined by repeatedly logging in with a commonly used password several thousand times.
In this case, if there is a log of the date and time of a successful login after repeated login enforcement, it will show that the administrator privileges were broken on that date and time.
3 Embedding malware via another site on the server
The third most common case is the embedding of malware across folders and multiple sites by a file called a backdoor, which is embedded in another site on the server and serves as an entry point for hackers to attack.
In this case, the edit history of the WordPress file and a log of its contents would reveal the date and time of the hack.
It is difficult to determine the cause and date of the hack because such logs do not exist for most servers
To determine the date, time, and IP of the above hack, you can use the aforementioned
The date and time of the remote access, and the contents of the data sent at that time.
The date and time of the successful login after repeated login attempts
The history of WordPress file edits and their contents
The logs should include the following information, but we think it is fair to say that most servers do not have such logs. The fact of the matter is that most servers, especially general rental servers, only keep access logs.
In addition, in order to find out if the above attack was successful, it is necessary to try the same attack on the actual site and see if it is possible to penetrate the site. It is also difficult to identify successful attacks.
This means that it is very difficult to determine the cause, date, and time of the WordPress hack, as well as the hacker’s IP.
Therefore, instead of trying to solve the cause of the hack, we need to focus on removing malware and backdoors, updating WordPress and plugins, and taking security measures to prevent future hacks as much as possible.
[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].