DoOO: Responding to Hacked Sites

Introduction

The best way to prevent and respond to hacked sites is to keep the site maintained by updating the application core, plugins, and themes, and to find and remove any evidence of persistence deployed to the install. Each of these is covered below.

Outdated Application(s)

The primary attack vector for anything on the public internet is outdated applications. Software updates to applications usually contain important features like security updates and vulnerability patches. When an install is left un-updated, it is trivial for an attacker to scan for that specific version and exploit the site to gain a foothold. This process is usually completely automated as well.

Audit Plugins / Themes

It is very common for a site to be infected via a compromised plugin or theme, both legitimate and fraudulent. As they are easy to install and usually not noticed by the end-user, they serve as a great attack vector on the sites that support them. During the response to a hack/compromise, one of the first things you check should be the user's current plugins and themes.

For the best results, it is advised to remove all unused plugins and themes and make sure any plugins/themes currently in use are updated to the most recent version as specified by the plugin creator.

Check Accounts

Once an attacker has gained access to a site, they will try to establish some form of persistence, either through malware or through creating administrator accounts on the site (or sometimes both). Because of this, it is important to audit all user accounts on the hacked site and reset passwords for all users. Any suspicious account should have its permissions lowered to none, or be removed outright.
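
One way to script the account audit described above, as an added example that is not part of the original article. It assumes the hacked install is WordPress and that its users were exported with WP-CLI's `wp user list` as CSV; the sample rows, the known-good administrator list, and the compromise date are all constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows, laid out like the CSV from:
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv
SAMPLE_EXPORT = """\
ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.edu,2021-08-30 14:02:11,administrator
2,jdoe,jdoe@example.edu,2022-01-18 09:15:40,author
7,wp_support,support@example.net,2024-03-02 03:41:07,administrator
9,student1,student1@example.edu,2024-03-05 16:20:00,subscriber
12,backup_admin,ops@example.org,2023-11-20 10:00:00,"editor,administrator"
"""

def audit_accounts(export_csv, known_admins, earliest_compromise):
    """Return (login, roles, reasons) for every account that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # A user can hold several roles; any one of them may grant admin rights.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if "administrator" in roles and row["user_login"] not in known_admins:
            reasons.append("administrator not on the known-good list")
        if registered >= earliest_compromise:
            reasons.append("created on or after the suspected compromise date")
        if reasons:
            findings.append((row["user_login"], sorted(roles), reasons))
    return findings

if __name__ == "__main__":
    # Assumptions: the site owner confirmed one administrator, and logs put the
    # earliest sign of compromise at 2024-03-01 (both values are constructed).
    for login, roles, reasons in audit_accounts(
        SAMPLE_EXPORT, {"siteowner"}, datetime(2024, 3, 1)
    ):
        print(f"{login} [{', '.join(roles)}]: {'; '.join(reasons)}")
```

Flagged accounts are candidates for the manual review described above; passwords are still reset for all users whether or not an account is flagged.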

General Clean-up

While the three items above are the main areas you should check when responding to a hacked user site, there are a few other items that are much less common but still important to note:

  • DNS Hijack
  • Database Hijack
  • Illicit/Illegal Materials

If you run into one of these, please let us know at support@reclaimhosting.com immediately.
