This week we were contacted by one of our partner companies, who were in the process of doing a site survey of a client’s WordPress website as part of a redevelopment project.
On the surface it looked like a typical WordPress website: a few pages and no blog section. Several plugins needed updating, there were some theme updates and a new version of WordPress waiting to be installed, but nothing stood out as out of the ordinary.
That changed when the “Posts” tab was clicked in the Dashboard and the website stopped responding in the browser. A closer look revealed almost 62,000 blog posts on the site.
When the site owner was asked whether they had ever lost access to the site, it turned out they had indeed had problems accessing it twice in the last year. They had managed to regain access both times but had never run a check to ensure the site had not been compromised. As a result, it had been hosting SPAM email links, which was not only consuming resources in the hosting package but also potentially putting their domain reputation at risk.
Once we understood how the site had been compromised (the site username was “admin” and the password included the site name) we could start the mitigation process. Before the compromised material was removed from the site, we first needed to block access for the people writing the blog posts.
This is not as simple as changing the password for the account, because WordPress keeps users logged in for a certain amount of time after a password is changed. We also had to regenerate the “WordPress Salts”, which forces all logged-in users to reauthenticate with the site.
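As an added illustration (not code from the original post) of what regenerating the salts actually changes, the script below rewrites the eight salt `define()` lines in a wp-config.php fragment with fresh random values from the OS CSPRNG; on a live site, WP-CLI's `wp config shuffle-salts` performs the same rotation. The config fragment and the salt character set are constructed assumptions for the demo.

```python
import re
import secrets
import string

# The eight keys WordPress uses to sign its auth and nonce cookies. Changing
# them invalidates every cookie signed with the old values, so all logged-in
# users (including whoever has been posting) must authenticate again.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Character set is an assumption: alphanumerics plus punctuation that is safe
# inside a single-quoted PHP string (no quote, backslash or dollar sign).
SALT_CHARS = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}<>~,.;:/?|"

# Matches define('KEY', 'value'); as written in a stock wp-config.php.
DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>[^']*)'\s*\);")


def new_salt(length=64):
    """Fresh random salt from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, rotated_keys); non-salt defines are left untouched."""
    rotated = []

    def repl(match):
        key = match.group("key")
        if key not in SALT_KEYS:
            return match.group(0)
        rotated.append(key)
        return "define('%s', '%s');" % (key, new_salt())

    return DEFINE_RE.sub(repl, config_text), rotated


# Constructed wp-config.php fragment for the demo, not a real site's file.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_example');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""
```

Running `rotate_salts(SAMPLE_CONFIG)` returns the rewritten text together with the list of the eight keys it replaced, leaving `DB_NAME` untouched.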
With the site secured we were able to start the cleanup. First we checked who the site administrator email was set to; it was not the client, so we updated the site admin email address to ensure that we were receiving site notifications again.
Once this was completed we took a backup of the site, in case we accidentally removed something or needed it for further investigation. Once the backup had been downloaded off the server we performed the following actions:
1. Update all plugins, themes, translations etc.
2. Remove all unused / abandoned plugins (a good security package will warn you of abandoned plugins)
3. Remove all unused themes apart from TwentyTwentyTwo (kept for troubleshooting)
4. Apply 2FA to all admin accounts
5. Set up the WordFence Web Application Firewall (WAF) to protect the site from malicious scans, malware, brute-force login attempts etc.
Once we had completed these steps we had to deal with the fact that the client was using the username “admin” on this site. There are various options for this, from changing the name in the database or via a plugin, to the nuclear option of removing the account completely.
In this case we decided the nuclear option was the quickest, as we only had 7 pages but 62,000 blog posts assigned to this user. We transferred ownership of the pages to a newly created admin account, then removed the account from the site and deleted all items associated with it.
The final step, once the user and posts had been removed from the database, was to reclaim the freed space in the database. Prior to the cleanup the site database was over 400Mb in size; once the posts were removed we were able to claim back over 300Mb, saving resources on the web hosting server.
Since we secured the website on the afternoon of Thursday 16/06, by the time of writing (10:56 on Monday 20/06) we have had over 480 login attempts on the site, all of them unsuccessful.
If you are reading this and you are worried about the integrity of your WordPress website please do not hesitate to reach out to us for an audit of your site. Click Here to book a free call to see if you could benefit from a website Audit!