Reclaim Hosting put on its very first 2-day Workshop for Domain of One’s Own admins on November 2 & 3. The following post is a summary of the first session from morning 2 of Workshop of One’s Own.
3 STAGES:
Identifying a Compromise
Cleaning a Hacked Site + Scanning Tools
Preventing a Hacked Site
Identifying a Compromise
-Checking Apache Status in WHM- the request column
-Visit the site. Worth noting that a site can load perfectly fine even if it’s hacked.
-Connect to the site via FTP, look for files that have random names
-Process Manager in WHM & kill processes
-Email Queue (Mail Queue Manager + ConfigServer Mail Queues)- check if the account is throwing out spam; delete the entire queue. Won’t stop spamming, but clears the slate.
-Are there any strange additional users in the database?
Cleaning a Hacked Site
-Clean up tools that don’t care about the application in question
-Completely delete wp-admin & wp-includes, and every other generic WordPress file besides wp-config or .htaccess
-Remove any injected code if needed for wp-config or .htaccess
-Reupload fresh copies of all plugins & themes installed; have a conversation with the user about what they need, premium plugins/themes
-Check wp-content>uploads for .php files. You should never see any .php files there!
-Grab a clean copy of WordPress, skipping over wp-content
-After you’ve done what you can, take a back up of it.
-Restoring a backup is always an option if the user hasn’t made any changes
-Recycle account passwords
Scanning Tools
-The first line of defense: Linux Malware Detect; can be installed on the server and managed through terminal. This is free, open-source software that quarantines hacked files. You can set a cron job that runs daily. Historically, this doesn’t detect everything but is a great start & preventative measure.
–ConfigServer Exploit Scanner– commands in WHM to run scans; great search features; tons of options for different scans
Preventative Measures + Good Practice
-WordPress plugin: Wordfence; free and premium version
-CXS Watch in WHM; checks for any changes across any account, could have false positives so that’s something to be aware of
–WPS Hide Login WordPress Plugin
–BitNinja; distributed firewall on all of Reclaim’s servers
-Keeping WordPress plugins & themes up to date
