What if you notice some mysterious registration sign ups in your WordPress website? It may be a sign of hacker activity…
Recently, WordPress users reported new registrations signing up for their sites even when the option was not made available in the first place. It has been done by switching on the ‘Anyone can register’ option under ‘Settings’ > ‘General’ section in the WordPress admin area. There were clear signs of complete website takeover with very limited control left to the original owners, along with external links that led to suspicious code and sites.
Those behind the hacking attempt clearly understood the importance of targeting the admin aspect of WordPress, crucial as it is to the functioning of the site combined with access to sensitive data of trusted customers as well.
Other visible changes included:
- Admin users that you aren’t aware of – or brought to notice by other stakeholders – are now present on the dashboard with extensive control. Or, there is the presence of a lot of spam WordPress admin users with no reason – this is a more obvious sign of a hacking attempt.
- Instead of the designed mobile version, the site showed a cache version of it. There’s a difference in the loaded User Interface (UI), possibly showing a blank page instead of the usual content, or a coloured grey screen that contains a list of the files named on the server.
- Tried to open the wp-admin file, but it wasn’t opening up.
- Page is redirecting to sites with suspicious code and unknown content.
- The WordPress site generally loads slow. Some of your plugins may also be automatically disabled even when you actively try to use their services. Other plugins could be deleted without your knowledge.
- Users have also reported the presence of unknown files with confusing names that make them seem valid, such as adminer.php.
- Google may point out – and raise an alert – regarding the presence of spam pages on your site. It could also be phishing attacks or malicious external links that redirect the user to harmful websites.
- There is addition of new web pages that show text in a foreign language – if this is Japanese, then this could be the presence of Japanese SEO spam.
- Checking the FTP, none of the files seemed to be facing any issues.
- Most scanning tools are not showing anything out of the ordinary and most preliminary steps to harden WordPress security provide no result.
The issue turned out to be an existent backdoor in WordPress that allowed for the creation of new users as admin, and hackers had used this possibility while shifting the option for creating new registrations as ‘on’. Some hackers had changed the site URLs via the database tables as well.
Some solutions stated to this particular hack include:
- Checking the index.php file to see if it is affected by the wp-admin hack by rechecking the code. Also check the uploads directory to delete any PHP files that may be present in the server, uploaded there by hackers who wish to place backdoors for further entry points and by exploiting existing WordPress security vulnerabilities.
- There could be the presence of files created by this malware in your wp-admin folder – for this, create a backup and delete these files.
- There could be spammy keywords, maybe even Japanese Keyword Hack.
- Note down unknown admins added and delete their WordPress accounts as well as the identified backdoor code that allowed them to initiate the admin role
- Stepping to a previous backup taken for your site, login with your credentials and download the latest updates to all plugins, themes, and extensions.
Beyond these immediate measures, it doesn’t hurt to visit your WordPress site’s security barriers for permanent protection against such surprise attacks among other predictable issues.
- Rechecking your hosting environment to see if they are holding their end of the responsibility for maintaining security through updated and stable versions with options for recovery.
- Recheck your website applications.
- Restrict your security themes to limited access to certain personnel, a plan for containment of damage in case the site is compromised, regular backups and being aware of the state of WordPress installation, etc.
- Update your WordPress version as soon as possible.
- Finally, a fully comprehensive malware scan should be run on all files of the website. There’ll be automatic options available on the original control panel or you can employ the services of a professional service like Astra security.
It’s never easy to deal with attacks on your site and potentially leave your WordPress site in the hands of hackers. You can follow this complete guide on WordPress Hack & Malware Removal that will help you with more detailed steps in fixing malicious scripts & backdoor in WordPress. So, make sure to keep an eye out for suspicious quirks that indicate a problem and resolve as quickly as possible!