A few days ago I received an email from the Google Search Console Team with the title “Social engineering content detected”. On one of the sites where I was working on some small fixes, phishing was detected. Someone used the site’s domain and added a link to a phishing page with plenty of download links. The URL looked like this:
http://www.sitename[.]com/~smarketi/apple/app/account/id45554485_54/key_hgyggggfft5485fe/
As security was never part of my job, I thought that installing the free version of the Wordfence plugin would be good enough. Although I received notices that some files were being changed, I ignored them because the site owner was working with some plugin developers, so I thought that must be it, and besides, the site was working fine.
Cleaning up the infected site
So I consulted an experienced developer, Ryan Paul, and here is what we did to clean up the site:
- Change the salt keys in wp-config.php (you can use the iThemes Security plugin); this invalidates every existing login cookie, including any the attacker holds
- Change the database user and its password (cPanel), and update wp-config.php to match
- Change the database prefix (you can do it through phpMyAdmin, or you can use the iThemes Security plugin, which is much faster and also renames the prefixed rows inside the data, not only the tables)
- Erase all users except the main administrator, then change the admin username and password through phpMyAdmin
- Delete everything except the wp-content folder and the wp-config.php file, then reupload the WordPress files from scratch (wp-content, especially uploads and themes, is where injected files usually live, so it still has to be inspected rather than trusted)
- Deactivate all plugins and replace them with fresh installations (you can upload them into a “newPlugins” folder inside wp-content, then delete the plugins folder and rename the new one, or you can use Force Plugin Updates)
- Lastly, Ryan HIGHLY recommends the Bulletproof Pro plugin (it checks your site very often but still doesn’t slow it down)
Issue creating a user through phpMyAdmin after changing the db prefix
While I was working on this I had a problem creating a new user through phpMyAdmin after changing the database prefix. I was going to copy an existing user, make some changes and delete the original one. But when I tried to log in to the WordPress dashboard it didn’t work. Panic! Then I did some searching and found the perfect solution. Just be careful to replace all “wp_” prefixes in the code with your new prefix.
-- Create the user. WordPress accepts a plain MD5 hash only as a legacy format and rehashes it on the first successful login.
INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`)
VALUES ('newadmin', MD5('pass123'), 'firstname lastname', 'email@example.com', '0');
-- Grant the administrator role to the user just created. The meta_key values carry the table prefix too,
-- so 'wp_capabilities' and 'wp_user_level' must use the new prefix, not only the table names.
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (SELECT MAX(`ID`) FROM `wp_users`), 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (SELECT MAX(`ID`) FROM `wp_users`), 'wp_user_level', '10');
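The reason the copied user could not get into the dashboard is that WordPress stores the table prefix inside the data as well as in the table names: the `<prefix>user_roles` option and every user’s `<prefix>capabilities` and `<prefix>user_level` meta keys are looked up with the prefix currently configured in wp-config.php. Renaming the tables in phpMyAdmin leaves those rows under the old prefix, so the user logs in but has no role. The following is an added example, not code from the original post; it replays the rename on an in-memory SQLite copy of the three tables involved and then applies the fix. The prefixes `wp_` and `xk9_`, the single admin user and the serialized role strings are constructed sample data. The statements are the ones you would run against MySQL in phpMyAdmin, with the one dialect difference (`||` versus `CONCAT`) noted in a comment.

```python
"""Why a hand-copied user stops working after a table-prefix change.

Added example, not code from the original post. Uses an in-memory SQLite
copy of wp_users, wp_usermeta and wp_options with constructed sample rows.
"""
import sqlite3

OLD, NEW = "wp_", "xk9_"   # constructed old and new prefixes
ADMIN_CAPS = 'a:1:{s:13:"administrator";s:1:"1";}'
ROLES_BLOB = "serialized roles array (placeholder for the demo)"


def make_db(prefix: str) -> sqlite3.Connection:
    """Constructed sample: one administrator in a site that uses `prefix`."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    db.execute(f"CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY, "
               "user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.execute(f"CREATE TABLE {prefix}options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    db.execute(f"INSERT INTO {prefix}users VALUES (1, 'admin')")
    db.executemany(f"INSERT INTO {prefix}usermeta VALUES (NULL, 1, ?, ?)", [
        (prefix + "capabilities", ADMIN_CAPS),
        (prefix + "user_level", "10"),
        ("nickname", "admin"),            # not prefixed; must be left alone
    ])
    db.execute(f"INSERT INTO {prefix}options VALUES (?, ?)", (prefix + "user_roles", ROLES_BLOB))
    return db


def rename_tables(db, old: str, new: str) -> None:
    """What 'change the prefix in phpMyAdmin' usually means: tables only."""
    for table in ("users", "usermeta", "options"):
        db.execute(f"ALTER TABLE {old}{table} RENAME TO {new}{table}")


def like_prefix(old: str) -> str:
    # '_' is a LIKE wildcard, so 'wp_%' would also match 'wpXcapabilities'; escape it.
    return old.replace("_", "\\_") + "%"


def stale_rows(db, old: str, new: str) -> dict:
    """Data rows that still carry the old prefix after the tables were renamed."""
    pat = like_prefix(old)
    meta = db.execute(f"SELECT meta_key FROM {new}usermeta WHERE meta_key LIKE ? ESCAPE '\\'", (pat,))
    opts = db.execute(f"SELECT option_name FROM {new}options WHERE option_name LIKE ? ESCAPE '\\'", (pat,))
    return {"usermeta": sorted(r[0] for r in meta), "options": sorted(r[0] for r in opts)}


def fix_stale_rows(db, old: str, new: str) -> None:
    """Swap the prefix inside the data. MySQL: CONCAT(?, SUBSTR(meta_key, ?)) instead of ||."""
    pat, start = like_prefix(old), len(old) + 1
    db.execute(f"UPDATE {new}usermeta SET meta_key = ? || SUBSTR(meta_key, ?) "
               f"WHERE meta_key LIKE ? ESCAPE '\\'", (new, start, pat))
    db.execute(f"UPDATE {new}options SET option_name = ? || SUBSTR(option_name, ?) "
               f"WHERE option_name LIKE ? ESCAPE '\\'", (new, start, pat))


def admin_caps(db, prefix: str, user_id: int):
    """Emulates the two lookups WP_User makes with the *current* prefix.
    None means the user can log in but has no role: the lock-out above."""
    roles = db.execute(f"SELECT option_value FROM {prefix}options WHERE option_name = ?",
                       (prefix + "user_roles",)).fetchone()
    caps = db.execute(f"SELECT meta_value FROM {prefix}usermeta WHERE user_id = ? AND meta_key = ?",
                      (user_id, prefix + "capabilities")).fetchone()
    return None if roles is None or caps is None else caps[0]


def demo():
    db = make_db(OLD)
    rename_tables(db, OLD, NEW)
    before = admin_caps(db, NEW, 1)        # None: tables renamed, data not
    stale = stale_rows(db, OLD, NEW)       # the rows that need the new prefix
    fix_stale_rows(db, OLD, NEW)
    after = admin_caps(db, NEW, 1)         # administrator again
    leftover = stale_rows(db, OLD, NEW)    # nothing left on the old prefix
    return before, stale, after, leftover


if __name__ == "__main__":
    print(demo())
```

The same rule applies to a user you insert by hand as in the SQL above: the `meta_key` values `wp_capabilities` and `wp_user_level` must be written with the new prefix, or the new administrator will be a user with no role.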
Important security plugin notices
Ryan did the plugin setup, so I don’t have to worry about anything until I get a notification. The only thing I need to take care of is to turn off ARQ Cron when I change site files. So when you open BPS Pro/AutoRestore you should make everything look like on this image, and once you finish editing, delete the wp-content backup files, back them up again and turn ARQ Cron back on.
Then I reported the problematic URL to Google. As the site was blacklisted on Google and all the other important places, after all this was done I checked the site again. Google Safe Status Check reported that the site was clean, and on some other places where I checked everything was OK, but the Sucuri site checker still detected that the site was on one blacklist. It was the Norton blacklist, which detected an SWBPL threat. I couldn’t find what an SWBPL threat is, but the solution for this Norton issue is to submit the site for review on Norton’s security central.
So what have we WordPress security beginners learned?
- Your site can work just fine and still be infected!
- Backup. Always backup. And then do some more backups.
- Use the Pro version of a security plugin.
- Update. Update WordPress, plugins and themes. Always keep files up to date.
- React fast and keep your passwords safe.
If you have some good advice, please share, and if you want to know more about email phishing check Pixelprivacy and BroadbandSearch.