How to Secure Your WordPress Website Against Russian Hackers

Categories: Coding, security

I woke up on Tuesday to a strange email from my WordPress website:

That’s weird, I don’t remember signing up a new user onto my site. Turns out, as is tradition, WordPress had some kind of vulnerability which allowed my site to get pwned. I needed to investigate further.

When I first went to my site it was redirecting to some insecure third-party website (in my haste to fix it I lost the actual URL, but it was something like getfreetraffic.com). But since I couldn’t actually access the backend of WP I had no more information. I continued on to the access logs.

Around the time the emails were sent I saw some really strange log entries:

185.212.131.46 - - [19/Mar/2019:08:07:36 -0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 3233 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
185.212.131.46 - - [19/Mar/2019:08:07:38 -0700] "POST /wp-admin/admin-post.php HTTP/1.1" 302 3460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
185.212.131.46 - - [19/Mar/2019:08:07:40 -0700] "GET /wp-admin/options-general.php?page=swpsmtp_settings HTTP/1.1" 302 3503 "https://trevorelwell.me/wp-admin/admin-post.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
185.212.131.46 - - [19/Mar/2019:08:07:41 -0700] "GET /wp-login.php?redirect_to=https%3A%2F%2Ftrevorelwell.me%2Fwp-admin%2Foptions-general.php%3Fpage%3Dswpsmtp_settings&reauth=1 HTTP/1.1" 206 10367 "https://trevorelwell.me/wp-admin/options-general.php?page=swpsmtp_settings" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
192.0.116.49 - - [19/Mar/2019:08:07:44 -0700] "POST /xmlrpc.php?for=jetpack&token=%23me%28h3mgvu%24qdSdpIqzJdM%26n7M5P%25%287g%3A1%3A1&timestamp=1553008064&nonce=QuzoJDqnu4&body-hash=dyeU7%2FNsaVaPg0O8xjHI5AKMGJQ%3D&signature=RtOE74H6o8%2Fam9jyM8UzJnaZXJA%3D HTTP/1.1" 200 5324 "https://trevorelwell.me/xmlrpc.php?for=jetpack&token=%23me%28h3mgvu%24qdSdpIqzJdM%26n7M5P%25%287g%3A1%3A1&timestamp=1553008064&nonce=QuzoJDqnu4&body-hash=dyeU7%2FNsaVaPg0O8xjHI5AKMGJQ%3D&signature=RtOE74H6o8%2Fam9jyM8UzJnaZXJA%3D" "Jetpack by WordPress.com"
185.212.131.46 - - [19/Mar/2019:08:07:42 -0700] "POST /wp-login.php?action=register HTTP/1.1" 302 3487 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
185.212.131.46 - - [19/Mar/2019:08:07:48 -0700] "GET /wp-login.php?checkemail=registered HTTP/1.1" 206 8442 "https://trevorelwell.me/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

The 185 IP address is from the Netherlands and the 192 IP appears to be from LA. It looks like someone was trying to take advantage of xmlrpc and perhaps the Jetpack plugin to pwn my site.
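To turn the log excerpt above into something repeatable, here is an added triage script (not part of the original post) that parses Apache combined-format lines, tags the request shapes seen in this incident (admin-post.php, the swpsmtp_settings page, the Jetpack xmlrpc call, self-registration) and groups them per client IP in timestamp order, since the raw log is not in order. The sample lines are constructed from the shapes in the post with shortened user agents; the step names and the 300-second burst window are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" log format; only the fields the triage needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Request shapes from the incident above; raw (still URL-encoded) paths are matched.
STEPS = {
    "admin-post": ("POST", re.compile(r"^/wp-admin/admin-post\.php")),
    "smtp-settings": ("GET", re.compile(r"^/wp-admin/options-general\.php\?page=swpsmtp_settings")),
    "xmlrpc-jetpack": ("POST", re.compile(r"^/xmlrpc\.php\?for=jetpack")),
    "self-register": ("POST", re.compile(r"^/wp-login\.php\?action=register")),
}
# Constructed sample: the shapes of the post's log excerpt with shortened user agents.
SAMPLE_LOG = [
    '185.212.131.46 - - [19/Mar/2019:08:07:38 -0700] "POST /wp-admin/admin-post.php HTTP/1.1" 302 3460 "-" "Mozilla/5.0"',
    '185.212.131.46 - - [19/Mar/2019:08:07:40 -0700] "GET /wp-admin/options-general.php?page=swpsmtp_settings HTTP/1.1" 302 3503 "-" "Mozilla/5.0"',
    '192.0.116.49 - - [19/Mar/2019:08:07:44 -0700] "POST /xmlrpc.php?for=jetpack&token=x HTTP/1.1" 200 5324 "-" "Jetpack by WordPress.com"',
    '185.212.131.46 - - [19/Mar/2019:08:07:42 -0700] "POST /wp-login.php?action=register HTTP/1.1" 302 3487 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Mar/2019:09:00:00 -0700] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Fields of one combined-format line (timestamp parsed), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Name of the step this request matches, or None for ordinary traffic."""
    for name, (method, pat) in STEPS.items():
        if rec["method"] == method and pat.search(rec["path"]):
            return name
    return None

def triage(lines, window_s=300):
    """Per client IP: matched steps in timestamp order, and whether they all fell within window_s seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        step = classify(rec) if rec else None
        if step:
            hits[rec["ip"]].append((rec["ts"], step))
    report = {}
    for ip, events in hits.items():
        events.sort()  # log order is not trusted; see the out-of-order xmlrpc line above
        span = (events[-1][0] - events[0][0]).total_seconds()
        report[ip] = {"steps": [s for _, s in events], "burst": span <= window_s}
    return report
```

Run it as `python3 triage.py < access.log` after replacing SAMPLE_LOG with `sys.stdin`; an IP that hits several steps in one burst is the one to look at first.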

Also worth noting: almost immediately after this happened I saw a TON of GET requests from an ahrefs.com robot for very pornographic search terms. Most of them were hilarious, but I probably shouldn’t post them on my site regardless. If I had to guess, the attacker took over my site to forward all traffic to a site they control and serve ads. They then sent a bunch of traffic there via ahrefs to try and get my site to show up for long tail pornographic keywords. They then hoped that people would click through my site, which would redirect them to the site they controlled and give them ad revenue. Very convoluted but hey, maybe it would work!

Now that I had a theory as to what happened, I was still not any closer to actually fixing the problem.

After having spent many years working on WordPress websites, I had a good idea of where to look for malicious redirections first. So I looked through all of the theme files in wp-content to see if anything looked odd. This proved unsuccessful. I grep‘d the entire directory for terms like traffic and redirect and free to no avail. For the moment it seemed like the problem wasn’t in the site files.

Next was the database. I looked in wp_options and almost immediately saw the problem: the attacker changed my site_url and home values to this getfreetraffic site. Bingo! Once I changed this back to my website things started to work again and I could access the backend of my website once again.
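The siteurl/home check is worth keeping around, since the attacker only had to rewrite two rows. Below is an added example (not from the post) that flags either option when it does not point at the expected host over https, and puts both back to a known-good URL, which is what was done by hand above. It uses an in-memory SQLite table as a constructed stand-in for the MySQL wp_options table; the placeholder domain attacker-redirect.example and the `wp_` prefix argument are assumptions.

```python
import sqlite3
from urllib.parse import urlsplit

# The two wp_options rows the attacker rewrote; the SQL is plain enough to run unchanged on MySQL.
CHECKED_OPTIONS = ("siteurl", "home")

def check_site_urls(conn, expected_host, prefix="wp_"):
    """Return [(option_name, value)] for siteurl/home rows not pointing at expected_host over https."""
    # prefix is the operator's own table prefix, never user input, so it is safe to interpolate.
    sql = f"SELECT option_name, option_value FROM {prefix}options WHERE option_name IN (?, ?)"
    findings = []
    for name, value in conn.execute(sql, CHECKED_OPTIONS):
        parts = urlsplit(value)
        if parts.scheme != "https" or parts.hostname != expected_host:
            findings.append((name, value))
    return findings

def restore_site_urls(conn, good_url, prefix="wp_"):
    """Set both rows back to good_url; returns the number of rows that actually changed."""
    sql = f"UPDATE {prefix}options SET option_value = ? WHERE option_name IN (?, ?) AND option_value <> ?"
    cur = conn.execute(sql, (good_url, *CHECKED_OPTIONS, good_url))
    conn.commit()
    return cur.rowcount

def constructed_db(siteurl, home):
    """In-memory stand-in for the wp_options table (constructed; a real site uses MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)",
                     [("siteurl", siteurl), ("home", home), ("blogname", "my blog")])
    conn.commit()
    return conn
```

Against a live site, hand `check_site_urls` a read-only MySQL connection first and only call `restore_site_urls` once the findings are confirmed; a legitimate siteurl with a subdirectory path still passes because only scheme and host are compared.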

Hardening My Site

I’ve been meaning to secure my website for a long time now, and this was the perfect excuse to actually do so. So after spending some time to make sure that the attackers didn’t leave any further backdoors, I went off securing my site.

The first thing I did was to not make WordPress accessible to the world anymore. Unfortunately WordPress is not secure and there’s nothing I can do about it, so I’ve now restricted it to a few IP addresses with a username/password. Using the Simply Static plugin, I made it so my public-facing site is now static and needs to be rebuilt whenever I update the site. This required a lot of apache2 server config, but now that it’s set up it’s dead simple to use. Just hit generate site whenever I post and we’re done. Now the only IPs that have access to WordPress are mine, which should make it a lot harder to exploit any WP vulnerabilities in the future.

Oh, I also deleted the Jetpack plugin and disabled xmlrpc site-wide. A little overkill since the IPs are so restricted, but I don’t trust these mechanisms anymore so it just felt right to do.

So, wat?

TL;DR it looks like someone named Devid in Russia was running an automated script looking for sites running a vulnerable version of WordPress and/or the Jetpack plugin. They found my site and redirected its (pretty much nonexistent) traffic to get ad monies. I hardened my site so they can’t do this anymore. Hopefully, in the near future, I will stop seeing so many pornographic terms being searched for on my site. Sorry WordPress, you are not to be trusted.
