I just spent the better half of my morning going through all of my websites to clean out malware entries. Luckily this particular hack wasn’t nearly as destructive as it could have been had I not discovered it sooner.
This one is known as MROBH (eval(base64_decode...)) and this post will outline what I learned, how to remove it, and how to protect your WordPress site from malware vulnerabilities.
The scary part is, many times you can be infected without even knowing it. Although a great number of my sites were hacked, only one of them showed any visual signs and it was a site that I use for testing purposes so I rarely log on. How did I know I was hacked? My WordPress admin panel was completely un-styled; it was failing to call any of the CSS.
Fixing the WordPress “MROBH eval(base64_decode” Hack
This hack can alter anywhere from one file to every file in your WordPress install, as well as other PHP websites hosted on the same server account. In my case, every .php file was affected. You can check whether you’ve been hacked by opening your FTP program and checking a few files. If the files have malicious code inserted you will see this at the top:
Luckily, there is a way to easily target all of this code and delete it. The people at Sucuri have put together a script that you download, upload to your affected site, and run, and it removes the malware. I’ve taken the code and added a bit to it.
Here’s what you do:
- Download the
- Rename it to wordpress-fix.php and upload it to the root of your affected domain (it doesn’t even have to be a WordPress site).
- Navigate to http://yoursite.com/wordpress-fix.php
- Wait for the magic.
Download: WordPress Hack Fix
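To show what a cleaner like this actually has to do, here is an added example of my own (it is not the Sucuri script or the download above). It looks for the prepended eval(base64_decode("...")) block in every .php file under a directory, decodes the blob so you can see what was injected, and strips it, writing a .bak copy first. The sample “infected” file is constructed inline with a harmless comment as the payload; the regular expression is my assumption about the injection’s shape and should be checked against a real infected file before running with fix=True.

```python
import base64
import re
from pathlib import Path

# Matches the injected block this hack prepends to each file:
#   <?php /**/eval(base64_decode("...")); ?>
# The base64 blob is captured so it can be decoded for the report.
INJECTION_RE = re.compile(
    r'<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\('
    r'\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;\s*\?>[ \t\r\n]*',
    re.DOTALL,
)


def find_injections(source):
    """Return the decoded payload of every injected eval(base64_decode(...)) block in source."""
    payloads = []
    for match in INJECTION_RE.finditer(source):
        try:
            payload = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            payload = "<undecodable base64>"
        payloads.append(payload)
    return payloads


def clean_source(source):
    """Strip every injected block; returns (cleaned_text, number_removed)."""
    return INJECTION_RE.subn("", source)


def scan_tree(root, fix=False):
    """Walk root for *.php files; report infections, and strip them when fix=True.

    A .bak copy of each modified file is written first so a false positive can be reverted.
    """
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        payloads = find_injections(text)
        if not payloads:
            continue
        report[path.relative_to(root).as_posix()] = payloads
        if fix:
            path.with_name(path.name + ".bak").write_text(text, encoding="utf-8")
            cleaned, _ = clean_source(text)
            path.write_text(cleaned, encoding="utf-8")
    return report


# Constructed sample data: a harmless comment is base64-encoded so the injected
# line has the real hack's shape without doing anything when executed.
SAMPLE_PAYLOAD = "/* constructed harmless payload */"
SAMPLE_INJECTION = (
    '<?php /**/eval(base64_decode("'
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + '")); ?>\n'
)
CLEAN_FILE = "<?php\n// constructed plugin stub\nfunction hello() { return 'hi'; }\n"


def demo():
    """Build a throwaway site tree with one infected and one clean file, then clean it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        infected = root / "wp-content" / "index.php"
        infected.write_text(SAMPLE_INJECTION + CLEAN_FILE, encoding="utf-8")
        (root / "wp-config.php").write_text(CLEAN_FILE, encoding="utf-8")
        report = scan_tree(root, fix=True)
        return {
            "report": report,
            "cleaned": infected.read_text(encoding="utf-8") == CLEAN_FILE,
            "backup_kept": infected.with_name("index.php.bak").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Run scan_tree(root) without fix first and read the decoded payloads in the report: a legitimate plugin could conceivably contain the same call, and the report tells you what each block decodes to before anything is removed.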
What To Do Next
Now that your site is clean we have to make sure the hacker can’t get back in. To be completely sure, you might even want to do this step before AND after cleaning the malicious code. It’s always better to be overzealous when dealing with security.
Reset Your Passwords
- Make sure all FTP and SFTP users reset their passwords.
- Administrative blog users should reset their passwords and, to be safe, Editors and Contributors should too.
- All MySQL users. And don’t forget to then change the database password in your
Change Your Secret Keys
Even if the offender somehow got access to your password and you change it, they may still be able to access your admin panel through existing login cookies. Resetting your secret keys will invalidate those cookies for every user and force everyone to log in again.
You can generate unique keys here: https://api.wordpress.org/secret-key/1.1/salt/
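If you would rather rotate the keys locally than paste from the generator, here is an added example of my own (not part of the original post or of WordPress). It regenerates the eight key and salt constants in a wp-config.php with the operating system’s secure random source and reports any that are missing. The 64-character length and the character set are my assumptions, chosen so the value is safe inside a single-quoted PHP string; the sample config is constructed inline.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign its cookies.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters minus the two that would break a single-quoted PHP string.
KEY_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\"
)

# One define(...) line per key; whatever value is there now is matched loosely.
DEFINE_RE = re.compile(
    r"define\(\s*'(" + "|".join(WP_KEY_NAMES) + r")'\s*,\s*'[^']*'\s*\);"
)


def new_key(length=64):
    """A fresh key from the OS CSPRNG (assumption: 64 characters)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Replace the value of every recognised key define; returns (new_text, {name: new_value})."""
    issued = {}

    def repl(match):
        name = match.group(1)
        issued[name] = new_key()
        return "define('%s', '%s');" % (name, issued[name])

    new_text = DEFINE_RE.sub(repl, config_text)
    return new_text, issued


def missing_keys(config_text):
    """Names from WP_KEY_NAMES that have no define() in the file at all."""
    present = set(DEFINE_RE.findall(config_text))
    return [n for n in WP_KEY_NAMES if n not in present]


# Constructed sample: the placeholder values a fresh wp-config-sample.php ships with.
SAMPLE_CONFIG = "\n".join(
    ["<?php"]
    + ["define('%s', 'put your unique phrase here');" % n for n in WP_KEY_NAMES]
    + ["$table_prefix = 'wp_';", ""]
)

if __name__ == "__main__":
    text, issued = rotate_keys(SAMPLE_CONFIG)
    print(text)
    print("missing:", missing_keys(text))
```

Rotating twice gives a second, unrelated set of values, which is the whole point: every cookie signed with the old keys stops validating the moment the new file is saved.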
I had about 90% of this stuff done but I guess the 10% is what left a hole for attack. Don’t neglect these; they’re easy to set up.
File and folder permissions are what allow edits to files and folders (directories) in your site structure. Make sure you have these settings:
- Folders (directories):
You can change file permissions in your FTP program or by using SSH commands.
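Checking every file by hand in an FTP client is tedious, so here is an added example of my own (not from the original post) that walks a site tree, lists each entry whose mode differs from the target, flags the world-writable ones, and optionally applies the target mode. The targets of 755 for directories and 644 for files are my assumption, the conventional WordPress recommendation; some hosts (for example those running PHP as the file owner) use different values, so set dir_mode and file_mode to what your host documents. The sample tree is constructed in a temporary directory.

```python
import os
import stat
from pathlib import Path

# Assumed targets (the conventional WordPress recommendation): directories 755, files 644.
DIR_MODE = 0o755
FILE_MODE = 0o644


def audit_permissions(root, dir_mode=DIR_MODE, file_mode=FILE_MODE, fix=False):
    """Return [(relative_path, actual_mode, expected_mode)] for every entry that deviates.

    With fix=True the expected mode is applied. Symlinks are skipped so a link
    pointing outside the tree is never chmod'ed through.
    """
    root = Path(root)
    findings = []
    for path in sorted([root] + list(root.rglob("*"))):
        if path.is_symlink():
            continue
        expected = dir_mode if path.is_dir() else file_mode
        actual = stat.S_IMODE(path.lstat().st_mode)
        if actual != expected:
            findings.append((path.relative_to(root).as_posix(), actual, expected))
            if fix:
                os.chmod(path, expected)
    return findings


def world_writable(findings):
    """Subset of findings whose current mode lets any local user write (the dangerous case)."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def demo():
    """Constructed tree with one too-open directory and one too-open file."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        os.chmod(root, DIR_MODE)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        os.chmod(root / "wp-content", DIR_MODE)
        os.chmod(uploads, 0o777)  # too open: anyone on the box can drop files here
        cfg = root / "wp-config.php"
        cfg.write_text("<?php // constructed\n")
        os.chmod(cfg, 0o666)  # too open: anyone on the box can edit the config
        ok = root / "index.php"
        ok.write_text("<?php // constructed\n")
        os.chmod(ok, FILE_MODE)
        before = audit_permissions(root)
        open_before = world_writable(before)
        audit_permissions(root, fix=True)
        after = audit_permissions(root)
        return {"before": before, "world_writable": open_before, "after": after}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name)
        for rel, actual, expected in rows:
            print("  %-25s %o -> %o" % (rel, actual, expected))
```

Run it once without fix and read the list before applying anything: on a shared host the entries that come back world-writable are the ones that matter most, because they are writable by every other account on the same server, which is exactly how this hack spread between sites.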
Change the WordPress Table Prefix
In your WordPress wp-config.php file you will find a line of code that looks like this:
$table_prefix = 'wp_';
Make sure you change the default to something unique like:
$table_prefix = 'wp786$&9#@_';
This is something that should be done before running the WordPress installer as doing it later will cause problems. If you need to change the prefix after you have installed, check out this post for help.
Install the 3G Blacklist
“Using pattern recognition, access immunization, and multiple layers of protection, the 3G Blacklist serves as an extremely effective security strategy for preventing a vast majority of common exploits.” - Jeff Starr
Head over and check out: The Perishable Press 3G Blacklist.
Just copy these rules into your .htaccess file and then test your website to make sure all pages and functions are working. If something throws a 403 Forbidden error:
“Don’t panic! Simply check the blocked URL, locate the matching blacklist string, and disable the directive by placing a pound sign (#) at the beginning of the associated line. Once the correct line is commented out, the blocked URL should load normally.” - Jeff Starr
WordPress Security Plugins
- VaultPress — this is mostly a backup solution from the same guys that started WordPress but it also has a few security measures as well.
- Secure WordPress — removes error information on login page, adds index.html to plugin directory, removes the wp-version except in admin area, etc.
- WP Security Scan — scans your WordPress installation for security vulnerabilities and suggests corrective actions.
General Security Best Practices
Aside from the very specific things you can do with WordPress here are a few things to take into consideration when dealing with website and blog security.
Choose Strong Passwords
This is a given. Long over are the days when “1234” or “jason” was an acceptable password. There are thousands of idiots scheming for your information and you need to protect it with something more than a few numbers or your name. Use numbers, uppercase letters, lowercase letters, and punctuation.
Use SFTP Instead of FTP
Secure File Transfer Protocol (SFTP) is exactly that, secure. Stop using regular FTP.
Update Your Software
Keep all software and plugins up-to-date. Download and install them as soon as you can. Most software is updated because of bugs and security vulnerabilities, not to release new features, so it would behove you to update.
Scan Your Computer
Sometimes the culprit is your shameful web surfing practices that have caused your poor computer to become infested with malware like keyloggers. I would suggest doing a scan with the free and open source ClamAV (Windows) or ClamXav (Mac).
Well, that was certainly exhausting. I spent almost as much time writing this post as I did fixing my hacked sites. I do hope it helps someone. Have you been hacked? How did you deal with it?