Got an email from my hosting that my site was defaced. After running wordfence it did find some backdoor files which are since deleted. Installed 2FA and some other extra security measures. Now Wordfence is telling me that the site is clean. But how do I find out how this happened? Because if a plugin is infected I could be running into the same issue in a week or so. When googling the plugins, some have had a vulnerability a few years ago, but not recently. I did not update the site for about 1.5 months, could that have been enough for a vulnerability to sneak in?
What’s your guys’ process on this usually?
Usually not installing more plugins, and making the solutions myself. Unless you can vet all the plugins yourself, as well as the theme, the server and the setup, you’re likely open to attacks, and even if you did you’ve still likely missed something.
Some ideas if I were you
– Creation time of backdoor file(s) would have been helpful
– Webserver access/error logs
– Googling snippets of the backdoor to see if it’s linked to any common attack vector or CVE etc
– Update WP and all plugins
– Full site rebuild. Fresh WP + plugins, bring over database. When bringing over uploads, be sure each file looks okay
– On the point above, you might be able to leverage Git to find other written files which basically shouldn’t be there. Will be noisy though with cache files etc
– Uploads should generally not have execute permission. Something is wrong with your host environment
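Several of the items in that checklist can be scripted. The script below is an added example, not code from the poster, WordPress or Wordfence. It builds a small constructed WordPress-like directory tree and a constructed Apache access log (TEST-NET addresses, made-up file names) so it runs offline, then applies the checks the reply lists: PHP files sitting under wp-content/uploads, uploads carrying an execute bit, files modified within the last N days, access-log requests to PHP under uploads (which give a first-use timestamp and source IP when the file creation time is gone), and an Apache 2.4 .htaccess that denies PHP execution in uploads. Point the functions at a real document root and access log to use them on an actual site.

```shell
#!/bin/sh
# WordPress compromise triage helpers (added example, not from the thread).
# All fixture data below is constructed so the checks can be run offline.

# Build a constructed WordPress-like tree plus an Apache access log in $1.
make_fixture() {
  root="$1"
  mkdir -p "$root/wp-content/uploads/2024/05" "$root/wp-content/plugins/demo"
  # Legitimate upload: an image, mode 644.
  printf 'GIF89a' > "$root/wp-content/uploads/2024/05/logo.gif"
  chmod 644 "$root/wp-content/uploads/2024/05/logo.gif"
  # Constructed stand-in for a dropped file: PHP under uploads with an execute bit.
  printf '<?php /* constructed sample, does nothing */ ?>' > "$root/wp-content/uploads/2024/05/x.php"
  chmod 755 "$root/wp-content/uploads/2024/05/x.php"
  # A normal plugin file that is expected to exist.
  printf '<?php // demo plugin' > "$root/wp-content/plugins/demo/demo.php"
  # Constructed combined-format log: one ordinary GET, one POST to PHP under uploads.
  cat > "$root/access.log" <<'EOF'
203.0.113.5 - - [10/May/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:09:14:30 +0000] "POST /wp-content/uploads/2024/05/x.php HTTP/1.1" 200 88 "-" "curl/8.0"
EOF
}

# 1. PHP files under uploads. WordPress never needs to serve PHP from here,
#    so every hit is a candidate for review.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# 2. Uploaded files with an execute bit set ("uploads should generally not
#    have execute permission").
executable_uploads() {
  find "$1/wp-content/uploads" -type f -perm -u+x 2>/dev/null
}

# 3. Files anywhere in the tree modified within the last $2 days. A rough
#    substitute for the backdoor creation time; note that mtime can be altered.
changed_within_days() {
  find "$1" -type f -mtime "-$2"
}

# 4. Access-log lines requesting a PHP file under uploads. The earliest hit's
#    timestamp and client IP bound when the file was first used.
suspicious_requests() {
  grep -E '"(GET|POST) [^ ]*/wp-content/uploads/[^ ]*\.php' "$1" || true
}

# 5. Hardening: refuse to serve PHP from uploads at the web-server layer.
#    Apache 2.4 syntax; nginx needs the equivalent location block instead.
write_uploads_htaccess() {
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Deny direct requests to any PHP file under uploads
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Print all findings for a document root ($1) and access log ($2).
triage_report() {
  echo "== PHP files under uploads (should be none) =="; php_in_uploads "$1"
  echo "== Executable files under uploads =="; executable_uploads "$1"
  echo "== Requests to PHP under uploads =="; suspicious_requests "$2"
  echo "== Files modified in the last 7 days =="; changed_within_days "$1" 7
}

# Self-contained demo on the constructed fixture: sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d); make_fixture "$tmp"
  triage_report "$tmp" "$tmp/access.log"
  write_uploads_htaccess "$tmp"; cat "$tmp/wp-content/uploads/.htaccess"
  rm -rf "$tmp"
fi
```

On a real host, run `triage_report /path/to/docroot /var/log/apache2/access.log` (paths are placeholders) and review every file it lists before deciding whether to keep it; pair the log output with the Wordfence findings to work out which request first touched the file.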
Staying updated is crucial on sites. Remember, many times an update happens because someone (plugin author, WordPress itself, etc) found a vulnerability that needs to be fixed.
I’d also encourage you to set up some sort of backup system if you don’t have one already. Vaultpress is what I use: https://vaultpress.com/
I’m happy to pay for the peace of mind that comes from knowing it’s all being taken care of without my having to remember to do anything. I know myself and know that I won’t stay on top of backups. But you don’t actually need to use a paid solution if you are the kind of person who can set a backup schedule and do it.