WordPress attacks & Cloud Armor protection on GCP: a true story.


Raju Banerjee

A sad 😔, attacked WordPress

It is well known how prevalent WordPress is on the interweb. Owing to its popularity, it is unfortunately also one of the most attacked applications. Just go to Shodan.io and search for wordpress org:"Google LLC". Yup, they are all available for "examination" by an enterprising attacker.


And these are just Google Cloud alone!

We recently faced exactly such a scenario: one of our WordPress sites came under attack. This post is about our experience finding, troubleshooting, recovering from and preventing it. Read on.

The Incident

  1. During one of our migrations, our monitoring picked up unusual activity on a WordPress site that had gone live recently: the number of files in ~/public_html/ suddenly spiked. Some of the new files had odd and inventive names like dud.php 🙄. It was not a dud, as it turned out.
  2. Looking at the code in dud.php, we quickly realized it was a backdoor being used to make Googlebot de-index all of the site's pages. This is an SEO attack, an unethical practice used to sabotage a competitor's search rankings. Or some script kid's plain mischief!
  3. We could not change anything in the .htaccess file: it was being rewritten automatically.
  4. When we searched Google for the attacked website, the results showed Japanese keywords with hyperlinks.
  5. After some time things got worse: the wp-admin portal stopped loading, along with all the themes and plugins.
  6. We also looked at the ownership of ~/public_html/. Following most WordPress setup guides, we had assigned it to the web server user (apache/nginx, i.e. www-data). That is very permissive: the web server process can write anywhere under the document root, which is exactly what an attacker needs in order to upload content.
  7. A preliminary scan with Sucuri (thank you, Sucuri, for such a useful tool) confirmed we were affected by what is popularly known as the Japanese Keyword Hack. The Google Developers site has a very good article on how to fix it; Sucuri's blog also covers it.


Sample results for an attacked site

  8. If it is not fixed, it can get you blacklisted by Google and your SEO will tank. The hack injects spam keywords and pages into your website in order to boost the rankings of other websites.

The Recovery

We checked all the plugins installed on the server; fortunately none had been changed. We also found that the site we had migrated from on-premise had no security plugins installed to safeguard it against attacks like this.

  1. We started by looking for the footprint of the malware: we tracked the files that had changed recently, after confirming with our customer when the last legitimate post had been published after our handover to them.
find . -type f -mtime -10 -print

2. Check your wp-content/uploads directory for files like .php, .js and .ico. If you find any, look inside for strings like base64_decode, rot13, eval, strrev and gzinflate; these are the usual obfuscation primitives of PHP backdoors and such files are potentially malicious. In our case we found base64_decode.

3. We were using Cloud SQL, and we quickly checked the database for signs of tampering: new users, altered permissions, new triggers and so on. We found that a new user had been created!!

SELECT * FROM information_schema.user_privileges;

4. We also found that the existing passwords were not strong and could be guessed or cracked with a dictionary attack. Some of them were among the most common passwords.


5. We also ran rkhunter, but since our plugins and content live on an NFS mount, rkhunter does not scan them by default.
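The file checks from the incident (the file-count spike) and recovery steps 1 and 2 above, put together as a small triage script. This is an added example for this article, not the author's tooling; the docroot path, the 10-day window and the sample files it builds are assumptions for demonstration.

```shell
#!/bin/sh
# Post-compromise triage of a WordPress document root.
# Added example for this article; not the author's tooling. The docroot path,
# day window and the constructed sample files below are assumptions.

# Files modified within the last N days (default 10): the same check as
# "find . -mtime -10", restricted to regular files.
recent_files() {
  local root="$1" days="${2:-10}"
  find "$root" -type f -mtime "-$days" -print | sort
}

# Script-like files under wp-content/uploads. Uploads should hold media only,
# so .php (and its variants), .js and .ico files there deserve a look.
suspect_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
       -o -iname '*.js' -o -iname '*.ico' \) -print | sort
}

# Print the paths, among those given, that contain the obfuscation and
# eval primitives typical of PHP backdoors (base64_decode, rot13, eval, ...).
flag_obfuscated() {
  grep -lE 'base64_decode|str_rot13|eval[[:space:]]*\(|strrev|gzinflate|gzuncompress' \
    "$@" 2>/dev/null || true
}

# Suspect uploads that also carry obfuscation primitives: the shortlist to read first.
scan_uploads() {
  suspect_uploads "$1" | while IFS= read -r f; do
    flag_obfuscated "$f"
  done
}

# Number of files under the docroot; a sudden jump is what the monitoring noticed.
file_count() {
  find "$1" -type f | wc -l | tr -d ' '
}

# Constructed sample docroot: one admin file, one image, one clean script
# asset and one dud.php-style backdoor that evals a base64 blob.
make_sample_docroot() {
  local root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-content/uploads/2020/05"
  printf '<?php echo "admin";\n' > "$root/wp-admin/index.php"
  printf 'GIF89a\n' > "$root/wp-content/uploads/2020/05/photo.gif"
  printf '/* plain asset */\n' > "$root/wp-content/uploads/2020/05/clean.js"
  printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\n' \
    > "$root/wp-content/uploads/2020/05/dud.php"
}
```

To use it on a real host, point the functions at the document root (for example `scan_uploads ~/public_html`) and read every file on the shortlist; the grep is a heuristic, so a clean result does not prove anything, and a hit still needs a human to confirm it.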

Backups to the Rescue

There are WordPress plugins that can help recover from situations like this, but unfortunately our wp-admin panel was not loading properly, so we made use of our backups.

  1. When we handed the site over to the customer, we made sure that backup schedules, monitoring and alerting were all in place. We had recent backups of both Cloud Filestore and Cloud SQL.
  2. Using those backups, we restored to the day before our not-so-dud dud.php file was added.
  3. We were back online in no time, but the real problem had not been addressed yet: there was still every chance of being attacked again.

Hardening WordPress

File/Folder Permissions Hardening

  • Root of the public folder: owned by root, unless a specific plugin requires otherwise
  • wp-admin: owned by root
  • wp-content: shared with the web server, so this one can be www-data:www-data
  • wp-includes: owned by root
chown -R www-data:www-data <directory-name>

The permissions should then look like the file/folder permissions screenshot.

Let www-data read wp-config.php initially so WordPress can connect to the database, then change the owner to root. Keep the file readable by the web server's group (root:www-data with mode 640), since PHP still has to read the database credentials from it. Never give 777 permission to any folder or file.

These permissions may need to be relaxed when uploading new content to WordPress, depending on the plugins in use. This is also a good reminder to review carefully what kind of plugins you use.
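The ownership layout from the bullets above, applied as one script. This is an added example for this article, not the author's script; the owner arguments and the sample tree are assumptions (on a real host pass root:root for the admin owner and www-data:www-data for the web server owner).

```shell
#!/bin/sh
# Ownership and permission layout for a WordPress tree. Added example for this
# article, not the author's script; owner arguments and the sample tree are
# assumptions (use root:root and www-data:www-data on a real host).

# harden_wp_tree DOCROOT ADMIN_OWNER WEB_OWNER, owners given as user:group.
# Whole tree to the admin owner with 755 dirs / 644 files, wp-content alone to
# the web server user (the only place it needs to write), wp-config.php owned
# by the admin user but group-readable by the web server (640) so PHP can still
# read the database credentials. Nothing is ever left 777.
harden_wp_tree() {
  local root="$1" admin="$2" web="$3"
  chown -R "$admin" "$root"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chown -R "$web" "$root/wp-content"
  chown "${admin%%:*}:${web##*:}" "$root/wp-config.php"
  chmod 640 "$root/wp-config.php"
}

# Paths under DOCROOT that are world-writable (the 777 problem); empty output = clean.
world_writable() {
  find "$1" -perm -002 -print
}

# Constructed sample tree in the bad starting state: the uploads directory and a
# stray dud.php left world-writable by a 777 chmod.
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads"
  printf '<?php\n' > "$root/index.php"
  printf '<?php define("DB_PASSWORD", "placeholder");\n' > "$root/wp-config.php"
  printf '<?php\n' > "$root/wp-content/uploads/dud.php"
  chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/dud.php"
}
```

Run `world_writable` before and after `harden_wp_tree` to confirm nothing is left world-writable. Note that wp-content is still writable by the web server user by design, so a plugin or upload handler that can be tricked into writing a .php file there remains a risk; that is why the web server should also be configured not to execute PHP from wp-content/uploads, and why the WAF and plugin review below matter.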

Disable file editing in WordPress admin

Add this at the bottom of your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Change all the salts and security keys

Use the WordPress secret-key generator (https://api.wordpress.org/secret-key/1.1/salt/) and replace all the key and salt values in wp-config.php. This invalidates every existing login cookie, so all your users have to log in again.

Update the database password in wp-config.php

Change all the admin passwords, and rotate the database credentials in wp-config.php to new ones. Use a password generator for strong, unique passwords.

Implement WAF (Cloud Armor on GCP)

You should put a WAF in front of your WordPress site. Our customer was hosted on Google Cloud, so it made sense for us to use Cloud Armor, the WAF and DDoS mitigation service on GCP.

Cloud Armor comes with preconfigured WAF rules (based on the OWASP ModSecurity Core Rule Set) for each class of vulnerability, and they can be tuned to your use case: https://cloud.google.com/armor/docs/rule-tuning
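What such a policy looks like as gcloud commands, as an added example for this article rather than the author's actual policy. The policy and backend service names are assumptions, and the rule set names are Google's preconfigured WAF rules; by default the script only prints the commands so they can be reviewed, and runs them only when ARMOR_APPLY=1 is set.

```shell
#!/bin/sh
# Cloud Armor policy for a WordPress backend. Added example for this article;
# the policy and backend service names are assumptions, and the rule set names
# are Google's preconfigured WAF rule sets. Dry run by default (prints the
# gcloud commands); set ARMOR_APPLY=1 to execute them against your project.

# Execute the command when ARMOR_APPLY=1, otherwise print it for review.
run() {
  if [ "${ARMOR_APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Preconfigured rule sets worth enabling in front of WordPress, one deny-403
# rule each. Tune them per https://cloud.google.com/armor/docs/rule-tuning
# once the logs show which signatures your legitimate traffic trips.
WAF_RULESETS="sqli-stable xss-stable lfi-stable rfi-stable rce-stable php-stable protocolattack-stable sessionfixation-stable"

# cloud_armor_policy POLICY BACKEND_SERVICE
# Creates the policy, adds the WAF rules at ascending priorities (lower number
# wins) above the implicit default-allow rule, and attaches the policy to the
# backend service behind the HTTP(S) load balancer.
cloud_armor_policy() {
  local policy="$1" backend="$2" prio=1000 rs
  run gcloud compute security-policies create "$policy"
  for rs in $WAF_RULESETS; do
    run gcloud compute security-policies rules create "$prio" \
      --security-policy "$policy" \
      --expression "evaluatePreconfiguredExpr('$rs')" \
      --action deny-403
    prio=$((prio + 10))
  done
  run gcloud compute backend-services update "$backend" \
    --security-policy "$policy" --global
}

# Dry-run demo with assumed names.
cloud_armor_policy wp-waf wp-backend
```

The printed commands are for review; when pasting one by hand, quote the --expression argument as the script does. Start with the rules in preview mode or watch the deny logs for false positives before trusting them on a live site.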

Our policy snapshot


Here are some live attack protection logs


Finally, update all the WordPress plugins (and WordPress core and the themes while you are at it).

Enable security plugins

We have also enabled security plugins such as Wordfence and Sucuri to protect the sites against evolving threats and vulnerabilities.

Some tools you can use to scan a site: VirusTotal, aw-snap.info, Sucuri SiteCheck, Quttera.

Finally, here is our highly available, scalable, secure and happy WordPress site 😃

Secure WordPress is happy WordPress 😃

Hope this helped! I hope you never run into situations like these. Happy vigilance :D