In this first article of the series WordPress application hacked (and how to recover!), I help you understand what needs to be done immediately after you notice your WordPress application has been hacked.
Introduction
I recently had to recover a WordPress based application platform for one of my customers. This was not a simple WordPress website but a full-blown WordPress based application platform with software tailored specifically to the customer’s needs.
The customer in question is of course not named, for obvious security reasons. However, I thought it might be good to share the aspects I ran into, should you ever come across something like this. Based on how this was handled, this article series walks through all the steps on the way to a full recovery. The last post will also give advice on how to avoid this in the future.
Damage control
Ok, so your platform was breached. There are some immediate actions to take that I’ll describe in this section. After this you need to start prepping for the road to recovery. Focusing on the case at hand but applicable to any similar disaster, the steps below should be at the top of your list. Both lists can be initiated simultaneously.
Non-platform related
- Depending a bit on platform and company scale, appoint people who are equipped to handle this. If nobody suitable is available, bring in outside help. It should have priority until noted otherwise.
- Prepare communication for an announcement where needed (internal, direct customers, the public and possibly governmental institutions and third parties). Being transparent gives the best options for people helping out and shows you have nothing to hide. Break-ins are a fact of life; they can be explained, and you show that they are being handled.
Platform related
- Disable the service, or at least make it inaccessible from the outside world, until you know the extent of the damage.
- Stop or kill all running processes (I’ll explain the reason for this later).
- Check the scope of the impact. Are you running on a shared server? E.g. is only the platform software hacked, or the full server? If the server is compromised, could neighboring systems be affected?
- Reset credentials on external services your platform connects with, since these could have been stolen from your hacked platform. As an example: if your platform holds credentials or API keys to access third party services, the hackers can abuse those external services as well.
- Put a maintenance page up so visitors and/or users don’t see malicious content. This also shows things are being managed.
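The platform-related steps above as a small set of first-response shell helpers, added here as an example and not code from the original article: volatile state is captured before any process is stopped, the existing .htaccess is preserved as evidence before the site is closed off with a maintenance page, and recently changed PHP files give a first view of the scope. The WordPress root, evidence directory and responder IP are placeholders passed as arguments; the .htaccess part assumes Apache with mod_rewrite and AllowOverride enabled.

```shell
#!/bin/sh
# Added example, not from the original article: first-response helpers for a
# hacked WordPress host. wp_root, evidence_dir and admin_ip are placeholders.
set -eu

# Capture volatile state BEFORE stopping or killing anything: once the
# processes are gone, so is the record of what ran and what it connected to.
snapshot_state() {
    evidence_dir="$1"
    mkdir -p "$evidence_dir"
    { ps -eo pid,ppid,user,args || ps aux; } > "$evidence_dir/processes.txt" 2>/dev/null || true
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$evidence_dir/sockets.txt" 2>/dev/null || true
    fi
    date -u > "$evidence_dir/snapshot-time.txt"
}

# Make the site inaccessible from the outside world while one responder
# address keeps access. The current .htaccess is copied to the evidence
# directory first, because a tampered .htaccess is a common finding by itself.
put_up_maintenance() {
    wp_root="$1"; admin_ip="$2"; evidence_dir="$3"
    mkdir -p "$evidence_dir"
    if [ -f "$wp_root/.htaccess" ]; then
        cp "$wp_root/.htaccess" "$evidence_dir/htaccess.orig"
    fi
    admin_ip_re=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')
    printf '<!doctype html><title>Maintenance</title><h1>Temporarily unavailable for maintenance</h1>\n' \
        > "$wp_root/maintenance.html"
    cat > "$wp_root/.htaccess" <<EOF
# Everyone except the responder IP gets a 503 with a static page (no PHP runs).
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^${admin_ip_re}\$
RewriteCond %{REQUEST_URI} !^/maintenance\\.html\$
RewriteRule .* - [R=503,L]
EOF
}

# First triage of scope: PHP files changed within the last N days. Anything
# under wp-content/uploads is suspect, as that tree should hold no PHP at all.
recent_php_files() {
    wp_root="$1"; days="$2"
    find "$wp_root" -type f -name '*.php' -mtime "-$days"
}
```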
Next steps
A thorough damage assessment of the breach is necessary to be able to address what needs to be done as soon as possible. Distinguish between what is mandatory and what is nice to have at a later date on the road to recovery.
Plan ahead
- The plan of attack should at least cover a review of the platform itself, but also external services it’s connected to.
- Scope the extent of the damage. Was it the platform, the (shared) server or more? Plan what needs to be done to bring everything back to good health.
- You need to send out some form of communication about the steps and how this impacts all parties involved. This must be done internally within the company, so personnel know what to say (and what not to say), but also to customers and possibly to the public, depending on the scale and the company’s role.
- You need to consider if and what privacy sensitive information was leaked. Based on the respective legislation in your country, decide if possible legal steps must be taken. In the Netherlands a data breach could result in registration with the ‘Autoriteit Persoonsgegevens’.
- The main goal is to get back to a minimum viable service as soon as possible. Since the platform outage also affects processes of the customer’s customers, consider how to quickly resolve this, so services can be restored.
In this case the platform provided certain digital content, and customers of the affected party each had their own environment in which they could manage that content. If it’s a workable solution, a securely isolated, sub-par system managed only by the affected party could provide the digital content on a per-customer request basis. This could be sufficient as a temporary solution. If it gets the job done and the affected party’s customers can resume business, you can, in parallel, plan for a full recovery.
Discussing with the affected party what urgent steps should be taken and what the best road to a minimal recovery should look like is of the utmost importance. Assuming the service needs to (eventually) be fully restored, a plan of attack needs to be produced. This can only be done once the full extent of the damage is clear. The most important thing is to inventory what is needed and decide whether a temporary solution is useful. Do you have backups available, for instance? Mind you, there are implications to this that I’ll describe later.
Possible causes
There are a thousand and one ways hackers could have gained access. Depending on the impact or severity, the affected party might want a more thorough forensic report. This usually depends on the size (of the company as well as the platform), the impact and the sensitivity of the data that has been breached.
The two most likely suspects in this case are:
Code hacked
In this case there was a substantial amount of (possibly dated) code in place, and exploiting a weakness in such code is not that hard. The most common weaknesses are published by security companies and/or can even be googled for.
Account hacked
It could be as simple as a hacked account, often followed by a so-called privilege escalation: acquiring access to a low-level account and then seeing whether it can be boosted to admin level. This is often combined with the aforementioned code hack to gain full access.
Note: This is important. If you cannot find the exact cause because there are multiple candidate weaknesses, don’t keep looking for the exact hack that caused all this, but merely make sure that the malicious code and weaknesses are eliminated. In most cases the endless search for that last crooked byte probably costs more than putting effort into restoring to full service. Considering the outage, the affected party wants to regain business more than anything else.
This article is part of the series WordPress application hacked (and how to recover!).