A New Wave of Hacker Attacks on WP and Magento Websites: Causes and Mitigation Measures
Recently, we’ve been receiving a number of requests from our clients whose WordPress (WP) and Magento websites have been hacked and who asked us for assistance. A thorough investigation into the issue by our developers helped us identify the most probable cause of these attacks, and we can now suggest the key steps you should take to avoid or mitigate the problems.
THE MAIN CULPRIT — ADMINER
Our WP and IT department professionals have every reason to believe that hackers got access to the compromised sites through a very popular MySQL management tool called Adminer. It is not a default WP or Magento tool. Developers and site administrators install and use it to perform basic database maintenance tasks more efficiently.
However, the trouble begins when they forget to UPDATE this tool and leave Adminer scripts in locations that the public at large can easily access.
While more recent versions of Adminer are secure enough, the previous releases (version 4.6.3 and earlier) have a security vulnerability through which hackers are able to read files from the server’s file system. To do that, they need to find files with the .php extension and the word “adminer” in the name (e.g., adminer-4.2.5.php).
All that’s left for cybercriminals to do is to connect to their own database in place of the site’s database. Now they can get the contents of the files on the server where Adminer is installed. Worst of all, they can get hold of the wp-config.php (WP) or local.xml (Magento) file with logins/passwords and other settings. That allows them to connect to the website’s database and manipulate its data.
HOW TO AVOID TROUBLE OR MITIGATE THE DAMAGE TO YOUR WEBSITE
Here are the essential steps you should take to keep hackers at bay or deal with the aftermath of hackers’ exploits.
- When using the Adminer tool to perform the database maintenance tasks on your website database, make sure you HAVE ITS LATEST VERSION installed.
- Already suffered a hacker’s attack? Then do the following (in this order):
  - Delete the Adminer script from the root directory or any other publicly accessible folder.
  - Delete the old database password and create a new one. Keeping the old password makes no sense and is dangerous, since cybercriminals already know it.
  - Remove the fraudulent Super Socialat WP plugin that hackers may have installed on your website.
  - Review the list of all admin users and delete those you find suspicious or know nothing about.
  - Create a new password for WordPress or Magento.
  - Scan all the .html, .php, and .js files for code hackers have added and get rid of it.
  - Repeat the previous step for the database. You can clean your database with the… Adminer tool. However, don’t use an outdated version. Only the latest version is acceptable.
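To make the first check above repeatable, here is a small script that walks a web root, lists every adminer*.php script it finds, and flags those at version 4.6.3 or earlier (or of unknown version) for removal. It is an added illustration, not code from the original post or from the Adminer project; the header-comment fallback is an assumption about how the compiled script announces its version, and the sample web root it builds is constructed test data.

```python
import os
import re
import tempfile
from pathlib import Path

# Highest release the article reports as affected (4.6.3 and earlier).
LAST_VULNERABLE = (4, 6, 3)
# "adminer-4.2.5.php" style names, as in the article's example.
NAME_RE = re.compile(r"adminer.*?(\d+)\.(\d+)\.(\d+).*\.php$", re.IGNORECASE)
# Fallback for plain "adminer.php": assumption that the script's header
# comment announces "Adminer <version>"; verify by hand if this misses.
HEADER_RE = re.compile(r"Adminer\s+(\d+)\.(\d+)\.(\d+)")


def adminer_version(path: Path):
    """Version tuple of an Adminer script from its name or header, else None."""
    m = NAME_RE.search(path.name)
    if not m:
        try:
            m = HEADER_RE.search(path.read_text(errors="ignore")[:4096])
        except OSError:
            return None
    return tuple(int(x) for x in m.groups()) if m else None


def find_adminer_scripts(webroot):
    """Walk the web root; list every adminer*.php with its version and whether
    it is in the affected range. Unknown versions count as outdated."""
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            if "adminer" in name.lower() and name.lower().endswith(".php"):
                p = Path(root) / name
                ver = adminer_version(p)
                findings.append((str(p.relative_to(webroot)), ver,
                                 ver is None or ver <= LAST_VULNERABLE))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample web root (not real site data) for a dry run."""
    d = Path(tempfile.mkdtemp())
    (d / "tools").mkdir()
    (d / "adminer-4.2.5.php").write_text("<?php /* Adminer 4.2.5 */")
    (d / "tools" / "adminer.php").write_text("<?php /** Adminer 4.7.1 ... */")
    (d / "index.php").write_text("<?php echo 'not adminer';")
    return str(d)


if __name__ == "__main__":
    for rel, ver, outdated in find_adminer_scripts(build_sample_webroot()):
        print(rel, ver, "REMOVE" if outdated else "ok")
```

Point `find_adminer_scripts` at the real document root instead of the sample directory; anything it reports as outdated or unknown should be deleted, which is step one of the clean-up list.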
One thing to note is that WP and Magento sites were not the only targets of the recent hackers’ attacks. Joomla! sites suffered too. However, as we said before, there’s every reason to conclude that the attackers exploited weaknesses in outdated Adminer versions in all those cases.
We hope the steps we outlined above will help you restore the normal operation of your website. As usual, the PSD2HTML team is always ready to provide help with any problem you may face.