How to Find a Backdoor in a Hacked WordPress Site and Fix It

Time and time again, we have helped users fix their hacked WordPress sites. Most of the time when they reach out to us, they have already cleaned up the site, and the hacker was able to get back in. This happens if you did not clean it up properly, or you did not know what you were looking for. In most cases that we found, there was a backdoor created by the hacker which allowed them to bypass normal authentication. In this article, we will show you how to find a backdoor in a hacked WordPress site and fix it.

What is a Backdoor?

A backdoor is a method of bypassing normal authentication and gaining the ability to access the server remotely while remaining undetected. Most experienced hackers upload a backdoor as the very first thing they do. This allows them to regain access even after you find and remove the exploited plugin. Backdoors often survive upgrades, because a core update only replaces WordPress's own files and leaves wp-content (themes, plugins, uploads) untouched, so your site stays vulnerable until you clean this mess up.

Some backdoors simply create a hidden admin user. More complex ones let the hacker execute any PHP code sent from the browser (a web shell). Others have a full-fledged UI that lets them send email through your server, run SQL queries, and do anything else they want.

Backdoor Screenshot
Where is this Code Hidden?

Backdoors on a WordPress install are most commonly stored in the following locations:

  1. Themes – It is most likely not in the current theme you are using. Hackers want the code to survive core updates. So if you have the old Kubrick theme sitting in your themes directory, or another inactive theme, then the code will probably be in there. This is why we recommend deleting all inactive themes.
  2. Plugins – Plugins are a great place for the hacker to hide code, for three reasons. One, because people don't really look at them. Two, because people do not keep their plugins up to date, so a backdoor planted there survives for a long time. Three, some poorly coded plugins probably have their own vulnerabilities to begin with.
  3. Uploads Directory – As a blogger, you never check your uploads directory. Why would you? You just upload the image and use it in your post. You probably have thousands of images in the uploads folder, divided by year and month. It is very easy for the hacker to upload a backdoor into the uploads folder because it will hide among thousands of media files, and you do not check it regularly. Most folks do not have a monitoring plugin like Sucuri. Lastly, the uploads directory has to be writable by the web server so that uploads work at all, which makes it a great target. A lot of the backdoors we find are in there.
  4. wp-config.php – This is also one of the files most targeted by hackers, and one of the first places most folks are told to look.
  5. Includes Folder – The /wp-includes/ folder is another place where we find backdoors. Some hackers always leave more than one backdoor file: once they upload one, they add another as a backup to ensure their access. The includes folder is another one where most people don't bother looking.

In all the cases we found, the backdoor was disguised to look like a WordPress file.

For example: in one site we cleaned up, the backdoor was in the wp-includes folder, and it was called wp-user.php (this does not exist in a normal install). There is a user.php in /wp-includes/, but no wp-user.php. In another instance, we found a PHP file named hello.php in the uploads folder. It was disguised as the Hello Dolly plugin. But why on earth was it in the uploads folder? D'oh.

It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. The file does not have to end in .php just because it contains PHP code; it can be a .zip, a .txt or even an image, as long as another file includes it or the server has been told to execute that extension as PHP. In most cases the code is obfuscated, typically base64-encoded strings fed to eval(), and performs all sorts of operations (adding spam links, adding extra pages, redirecting the main site to spammy pages, and so on).

Now you are probably thinking that WordPress is insecure because it allows for backdoors. You are DEAD WRONG. The current version of WordPress core has no known unpatched vulnerabilities. Backdoors are not the first step of the hack; they are usually the second. Often hackers find an exploit in a third-party plugin or script which then gives them the access to upload the backdoor (the TimThumb image-resizing script vulnerability, for example). It can be all sorts of things, though. A poorly coded plugin can allow privilege escalation: if your site has open registration, the hacker can simply register for free, exploit that one feature to gain more privileges, and then use those privileges to upload files. In other cases, it could very well be that your credentials were compromised. It could also be that you were using a bad hosting provider. See our recommended list of web hosting.

How to Find and Clean the Backdoor?

Now that you know what a backdoor is and where it can be found, you need to start looking for it. Cleaning it up is as easy as deleting the file or the code. The difficult part is finding it. You can start with one of the malware scanner WordPress plugins. Out of those, we recommend Sucuri (yes, it is paid).

You can also use the Exploit Scanner plugin, but remember that base64_decode() and eval() are also used in legitimate plugins, so it will sometimes return a lot of false positives. If you are not the developer of the plugins, it is really hard to know which code is out of place in thousands of lines. The best thing you can do is delete your plugins directory and reinstall your plugins from scratch from the official WordPress.org directory (write down the list of active plugins first). Yup, this is the only way you can be sure unless you have a lot of time to spend. Do not forget wp-content/mu-plugins either: must-use plugins in that folder load automatically, never show up as something you can deactivate, and a file dropped there is not touched by reinstalling your plugins.

Search the Uploads Directory

One of the scanner plugins will usually find a rogue file in the uploads folder. But if you are comfortable with SSH, run the following from your WordPress root directory. The first command lists anything with a PHP-like extension (.php, .php5, .phtml and so on); the second finds PHP code hidden in files with any other extension:

find wp-content/uploads -type f -iname '*.php*' -print
grep -rl '<?php' wp-content/uploads

There is no good reason for a .php file to be in your uploads folder. The folder is designed for media files. If there is a .php file in there, it needs to go (copy it somewhere outside the web root first if you want to work out later what it did and which plugin or vulnerability put it there).
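The two one-liners above tell you that a file exists but not why it was flagged, and the first one misses a backdoor whose name does not end in .php at all (for example shell.php.jpg, which Apache executes as PHP once an AddHandler rule has been planted). The shell function below is an added example, not part of the original article: it walks an uploads directory and reports each suspicious file once, with the reason (a PHP-like extension, PHP code or a common obfuscation call in its contents, or both). The directory path is whatever you pass in; demo_uploads builds a constructed throwaway tree so you can try it offline.

```shell
#!/bin/sh
# Added example: report suspicious files under a WordPress uploads directory.
# Two independent tests per file, so a backdoor named shell.php.jpg (PHP content,
# image extension) or notes.txt (PHP code, harmless name) is still caught:
#   php-extension : name ends in .php, .php5, .phtml, .phar, .inc (case-insensitive)
#   php-content   : file contains a PHP open tag or a classic obfuscation call
# Usage: scan_uploads /var/www/html/wp-content/uploads   (path is an assumption)
scan_uploads() {
    dir=$1
    # grep -q also searches binary files, so PHP hidden inside a real image is found
    sig='<\?php|<\?=|eval\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\('
    find "$dir" -type f | while IFS= read -r f; do
        reason=''
        case "$(printf '%s' "$f" | tr 'A-Z' 'a-z')" in
            *.php|*.php[0-9]|*.phtml|*.phar|*.inc) reason='php-extension' ;;
        esac
        if grep -qE "$sig" "$f" 2>/dev/null; then
            reason="${reason:+$reason,}php-content"
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$f"
        fi
    done | LC_ALL=C sort
}

# Constructed fixture for trying the scanner offline: creates a throwaway tree and prints its path.
demo_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2020/01" "$d/2020/02"
    printf 'JFIF fake image bytes\n' > "$d/2020/01/photo.jpg"                                  # clean
    printf '<?php echo 1;\n' > "$d/2020/01/hello.php"                                          # both reasons
    printf 'PNG fake header\n<?php eval(base64_decode("aGk="));\n' > "$d/2020/02/image.png"    # content only
    printf 'plain text\n' > "$d/2020/02/OLD.PHP5"                                              # extension only
    printf 'nothing to see\n' > "$d/2020/02/notes.txt"                                         # clean
    printf '%s\n' "$d"
}
# Try it: scan_uploads "$(demo_uploads)"
```

Review every hit. A legitimate plugin occasionally writes a .php cache file under uploads, but you should be able to name the plugin that did it; anything you cannot account for goes.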

Delete Inactive Themes

As we mentioned above, inactive themes are a frequent target. The best thing to do is delete them (yup, this includes the default and classic themes). But wait, I didn't check to see if the backdoor was in there. If it was, it is gone now. You saved yourself the time of looking, and you eliminated an extra point of attack. If you want a fallback theme, install a fresh copy of the current default theme from WordPress.org rather than keeping the old one.

.htaccess File

Sometimes the redirect code is added there. Save a copy for reference, delete the file, then go to your WordPress admin panel, Settings » Permalinks, and click Save Changes: WordPress writes a fresh .htaccess containing only its own rewrite rules (it does not reliably recreate the file on its own just because it is missing, and it needs write access to the directory to do so). Any custom rules you relied on, such as password protecting wp-admin, have to be added back by hand.
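Before you delete .htaccess it is worth reading what was added to it, because the extra lines tell you what the attacker was doing: cloaking for search engines, redirects, or an AddHandler line that makes .jpg files run as PHP, which is how a "backdoor" with an image extension in uploads gets executed. The two shell functions below are an added example, not from the original article. htaccess_foreign prints every line outside the "# BEGIN WordPress" / "# END WordPress" block that WordPress manages itself, so you can account for each one; htaccess_audit flags directives that are almost always hostile in a WordPress .htaccess. The file in demo_htaccess is a constructed fixture.

```shell
#!/bin/sh
# Added example: review a WordPress .htaccess before deleting it.
# htaccess_foreign FILE - every non-blank line outside the "# BEGIN WordPress" ... "# END WordPress"
#                         block; you should be able to explain each one
# htaccess_audit FILE   - lines matching directives attackers plant (exit status 1 when none match):
#   AddHandler/AddType/SetHandler     make non-.php extensions (e.g. .jpg in uploads) run as PHP
#   auto_prepend_file/auto_append_file silently include a file into every PHP request
#   RewriteCond on USER_AGENT/REFERER  plus a RewriteRule/ErrorDocument to an external URL = cloaked redirect
htaccess_foreign() {
    awk '/^# BEGIN WordPress/ { inwp = 1 }
         !inwp && NF          { print FILENAME ":" FNR ": " $0 }
         /^# END WordPress/   { inwp = 0 }' "$1"
}

htaccess_audit() {
    grep -nEi \
        -e '^[[:space:]]*(AddHandler|AddType|SetHandler)[[:space:]]' \
        -e 'auto_(prepend|append)_file' \
        -e 'RewriteCond[[:space:]]+%[{]HTTP_(USER_AGENT|REFERER)[}]' \
        -e 'RewriteRule[[:space:]].*https?://' \
        -e 'ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' \
        "$1"
}

# Constructed fixture: the stock WordPress block, one harmless custom rule, three planted lines.
demo_htaccess() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Options -Indexes
AddHandler application/x-httpd-php .jpg
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam.example/ [R=301,L]
EOF
    printf '%s\n' "$f"
}
# Try it: f=$(demo_htaccess); htaccess_foreign "$f"; htaccess_audit "$f"
```

On the fixture, htaccess_foreign lists four lines (Options -Indexes is yours to explain) and htaccess_audit flags three: the AddHandler line and the user-agent-conditional redirect, which is exactly the "only search engines see it" trick described later in this article.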

wp-config.php file

Compare this file with the default wp-config-sample.php. Your real file will legitimately differ in the database credentials, the authentication keys and salts, and the table prefix; anything else, and especially any include, require, eval() or base64_decode() call, is out of place and should be removed.
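A plain diff against wp-config-sample.php is noisy because of the credentials and salts. The awk-based shell function below is an added example, not part of the original article: it prints every statement in wp-config.php that is not one of the things a stock file contains (the define() calls for the constants wp-config-sample.php ships with, $table_prefix, the ABSPATH guard and the final require_once of wp-settings.php), so what is left is exactly what you have to review. The allowlist is my reading of a stock wp-config.php, and the file built by demo_wpconfig is a constructed fixture; if you deliberately added constants such as WP_MEMORY_LIMIT or FS_METHOD, extend the ok list.

```shell
#!/bin/sh
# Added example: print the statements in wp-config.php that a stock file does not contain.
# Skipped: comments, define() of the constants wp-config-sample.php ships with, $table_prefix,
# the ABSPATH guard and the closing require_once. Everything else is printed with its line
# number for review; a clean file prints nothing.
wpconfig_audit() {
    awk -v q="'" '
    BEGIN {
        ok = "^[[:space:]]*define[[:space:]]*\\([[:space:]]*[" q "\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST|DB_CHARSET|DB_COLLATE|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT|WP_DEBUG|ABSPATH)[" q "\"]"
        boiler = "^[[:space:]]*(<\\?php|\\$table_prefix[[:space:]]*=|if[[:space:]]*\\([[:space:]]*![[:space:]]*defined[[:space:]]*\\([[:space:]]*[" q "\"]ABSPATH|[}][[:space:]]*$|require_once[[:space:]]*\\(?[[:space:]]*ABSPATH[[:space:]]*\\.[[:space:]]*[" q "\"]wp-settings\\.php)"
    }
    # inside a /* ... */ comment: drop text up to the closing */, or skip the whole line
    incmt { if (sub(/.*\*\//, "")) incmt = 0; else next }
    # known-good statements are tested before comment stripping: generated salts may contain "/*"
    $0 ~ ok || $0 ~ boiler { next }
    { sub(/\/\*.*\*\//, "") }                 # one-line block comment
    /\/\*/ { incmt = 1; sub(/\/\*.*/, "") }   # start of a multi-line block comment
    { sub(/^[[:space:]]*\/\/.*/, "") }        # full-line // comment
    /^[[:space:]]*$/ { next }
    { print FILENAME ":" FNR ": " $0 }
    ' "$1"
}

# Constructed fixture: an ordinary wp-config.php with one planted @include on line 16.
demo_wpconfig() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
/**
 * The base configuration for WordPress
 */
// ** Database settings ** //
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'S3cret!' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
define( 'AUTH_KEY',        'x/*salt-with-comment-chars*/y' );
define( 'SECURE_AUTH_KEY', 'another-salt' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
@include '/var/www/html/wp-content/uploads/2020/01/.cache.php';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
    printf '%s\n' "$f"
}
# Try it: wpconfig_audit "$(demo_wpconfig)"   (or wpconfig_audit /var/www/html/wp-config.php)
```

The only line it prints for the fixture is the @include, which pulls a "cache" file out of uploads into every request: a textbook way to make a backdoor in the uploads folder run without anyone ever requesting it directly.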

Database Scan for Exploits and SPAM

A smart hacker will never have just one safe spot; they create several. The database, already full of data, is an easy place to hide things. They can store malicious PHP there (for a backdoor to eval() later), new administrator accounts, SPAM links in posts and options, and so on. Yup, sometimes you won't even see the rogue admin on your Users page: the counter says there are 3 users and you can only see 2, because the backdoor filters the user list that wp-admin shows. If that happens, you are almost certainly hacked.

If you don't know what you are doing with SQL, then you probably want to let one of the scanners do the work for you. The Exploit Scanner plugin and Sucuri (paid version) both take care of that.
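A hidden admin is hidden from the Users screen by code that filters the user query; it is not hidden from the database. The shell function below is an added example, not part of the original article: it reads the tab-separated rows of a mysql query over wp_users and wp_usermeta (the query is in the comment; wp_ is assumed to be your $table_prefix, adjust both the table names and the wp_capabilities key if yours differs) and lists every account that holds the administrator capability, followed by a users/admins count to compare with what wp-admin claims. SAMPLE_DUMP is constructed sample data.

```shell
#!/bin/sh
# Added example: list administrator accounts straight from the database.
# Feed it the rows of (wp_ is assumed to be your $table_prefix):
#   mysql --batch --skip-column-names DBNAME -e "SELECT u.ID, u.user_login, u.user_email,
#       u.user_registered, m.meta_value FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#       WHERE m.meta_key = 'wp_capabilities'" | find_admins
# Roles are stored as a PHP-serialized array, so an administrator row always contains the
# substring  "administrator";b:1  whatever else is in the array.
# Output: ID, login, email and registration date of each admin, then users=N admins=M.
find_admins() {
    awk -F '\t' '
        $5 ~ /"administrator";b:1/ { print $1 "\t" $2 "\t" $3 "\t" $4; admins++ }
        END { print "users=" NR " admins=" admins + 0 }
    '
}

# Constructed sample dump: three users, one of them a planted admin with an odd login
# and a registration date nobody remembers.
SAMPLE_DUMP=$(printf '1\tadmin\towner@example.com\t2018-03-04 10:11:12\ta:1:{s:13:"administrator";b:1;}\n2\tjane\tjane@example.com\t2019-07-21 08:00:00\ta:1:{s:6:"editor";b:1;}\n3\twp_update\twp-update@example.com\t2020-02-29 03:14:15\ta:1:{s:13:"administrator";b:1;}')
# Try it: printf '%s\n' "$SAMPLE_DUMP" | find_admins
```

If the admins line here is larger than the number of administrators wp-admin shows you, something in a theme or plugin is hiding an account, and that something is your backdoor.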

Think you have cleaned it? Think again!

Alright, so the hack is gone. Phew. Hold on, don't relax yet. Open your site in an incognito window to see if the hack comes back. Sometimes these hackers are smart: they don't show the hack to logged-in users, only logged-out visitors see it. Better yet, request the page with your browser's user agent changed to Googlebot, because sometimes the hackers only target search engines. If all looks good, you are good to go.

Just FYI: if you want to be 100% sure there is no hack, then wipe the site and restore it from a backup taken at a point where you know the hack wasn't there. Then change every password (WordPress users, database, FTP/SSH and hosting panel) and close the hole that let them in, otherwise the restored site will simply be hacked again. This may not be an option for everyone, so you have to live on the edge.

How to Prevent Hacks in the Future?

Our #1 advice would be to keep strong backups (VaultPress or BackupBuddy) and start using a monitoring service. Like we said earlier, you cannot possibly monitor everything that goes on your site when you are doing tons of other things. This is why we use Sucuri. It might sound like we are promoting them, but we are NOT. Yes, we do get an affiliate commission from everyone who signs up for Sucuri, but that is not the reason we are recommending it. We only recommend products that we use and that are quality. Major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are also recommending these guys. It is because they are good at what they do.

Read our article on 5 Reasons Why We Use Sucuri to Improve our WordPress Security

A few other things you can do:

  1. Use Strong Passwords – Force strong passwords on your users. Start using a password manager such as 1Password.
  2. 2-Step Authentication – If your password gets compromised, the attacker still needs the verification code from your phone.
  3. Limit Login Attempts – This plugin lets you lock a user out after X failed login attempts.
  4. Disable Theme and Plugin Editors – This limits the damage from privilege escalation: even if a user's privileges are escalated to administrator, they cannot modify your theme or plugin files from wp-admin.
  5. Password Protect wp-admin – You can password protect the entire directory at the web server level. You can also limit access by IP.
  6. Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the uploads directory and any other directory you choose. So even if someone manages to upload a file into your uploads folder, they won't be able to execute it.
  7. Stay UPDATED – Run the latest version of WordPress, and keep your plugins and themes upgraded.
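Item 6 in concrete form, as an added example that is not from the original article: a shell function that drops an .htaccess into a directory so Apache refuses to serve PHP-like files from it. It writes both the Apache 2.4 (Require) and 2.2 (Order/Deny) forms inside IfModule guards so the same block works on either version, and it is safe to re-run. It assumes Apache with AllowOverride allowing .htaccess in that directory; if .htaccess is ignored on your host, put the same FilesMatch block in the virtual host configuration. The nginx equivalent is shown in the comment.

```shell
#!/bin/sh
# Added example for item 6: make Apache refuse to serve PHP-like files from a directory.
# Appends a marked block to DIR/.htaccess (once; re-running is a no-op). Assumes AllowOverride
# lets .htaccess take effect in DIR. nginx has no .htaccess; the equivalent server-block rule,
# placed before the PHP location handler, is:
#   location ~* ^/wp-content/uploads/.*\.(php|php[0-9]|phtml|phar|inc)$ { deny all; }
# Usage: deny_php_in /var/www/html/wp-content/uploads   (path is an assumption)
deny_php_in() {
    dir=$1
    f="$dir/.htaccess"
    if [ -f "$f" ] && grep -q '^# BEGIN deny-php' "$f"; then
        return 0   # already hardened, keep whatever else is in the file untouched
    fi
    cat >> "$f" <<'EOF'
# BEGIN deny-php
<FilesMatch "\.(php|php[0-9]|phtml|phar|inc)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# END deny-php
EOF
}
```

After applying it, request one of the files the uploads scan found (before you delete it) and confirm the server answers 403 rather than running it; if it still runs, the directory is not honouring .htaccess and the rule has to live in the server configuration instead.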

Lastly, don't be cheap when it comes to security. We always say that the best security measure is great backups. Please, please, please keep good regular backups of your site. Most hosting companies DO NOT do this for you. Start using a reliable solution like BackupBuddy or VaultPress. This way, if you ever get hacked, you always have a restore point. Also, if you can, just get Sucuri and save yourself all the trouble. They will monitor your site and clean it up if you ever get hacked. It comes out to about $3 per month per site if you get the 5-site plan.

We hope this article helped you. Feel free to leave a comment below if you have something to add :)

Translated from: https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/
