Re-infections are one of the most frustrating encounters site owners experience. Like a game of whack-a-mole, when you think you’ve found and removed everything malicious, more malicious content pops up. There are some factors to consider that are likely the culprit for this. We will consider these, and some preventative/post-hack measures that can fix your hacked website.
1 – Out-of-date CMS Versions, Themes, and Plugins
It’s no secret that outdated third-party software is the leading cause of website vulnerabilities. Since most modern-day websites utilize a mix of third-party extensions like plugins and themes, it’s important to consider that each of these installations could be a potential point of intrusion. In some cases, developers do not account for the threats their code may introduce. (e.g., utilizing unsafe APIs, no standard validation, logging, error handling, etc.) If you’re fortunate, a patch may be released before a potential exploit is released.
It’s important to keep tabs on any updates that are released, or if an update potentially breaks something, you have firewall protection in place that can block malicious traffic attempting to exploit vulnerable software.
2 – Weak Passwords
Using weak and default passwords have increasingly become a reinfection factor across the web. As more and more database leaks are released, it becomes easier to use password recovery tools to predict the correct ones. Successful brute force attacks on a website can lead to a hacker having full control of a site. Once in control, they can and even remove access from the actual website owners. If an infection occurs through methods of access control and passwords are not updated afterward, you can easily find yourself back at square one again.
3 – Cross-Site Contamination
When it comes to hosting sites, most utilize a shared hosting environment, where clients share the same server where hundreds of websites reside. This can save a site owner a lot of time and money, but like most things, convenience also comes with its fair share of risks. Cross-site contamination is an infection that spreads from one site to other sites under the same shared environment. In some cases, if a site or server that has been infected wasn’t cleaned up thoroughly enough, there may be remnants of an infection that can regrow and spread to other files.
It’s recommended when cross contaminations are found to quarantine the sites from each other and to delete any old websites no longer used. Also, make sure to keep files, themes, and plugins to a minimum for the site to function properly. Different websites should not have write access to one another (for example, addon domains in cPanel environments, or WHM environments with symlink protection disabled).
4 – Too Many Privileges
A best practice to follow is the Principle of Least Privilege. When too many users have far too much access, this can lead to larger risks in terms of security. If you find any unfamiliar users, it’s best to remove them. Hackers could be using these accounts to gain access. Every role provided to an account that is not evaluated increases the odds of something going awry.
Every so often a “privilege escalation” vulnerability will be discovered within a software component. This can lead to an innocuous low-level account gaining admin access, so employing multi-factor authentication for admin panels is a must. If your website doesn’t require it, you should also disable account creation altogether.
Pro Tip: We recommend only having one admin user, and setting all other user roles to the least privileges needed.
5 – Unfound Backdoors
When CMS (Content Management System) environments become compromised, this can lead to things such as file upload vulnerabilities. This type of vulnerability can grant remote code execution capabilities to the hacker. The goal of the attacker is to remain undetected for as long as possible while obtaining more sensitive credentials and escalating privileges. Backdoors can be tricky to find for the average site owner, and sometimes additional detection tools may be needed. It’s also important to mention CC swipers have the highest rate of reinfection. Since they’re the most “targeted” type of attack, attackers stand to gain the most money from it.
The best method to trace back to where a backdoor originated is by a thorough examination of plugins and themes for recently detected vulnerabilities or file modifications. Also, investigate any recently modified files and pay attention to the user associated with the modifications. An attacker could have gained access through a specific user account. Tools such as WPScan can also be helpful in this case.
Please note that any backups made while an infection is still present can cause the infection to show up again if the site is restored to that specific version. Once an infection is thoroughly cleaned up, a fresh backup should be saved.
These are just some of the most common cases for reinfections to a website, but the list goes on. Site owners should always consider these main factors for their site being repeatedly hacked, and once each of these are addressed the recurrence should eventually subside. Malware infections can be the most dreadful occurrence for an online business, so remaining proactive and vigilant is a must.