Things to Check Your Server Logs for…

if you’re trying to recover from a “Hacked Site Penalty” with WordPress.


Here are some of the things to look for when analyzing your site's server logs to diagnose a hacked or compromised WordPress installation:

Unusual User Agent Strings
Look for user agent strings that are uncommon or resemble those used by malicious bots. (https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/blob/master/_generator_lists/bad-user-agents.list)

Analyze patterns of any user agents found that don’t correspond to legitimate browsers or web crawlers, to find out what’s happening and to identify problem URLs/directories.

Multiple Failed Login Attempts
Even after all these years, WordPress still does not ship with built-in brute-force protection. Therefore, multiple failed login attempts in a short time period indicate a brute-force attack, which may ultimately have succeeded.

Unusual or Suspicious IP Addresses
Investigate connections from unfamiliar or suspicious IP addresses and cross-check any IPs flagged against known blacklists or geolocation services. (https://dnschecker.org/ip-blacklist-checker.php)

Access to Sensitive Directories
Check for access attempts to sensitive directories, such as wp-admin, wp-config.php, or .git.

Unauthorized access to these directories will usually be indicative of an attack.

Unusual HTTP Methods
Monitor for HTTP methods that are rarely used, such as TRACE or TRACK. These methods can be exploited for certain types of attacks.

Unusual or Large File Downloads
Identify unexpected or unusually large file downloads, as these may indicate an attempt to download sensitive information or exploit vulnerabilities.

Accessing Hidden or Deprecated Pages
Check for access attempts to pages or directories that are hidden or deprecated, as these can indicate an attacker probing for vulnerabilities.

404 Errors with Suspicious URLs
Analyze 404 errors for unusual URLs or patterns, since attackers may attempt to exploit non-existent pages or paths. Also note the timings of these 404 errors; the faster they occur, one after another, the greater the likelihood it’s an attack.

Changes in User Agent Behavior
Watch for sudden changes in user agent behavior. For example, a sudden increase in requests from a single user agent may be suspicious.

Unusual Traffic Patterns
Identify unusual traffic patterns, such as a sudden spike in requests from a specific location or IP range. Unexplained traffic anomalies can point to a DDoS attack or scanning activity.

Repeated Access to a Single File
Look for repeated or rapid access to a specific file or resource. Like the 404s above, these can indicate an attempt to exploit a vulnerability in that file.

Suspicious Referrers
Investigate referrers, especially those from known malicious or spammy domains. Suspicious referrers can sometimes reveal the source of malicious traffic. (https://github.com/stamparm/blackbook)

Abnormal Bandwidth Usage
Monitor for unexpected spikes in bandwidth usage. Sudden increases can be clear signs of a successful exploitation or data exfiltration.

Access to Configuration Files
Check for attempts to access sensitive configuration files like .htaccess or wp-config.php. Unauthorized access to these files is usually a clear sign that your WordPress installation has been compromised.

Unexpected Server Errors
Investigate unexpected server errors or warnings, since such errors can indicate attempts to exploit vulnerabilities or misconfigurations.
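As an added example (not code from the original guide), the script below runs several of the checks above over Apache/nginx "combined" format access-log lines: bad-bot user agents, TRACE/TRACK methods, requests for wp-config.php/.git/.htaccess, bursts of POSTs to wp-login.php, and bursts of 404s from one IP. The watch-lists, thresholds and sample log lines are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size "referrer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed watch-lists and thresholds; tune them for your site (a real deployment would load the bad-UA list linked above).
SENSITIVE_PATHS = ("/wp-config.php", "/.git", "/.htaccess")
BAD_UA_MARKERS = ("sqlmap", "nikto", "masscan")
RARE_METHODS = ("TRACE", "TRACK")
LOGIN_BURST = 5     # POSTs to wp-login.php from one IP before it is flagged
NOTFOUND_BURST = 5  # 404s from one IP before it is flagged

def analyze(lines):
    """Return {indicator: sorted list of IPs} for the checks in the guide."""
    logins, notfound = Counter(), Counter()
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:            # skip lines that are not in combined format
            continue
        ip, path, ua = m["ip"], m["path"], m["ua"].lower()
        if any(marker in ua for marker in BAD_UA_MARKERS):
            hits["bad_user_agent"].add(ip)
        if m["method"] in RARE_METHODS:
            hits["rare_http_method"].add(ip)
        if any(path.startswith(p) for p in SENSITIVE_PATHS):
            hits["sensitive_path"].add(ip)
        if m["method"] == "POST" and path.startswith("/wp-login.php"):
            logins[ip] += 1
        if m["status"] == "404":
            notfound[ip] += 1
    hits["login_burst"] = {ip for ip, n in logins.items() if n >= LOGIN_BURST}
    hits["404_burst"] = {ip for ip, n in notfound.items() if n >= NOTFOUND_BURST}
    return {k: sorted(v) for k, v in hits.items() if v}

# Constructed sample log lines (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE = (
    ['203.0.113.5 - - [10/May/2024:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' % i
     for i in range(6)]
    + ['198.51.100.7 - - [10/May/2024:10:01:00 +0000] "GET /wp-config.php HTTP/1.1" 403 0 "-" "sqlmap/1.7"',
       '198.51.100.7 - - [10/May/2024:10:01:01 +0000] "TRACE / HTTP/1.1" 405 0 "-" "sqlmap/1.7"']
    + ['192.0.2.9 - - [10/May/2024:10:02:%02d +0000] "GET /old/page%d HTTP/1.1" 404 0 "-" "Mozilla/5.0"' % (i, i)
       for i in range(5)]
)

if __name__ == "__main__":
    for indicator, ips in analyze(SAMPLE).items():
        print(f"{indicator}: {', '.join(ips)}")
```

Feed it your real access log with `analyze(open("access.log"))` and review each flagged IP against the full request sequence before deciding it is hostile; legitimate crawlers can trip the 404 threshold.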

ArcLite SEO Solutions