• I recently inherited a site which had a security incident. I’ve copied the files and DB to a quarantine, restored and updated, the live site is currently fine.

    Now I’d like to find how the incident occurred.

    The good news is that an ecosystem as big as WordPress’ has many options available for learning forensics practice with WP.

    The bad news is someone new to the ecosystem like myself has a lot to wade through to learn the best current forensics tools and tips.

    Is there a single guide that stands out as the definitive starting point for analyzing a hacked site to determine the entry point?

    Or if one doesn’t stand out, do you have a personal favorite?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator threadi

    (@threadi)

    As far as I know, the security industry operates completely independently of WordPress and follows the principle of “first investigate how it happened, then clean it up” (at least depending on the specific case). Unfortunately, you’ve already cleaned up the site, which makes it difficult – if not impossible – to trace the path of the hack. As a result, you’ve essentially covered all tracks.

    Time is also an important factor. All access attempts can be traced (again, independently of WordPress) in the hosting provider’s log files. If too much time has passed since the hack, the log files containing the relevant data may no longer be available.

    WordPress itself does not provide any methods for checking what you’re looking for. As with any other software, you do this by examining what you have and identifying where things might have been manipulated, which then leads you to the point of entry.

    I would therefore recommend that you stop investing energy in this type of investigation and instead focus on securing the project in its current state. See also: https://developer.wordpress.org/advanced-administration/security/hardening/
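The log-based tracing described in the reply above, as an added illustration that is not part of the original thread: a small Python triage script that reads hosting access logs in the common "combined" format, flags requests that are unusual for a WordPress install (PHP executed from wp-content/uploads, POSTs to PHP files that are not normal WordPress entry points), and then pivots on the first flagged client to show what it did beforehand. The log lines and the plugin path in them are constructed samples, not from any real site.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log format. SAMPLE_LOG below is constructed for this
# example; the plugin path in it is hypothetical.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# PHP endpoints a stock WordPress install is expected to receive POSTs on.
KNOWN_POST_ENDPOINTS = {"/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
                        "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php"}

SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2025:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:03:14:09 +0000] "POST /wp-content/plugins/hypothetical-plugin/upload.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:03:14:15 +0000] "GET /wp-content/uploads/2025/03/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:08:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["path"] = req["path"].split("?", 1)[0]   # drop the query string before matching
    return req

def classify(req):
    """Label requests that are unusual for WordPress; None means ordinary traffic."""
    p = req["path"]
    if p.startswith("/wp-content/uploads/") and p.endswith(".php"):
        return "php-executed-from-uploads"        # uploads should never hold runnable PHP
    if req["method"] == "POST" and p.endswith(".php") and p not in KNOWN_POST_ENDPOINTS:
        return "post-to-unexpected-php"           # direct POST into a plugin/theme file
    return None

def triage(log_text):
    """Flagged requests in time order, each paired with the reason it was flagged."""
    reqs = sorted(filter(None, map(parse_line, log_text.splitlines())), key=lambda r: r["ts"])
    return [(r, classify(r)) for r in reqs if classify(r)]

def pivot_on_first_hit(log_text):
    """All requests from the first flagged client up to and including that hit; the
    earliest requests here are usually where the entry vector shows up."""
    flagged = triage(log_text)
    if not flagged:
        return []
    first = flagged[0][0]
    reqs = sorted(filter(None, map(parse_line, log_text.splitlines())), key=lambda r: r["ts"])
    return [r for r in reqs if r["ip"] == first["ip"] and r["ts"] <= first["ts"]]
```

Run against the real log archive only after checking its retention window, since (as the reply notes) rotated logs older than the incident are the first thing to be lost.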

    Thread Starter rg4w

    (@rg4w)

    Thank you for your quick reply and the link. We have backups, and hardening is well documented and straightforward.

    Once restored, I’d like to *know* the entry point. I can update the site and hope for the best, but until we know what happened we’re just guessing.

    Most WP exploits come from Core or plugins not being updated, and I’d guess that’s what we have here. I can go through all the relevant CVEs, but that seems like the sort of thing that can be assisted with automation, so knowing about any WP-specific tools for forensics beyond the reporting in things like WordFence would be especially helpful.

    So far one of the better resources I’ve found on WP forensics is:
    https://wpsecurityninja.com/wordpress-vulnerabilities-database/#4_Vulnerability_Assessment_Management

    I’ll continue seeking until I either know the entry point or know with confidence that I’ve exhausted all reasonable options to find it. I’ll report back any other useful info I come across to this thread.
