Just recently, Post SMTP, one of the most popular WordPress plugins for e-mail delivery, had a serious security vulnerability which led to thousands of WordPress websites being hacked in a matter of a few days. Luckily the hackers got into a few of my low-importance websites too through this plugin, so I had a chance to inspect how this happens in a real-world scenario.
What to do if your website is hacked via the Post SMTP plugin?
Back up everything and deny access from the outside world
First of all, make a backup copy and deny public access to your website, either by adding .htaccess-based password protection or by configuring IP address-based protection via the .htaccess file.
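The backup-then-lock-down step, as an added shell example that is not from the original post: it archives the whole docroot (wp-content included, since that is where the evidence lives) and then prepends an IP allow-list to .htaccess, keeping the original rewrite rules so they can be restored later. It assumes Apache 2.4 (`Require` directives), that .htaccess overrides are allowed for the docroot, and the paths and the address 203.0.113.10 in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Apache 2.4 and that
# AllowOverride permits Require directives in the site's .htaccess.
set -eu

# backup_site DOCROOT DEST_DIR -> prints the path of the archive it created
backup_site() {
    docroot=$1; dest=$2
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/site-$stamp.tar.gz"
    # archive relative paths (site/...), including wp-content and dotfiles
    tar -czf "$archive" -C "$(dirname "$docroot")" "$(basename "$docroot")"
    printf '%s\n' "$archive"
}

# lock_down_site DOCROOT ADMIN_IP -> only ADMIN_IP may reach the site;
# the previous .htaccess is saved as .htaccess.pre-lockdown and kept below the new rule
lock_down_site() {
    docroot=$1; admin_ip=$2
    htaccess="$docroot/.htaccess"
    existing=""
    if [ -f "$htaccess" ]; then
        cp "$htaccess" "$htaccess.pre-lockdown"
        existing=$(cat "$htaccess")
    fi
    {
        printf '# BEGIN lockdown (added during incident response)\n'
        printf 'Require ip %s\n' "$admin_ip"
        printf '# END lockdown\n'
        printf '%s\n' "$existing"
    } > "$htaccess"
}

# Usage (placeholder values): sh lockdown.sh /var/www/example.com 203.0.113.10 /root/wp-backups
if [ $# -eq 3 ]; then
    archive=$(backup_site "$1" "$3")
    lock_down_site "$1" "$2"
    echo "backup written to $archive; site now limited to $2"
fi
```

Everyone else receives a 403 from Apache before PHP runs, which is the point: nothing in the compromised site executes for anyone but you while you work on it. Remove the lockdown block (or restore the .pre-lockdown copy) only after the clean-up is finished.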
If you can restore from a backup – restore a working copy of the website from an older backup
If your website content has not changed recently, you can try restoring it from an older backup, from a point at which the website was not yet hacked.
If you cannot restore from a backup – restore the WordPress core files to their original state, delete anything suspicious and install the Wordfence Security plugin
Once again: make sure that your website is not publicly accessible. Open the /wp-includes/version.php file and note down the WordPress version you are using. You will see it in the first lines of code:
$wp_version = '4.4.4';
Delete the /wp-admin and /wp-includes directories, along with all the WordPress core files in your public website directory: the index.php file and anything that starts with the "wp-" prefix. Do NOT delete the /wp-content directory!
Next, check the /wp-content/, /wp-content/mu-plugins/, /wp-content/plugins/ and /wp-content/themes/ directories for suspicious files or unknown plugins you know nothing about.
Pay special attention to the PHP files located directly under each of these directories:
- Delete any file ending in "-cache.php" from the /wp-content/ directory. You will have to reconfigure your page and object cache later, but that is not a big deal. These files are auto-loaded and could contain malware. Also manually inspect, and if necessary delete, any other .php files you see under this directory. The index.php file, for example, should contain nothing other than the "Silence is golden" PHP comment. If it contains extra code you do not recognize, delete the file's contents and replace it with a fresh copy from the WordPress core files.
- Manually inspect the /wp-content/mu-plugins/ directory; if it contains any plugins you do not recognize, delete them. If you use must-use plugins (you have files in this directory which are certainly yours), also check the contents of each file to see whether they have been tampered with.
- Manually inspect the /wp-content/themes/ directory and delete any theme you do not use on your site (e.g. WordPress default themes such as twentytwentyone or twentytwentytwo). Unused themes are not worth keeping in your website files, since there is a possibility that they have been tampered with.
- Manually inspect the /wp-content/plugins/ directory and delete any plugin you do not recognize. Also check for suspicious .php files directly under this directory.
Do not worry too much about malicious files that could remain in the unchecked plugin, uploads or other directories; the rest will be cleaned up by the Wordfence Security plugin. The main idea of the manual inspection is to delete everything that could auto-load itself when the website is accessed.
Restore the WordPress core files to the original state
Check which WordPress version the hacked website had by looking at the version number you noted down earlier, and download a fresh copy of the files from the WordPress release archive.
Then extract the files and re-add the /wp-admin/ and /wp-includes/ directories, along with the core files in the website root directory that you deleted earlier, from this archive.
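The core-file reset described in the steps above (note the version, list the auto-loaded files to review, delete the core files but not wp-content, re-add the core files from the matching release archive), as an added shell example that is not the original post's code. It assumes a standard WordPress layout under DOCROOT and the usual find, grep, cut, tar and curl; the script name wp-core-reset.sh and the function names are this example's own. One deliberate choice of the example: it keeps wp-config.php, because the release archive does not contain it and the site cannot start without it, so that file is reviewed by hand rather than deleted.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes a standard WordPress
# layout under DOCROOT (wp-admin/, wp-includes/, wp-content/, wp-*.php).
set -eu

# wp_version DOCROOT -> the version string from wp-includes/version.php
wp_version() {
    grep "^[\$]wp_version" "$1/wp-includes/version.php" | cut -d "'" -f 2
}

# core_download_url VERSION -> release-archive URL for exactly that version
core_download_url() {
    printf 'https://wordpress.org/wordpress-%s.tar.gz\n' "$1"
}

# autoload_suspects DOCROOT -> one path per line for the files to review by hand:
# any .php directly under wp-content (this includes *-cache.php), an index.php
# there that holds more than the "Silence is golden" stub, stray .php files
# directly under wp-content/plugins (real plugins live in subdirectories), and
# every mu-plugin, because mu-plugins are always loaded.
autoload_suspects() {
    wc="$1/wp-content"
    find "$wc" -maxdepth 1 -type f -name '*.php' | while IFS= read -r f; do
        case "$(basename "$f")" in
            index.php)
                # drop blank lines, the opening tag and the stub comment; anything left is a finding
                if grep -v -E '^[[:space:]]*$|^<\?php[[:space:]]*$|Silence is golden' "$f" | grep -q .; then
                    printf '%s\n' "$f"
                fi ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
    find "$wc/plugins" "$wc/mu-plugins" -maxdepth 1 -type f -name '*.php' 2>/dev/null || true
}

# remove_core_files DOCROOT -> delete wp-admin, wp-includes, index.php and wp-*.php.
# wp-content is kept, as the post says; wp-config.php is kept too (this example's
# choice) because the release archive does not contain it: inspect it by hand.
remove_core_files() {
    docroot=$1
    rm -rf "$docroot/wp-admin" "$docroot/wp-includes" "$docroot/index.php"
    find "$docroot" -maxdepth 1 -type f -name 'wp-*' ! -name 'wp-config.php' -exec rm -f {} +
}

# restore_core DOCROOT ARCHIVE -> unpack wp-admin, wp-includes and the root files
# from a release tarball into DOCROOT; the tarball's own wp-content is not copied
restore_core() {
    docroot=$1; archive=$2
    unpack=$(mktemp -d)
    tar -xzf "$archive" -C "$unpack"        # unpacks to $unpack/wordpress/
    rm -rf "$unpack/wordpress/wp-content"
    cp -R "$unpack/wordpress/." "$docroot/"
    rm -rf "$unpack"
}

# Usage: sh wp-core-reset.sh DOCROOT inspect   (print the version and the files to review)
#        sh wp-core-reset.sh DOCROOT reset     (fetch the matching release and swap the core files)
case "${2:-}" in
    inspect)
        echo "WordPress $(wp_version "$1")"
        autoload_suspects "$1" ;;
    reset)
        ver=$(wp_version "$1")
        curl -fsSLo "/tmp/wordpress-$ver.tar.gz" "$(core_download_url "$ver")"
        remove_core_files "$1"
        restore_core "$1" "/tmp/wordpress-$ver.tar.gz" ;;
esac
```

Run `inspect` first and work through its list; `reset` only replaces core files and never touches wp-content, so the plugin, theme and mu-plugin findings from the list still have to be dealt with by hand, as the post describes.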
Check if you can access the WordPress login page and change the password
Check whether you can access the WordPress login page now and reset your admin password using these instructions. The password you used before may no longer work, since the Post SMTP exploit requires it to be changed.
Once you're in, install the Wordfence Security plugin!
Once you have regained access to your account, install the Wordfence Security plugin (the free license is enough) and scan your website for malicious files; it should find the rest of the files hidden under /wp-content/ or other directories. Locate and delete all the files the scanner finds, and update all of your WordPress plugins to the latest version.
Replace your Post SMTP plugin with a better alternative – Fluent SMTP
Because of this security vulnerability and a couple of other issues related to this plugin in the past, I decided not to recommend it anymore. Deactivate and delete the Post SMTP plugin. Replace it with a more reliable and resource-efficient solution – Fluent SMTP. You will of course have to reconfigure it.
Change the password for your MySQL database and SMTP account. Change the WordPress security keys.
Install and configure the WPS Hide Login plugin
Check the WordPress users: delete any Administrator accounts you do not recognize and change the password for the legitimate Admin accounts.
Disable the password reset option. Forbid access to the XML-RPC file.
In most cases the password reset feature is not necessary for administrator accounts, so it is better to disable it for these accounts. No password reset means no recovery e-mail, and therefore no way to exploit this feature again.
You should also deny access to the xmlrpc.php file, since it is also not necessary for most websites (it is used for remote management of WordPress websites by some third-party publishing applications).
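Both hardening steps above (no password reset for administrators, no access to xmlrpc.php), as an added shell example that is not from the original post. It writes a must-use plugin, which WordPress always loads and which cannot be deactivated from wp-admin, using two real core filters: `allow_password_reset`, which core consults before it sends a reset e-mail, and `xmlrpc_enabled`, which switches off the XML-RPC methods that require authentication. It also appends an Apache 2.4 `<Files>` rule so that xmlrpc.php never reaches PHP at all; the filter is the second layer in case the .htaccess rule is ever lost. The file name ir-hardening.php and the assumption that .htaccess overrides allow `<Files>` blocks are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Apache 2.4 and that
# AllowOverride permits <Files> blocks in the site's .htaccess.
set -eu

# write_hardening_mu_plugin DOCROOT -> prints the path of the mu-plugin it wrote
write_hardening_mu_plugin() {
    dir="$1/wp-content/mu-plugins"
    mkdir -p "$dir"
    cat > "$dir/ir-hardening.php" <<'EOF'
<?php
/*
 * Plugin Name: IR hardening (added after the Post SMTP incident)
 * Description: No password resets for administrators, no authenticated XML-RPC.
 */

// Core applies this filter in retrieve_password() / get_password_reset_key()
// before it sends a reset e-mail; returning false makes WordPress refuse the
// request, so no recovery mail with a reset link is ever generated for admins.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        return false;
    }
    return $allow;
}, 10, 2 );

// Core checks this filter before serving XML-RPC methods that need a login.
add_filter( 'xmlrpc_enabled', '__return_false' );
EOF
    printf '%s\n' "$dir/ir-hardening.php"
}

# deny_xmlrpc DOCROOT -> append a <Files> deny rule to .htaccess (safe to run twice)
deny_xmlrpc() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q 'BEGIN deny xmlrpc' "$htaccess"; then
        return 0
    fi
    cat >> "$htaccess" <<'EOF'
# BEGIN deny xmlrpc
<Files "xmlrpc.php">
    Require all denied
</Files>
# END deny xmlrpc
EOF
}

# Usage (placeholder path): sh harden.sh /var/www/example.com
if [ $# -eq 1 ]; then
    write_hardening_mu_plugin "$1"
    deny_xmlrpc "$1"
fi
```

After running it, a request to /xmlrpc.php should return 403 from Apache, and the "Lost your password?" form should refuse to send a reset for any account that has the manage_options capability while still working for editors and subscribers.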