{"id":2830,"date":"2020-08-04T07:04:56","date_gmt":"2020-08-03T22:04:56","guid":{"rendered":"https:\/\/hanami-web.tokyo.jp\/blog\/?p=2830"},"modified":"2020-08-05T09:11:33","modified_gmt":"2020-08-05T00:11:33","slug":"wordpress-falsification","status":"publish","type":"post","link":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/website-running\/security-case\/wordpress-falsification\/","title":{"rendered":"[Thinking about WordPress security] Actual case of tampering \u2460"},"content":{"rendered":"<p>WordPress is an easy target!<\/p>\n\n\n\n<p>Have you ever heard of a story like this? Here is an actual case of WordPress tampering.<\/p>\n\n\n\n<p>Learn about these cases and take appropriate security measures!<br>The following article provides detailed information on how to protect your WordPress site from security threats.<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-hanami-web-wordpress-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"akrYCK6Q6D\"><a href=\"https:\/\/hanami-web.tokyo.jp\/blog\/en\/seo\/security2\/\">5 security measures that a WordPress teacher seriously considered<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"\u201c5 security measures seriously considered by a WordPress teacher\u201d \u2014 How to create a homepage using WordPress\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/seo\/security2\/embed\/#?secret=ZgGNlskOJg#?secret=akrYCK6Q6D\" data-secret=\"akrYCK6Q6D\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%e3%82%b5%e3%82%a4%e3%83%88%e3%81%8c%e6%80%a5%e3%81%ab%e8%b5%a4%e8%89%b2%e3%81%ab%e3%81%aa%e3%81%a3%e3%81%a6%e3%80%90%e5%81%bd%e3%81%ae%e3%82%b5%e3%82%a4%e3%83%88%e3%81%ab%e3%82%a2%e3%82%af%e3%82%bb%e3%82%b9%e3%81%97%e3%82%88%e3%81%86%e3%81%a8%e3%81%97%e3%81%a6%e3%81%84%e3%81%be%e3%81%99%e3%80%91\"><\/span>The site suddenly turned red and said &quot;You are about to access a fake site.&quot;<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Suddenly, the site turned red and displayed the message &quot;You are about to access a fake site,&quot; and the actual site could no longer be displayed.<\/p>\n\n\n\n<p>Additionally, clicking back on a secure page redirects you to another site.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"867\" height=\"597\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png\" alt=\"WordPress tampering case\" class=\"wp-image-2831\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png 867w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-300x207.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-768x529.png 768w\" sizes=\"(max-width: 867px) 100vw, 867px\" \/><\/figure><\/div>\n\n\n\n<p>At this stage, I finally realized that I was being attacked by hackers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"search_console%e3%81%ab%e3%80%901%e4%bb%b6%e3%81%ae%e5%95%8f%e9%a1%8c%e3%82%92%e6%a4%9c%e5%87%ba%e3%81%97%e3%81%be%e3%81%97%e3%81%9f%e3%80%91%e3%81%a8%e8%ad%a6%e5%91%8a%e3%82%82\"><\/span>The Search Console also warns that &quot;1 problem was detected.&quot;<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>I received a notification from
the Search Console. When I accessed it,<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"111\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-1024x111.png\" alt=\"WordPress tampering case: warning in Search Console\" class=\"wp-image-2832\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-1024x111.png 1024w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-300x33.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-768x83.png 768w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2.png 1133w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>When you open the report<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"652\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-1024x652.png\" alt=\"WordPress tampering case: warning in Search Console\" class=\"wp-image-2833\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-1024x652.png 1024w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-300x191.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-768x489.png 768w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3.png 1053w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"wordpress%e3%81%8c%e3%83%8f%e3%83%83%e3%82%ab%e3%83%bc%e3%81%ab%e6%94%bb%e6%92%83%e3%81%95%e3%82%8c%e3%81%a6%e8%a1%8c%e3%81%a3%e3%81%9f%e4%ba%8b\"><\/span>WordPress was attacked by a hacker<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>I
couldn&#039;t access it from the website, so I accessed the file via FTP. (You can also use the file manager provided by the server.)<\/p>\n\n\n\n<div class=\"wp-block-cocoon-blocks-icon-box alert-box common-icon-box block-box\">\n<p>There were a lot of files I didn&#039;t recognize.<\/p>\n<\/div>\n\n\n\n<p>A large number of files and folders other than the standard files provided by WordPress had been accumulated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%e5%a2%97%e6%ae%96%e3%81%97%e3%81%9f%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab%e3%82%92%e5%85%a8%e3%81%a6%e5%89%8a%e9%99%a4\"><\/span>Delete all the files that have been created<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>I removed all files that are not related to wordpress.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%e5%89%8a%e9%99%a4%e3%81%97%e3%81%a6%e3%82%82%e5%a2%97%e3%81%88%e3%82%8b\"><\/span>It keeps increasing even if you delete it<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Even after deleting it, the number of copies increased when I reconnected via FTP. 
At this point, I predicted that an automatic propagation program was embedded in the php file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"indexphp%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab%e3%81%8c%e6%94%b9%e3%81%96%e3%82%93%e3%81%95%e3%82%8c%e3%81%a6%e3%81%84%e3%81%9f\"><\/span>The index.php file was tampered with<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>When I accessed the site again, the index.php file had not been deleted from the list of files that had been added, so I thought this was suspicious and opened the file, where I found that a large amount of malicious code had been added.<\/p>\n\n\n\n<p>I removed all the unnecessary code in index.php.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"htaccess%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab%e3%82%82%e6%94%b9%e3%81%96%e3%82%93%e3%81%95%e3%82%8c%e3%81%a6%e3%81%84%e3%81%9f\"><\/span>The .htaccess file was also tampered with.<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>When I clicked on the button to go to a protected site, I was redirected to a site I didn&#039;t recognize, so I assumed that the redirect had been set up in the .htaccess file. 
When I checked the .htaccess file, I found that the redirect had been added.<\/p>\n\n\n\n<p>I have also removed this code.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%e6%94%bb%e6%92%83%e3%81%95%e3%82%8c%e3%81%9f%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab%e3%80%81%e3%82%b3%e3%83%bc%e3%83%89%e3%82%92%e5%85%a8%e3%81%a6%e5%89%8a%e9%99%a4\"><\/span>Delete all the attacked files and code<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Even after correcting all the files and code I could think of, the message &quot;You are about to access a fake site&quot; still appeared on the top page.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"867\" height=\"597\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png\" alt=\"WordPress tampering case\" class=\"wp-image-2831\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png 867w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-300x207.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-768x529.png 768w\" sizes=\"(max-width: 867px) 100vw, 867px\" \/><\/figure><\/div>\n\n\n\n<p>This warning is displayed by Google, so I requested a review in the Search Console.<\/p>\n\n\n\n<p>Click the [Request a review] button and wait for the review to be completed.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"652\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-1024x652.png\" alt=\"WordPress tampering case: warning in Search Console\" class=\"wp-image-2833\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-1024x652.png 1024w,
https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-300x191.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3-768x489.png 768w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution3.png 1053w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%e5%90%8c%e3%81%98%e3%82%b5%e3%83%bc%e3%83%90%e3%83%bc%e5%86%85%e3%81%aewordpress%e3%81%ab%e3%82%82%e8%a2%ab%e5%ae%b3%e3%81%8c\"><\/span>WordPress on the same server was also affected.<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>There is no red &quot;You are about to access a fake site&quot; message on the top page.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"867\" height=\"597\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png\" alt=\"WordPress tampering case\" class=\"wp-image-2831\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png 867w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-300x207.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-768x529.png 768w\" sizes=\"(max-width: 867px) 100vw, 867px\" \/><\/figure><\/div>\n\n\n\n<p>The following notification has not been received in the Search Console.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"111\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-1024x111.png\" alt=\"WordPress tampering case: warning in Search Console\" class=\"wp-image-2832\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-1024x111.png
1024w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-300x33.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2-768x83.png 768w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution2.png 1133w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<p>However, when I checked the contents of the files with FTP, I found that files I did not recognize had proliferated. I thought, &quot;I should change my password!&quot; and tried to access the management screen, but the login screen did not appear because I did not have the necessary access permissions. The files had been tampered with so that they could not be accessed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%e6%94%bb%e6%92%83%e3%81%95%e3%82%8c%e3%81%a6%e8%bf%bd%e5%8a%a0%e3%81%95%e3%82%8c%e3%81%9f%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab%e3%82%92%e3%81%99%e3%81%b9%e3%81%a6%e5%89%8a%e9%99%a4\"><\/span>Delete all files added during the attack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>As before, I deleted all the files I didn&#039;t recognize, but I still couldn&#039;t access the admin page, and checking the file permissions didn&#039;t fix it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"htaccess%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab%e3%81%8c%e6%94%b9%e3%81%96%e3%82%93%e3%81%95%e3%82%8c%e3%81%a6%e3%81%84%e3%81%9f\"><\/span>The .htaccess file was tampered with.<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The following code was added to the .htaccess file. 
After deleting this code, I was able to successfully access the login screen.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"535\" height=\"95\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/htaccess-rewrite1.png\" alt=\"WordPress tampering case: warning in Search Console\" class=\"wp-image-2834\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/htaccess-rewrite1.png 535w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/htaccess-rewrite1-300x53.png 300w\" sizes=\"(max-width: 535px) 100vw, 535px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3%e6%97%a5%e5%be%8c%e3%81%absearch_console%e3%81%8b%e3%82%89%e5%af%a9%e6%9f%bb%e3%81%8c%e5%95%8f%e9%a1%8c%e3%81%aa%e3%81%8f%e5%ae%8c%e4%ba%86%e3%81%97%e3%81%be%e3%81%97%e3%81%9f%e3%81%a8%e9%80%a3%e7%b5%a1\"><\/span>Three days later, the Search Console notified me that the review had been completed without any problems.<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The review went through successfully and the red warning was removed from the site.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"793\" height=\"665\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/ok.png\" alt=\"The review was completed without any problems\" class=\"wp-image-2839\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/ok.png 793w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/ok-300x252.png 300w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/ok-768x644.png 768w\" sizes=\"(max-width: 793px) 100vw, 793px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\"
id=\"top%e3%83%9a%e3%83%bc%e3%82%b8%e3%81%8c%e8%a1%a8%e7%a4%ba%e3%81%95%e3%82%8c%e3%81%aa%e3%81%84\"><\/span>The top page is not displayed<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Simply deleting the malicious files over FTP made it hard to see which files had been tampered with: besides the visibly malicious files I deleted, existing files had also been rewritten.<\/p>\n\n\n\n<p>Since it was a 500 error, the .htaccess file was the suspect.<\/p>\n\n\n\n<p>I looked at the contents but couldn&#039;t find any strange statements, so I re-uploaded an .htaccess file that was working fine on other sites, and the problem was solved!<\/p>\n\n\n\n<p>However, there was still more unseen tampering...<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%e7%ae%a1%e7%90%86%e7%94%bb%e9%9d%a2%e3%81%ab%e3%83%aa%e3%83%80%e3%82%a4%e3%83%ac%e3%82%af%e3%83%88%e8%a8%ad%e5%ae%9a%e3%81%8c%e5%9f%8b%e3%82%81%e8%be%bc%e3%81%be%e3%82%8c%e3%81%a6%e3%81%84%e3%82%8b\"><\/span>Redirect settings are embedded in the admin panel<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The admin bar was displayed, so I thought, &quot;Isn&#039;t it strange that I&#039;m still logged in after a while?&quot; and tried to switch to the dashboard.<\/p>\n\n\n\n<p>I was redirected to an unfamiliar login screen.
I didn&#039;t enter any information here.<\/p>\n\n\n\n<p>Redirect = .htaccess<\/p>\n\n\n\n<p>That was my first thought, but since I had just replaced the .htaccess file, I suspected that the redirect was coming from somewhere other than .htaccess.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Delete the wp-admin file that is behaving strangely<\/li><li>Download the WordPress file from the official WordPress website<\/li><li>Upload wp-admin file<\/li><\/ol>\n\n\n\n<p>Now it&#039;s back to normal!<\/p>\n\n\n\n<p>The code was embedded in a place I could not see, and any attempt to enter the admin screen was redirected.<\/p>\n\n\n\n<p>This solves everything.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"611\" height=\"651\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-wp-adming-redirect.png\" alt=\"Redirect to an unfamiliar admin screen\" class=\"wp-image-2840\" srcset=\"https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-wp-adming-redirect.png 611w, https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-wp-adming-redirect-282x300.png 282w\" sizes=\"(max-width: 611px) 100vw, 611px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"wordpress%e3%81%8c%e3%83%8f%e3%83%83%e3%82%ab%e3%83%bc%e3%81%ab%e6%94%bb%e6%92%83%e3%81%95%e3%82%8c%e3%81%9f%e5%a0%b4%e5%90%88\"><\/span>What to do if WordPress is attacked by a hacker<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>It may be difficult to solve the problem by yourself.
First, strengthen the security of WordPress.<\/p>\n\n\n\n<p>Below are some of the security measures that can be implemented using plugins:<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-hanami-web-wordpress-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"akrYCK6Q6D\"><a href=\"https:\/\/hanami-web.tokyo.jp\/blog\/en\/seo\/security2\/\">5 security measures that a WordPress teacher seriously considered<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"\u201c5 security measures seriously considered by a WordPress teacher\u201d \u2014 How to create a homepage using WordPress\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/seo\/security2\/embed\/#?secret=ZgGNlskOJg#?secret=akrYCK6Q6D\" data-secret=\"akrYCK6Q6D\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>The following explains how to enhance security by adding to the .htaccess file.<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-hanami-web-wordpress-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"oikWeUaq5Q\"><a href=\"https:\/\/hanami-web.tokyo.jp\/blog\/en\/seo\/security\/\">I thought about security measures for WordPress<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"\u201cI thought about security measures for WordPress\u201d \u2014 How to create a homepage using WordPress\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/seo\/security\/embed\/#?secret=5XxKcG3vrK#?secret=oikWeUaq5Q\" data-secret=\"oikWeUaq5Q\" width=\"600\" 
height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>This explanation will be given using xserver, but security can also be strengthened from the server&#039;s administration panel.<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-hanami-web-wordpress-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"VQffxvanB8\"><a href=\"https:\/\/hanami-web.tokyo.jp\/blog\/en\/website-first\/xserver-security\/\">WordPress\/website security measures taken with xserver<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"\u201cwordpress\/website security measures taken with xserver\u201d \u2014 How to create a homepage using WordPress\" src=\"https:\/\/hanami-web.tokyo.jp\/blog\/website-first\/xserver-security\/embed\/#?secret=zE8N1BQIJy#?secret=VQffxvanB8\" data-secret=\"VQffxvanB8\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"hanami-web%e3%81%8c%e3%81%8a%e6%89%8b%e4%bc%9d%e3%81%84%e3%81%a7%e3%81%8d%e3%82%8b%e4%ba%8b\"><\/span>What hanami-web can help you with<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We will solve the problem on a contingency fee basis. 
Since we cannot guarantee a solution, we will work on a contingency fee basis.<\/p>\n\n\n\n<p>We also hope to be of help to you in terms of security measures and solutions by collecting many case studies and posting them on our blog.<\/p>\n\n\n\n<p>This article is available only to those who have read it and agree to us introducing it as a case study.<\/p>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-red-color\"><strong>From 55,000 yen<\/strong><\/p>\n\n\n\n<p>In the case we introduced here, the cost is 55,000 yen.<\/p>\n\n\n\n<p>Feel free to <a href=\"https:\/\/hanami-web.tokyo.jp\/blog\/en\/contact\/\">contact us<\/a>.<\/p>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>WordPress is an easy target! Have you ever heard of a story like this? Here is an actual case of WordPress tampering. Learn about these cases and take appropriate security measures! WordPress security measures are
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2831,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_uag_custom_page_level_css":"","footnotes":""},"categories":[1447],"tags":[1275,1449,1448],"class_list":["post-2830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-case","tag-1275","tag-1449","tag-1448"],"blocksy_meta":[],"aioseo_notices":[],"uagb_featured_image_src":{"full":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png",867,597,false],"thumbnail":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-150x150.png",150,150,true],"medium":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-300x207.png",300,207,true],"medium_large":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1-768x529.png",768,529,true],"large":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png",867,597,false],"1536x1536":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png",867,597,false],"2048x2048":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png",867,597,false],"trp-custom-language-flag":["https:\/\/hanami-web.tokyo.jp\/blog\/wp-content\/uploads\/2020\/08\/attack-discution1.png",18,12,false]},"uagb_author_info":{"display_name":"\u682a\u5f0f\u4f1a\u793eHanamiWEB \u4ee3\u8868\u53d6\u7de0\u5f79 \u677e\u6d66\u307f\u3055","author_link":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/author\/hanami\/"},"uagb_comment_info":0,"uagb_excerpt":"wordperss\u306f\u72d9\u308f\u308c\u3084\u3059\u3044\uff01 
\u3053\u3093\u306a\u8a71\u3092\u805e\u3044\u305f\u4e8b\u306f\u3042\u308a\u307e\u305b\u3093\u304b\uff1fwordpress\u3067\u5b9f\u969b\u306b\u3042\u3063\u305f\u6539\u3056\u3093\u4e8b&hellip;","brizy_media":[],"_links":{"self":[{"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/posts\/2830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/comments?post=2830"}],"version-history":[{"count":0,"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/posts\/2830\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/media\/2831"}],"wp:attachment":[{"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/media?parent=2830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/categories?post=2830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hanami-web.tokyo.jp\/blog\/en\/wp-json\/wp\/v2\/tags?post=2830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}