
Potential Hack January 2017

Duncan Gallagher edited this page Jan 12, 2017 · 1 revision

Google has been displaying a "This site might be hacked" message next to the search result URL of the main ArtSciLab website.

[Screenshot: ArtSciLab search result showing the "This site might be hacked" warning]

According to the information Google provides via the search console for the site, they believe the following pages were created or altered via URL injection:

[Screenshot: Search Console list of the supposedly hacked pages]

This creates three tasks:

  1. Examine the site to see if a hack has indeed taken place, and if so, how it happened and what was changed
  2. Resolve the issue and have Google remove the message from our search result, so that users aren't afraid to visit the website
  3. Take measures to prevent future attacks, such as installing WordPress security plugins and altering some of the default WordPress code the site uses

Measures have been taken to complete these tasks, and I've documented these measures below for posterity.

  1. To examine the site for altered or injected content, I've examined each of the pages both by visually scanning the HTML source file and by using Chrome's developer tools. I have not found any unknown scripts or resources in the source files, and have not encountered any unknown sources in the network reports or resources of the site when using dev tools. This does not mean that a hack has not taken place, but I haven't found any content on these pages that is not meant to be there.

  2. I also ran the pages through Google's Search Console "Fetch as Google" tool to see if any content was being cloaked (i.e., if Googlebot's crawling algorithm was seeing content on the page that we or our users are not seeing). The pages that Google rendered came back identical to the ones that we see, meaning that it is unlikely there is any hidden content on the page. After conducting these tests on all the pages Google thought might be hacked and finding no unknown content, I requested that Google re-index these pages, so that Googlebot is aware of their existence and does not register them as spam. After doing this, I also sent a request to Google conveying these findings and asking them to remove the "This site may have been hacked" message from our site. It will probably take a few days for them to get back to us.

  3. Finally, we examined several WordPress security plugins to help prevent future attacks. After installing and running a security test with Security Ninja, several measures were taken to increase the general security of the site:

  • hid WordPress Version number in the meta tags of the site
  • changed server response to hide the PHP Version number
  • created 'php.ini' file that changes 'expose_php=on' to 'expose_php=off' to also hide the PHP Version number
  • deleted 'install.php' because it's useless once WordPress is already installed, and it's a common file in WordPress sites that hackers can search for
  • deleted 'readme.html' for the same reason
  • renamed 'upgrade.php' to 'upgrade-8260sb.php' to make it harder for a potential hacker to find (but we don't want to delete this file because we may still need it in the future)
  • changed the login failure page to display "Wrong username or password" instead of displaying which field specifically was entered incorrectly (i.e., "The username for this account was entered incorrectly" or "The password for this username was entered incorrectly"). This makes it more difficult for a potential hacker to brute-force access to the site
  • edited '.htaccess' to disable the ability for browsers to view the 'uploads' folder

We could also make the following changes, but I was unsure how often these features get used and didn't want to disable them without consultation:

  • can disable the file/plugin editor because it also contains the PHP Version
  • can remove Windows Live Writer feature
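The WordPress-side measures from the two lists above, written as a must-use plugin so that they survive theme updates; this is an added example, not the site's own code, and the file name and the `asl_` function name are assumptions. The PHP version and uploads-folder changes stay in php.ini (`expose_php = Off`) and .htaccess (`Options -Indexes`), because neither can be set from WordPress code.

```php
<?php
/**
 * Plugin Name: ArtSciLab hardening (added example)
 * Save as wp-content/mu-plugins/artscilab-hardening.php; mu-plugins load on every
 * request without activation. File and function names are assumptions.
 */

// Stop WordPress printing <meta name="generator" content="WordPress x.y"> in <head>.
remove_action('wp_head', 'wp_generator');

// The same version number also appears in the RSS/Atom generator tags.
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles are enqueued with ?ver=<WordPress version>; strip it.
function asl_strip_version_query($src) {
    return $src ? remove_query_arg('ver', $src) : $src;
}
add_filter('script_loader_src', 'asl_strip_version_query');
add_filter('style_loader_src', 'asl_strip_version_query');

// Replace the field-specific login failure text with one generic message, so a
// failed attempt no longer confirms whether the username exists. Note this also
// replaces WordPress's other login messages (e.g. empty-field warnings).
add_filter('login_errors', function ($error) {
    return 'Wrong username or password';
});

// Optional changes listed above, left disabled pending consultation:
// disable the theme/plugin file editor (which also shows the PHP version):
// define('DISALLOW_FILE_EDIT', true);
// remove the Windows Live Writer manifest link from <head>:
// remove_action('wp_head', 'wlwmanifest_link');
```

After saving the file, confirm the result by viewing the page source: no `generator` meta tag should remain, and a deliberately wrong password on wp-login.php should return only the generic message.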

I also installed the Google (XML) Sitemaps Generator for WordPress, which creates an XML sitemap for the site. This is used to communicate the existence and location of all the pages on the website, which makes it less likely that Google will label any of our pages as spam.

It might also be worth investigating if we can get an SSL certificate for the site.
