4

I have a cloud-based server running with CentOS 6.0 and CSF installed. Today I got a message from my host that one of my WordPress installations is hacked and used for phishing.

But I don't know how this has happened. I do not know where it is happening. What is the best practice here? How can I check what has happened and stop it?

EDIT: My host said now that he wasn't sure it was WordPress, but was suspecting it. Do I really need to delete everything and reinstall? This is over 10 sites, and it will be a lot of work.

Anders
  • Not strictly related to WordPress, but you could install rkhunter and etckeeper. rkhunter will perform daily scans for rootkits and you can use etckeeper (or git) to track changes to important directories like /etc –  Aug 10 '12 at 10:46
  • Or http://www.tripwire.org/ – Tie-fighter Aug 10 '12 at 13:57

2 Answers

1

Here are some guides:

General WordPress hardening: http://codex.wordpress.org/Hardening_WordPress

More in depth including some server stuff: http://wpsecure.net/secure-wordpress/

If your server itself is secure, most problems are user related, meaning your plugin or theme has malware.

You can run a malware checker: http://wordpress.org/extend/plugins/wordfence/

It's very advisable that you remove plugins, revert to the default theme, back up and clean the DB, and do a fresh install.

Wyck
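An added example, not part of either answer or the comments: before wiping a site, its files can be compared against a known-clean copy to see which core, plugin or theme files differ, which is the same change-tracking idea as the Tripwire and etckeeper suggestions above. It assumes a fresh download of the same WordPress, plugin and theme versions is unpacked in a reference directory; the function names `manifest` and `wp_compare` and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: compare a live WordPress tree against a known-clean copy.
# Function names and directory arguments are hypothetical.

# manifest DIR: print "<sha256>  <relative path>" for every regular file.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# wp_compare CLEAN_DIR SITE_DIR
# Prints one finding per line, sorted:
#   ADDED    <path>  file exists only in the live site
#   MISSING  <path>  file exists only in the clean copy
#   MODIFIED <path>  file exists in both trees but the content differs
wp_compare() {
    clean=$(mktemp)
    site=$(mktemp)
    manifest "$1" > "$clean"
    manifest "$2" > "$site"
    awk '
        # Split each line into hash (h) and path ($0 after the sub).
        { h = $1; sub(/^[^ ]+  /, "") }
        FILENAME == ARGV[1] { ref[$0] = h; next }   # clean reference
        { seen[$0] = 1                              # live site
          if (!($0 in ref))      print "ADDED " $0
          else if (ref[$0] != h) print "MODIFIED " $0 }
        END { for (p in ref) if (!(p in seen)) print "MISSING " p }
    ' "$clean" "$site" | sort
    rm -f "$clean" "$site"
}

# Run directly as: sh wp_compare.sh /path/to/clean /path/to/site
if [ "$#" -eq 2 ]; then
    wp_compare "$1" "$2"
fi
```

Files such as wp-config.php and everything under wp-content/uploads will legitimately show up as ADDED, so those entries need a manual look rather than automatic deletion.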
0

Since your server is already compromised,

  • Take your host offline soon
  • Re-install your CentOS (easier than having to run forensics if you want your server back up soon)
  • Install all updates
  • Install the latest version of WordPress/MySQL
  • Harden your server -- turn off unneeded services, disable root login, secure SSH connections, secure WordPress and MySQL
  • Recover data from your backup
  • Long term, follow best practices of keeping your OS and applications up-to-date
  • Run periodic security checks such as remote penetration tests, rootkit checks, log audits
  • Review your security policies, firewall rules.

Good luck!

Chida