How a Simple WordPress E-commerce Site Got Hacked – and How I Found Out!


The Problem: A Strange Website Behavior

A client reached out to me with a puzzling issue: their WordPress e-commerce site was behaving oddly. When accessed with www, the site showed a blank page, but without www, it loaded – albeit very slowly. Even when it did load, the performance was frustratingly sluggish.

I decided to investigate further. A quick check revealed that the www version returned a 200 OK response but displayed a blank page, while the non-www version loaded but had an unusually high response time.


The First Clue: Downtime and Latency Issues

To monitor the issue, I added the site to my monitoring system. A day later, I noticed something strange: the site was going down for a minute or two at random intervals and then coming back up. At first, I suspected server overload, but the server metrics told a different story – CPU, memory, and disk usage were all under 10%, which was completely normal.

Things got even weirder when my monitoring system flagged the site as down, but manual checks showed it was still loading. Digging deeper, I found that the 24-hour average response time was 2,556ms, with spikes reaching a staggering 45,000ms. This was a clear red flag – something was seriously wrong.


The Hunt for the Culprit

My first suspicion was a rogue plugin. WordPress plugins are notorious for causing performance issues, so I started my investigation there. Sure enough, I discovered a pirated version of Slider Revolution installed on the site.

In my experience, every hacked site I’ve encountered had a pirated version of Slider Revolution, and this case was no exception. The client was using Slider Revolution v6.6.12, which had a known Arbitrary File Upload vulnerability. This vulnerability was publicly disclosed on May 22, 2023, and patched in v6.6.13 (released on May 4, 2023). However, since the client was using a pirated version, they never received the update – and that’s how the attackers gained access.


Digging Deeper: The Hidden Webshell

I checked the Slider Revolution files for obfuscated code but found nothing suspicious. Turning my attention back to the latency issue, I analyzed the server response times:

  • Request time: < 0.5ms (normal)
  • Time to First Byte (TTFB): 30 seconds (highly abnormal)
  • Content download time: ~2 seconds (normal)

This pattern indicated that something was executing before the site even started loading. I opened the index.php file and found hundreds of lines of obfuscated PHP code. Further investigation revealed additional malicious files scattered across the server, all containing similar obfuscated code. These files were part of a webshell, a malicious script that allows attackers to remotely control the server.
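As an added example (not code from the original post), here is a small Python scanner for the kind of obfuscated PHP and oversized index.php described above; it walks a whole WordPress tree rather than one file. The indicator patterns, their weights, the size threshold and the two sample files are my own constructed assumptions, not a vendor signature set.

```python
import re
import tempfile
from pathlib import Path
# Heuristic indicators of obfuscated/backdoored PHP. The patterns and weights are
# this example's own assumptions, not a vendor signature set.
INDICATORS = {
    "eval":         (re.compile(r"\beval\s*\("), 3),
    "decode_chain": (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    "long_blob":    (re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 3),
    "hex_escapes":  (re.compile(r"(?:\\x[0-9A-Fa-f]{2}){6,}"), 2),
    "remote_fetch": (re.compile(r"\b(?:curl_exec|file_get_contents)\s*\(\s*['\"]https?://"), 2),
    "exec_input":   (re.compile(r"\b(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST)"), 5),
}
MAX_INDEX_BYTES = 1024  # stock WordPress index.php is a few lines; this threshold is an assumption

def score_php(source: str, name: str = "") -> dict:
    """Count indicator hits in one PHP source and turn them into a weighted score."""
    hits = {k: len(rx.findall(source)) for k, (rx, _) in INDICATORS.items()}
    score = sum(INDICATORS[k][1] * min(n, 5) for k, n in hits.items())
    if name == "index.php" and len(source.encode()) > MAX_INDEX_BYTES:
        hits["oversized_index"] = 1   # hundreds of lines in index.php is itself a red flag
        score += 3
    return {"score": score, "hits": {k: n for k, n in hits.items() if n}}

def scan_tree(root, threshold: int = 5) -> list:
    """Walk a WordPress install and return (relative path, score, hits), worst first."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        r = score_php(path.read_text(errors="ignore"), path.name)
        if r["score"] >= threshold:
            findings.append((path.relative_to(root).as_posix(), r["score"], r["hits"]))
    return sorted(findings, key=lambda f: -f[1])

# Constructed samples: a stock-looking index.php and a backdoored one (blob and host are placeholders).
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
INFECTED_INDEX = ("<?php\n$k='" + "A" * 1200 + "';\n@eval(base64_decode($k));\n"
                  "$u=file_get_contents('http://example.invalid/p');\n"
                  "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n")

def demo() -> list:
    """Write the two samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text(CLEAN_INDEX)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "index.php").write_text(INFECTED_INDEX)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, score, hits in demo():
        print(f"{score:3d}  {rel}  {hits}")
```

Run it against a copy of the site's document root; anything scoring above the threshold is a candidate for diffing against a clean plugin or core download, not proof of compromise on its own.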


What’s a Webshell – and Why Is It Dangerous?

A webshell is a powerful tool for attackers. Once installed, it can:

  • Delete the entire website and database.
  • Modify site content.
  • Steal sensitive customer data.
  • Use the server for criminal activities (e.g., DDoS attacks, botnets).

This isn’t just a minor inconvenience – it’s a full-blown security breach with potentially devastating consequences.


Lessons Learned

  1. Avoid Pirated Plugins and Themes: Pirated software often contains vulnerabilities or backdoors. Always use legitimate, licensed plugins and themes.
  2. Keep Everything Updated: Regularly update WordPress core, plugins, and themes to patch known vulnerabilities. Enable automatic updates where possible.
  3. Monitor Your Site: Use monitoring tools to detect unusual behavior, such as downtime, latency spikes, or unexpected file changes.
  4. Secure Your Server: Ensure proper server configuration, use strong passwords, enable two-factor authentication, and restrict access to sensitive files.
  5. Educate Clients: Make sure clients understand the risks of using pirated software and the importance of regular updates.


Final Thoughts

This incident highlights the dangers of using pirated software and neglecting updates. By following best practices, you can significantly reduce the risk of your site being hacked. Stay vigilant, keep your site secure, and always prioritize legitimate, up-to-date software.


If you’d like, I can expand on specific sections, such as how to clean up a hacked site or steps to secure your WordPress e-commerce site. Let me know!

Syed Talha Ibrahim, that’s a crucial lesson for all site owners—investing in legitimate tools is essential for security.
