OMFG! I've been hacked!

Just found out that one of my WordPress sites has been hacked!

I was checking my stats on Google Analytics and saw a big drop off in visitors, so I checked my site to see if everything was ok - which it wasn't!

The site has been hacked with some script showing off and telling me to get better security - don't tell me these hackers are all bad :rolleyes:

My luck is, it seems the hacker didn't cause too much destruction. The database seems to be ok and files as well.

Can anyone tell me where to go from here? Do I have to install wordpress again?

I would think I need to download the content folder through FTP. How do I set up WordPress with my old database? Really appreciate any help!

I suggest those of you running older WP versions (mine was 2.8) upgrade immediately! This hacker was maybe just a kid playing around, but next time maybe not.

What else can we do to secure WordPress?
  • trytolearnmore
    change passwords, update everything
    • JackPowers
      Originally Posted by trytolearnmore:

      change passwords, update everything

      Hi,

      I can't log in to WordPress admin to do that, the password has been changed I think?
      • Prestigio
        You could log into your hosting account via cPanel, then go to the section for databases and use phpMyAdmin to open up the WordPress database file.

        You can then look directly in the database to determine the correct password for the Admin user, so that you will be able to login again through the normal WordPress Login.

        Hope that helps you.
        • trytolearnmore
          Emm... then write to Hostgator (or whatever your host's name is) with a password recovery request. Show them that it is you and they will do all the work.

          P.S. I hope you've done backups?
      • sbucciarel
        Originally Posted by JackPowers:

        Hi,

        I can't log in to WordPress admin to do that, the password has been changed I think?

        Delete all the tables in your database and import the backup database file you have, if you have a backup. If not, go into your database and change the password back. Just click on the wp-users table and then click browse. You'll see a password table and click on the pencil. Go to the password drop down box and choose MD5 and then type in your new password and save it.
  • JackPowers
    Thanks guys, I got access to the admin area. Nothing has been affected, but the script is still running after I update.

    Have any idea, where it's hidden?
  • JackPowers
    Thanks, I found the script in the index.php file, should be easy enough to restore. But will definitely pay more attention to security now.
  • JackPowers
    I'm now more worried about a theme I've been using, as three sites were hacked actually, but the others that have different themes were not. It's a popular theme as well.
  • CliveG
    Ask your hosting company to help you work out how you were hacked. Simply changing the passwords may not be enough if that was not the cause of the problem.
    • JackPowers
      Originally Posted by CliveG:

      Ask your hosting company to help you work out how you were hacked. Simply changing the passwords may not be enough if that was not the cause of the problem.

      I will do that. I think it must be an exploit in a particular theme.
  • Mountainmotorman
    This is bad. You need to figure out how it happened to prevent this in the future. Not just change passwords.
  • Christian Fox
    I had that happen as well, pain in the ASS! I tracked them to a Turkish hacker group. They really messed up my rankings for a bit. There are folks here who sell things to lock down WP. I have used Login Lockdown, a plugin that protects against the brute force description they typically use to try and log in with. It locks out after 5 failed attempts...

    Anyway I have had no issues after installing that on my 30+ WP Blogs...

    Good luck... Was it Flex Squeeze or Affiliate theme?

    Oh and HG backs up on every Sunday... They can back you up for 10 or 15 bucks, you will be right as rain.... Provided you were not hacked prior to last Sunday... Then things get ugly, but it can be fixed. I went through it.
  • Steve Powers
    I think you should make backups frequently and keep your password private. Make sure not to share it with others and make it a strong password. As to the main reason, you'd better ask your hosting company to help you find out so that you can avoid this next time. If it's their fault, they may compensate you.
  • Profit-smart
    If you're not running the latest WP release, that's the issue. Exploits for each version usually pop up in the SERPs about a month after they come out.

    These "hacker" groups aren't real hackers. They're kids with too much time on their hands.

    Update your WP to the latest version 2 weeks after each update. This gives you time to skip the "0 day" exploits (new security holes because of changes to a product's code) and keeps you fairly secure. So long as you stick to this strategy, you won't get hacked.

    Real hackers don't deface websites, they steal credit cards and stuff like that.
    • JackPowers
      Originally Posted by Profit-smart:

      If you're not running the latest WP release, that's the issue. Exploits for each version usually pop up in the SERPs about a month after they come out.

      These "hacker" groups aren't real hackers. They're kids with too much time on their hands.

      Update your WP to the latest version 2 weeks after each update. This gives you time to skip the "0 day" exploits (new security holes because of changes to a product's code) and keeps you fairly secure. So long as you stick to this strategy, you won't get hacked.

      Real hackers don't deface websites, they steal credit cards and stuff like that.

      You're right, the hacker left a message saying he wasn't out to destroy or steal anything. I don't want to give him any e-credit and mention his details, but it was obvious it was just some kid playing around. Anyway, it got me to take some measures, so it wasn't all bad.
    • cdhartpence
      Once you've regained access and reset your passwords, etc., if you're not already using an automatic backup system, I heartily recommend the plugin from SME Storage... great plugin, automatic backups to your email account... basically plug and forget (till you need it, of course).

      -=Vel=-
  • John Romaine
    Out of interest - what was the "script" that you found within your index.php file? Is it an iframe injection attack?
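
Added example (not posted by anyone in this thread): the injected script here turned up in index.php, and one way to answer "where is it hidden?" is to hash the live install against a clean copy of the same WordPress release and themes, then read every file that differs. The function names, the marker patterns and the sample trees built in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Content markers that make a changed file worth reading first (a hint, not proof).
SUSPICIOUS = re.compile(rb"<iframe|eval\s*\(|base64_decode\s*\(", re.IGNORECASE)

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_install(clean_root, live_root):
    """Diff a live WordPress tree against a clean copy of the same release."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = {"modified": [], "added": [], "missing": [], "flagged": []}
    for rel in sorted(set(clean) | set(live)):
        if rel not in live:
            report["missing"].append(rel)
            continue
        if rel not in clean:
            report["added"].append(rel)      # not shipped in the clean copy
        elif clean[rel] != live[rel]:
            report["modified"].append(rel)   # shipped, but contents changed
        else:
            continue                         # byte-identical to the clean copy
        if SUSPICIOUS.search(Path(live_root, rel).read_bytes()):
            report["flagged"].append(rel)
    return report

def demo():
    """Constructed sample: a clean tree and a live tree with planted differences."""
    base = Path(tempfile.mkdtemp())
    files = {"clean/index.php": b"<?php require 'wp-blog-header.php';",
             "clean/wp-login.php": b"<?php // login page",
             "clean/xmlrpc.php": b"<?php // xml-rpc endpoint",
             "live/index.php": b"<?php require 'wp-blog-header.php'; ?>\n"
                               b"<iframe src=\"http://example.invalid/\"></iframe>",
             "live/wp-login.php": b"<?php // login page",
             "live/wp-content/themes/sample/extra.php": b"<?php echo 'hello';"}
    for rel, data in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return compare_install(base / "clean", base / "live")

if __name__ == "__main__":
    print(demo())
```

Files under "added" need reading even when they are not flagged: the marker list only orders the review, and site-specific files such as wp-config.php and uploads will always appear there.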
