They keep attacking my WP sites...HELP!

19 replies
Ok guys, I need some help. As quick as I can put up a WP site, someone attacks it and takes the entire site down . I put up two yesterday...and again, just like that someone or something has attacked them and shut them down. I keep reporting this to Hostgator and they are trying to analyze how they are getting in. These were new WP installs with ridiculously complicated passwords so the question is this. What are the exact steps I need to take in order to prevent this from happening again? Am I doing something wrong on my end that I should be aware of that leaves me vulnerable to attack? Thanks in advance.

E.
#attacking #siteshelp
  • Profile picture of the author The Pension Guy
    Just a thought: could it be that your computer is infected with a "keylogger virus" and the hackers get all the info from yourself...?
    Signature

    {{ DiscussionBoard.errors[1055538].message }}
  • Profile picture of the author DukeNasty
    Keylogger Virus? Didn't think of that specifically, but I did just do a scan of my desktop. I will Google that to see if there is a specific tool I can use to search for and remove that sucker if need be. In the meantime I am open for suggestions for a tool that you might recommend. Thanks!

    E.
    {{ DiscussionBoard.errors[1055614].message }}
    • Profile picture of the author Susan Hope
      In case this helps, this is a link to Jame's WSO for WordpressSecureV2

      Cheers
      Sue
      Signature
      One-to-One WordPress Coaching Service Available at Low Hourly Rate - Let the frustration end now! WordPress Installs, Theme Design, Site Tweaks & other WordPress services available
      Find me on Pinterest: PINTEREST
      {{ DiscussionBoard.errors[1055620].message }}
      • Profile picture of the author Michael Mayo
        Hi Duke,

        If you haven't already done so, run a virus scan on your system.
        Just a couple months back there was a pain in the arse Trojan key logger
        that once on your system would capture and use your FTP log in info to
        hack your sites.

        I went through it and it isn't fun as every time I fixed the sites involved it
        would wait a couple of days and then strike again and the cycle would
        have continued had we not discovered the the source was via FTP.

        To stop it you need to change your FTP passwords with out it knowing.
        It is a key logger so the only way is to do something like type a bunch of
        random letters in a text doc like this:

        dhsjekdivuendjslekdupqlwmendhsyetrncxc

        then select random areas of the text to copy and paste to change your FTP pass words.

        Key loggers can't read copy and paste plus after you have done this then
        write down your new pass words on a piece of paper and delete the text
        file so even if it did follow what you did it won't be able to recreate it.

        Hope that Helps,
        Have a Great Day!
        Michael
        {{ DiscussionBoard.errors[1055646].message }}
      • Profile picture of the author Steve Diamond
        Probably the best quick protection you can add is to create an .htaccess file in your /wp-admin/ directory with the following contents:

        Code:
        AuthUserFile /dev/null
        AuthGroupFile /dev/null
        AuthName "Access Control"
        AuthType Basic
        order deny,allow
        deny from all
        # allow my home IP address
        allow from XX.XX.XXX.XXX
        # allow my work IP address
        allow from XX.XX.XXX.XXX
        Replace the XXs with your actual IP address(es), which you can obtain from a site like Find-My-IP-Address. You can add or delete "allow from" lines as needed. BTW, an .htaccess file is simply a text file named .htaccess. If you have trouble creating one in Windows, you'll find one in your root WordPress directory that you can download, edit, and upload to /wp-admin/. Just be careful not to change the contents of the version in the root directory.

        The end result will be that no one can access the administrative area of your WordPress installation except the computers you've designated by IP.

        Here are a few resources that will help with additional security measures:

        Steve
        Signature
        Mindfulness training & coaching online
        Reduce stress | Stay focused | Keep positive and balanced
        {{ DiscussionBoard.errors[1055654].message }}
  • Profile picture of the author stma
    Several guides out there for free on securing wordpress blogs.... but I would be more concerned about it being a security hole in your shared hosting environment.

    If you are running protection on your p.c. and have a firewall (I hope you do) it raises the odds that your actual server has issues.
    {{ DiscussionBoard.errors[1055671].message }}
  • Profile picture of the author ChrisJamesG
    Are you downloading WP first? Try installing straight from hostgator instead in case it is a virus:

    Cpanel >> Fantistico (under software/services) >> Wordpress >> New installation

    Cheers
    Chris
    Signature
    *** 10,000+ Private Label Rights Niche Articles
    *** 90+ Private Label Rights Internet Marketing Articles
    *** 50+ Private Label Rights eBooks

    [ALL FREE] Private Label Rights - CLICK HERE
    {{ DiscussionBoard.errors[1055681].message }}
    • Profile picture of the author John Romaine
      You need to be a little more specific about your problem. What exactly is the issue?

      Are your sites redirecting to external sites or launching an add on?

      Is it only your index files that are being affected?

      More importantly - ARE YOU FTP'ing??? if so STOP!

      Are you getting hidden IFRAME injections that look somewhat like this?

      <iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

      If so, your local machine is infected. As soon as you FTP to anything its a goner. My advice, back everything up that is critical and blow the machine away.
      Signature

      BS free SEO services, training and advice - SEO Point

      {{ DiscussionBoard.errors[1055704].message }}
  • Profile picture of the author DukeNasty
    Thanks for all of the suggestions. That is why this place is so awesome. Interesting comment about the Trojan, because I had one about a week ago that normal virus protection could not remove. The virus protection would always ID the Trojan, but it could not remove it. So, I installed a trojan remover and it was supposed to remove the trojans because it could no longer pick up the Trojan during a scan and the original virus protection couldn't pick it up.

    I am going to try each of these suggestions one by one until I resolve the main problem because it/they even took down my main site! Thanks again everyone.

    E.
    {{ DiscussionBoard.errors[1055703].message }}
  • Profile picture of the author DukeNasty
    Michael and Ramone, you have correctly identified the probem, I have an Iframe Infection and my FTP logs show that my uncrackable passwords have all been cracked according to Hostgator. They were gracious enought to provide directions on several fixes so I will begin those. The reall issue is how many of my other accounts/passwords have been compromised. Will need to change all of them to be sure. This stinks!

    E.
    {{ DiscussionBoard.errors[1056051].message }}
    • Profile picture of the author barbling
      Originally Posted by DukeNasty View Post

      Michael and Ramone, you have correctly identified the probem, I have an Iframe Infection and my FTP logs show that my uncrackable passwords have all been cracked according to Hostgator. They were gracious enought to provide directions on several fixes so I will begin those. The reall issue is how many of my other accounts/passwords have been compromised. Will need to change all of them to be sure. This stinks!

      E.
      Ouch...that is painful indeed. Lots of empathy and hope you get it fixed soon!
      {{ DiscussionBoard.errors[1056142].message }}
    • Profile picture of the author garyv
      Originally Posted by DukeNasty View Post

      Michael and Ramone, you have correctly identified the probem, I have an Iframe Infection and my FTP logs show that my uncrackable passwords have all been cracked according to Hostgator. They were gracious enought to provide directions on several fixes so I will begin those. The reall issue is how many of my other accounts/passwords have been compromised. Will need to change all of them to be sure. This stinks!

      E.
      Just had the same thing happen to me recently. These things usually only go after the index files. So check the index on every one of your sites, and then like some said above, clean your system and use an untraceable password. Also talk to your provider about using a more secure method of transferring your files. FTP is very hacker friendly.
      {{ DiscussionBoard.errors[1056180].message }}
    • Profile picture of the author John Romaine
      Originally Posted by DukeNasty View Post

      Michael and Ramone, you have correctly identified the probem, I have an Iframe Infection and my FTP logs show that my uncrackable passwords have all been cracked according to Hostgator. They were gracious enought to provide directions on several fixes so I will begin those. The reall issue is how many of my other accounts/passwords have been compromised. Will need to change all of them to be sure. This stinks!

      E.
      Changing your passwords is useless until you remove the problem from your machine. Otherwise they will again "crack your passwords" as soon as you FTP again.

      Believe me, I had the same problem about 3 months ago. I tried almost every utility and application to get rid of it without luck, and I have 9 years IT experience.

      To be absolutely certain, back everything up and blow it away.
      Signature

      BS free SEO services, training and advice - SEO Point

      {{ DiscussionBoard.errors[1057359].message }}
  • Profile picture of the author bretski
    Malwarebytes.org is also awesome at removing a lot of things that AV and spybot and adaware just can't handle...and it's free..."so I got that going for me...which is nice..."
    Signature
    ***Affordable Quality Content Written For You!***
    Experience Content Writer - PM Bretski!
    {{ DiscussionBoard.errors[1056145].message }}
  • Profile picture of the author HeySal
    If you want a free scan for keyloggers it's SOPHOS.

    I just got another JS redirect on one of my sites. They build holes and if you miss one they come right back in. They are hard to get rid of - and there isn't anything completely secure, but some servers are more easily attacked than others. I just moved one of my sites to a new host that does 24/7 survellience - might have to move this one, too - this is the second time for JS on this site. We either missed a hole it built or the sever just isn't secure enough.

    They are getting in via FTP, too though, so that's a good piece of advice you were given.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

    {{ DiscussionBoard.errors[1056478].message }}
  • Profile picture of the author Jon Alexander
    move to a Mac.
    Signature
    http://www.contentboss.com - automated article rewriting software gives you unique content at a few CENTS per article!. New - Put text into jetspinner format automatically! http://www.autojetspinner.com

    PS my PM system is broken. Sorry I can't help anymore.
    {{ DiscussionBoard.errors[1057544].message }}
  • Profile picture of the author greenovni
    I was so sick of windows problems that I moved everything over to Linux!
    {{ DiscussionBoard.errors[1057979].message }}

Trending Topics