Wordpress site hacked - SiteLock worthless?

19 replies
My apologies if there is a better place to post this. I am a long-time tire-kicker and WSO-buyer here, but this is a wordpress quandary.

I am the half-assed "web guy" for a professional organization. We use our web site to sell tickets to an annual banquet, and we've been successfully using wordpress and paypal since 2008.

However, I dropped the ball with theme and plug-in updates, it seems, and my web site, plus some other "non profit event sites" that were sub-domains on my HostGator account, where severely battered by malware and whatever else there is.

To save my primary site, I have been paying $150 per month to SiteLock for firewall and scanning protection. We just started our fifth month with SL, and today I discovered my site has been completely hijacked by a Middle East extremist organization.

I guess I am just venting to folks who know more and may be able to make some suggestions. What is a small organization of volunteers to do? We can't afford to lose our site(s), but can't afford to survive these kinds of attacks, either.

Is worpress doomed by insecurities? is my weakness in my host company (HostGator)? Am I wasting money with SiteLock? is there a better option?

Thanks for letting me whine!
#hacked #site #sitelock #wordpress #worthless
  • Profile picture of the author Brent Stangel
    my site has been completely hijacked by a Middle East extremist organization.
    Ouch!

    HG is no help, I'll wager?

    I have been paying $150 per month to SiteLock
    Is the site that valuable?

    We use our web site to sell tickets to an annual banquet,
    Signature
    Get Off The Warrior Forum Now & Don't Come Back If You Want To Succeed!
    All The Real Marketers Are Gone. There's Nothing Left But Weak, Sniveling Wanna-Bees!
    {{ DiscussionBoard.errors[10377494].message }}
  • Profile picture of the author Kherk Roldan
    that is not secure brah.. you can try a plugin to hide your wp-login and wp-admin. and customize it to what you like
    {{ DiscussionBoard.errors[10377500].message }}
  • Profile picture of the author Robert43
    HostGator is no help. Time to find new hosting.

    And SiteLock, clearly, isn't worth 1/10th that, if this is any indication! LOL

    I am being exposed as quite the newbie/idiot! I used to think the world of hostgator ... but previous issues with HG is what led me to contract with SiteLock because I was in danger of losing everything ... my sites, my sons' sites ...
    {{ DiscussionBoard.errors[10377502].message }}
  • Profile picture of the author chaotic squid
    Yea, Hostgator probably won't do much. I had Hostgator before too, was getting tired of my sites being slow, then once one of them got hacked (with no help from HG) I knew I had to look for something else.

    If you're serious about changing hosts and ready to stop pinching pennies for hosting, I would suggest Flywheel. It's all I use anymore, managed WordPress VPS hosting.

    https://getflywheel.com/

    https://getflywheel.com/why-flywheel...ress-security/

    They provide malware monitoring in their plans, and if your site ever gets hacked, they fix it for free.

    Take a look and do some research, but they do a hell of a job when it comes to WordPress hosting.
    {{ DiscussionBoard.errors[10377540].message }}
  • Profile picture of the author Graham Maddison
    I use a plugin - wordfence on my wp sites ..seems to keep them out okay, but only time will tell I guess.
    As far as secure wordpress hosting goes, I would go with WPEngine
    Signature
    Trade without Boundaries.
    Start with $30 Trading Bonus.
    No Deposit Required
    {{ DiscussionBoard.errors[10377879].message }}
    • Profile picture of the author irawr
      Banned
      HostGator is complete garbage.
      {{ DiscussionBoard.errors[10377891].message }}
      • Profile picture of the author ED1190
        Originally Posted by irawr View Post

        HostGator is complete garbage.
        I (and numerous other people) have had no issues with Hostgator.

        And the OP's issue would have happened with any host.

        Should have used two plugins called ithemes security and wordfence. Those two plugins would have kept your site on lockdown (literally).
        {{ DiscussionBoard.errors[10377900].message }}
      • Profile picture of the author Kherk Roldan
        Originally Posted by irawr View Post

        HostGator is complete garbage.
        how can this be a million dollar company if they are garbage?

        we are the one responsible with our websites.

        If we add more security to our websites then this problem would not be happen.
        {{ DiscussionBoard.errors[10378832].message }}
        • Profile picture of the author zapseo
          Originally Posted by Kherk Roldan View Post

          how can this be a million dollar company if they are garbage?

          we are the one responsible with our websites.

          If we add more security to our websites then this problem would not be happen.
          You ARE naive .. sorry, have to say it. Go look at what happenes to all web hosting companies which are taking over by EIG (which took HG over a few years' back)...

          Not keeping your site updated -- as well as keeping up on vital security issues -- nearly guarantees you're gonna get hacked ....

          $150 a MONTH ??? Yowza ... how big/many are your sites? How many installs?

          I would recommend reading the sucuri blog -- getting good security plugins on your site (like ones which enforce strong passwords for members)...check for unknown user accocunts (esp admin ones)....in particular, the xmlrpc vulnerability recently uncovered is devilish to the extreme,, and I just learned earlier today that ransomeware has come to linux machines (that is, webhosting accounts.)

          I've been cleaning up hacked websites since 2009 -- while they are mostly WordPress sites, they are not those alone. One of my clients this year had his sites on a HG account ... and I tried to get them to remove some very suspicious root-owned files -- which, even two weeks later, were still on the account ...my client moved hosting (he kinda did it without saying anything to me until it was a done deal.)

          My security mantra is ...
          Backup
          Update
          Monitor
          Protect

          Or, "BUMP" Security -- will this keep you 100% safe? Nope, not possible. But it will radically reduce your chances...because there are plenty of folks who don't even do these things.I would especially recommend you read about the xmlrpc vuln on the sucuri blog..because that is not exactly a specific vuln that's going to be easily closed...though there are those in the WP community who would like to see xmlrpc completely disappear...
          {{ DiscussionBoard.errors[10379045].message }}
          • Profile picture of the author PBScott
            Originally Posted by zapseo View Post

            You ARE naive .. sorry, have to say it. Go look at what happenes to all web hosting companies which are taking over by EIG (which took HG over a few years' back)...
            I completely agree with the above statement... sadly as I tried to escape EIG to a new host, EIG eventually took that one over as well, and things have never been worse. They have a nasty habit of poorly fixing what is not broken, until it is actually broken, then they try and fix that, all that madness leads to too much downtime. Recently they have started to try and deny the downtime even exists, even though you can see them being spammed on twitter about it, and their service queues become super long.

            Something to read:
            http://researchasahobby.com/full-lis...panies-brands/
            Signature

            If you don't look at this => Really Funny Shirts <= you missed something in life

            {{ DiscussionBoard.errors[10379284].message }}
  • Profile picture of the author esk
    I used to use Sitelock as well, and did get hacked constantly. For me the solution was to use extreme secures passwords like "73Ersas13rtZ322sas23".

    Also Change your wp-admin login information to say something else than "Admin" and "password". There is also a little plugin - I think it's called "wp limit login attempts" so basically someone can't brute force into your blog.
    {{ DiscussionBoard.errors[10377890].message }}
  • Profile picture of the author Asadullah72
    With Out security WP site hack is not a big matter. Use plugin for secure your WP site.
    {{ DiscussionBoard.errors[10377898].message }}
  • Profile picture of the author DIABL0
    I have been marketing on the net for 15 years and never used WP until just recently. Just figured I would try it, So why can't you just back it up and it something was to happen restore it.

    I have a lot of dedicated servers and see all the time people trying to access it. But I have only been hacked like twice in 15 years. My servers I get, but why bother hacking WP?
    Signature
    How to Build LARGE EMAIL LISTS on a Budget and MONETIZE Like a PRO
    19 Years Exp . . . . . . . . . . . . Email - CPA - PPL
    {{ DiscussionBoard.errors[10377973].message }}
    • Profile picture of the author irawr
      Banned
      Originally Posted by DIABL0 View Post

      I have been marketing on the net for 15 years and never used WP until just recently. Just figured I would try it, So why can't you just back it up and it something was to happen restore it.

      I have a lot of dedicated servers and see all the time people trying to access it. But I have only been hacked like twice in 15 years. My servers I get, but why bother hacking WP?
      It's usually just some automated attack from a botnet. They can easily add files right through WP (add custom plugins if they need to) and setup their credit card scam page, or whatever they are doing.
      {{ DiscussionBoard.errors[10378460].message }}
      • Profile picture of the author JohnMcCabe
        Originally Posted by DIABL0 View Post

        I have a lot of dedicated servers and see all the time people trying to access it. But I have only been hacked like twice in 15 years. My servers I get, but why bother hacking WP?
        Originally Posted by irawr View Post

        It's usually just some automated attack from a botnet. They can easily add files right through WP (add custom plugins if they need to) and setup their credit card scam page, or whatever they are doing.
        Phishing/credit card scams are part of it. Even bigger is the ability to inject malware that infects the computers of people visiting a site. Once infected, they get to download a variety of adware, and some even get to join the botnet, sending spam emails in the background when the computer is idle.

        esk gave good advice. Use secure passwords, change them periodically, and remove the obvious footprints.

        And keep things (WP itself, themes, plugins) updated.

        I'm not familiar with SiteLock, but you can have the best security system in the world on your front door, and it becomes useless if you leave the back door unlocked.
        {{ DiscussionBoard.errors[10378519].message }}
  • Profile picture of the author DrForum
    Wordpress has always been a good platform when it comes to website security. One thing am suspecting is that your host may be having issue. However, hackers today are not sleeping. They find fun in just hacking peoples websites and messing around with your information. My recommendation is that you carry out a proper internet research so that you can Identify the top companies or providers of security, Online. Especially when your site deals with monetary issues, then you are at a higher risk of being hacked. Please contact your hosts so that they can advice you accordingly and also help them know if the fault is on their side.
    Signature
    The Elite Ad-Network | Adsnik
    {{ DiscussionBoard.errors[10378620].message }}
  • Profile picture of the author Joe Ray
    Wordpress has too many vulnerabilities. For this reason, I have never used Wordpress.
    {{ DiscussionBoard.errors[10378824].message }}
  • Profile picture of the author dsouravs
    didnt you used bullet proof security plugin? Is it no good?
    Signature

    I can convert your Non-Responsive website to Responsive website ... How sweet is that? :)

    {{ DiscussionBoard.errors[10379301].message }}
  • Profile picture of the author coffeediva
    Sorry to say but Hostgator has become total rubbish. Even with a securoty forced login and also wordfence and other security measures all my sites were hacked and data deleted. I sent several tickets to hostgator and had several live calls but they were useless. I was with hostgator for 10 years with no issues at all but when the whole lot of my sites were hacked even the non wordpress ones there has to be a problem with the hosting so Yes it may be a multimillion dollar company but it will fall and fall hard
    {{ DiscussionBoard.errors[10379760].message }}

Trending Topics