My blog - HACKED - then SPAMMED (every post). Hosting company response inside

For a non-techie, thats gone right over my head. I guess its hard to keep up with spammers, just keep doing what you can, muddling through, making backups daily and keep your eys open the game

Hope your site is fixed soon.

I'll touch on this slightly, first off did you have a backup of your blog? If so revert to a good backup and restore....

The hosting company are quite right in what they are saying, this is a vunrability in WordPress that has been exploited, and reading between the lines there's not patch as yet. When sites are hacked more often or not it's from opportunists and a one off...

I would urge anyone if you value your website, blog etc make sure you take good regular backups, it's not the responsibility of your hosting company...

I'm trying to see if I can find anything official on the WP site, but it looks like an old article Dec 2010.

Bear in mind there's vunrabilities in anything that's been programmed, it's done by humans after all... Advice would be

- Use minimal plugins, athorized sources only
- Backup frquently

Good points. Now I just need to figure out how to do backups. Can anyone point me in the right direction!

If I'm reading that correctly they are telling you that it was caused by an SQL Injection Attack. Google: SQL Injection Attack

Here's a Wiki:
en.wikipedia.org/wiki/SQL_injection

There isn't much a non tech can do to prevent those types of attacks.

This is scary news for all Wordpress users.

I believe any website that uses SQL Databaes is vulnurable to SQL Injection Attacks - not just wordpress.

OK so this is one reason why I try not to use word press anymore. There are many. Actually, my primary reason is MYSQL is a resource pig. That means if you start getting traffic you can get kicked out by your hosting service. Yeah, that is my main reason.

It's really scary news to me, I am running almost all my sites on wordpress platform but I do backup every week once and installed plugin only from genuine source. Thank you to alert us about this.

When I built my first WP site it got hacked a few times, utterly painful. On all subsequent blogs I use Login Lockdown, Secure Press, Wordpress Firewall Plugins. Since then no attacks. I also use a back up plugin

First things first: you weren't 'spammed', your server space was hacked. Big difference. Exactly how it was done is up in the air at the moment.

Second, your hosting provider is sending you on a snipe hunt. The ONLY way that their explanation would work is that the trackback is from another blog owner who is an author (or editor or administrator) on your blog. If that is possible, then maybe you should be looking in that direction. If, on the other hand, you are the only admin/editor/author on your blog, you can write back to your hosting provider and tell them they are FOS (full of s&*t).

Third, to all of you who keep climbing on the "WordPress is vulnerable, the sky is falling!!" bandwagon, get back off and save your breath.

The 'exploit' described is very limited in scope and very complicated to pull off (did any of you even READ the post about it, and understand it?), and can't be used to add text to posts (which is what happened to the OP).

Without thorough investigation, there's no telling how your site(s) were broken into - but I can almost guarantee you it wasn't because of what the hosting company said it was.

I've recently started installing the captcha plug-in - it's significantly reduced spam sign-ups and/or spam comments.

I had exactly the same thing happen with all the wordpress blogs on one of my hostgator accounts. I was told that it was a weakness in FileZilla that enabled the hackers to get my password. Hostgator cleaned up all the sites for me - but they did miss some files in each blog called "Silence is Golden".

Once my sites were clean I have installed the plugin Wordpress Firewall 2 on all my sites (this is a bit of a pain as you need to disable it every time you want to make changes to the blog). I also upped the security level of my password, change it at least once a week and change it again immediately after I use FileZilla. No problem at all since.

Oh really, this sound scary... Is it can affect with a flip site?
If a site had transfer to another server, then the spammers still can access it?

Cheers,
Basyir

For those of you saying to use Akismet and other plugins, those won't work in this situation. Those plugins work when a comment is created, not when a post is editted (which is how this SQL injection hack is working).

As the owner of a web hosting company, I'm inclined to say that while what they are telling you could be correct, I'm not sure if I entirely believe it is the problem in this case, there are so many ways a hacker can do what they are doing. For this hack to work, the hacker needs a valid username/password to your blog that has editting rights. So unless you have a really easy to guess username/password (you really didn't just use "admin" as your username did you???) it's unlikely this is the case.

The main reason I don't believe this injection hack is the problem is that if you look at the link that was posted, first of all it's not on wordpress.org, it's on some russian blog. Secondly, it's dated 2010. I seriously doubt an injection hack would have persisted for the past 18 months.

There's more than one way to do this type of thing, but it really does come down to the hacker getting access to your database. Whether it's through the injection hack that they mentioned, or maybe they figured out your username/password (brute force attacks on a server without a good firewall or defense system can easily give them access), or maybe they got access via the root user on the server somehow. Regardless of how they got access, the server you are on has been compromised.

Here's what you need to do RIGHT NOW:

1) Change ALL of your passwords. Don't use words in your passwords. Go to Strong Password Generator and generate a unique password for each and every login you have. Include symbols, and have it generate passwords that are at least 15 characters long. NEVER use the same password for more than one login.

2) Change ALL of your usernames. I'm not kidding. Especially if you are using "admin" as your wordpress login name.

3) Ask your hosting company to change your cPanel username (takes them about 5 seconds to do).

4) Ask your hosting company what firewall they have. If they tell you they are just using ip_tables, then they are just asking for trouble. If they have something like CSF running and it's setup properly, then it's probably secure.

5) Go into your File Manager in cPanel. Look at every single file. Yes, this is a pain. But if somebody gained access to your account, chances are they uploaded a backdoor file to ensure they can keep accessing your server. If you see a file that doesn't look like it belongs there, chmod it to 000 and then make sure your site still loads properly. If it does, then the file doesn't need to be there.

5a) A really common backdoor is to create a file called "something.jpg" which looks like an image file, but they give it 755 or 777 permissions and it's actually a PHP script. So check your images.

6) Go into your Wordpress and look at all the users you have created. If a hacker gained access to it, they may have created a user without you realizing it. Delete any users you do not recognize.

7) Update your wordpress. If you are using anything below 3.1.0 a simple upgrade that takes only a few minutes should patch any old security holes on your blog.

That won't necessarily stop them, but it should stop about 90% of the hackers that have compromised your account/server.

don't you think that if this was really a sql injection problem with word press that there would be hundreds of thousands of wp sites getting hit?

don't you think that WP would have put out a fix by now?
your hosting company is full of it. their servers got hacked is how this happened.

also, how would anyone get into your server via ftp without knowing/guessing your login?
there is no vulnerability in filezilla or other ftp program that allows this.

if they get access to your system to find your login details, sure, but that is not a problem with filezilla/ftp.


robert

In your hosting control panel make sure that you DO NOT have the "Anonymous ftp" enabled.

If you do then, Disable it!

Good Luck,
Have a Great Day!
Michael

You should contact your web host and ask them about server security. I wonder if mod_security and a firewall is enabled on the server. Mod_security alone can help avoid some of the mysql injection attacks.

Every time you make a blog site, just delete the "xmlrpc.php" in your wordpress platform files to disable trackbacks feature. Spammers can't penetrate you this way.

spammers are not a security problem. they are certainly a problem but this is about hackers not spammers.

robert

Lets hope Wordpress can get a handle on this, and soon, it's inevitable that things like this happens, but usually they get solved before major damage is done

Now...I am not suggesting anyone posting here has done this...

But do not be tempted into installing premium plug-ins that may be offered free or nulled from less than scrupulous sources. This is a very common way of getting blogs messed up.

Quite alarming if you'll ask me. But I suppose you have a back-up of your website, right? This is the reason why we should always update when wordpress tells us to.

Andrea

Wordpress have security holes from time to time due to their flexible features. But this should not stop you from using them. Off the plugins that you do not need and be aware of the plug-ins that you need.

Backing up your files is never a responsibility of the hosting company. It is your responsibility to ensure that you have timely backups with the tools provided by your hosting company.

Do check and test the plug-in first on your mirror site before putting the plugin on your production site =P

limiting the amount plugins on a site and running a security plugin like wp-secure is your best defense against this type of attack

I would:

a) Stay calm and not freak out

If your host is telling the truth, then:

b) Upgrade your Wordpress version to the latest version by going to http://www.yoursite.com/wp-admin/update-core.php

c) Turn off trackbacks (which appear to be causing the security hole) by going to SETTINGS > DISCUSSION > and uncheck 'Allow link notifications from other blogs (pingbacks and trackbacks)' then save.

If you need any further help please PM me! I'll be glad to help.

Sorry to hear about this, the bigger the blogging platform, the more determined hackers are to vandalise it

Wordpress has been the most secure platform I've ever used, so it's surprising that such a 'bug' would remain unnoticed or unpatched.

What version of WP are you using btw?