I've Been Hacked Repeatedly, "Help"...

34 replies
Hi folks,

I've been hacked three times in the past month. I've hired Site Doctor twice now, this last time they've been trying to give me a clean cpanel backup three times in a row so I can switch hosts.

The new host saw the hacks on the first attempt to put my sites up under their service, but missed them all the second time, as apparently Site Doctor has as well.

I am extremely frustrated. It's as if all these professionals can't see the hacks.

What is happening is that some people are seeing our sites without issue, while others are seeing spam crap on them.

At first, my header looked broken on one of our sites, so I was going to go in and fix it, only to have my current host and other site-checkers see the site fine.

Other times I'd load another site only to see the spam all over the page...refresh the page to see the page as it's supposed to look.

I use WordPress, Bluehost.

Any suggestions would be welcome. I was trying to go to a new hosting service, but since they didn't spot the hacks, I question their competence. Any suggestions about anything would be appreciated.
#hacked #repeatedly
  • Profile picture of the author Nuno
    You need to know where the "hackers" are entering, most webhosting companies won't fix scripts with vulnerabilities. Always keep WP update and be careful with the plugins you use...
    Signature
    I have 15+ years of experience & millions of visitors (I'm also a warrior since 2002)!
    NunoAlex.com explains how I can help.
    I'm looking for a limited number of serious partners.
    {{ DiscussionBoard.errors[8910727].message }}
    • Profile picture of the author RetroFit
      Thank you for your input. When you say "be careful with plugins," can you be more specific? Is there a way to test plugins? Thanks.
      {{ DiscussionBoard.errors[8910755].message }}
      • Profile picture of the author Nuno
        Unless you are a php master you cannot test them. You need to know if they are currently updated (not abandoned).
        A plugin is just a script, if it's insecure... it's a doorway to your system.
        Signature
        I have 15+ years of experience & millions of visitors (I'm also a warrior since 2002)!
        NunoAlex.com explains how I can help.
        I'm looking for a limited number of serious partners.
        {{ DiscussionBoard.errors[8910758].message }}
    • Profile picture of the author RetroFit
      Thank you everyone for your inputs, I would be happy to have keep coming...

      Several of you are going way over my head with techie-stuff that I do not know how to do.

      I used sucuri's on-site checker for these websites and it found nothing wrong...so I don't have much confidence in them.

      I am considering dumping everything and starting over, because if several rounds of professionals cannot eliminate this, I'm just going to find a new host and start over.

      I would welcome hosting ideas. I can't believe it has been THIS HARD to find a decent recommendation for a host. I'm willing to pay two to three times what BH charges if I find one I can have confidence in, esp with WP. Thanks.

      And thank you to the admins on this site for not deleting my post like you do half the time for whatever reason. Especially as a paying customer (tho I won't be buying any plugins likely ever again)...
      {{ DiscussionBoard.errors[8912762].message }}
      • Profile picture of the author Katie Rich
        Originally Posted by RetroFit View Post

        And thank you to the admins on this site for not deleting my post like you do half the time for whatever reason. Especially as a paying customer (tho I won't be buying any plugins likely ever again)...
        Paying for what? You have been given some good advice for free here.

        For hosting I use Veerotech, they advertise on warrior forum and have been very helpful when I have a problem.

        Plugins - Wordfence, Limit Login and Spam Free Wordpress. All free.
        {{ DiscussionBoard.errors[9172793].message }}
        • Profile picture of the author Kingfish85
          Originally Posted by Katie Rich View Post

          Paying for what? You have been given some good advice for free here.

          For hosting I use Veerotech, they advertise on warrior forum and have been very helpful when I have a problem.

          Plugins - Wordfence, Limit Login and Spam Free Wordpress. All free.
          Thanks for the mention here.
          {{ DiscussionBoard.errors[9173215].message }}
  • Profile picture of the author DireStraits
    A wise man said the definition of insanity is doing the same thing repeatedly while expecting different results.

    Even if your host isn't at fault, you can't expect everything to be okay when you're just restoring from the same backup over and over again. Even excluding your themes, plugins and other customisations doesn't rule out the possibility that your core files contain malicious code. You're just restoring to the same compromised or vulnerable state ready for another round of frustration.

    Before you do anything, take that cPanel backup for good measure. But don't do anything with it.

    Can you access the Wordpress admin panel at all? If memory serves, there should be a backup/restore facility in there that outputs just your posts, pages and comments to an XML file.

    If you can get that, you can wipe everything clean and start afresh with a new, preferably manual installation (not through the cPanel/Fantastico auto-installer or whatever) and then restore all that stuff in the same way.

    The problem with this method is that you'll have none of the images or uploads associated with your posts, which aren't stored in the database. But you can manually go through all those folders to ensure there's nothing nasty in there before uploading them again.

    This way, you've essentially rebuilt your site from scratch by bringing over the very minimum of files and data from before. Everything should be okay content-wise, and you can start looking at putting your themes and plugins back - but very carefully, and not before going through them all with a fine-toothed comb. Leave out everything that's unnecessary and those less popular plugins that don't appear to be actively maintained.

    There's still bound to be a few loose ends with this method, and I'm afraid it doesn't preserve whatever data your plugins put in the database, if any. But for relatively small and simple sites this can work well as a last resort.
    {{ DiscussionBoard.errors[8910871].message }}
  • Profile picture of the author Lanii
    Sounds like wp-head injection. Are you using nulled templates or plugins? The guy who shared it, has most likely made there injection code. This can happen even if you downloaded it from wordpress plugins database.

    I cant remember plugin name, but search on wordpress plugins "vulnerability scan" or something similar. There is few plugins that is made to find exploits on plugins and templates you are using.

    Hope you get it fixed
    {{ DiscussionBoard.errors[8910891].message }}
  • Profile picture of the author RobinInTexas
    There are some good scanners that will look at all the files on the server. I tend to depend on Wordfence, and that seems to so a good job. If you have any plugins obtained from sites other than WordPress.org, Wordfence only looks for known exploits and cannot compare them to the distributions, you might run those files through virustotal just for a second look if you can't do without them.
    Signature

    Robin



    ...Even if you're on the right track, you'll get run over if you just set there.
    {{ DiscussionBoard.errors[8910900].message }}
  • Profile picture of the author karolk
    Here's what you can do to prevent any hacking attempts:

    - get a plugin like bulletproof security - it's an .htaccess protection plugin, works rather well
    - don't use BlueHost (it's an EIG company and they are known for lowering the quality of their service)
    - check out Sucuri Security - a great solution for website monitoring
    - use a backing up plugin for WP - something like Online Backup For WordPress - it will allow you to restore your site, should anything bad happen
    - use these two plugins for more protection: WordPress › Theme Authenticity Checker (TAC) « WordPress Plugins and WordPress › AntiVirus « WordPress Plugins

    I had my site hacked twice. Nothing nice. Anyway, if you're interested, I described some of my adventures here: There's Some Malware on Your Site
    Signature

    You know what, I won't try to lead you in with fake promises and false advertising. So let me just be honest. If you're looking for some online business advice for normal people (with no hype and constant product pushing) then hop over to newinternetorder.com

    {{ DiscussionBoard.errors[8910904].message }}
  • Profile picture of the author eklipz316
    Make sure you're changing all access passwords including the ones for your hosting panel, FTP, and your website's MYSQL database. And make sure you're using a super secure password with at least one capital letter, multiple numbers, and a symbol or two wouldn't be a bad idea either.

    Also make sure you're keeping Wordpress up to date along with all the plugins you use. It might be a good idea to actually go though plugin by plugin and go check out the official plugin rankings and comments on the Wordpress website. In fact, a complete Wordpress and plugin reinstall may be in order. This would get rid of any rouge files the hackers may have put on your system during the first attack.
    {{ DiscussionBoard.errors[8910963].message }}
  • Profile picture of the author DiggitySEO
    In addition to what everyone else has mentioned, add the Wordpress plug in: Limited Login Attempts.
    Signature
    ..:: High PR Backlinks for Sale | 100% Safe | Over 2000 Orders ::..
    Email orders@diggitymarketing.com for more information.
    {{ DiscussionBoard.errors[8911013].message }}
  • Profile picture of the author Sean DeSilva
    I second the recommendation for wordfence, a stellar plug-in that even seems to keep my own outsourcers out if they're acting too suspicious :-)
    {{ DiscussionBoard.errors[8911381].message }}
  • Profile picture of the author onSubie
    These are free Wordpress.org plugins that will check theme security.

    Theme Authenticity Checker
    Exploit Scanner
    Theme Check

    It is also possible that they are attacking a vulnerability in WP to inject the code externally from the website interface.

    You can use these WP plugins to help secure your site:

    Block Bad Queries
    Wordfence
    WP Security Scan

    Just search plugins at WP or in your dashboard to read more or install them.
    {{ DiscussionBoard.errors[8911561].message }}
    • Profile picture of the author joe ferdinando
      Ok lets start with the security basic!

      1) with your FTP program go your your site public_html file
      a) Set permissions
      all file set to 644
      all folders 755
      do this in all directories
      2) Your config file
      set permission to 600
      3) Go to your admin directory
      delete install.php and install helper php files

      Then add a security plugin if you like! there are many
      check out security plugin
      Signature
      {{ DiscussionBoard.errors[8911852].message }}
  • Profile picture of the author Trivum
    When I was repeatedly hacked and the person I hired couldn't seem to get rid of them, I went to Sucuri Security -- they did the trick, and then installed their monitoring system. One site was about $90/year at that time, but you can buy packages too.
    {{ DiscussionBoard.errors[8911982].message }}
  • Profile picture of the author Myles Sinclair
    Originally Posted by RetroFit View Post


    "......At first, my header looked broken on one of our sites, so I was going to go in and fix it, only to have my current host and other site-checkers see the site fine.

    Other times I'd load another site only to see the spam all over the page...refresh the page to see the page as it's supposed to look...."
    It sounds like you are viewing hacked pages stored in your browser cache. This may explain why other people are viewing the page OK, but you're seeing hacked pages. If the problem has been reported as fixed, try clearing your browser cache before checking your pages.
    {{ DiscussionBoard.errors[8911991].message }}
  • Profile picture of the author uk099
    2 key plugins are

    Wordfence
    WP File Monitor <<< this one will tell everytime a file chnages
    {{ DiscussionBoard.errors[8913135].message }}
  • Profile picture of the author ezjob
    I use "Limit Login Attempts" plugin.

    Works fine for me.
    Ez
    {{ DiscussionBoard.errors[8913311].message }}
  • Profile picture of the author julianaS
    never use null theme and use security plugin like better wp plugin to protect it.
    {{ DiscussionBoard.errors[8913403].message }}
  • Profile picture of the author JensSteyaert
    I'm no expert but the obvious reason could be a plugin which isn't updated... A simple line of code can cause hackers to get access.

    Wordpress is great, but the free plugins you download somewhere can cause serious problems. Always be careful what you download and never ever download nulled plugins or themes.
    {{ DiscussionBoard.errors[9172706].message }}
  • Profile picture of the author Danny Shaw
    I would run your site through cloudflare from your host.
    Signature
    **5 DAY FREE TRIAL** - The ultimate social media bot (FB, Instagram, Pinterest & G+).........
    Grab it >> HERE
    {{ DiscussionBoard.errors[9172716].message }}
  • Profile picture of the author Sheryl Bagley
    ...or have it scanned by a professional IT fellow. Maybe you will have to build it again with all the breaches in it.
    {{ DiscussionBoard.errors[9174953].message }}
  • Profile picture of the author barbling
    If you're looking for a professional to help, ping Nathan Briggs at

    WordPress stressing you out? - Nathan Briggs

    'taint nothing the man doesn't know about WP Security.

    Judy K is also hugely knowledgeable as well.

    Plugins I use are

    https://wordpress.org/plugins/wordfence/

    WordPress › Support » All In One WP Security & Firewall

    Best of skill fixing it!
    {{ DiscussionBoard.errors[9174975].message }}
  • Profile picture of the author seobro
    I am guessing you are using word press. Well, that is just a guess. STOP using word press. I use plain HTML and it uses a lot less resources. That allows me to make a profit and building my sites is way easy. Hey, trust me on this one. NERD press is a resource pig. Also, breaking in is a snap. Like stay away from programs that use MYSQL - stay away.
    {{ DiscussionBoard.errors[9178195].message }}
  • Profile picture of the author Ord Allenbea
    The first problem you have is using bluehost and the 2nd is using wordpress as a website. If you contact me I can stop the hacking 100% for you and even host you on a dedicated secured server. I can help you protect wordpress as I have ripped the coding part back and front many times.

    Originally Posted by RetroFit View Post

    Hi folks,

    I've been hacked three times in the past month. I've hired Site Doctor twice now, this last time they've been trying to give me a clean cpanel backup three times in a row so I can switch hosts.

    The new host saw the hacks on the first attempt to put my sites up under their service, but missed them all the second time, as apparently Site Doctor has as well.

    I am extremely frustrated. It's as if all these professionals can't see the hacks.

    What is happening is that some people are seeing our sites without issue, while others are seeing spam crap on them.

    At first, my header looked broken on one of our sites, so I was going to go in and fix it, only to have my current host and other site-checkers see the site fine.

    Other times I'd load another site only to see the spam all over the page...refresh the page to see the page as it's supposed to look.

    I use WordPress, Bluehost.

    Any suggestions would be welcome. I was trying to go to a new hosting service, but since they didn't spot the hacks, I question their competence. Any suggestions about anything would be appreciated.
    {{ DiscussionBoard.errors[9178231].message }}
  • Profile picture of the author Aaron0669
    Originally Posted by RetroFit View Post

    Hi folks,

    I've been hacked three times in the past month. I've hired Site Doctor twice now, this last time they've been trying to give me a clean cpanel backup three times in a row so I can switch hosts.

    I use WordPress, Bluehost.

    Any suggestions would be welcome. I was trying to go to a new hosting service, but since they didn't spot the hacks, I question their competence. Any suggestions about anything would be appreciated.
    What is your admin login username for both cpanel and wordpress? If it is admin, then you better add another admin account with another name, and delete the one with the username. Change it to something totally unrelated to your site and secure with a good password. That is the first line of defence you should have.
    Signature

    Get my Free Report "How to setup your blog in 7 minutes"
    http://boonkoh.com/7minuteswpsetup

    {{ DiscussionBoard.errors[9178434].message }}
  • Profile picture of the author yukon
    Banned
    Originally Posted by RetroFit View Post

    I use WordPress,
    How to check your site for base64 links
    Signature
    Hi
    {{ DiscussionBoard.errors[9178554].message }}
  • Profile picture of the author DireStraits
    Everyone: It seems this thread had lain dormant from the back end of January until a few days ago, when JensSteyaert mysteriously revived it. Unless I'm missing something (e.g. the OP's reappearance in posts subsequently deleted) there appears little point in sustaining it?
    {{ DiscussionBoard.errors[9178665].message }}
    • Profile picture of the author Chris Silvey
      Originally Posted by DireStraits View Post

      Everyone: It seems this thread had lain dormant from the back end of January until a few days ago, when JensSteyaert mysteriously revived it. Unless I'm missing something (e.g. the OP's reappearance in posts subsequently deleted) there appears little point in sustaining it?
      Actually there is, and this is very important to the community.

      A good number of antivirus programs will flag an infected site and block/kill the links to it without the owner being aware of it.

      Thus vendors and affiliates lose out. I had this issue happen to me back in 2012. One of my vendors sites was infected. At the time from my perspective the vendor site was down, but after checking with a browser service. The site was up like the vendor told me in an email. It was my anti virus program blocking the site and killing the links.
      Signature
      WP Animate - Increases Conversions & Clicks!
      Create Amazing CSS3 Animations in just a few Clicks - New!

      WPHeadline.net - Create Blazing Headlines in just a few clicks. Updated to WordPress 4.1.1
      {{ DiscussionBoard.errors[9178696].message }}
    • Profile picture of the author Ord Allenbea
      Regardless it is still best for others to have options and understand the options they have.

      For instance many go running to a "security plugin" when in fact you can secure wordpress yourself without any plugins.

      Changing the WP_ prefix is not very hard
      Adding additional security or hiding the actual login page is not hard
      Changing files can be done with any simple text editor
      None of these require "another" plugin

      Originally Posted by DireStraits View Post

      Everyone: It seems this thread had lain dormant from the back end of January until a few days ago, when JensSteyaert mysteriously revived it. Unless I'm missing something (e.g. the OP's reappearance in posts subsequently deleted) there appears little point in sustaining it?
      {{ DiscussionBoard.errors[9179089].message }}
  • Profile picture of the author DURABLEOILCOM
    Web root is the best out there
    {{ DiscussionBoard.errors[9178839].message }}
  • Profile picture of the author Vincent Denali
    I'm finding this information useful.
    {{ DiscussionBoard.errors[9178860].message }}

Trending Topics