WP site was hacked...

by Gadi
18 replies
Hey guys.

My WordPress site was hacked lately and ever since I get new posts published automatically like every other day (news articles).


Also I noticed that new links are added to old posts (Viagra and such) with what seems to be an HTML injection.


Does anyone know what to do?
#wordpress hacking
  • Profile picture of the author thunderbird
    That sounds bad. I would delete the entire site, including databases, change ftp passwords, then re-install the entire site with strong passwords and admin username other than "admin".

    That said, WP sites of mine have been hacked before no matter what security measures were taken. Vandals take pride at leaving their cyber-graffiti on sites. Get used to it.

    It is a good idea to periodically back everything up so you can easily set it all up again if you ever need to.
    • Profile picture of the author Gadi
      Originally Posted by thunderbird View Post

      That sounds bad. I would delete the entire site, including databases, change ftp passwords, then re-install the entire site with strong passwords and admin username other than "admin".

      That said, WP sites of mine have been hacked before no matter what security measures were taken. Vandals take pride at leaving their cyber-graffiti on sites. Get used to it.

      It is a good idea to periodically back everything up so you can easily set it all up again if you ever need to.
      The only password I didn’t change was for the ftp, because it tells me that "Special FTP Accounts have special restrictions and cannot be deleted." (I also can’t change the password).

      So, I'm afraid that I would have to do as you said and "delete the entire site". It was more important to me to try and find the "breach" in order to handle things like that, in case they happen again. Thanks.
    • Profile picture of the author Gadi
      Problem solved. I found three plugins (one of which I had) that were hacked and acted as a "back door":

      W3 Total Cache
      AddThis
      WPtouch

      Thanks for trying to help people
      • Profile picture of the author horowitzz
        Your best option would be to change passwords, naturally. Go to your dashboard and look for the "users" somewhere in the settings on the left of the page.... I wouldn't be surprised if you find there are tons of users registered as admins to your account. Just delete all of them, except your own of course..
        • Profile picture of the author fabuluousman
          I use a lockdown plugin to add more security to my blog. Does anyone have another similar plugin?
        • Profile picture of the author Gadi
          Originally Posted by horowitzz View Post

          Your best option would be to change passwords, naturally. Go to your dashboard and look for the "users" somewhere in the settings on the left of the page.... I wouldn't be surprised if you find there are tons of users registered as admins to your account. Just delete all of them, except your own of course..
          No. I'm the only one registered.
      • Profile picture of the author helfgott
        Originally Posted by Gadi View Post

        Problem solved. I found three plugins (one of which I had) that were hacked and acted as a "back door":

        W3 Total Cache
        AddThis
        WPtouch

        Thanks for trying to help people
        Could we get any advice on how to detect this kind of issue? Logs or files? :p
  • Profile picture of the author wanjugu
    Originally Posted by Gadi View Post

    Hey guys.

    My WordPress site was hacked lately and ever since I get new posts published automatically like every other day (news articles).


    Also I noticed that new links are added to old posts (Viagra and such) with what seems to be an HTML injection.


    Does anyone know what to do?
    That's serious, what are you going to do? Are we all at risk?
    • Profile picture of the author Gadi
      Originally Posted by wanjugu View Post

      That's serious, what are you going to do? Are we all at risk?
      You sound like someone who does these things himself...
  • Profile picture of the author RootShell-vb
    Your web site is being spammed not hacked, use Akismet to protect your posts against spammers
    • Profile picture of the author thunderbird
      Originally Posted by RootShell-vb View Post

      Your web site is being spammed not hacked, use Akismet to protect your posts against spammers
      "Also I noticed that new links are added to old posts (Viagra and such) with what seems to be an HTML injection."
      That would be true if these links are just in the comments, but if they're in the actual posts, that is hacking, not spamming.
  • Profile picture of the author RootShell-vb
    Yup, if posts are published automatically.
    OP: Do you have any access_log file in your WP root directory OR in the statistics directory located outside public_html or httdocs?
  • Profile picture of the author HeySal
    Been there and done that. Bites real hard.

    First thing to do is go change your passwords - especially look at your FTP settings and make sure that they are not set to allow anyone's use but your own, and then change the passwords. You have to be ready to act fast, too because these things build holes and can get in faster than you can lock them out.

    Then, do as Gary says - get rid of that copy of the site. You're going to have holes and links all over the thing. If you put a copy up and still have problems, that means they even got into a few files that are your servers and you will need to contact them to change those out, too.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • Profile picture of the author Dennis Gaskill
    When you reinstall, don't use Fantastico. Install WP manually. Change the default WordPress Database Table prefix. Use strong passwords. Don't use Admin for your user name. There's more you could do if you do a little homework, but that will make your WP installation much safer than a Fantastico installation.

    Also, be sure to keep updating to the latest version when WordPress tells you an update is ready.
    Signature

    Just when you think you've got it all figured out, someone changes the rules.

    • Profile picture of the author Sherry Driedger
      I agree with Dennis in that you should not use "admin" as a login name. However, I take this one step further. I assign "admin" as the nickname for an account, and have that nickname shown. I find that this is the name most frequently used by those trying to force their way in. It is unusual to have them try another name they find on the blog (I use WordPress), although I have seen that happen as well.

      I then use the Limit Logins plugin to monitor failed login attempts, lock those IPs out for 24 hours on the first attempt, and notify me so that I can take action. With this information, I have the choice of banning that IP from all of my sites on that hosting account by using the IP Deny Manager in cPanel. IP Deny also allows you to ban an IP range, but that could lead to banning visitors or members you do want. This has really cut down on the number of force password attempts for my sites.

      This may be a bit restrictive if you run a membership site, but for sites with only one legitimate user like mine, it works well.
  • Profile picture of the author Chris Mercer
    Here are a couple of resources I use:

    1. Sucuri - Monitor & Scanner dashboard <- Free Site Scanner that may give you some details as to what you need to fix.

    2. FAQ My site was hacked « WordPress Codex <- The "What do I do now?" guide from WordPress.

    Of course, constant backups and a great security plugin (I like BulletProof Security) are always a good idea.

    Hope that helps!

    - Mercer

    PS: I was doing a bit of digging on this issue... there is a HUGE mass of WP sites that have been hit with something similar... check your wp-settings.php file... look at the bottom for a line that starts with "function google_bot()" and if it's there... remove it. If it is there it's probably because your theme is using timthumb.php (you can find that in your themes folder). Make sure you update to the most recent version. PM me if you need any help!
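The two file checks from the post above (the `function google_bot()` line in wp-settings.php and the timthumb.php copies that need updating), as an added example that is not part of any post in this thread. The function names, the `--demo` flag and the sample tree are constructed for illustration; the install path is whatever your host uses.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Lines of wp-settings.php that contain the injected function, as "N:text".
find_google_bot() {
    [ -f "$1/wp-settings.php" ] || return 0
    grep -nF 'function google_bot()' "$1/wp-settings.php" || true
}

# Every timthumb.php under wp-content (themes and plugins), one per line.
find_timthumb() {
    [ -d "$1/wp-content" ] || return 0
    find "$1/wp-content" -type f -iname 'timthumb.php' | sort
}

# Report both checks; return status 1 means something needs attention.
wp_check() {
    local root="${1:-.}" hits copies status=0
    hits=$(find_google_bot "$root")
    copies=$(find_timthumb "$root")
    if [ -n "$hits" ]; then
        echo "wp-settings.php contains google_bot():"
        echo "$hits" | sed 's/^/  line /'
        status=1
    fi
    if [ -n "$copies" ]; then
        echo "timthumb.php copies to update to the latest version:"
        echo "$copies" | sed 's/^/  /'
        status=1
    fi
    [ "$status" -eq 0 ] && echo "nothing found under $root"
    return "$status"
}

# Constructed sample tree (not real site data); prints its path.
make_demo_tree() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo-theme"
    printf '<?php\n// core code\nfunction google_bot() { }\n' > "$d/wp-settings.php"
    : > "$d/wp-content/themes/demo-theme/timthumb.php"
    echo "$d"
}

# No argument: define the functions only. Otherwise scan the given path.
case "${1:-}" in
    "") ;;
    --demo) wp_check "$(make_demo_tree)" ;;
    *) wp_check "$1" ;;
esac
```

A clean result only covers these two indicators; it does not show that the plugins or the database are untouched.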
  • Profile picture of the author Sherry Driedger
    I just received a notice from my hosting provider on the timthumb.php vulnerability. In the process now of finding all instances so they can be updated.

    They pointed me to this site for more information on what is happening and how to fix the problem: Zero Day Vulnerability in many Wordpress Themes | mm

    Chris' post above has added another area for me to check. Thank you Chris.

    Fortunately, my sites appear to be fine at the moment (touch wood).
  • Profile picture of the author Gadi
    Apparently it wasn't totally solved.
    I don't get new posts published (involuntarily) on my site, but I'm still having links posted on my old posts.
