WP site was hacked…

Hey guys.

My WordPress site was hacked lately and ever since I get new posts published automatically like every other day (news articles).


Also I noticed that new links are added to old posts (Viagra and such) with what seems to be an HTML injection.


Does anyone know what to do?
  • That sounds bad. I would delete the entire site, including databases, change FTP passwords, then re-install the entire site with strong passwords and admin username other than "admin".

    That said, WP sites of mine have been hacked before no matter what security measures were taken. Vandals take pride in leaving their cyber-graffiti on sites. Get used to it.

    It is a good idea to periodically back everything up so you can easily set it all up again if you ever need to.
    • [ 1 ] Thanks
    • [2] replies
    • The only password I didn’t change was for the FTP, because it tells me that "Special FTP Accounts have special restrictions and cannot be deleted." (I also can’t change the password).

      So, I'm afraid that I would have to do as you said and "delete the entire site". It was more important to me to try and find the "breach" in order to handle things like that, in case they happen again. Thanks.
    • Problem solved. I found three plugins (one of which I had) that were hacked and acted as a "back door":

      W3 Total Cache
      AddThis
      WPtouch

      Thanks for trying to help people
      • [2] replies
  • That's serious, what are you going to do? Are we all at risk?
    • [1] reply
    • You sound like someone who does these things himself...
  • Your web site is being spammed, not hacked; use Akismet to protect your posts against spammers.
    • [1] reply
    • That would be true if these links are just in the comments, but if they're in the actual posts, that is hacking, not spamming.
  • Yup, if posts published automatically
    OP: Do you have any access_log file in your WP root directory or in a statistics directory located outside public_html or httpdocs?
  • Been there and done that. Bites real hard.

    First thing to do is go change your passwords - especially look at your FTP settings and make sure that they are not set to allow anyone's use but your own, and then change the passwords. You have to be ready to act fast, too, because these things build holes and can get in faster than you can lock them out.

    Then, do as Gary says - get rid of that copy of the site. You're going to have holes and links all over the thing. If you put a copy up and still have problems, that means they even got into a few files that are your server's and you will need to contact them to change those out, too.
  • When you reinstall, don't use Fantastico. Install WP manually. Change the default WordPress Database Table prefix. Use strong passwords. Don't use Admin for your user name. There's more you could do if you do a little homework, but that will make your WP installation much safer than a Fantastico installation.

    Also, be sure to keep updating to the latest version when WordPress tells you an update is ready.
    • [ 1 ] Thanks
    • [1] reply
    • I agree with Dennis in that you should not use "admin" as a login name. However, I take this one step further. I assign "admin" as the nickname for an account, and have that nickname shown. I find that this is the name most frequently used by those trying to force their way in. It is unusual to have them try another name they find on the blog (I use WordPress), although I have seen that happen as well.

      I then use the Limit Logins plugin to monitor failed login attempts, lock those IPs out for 24 hours on the first attempt, and notify me so that I can take action. With this information, I have the choice of banning that IP from all of my sites on that hosting account by using the IP Deny Manager in cPanel. IP Deny also allows you to ban an IP range, but that could lead to banning visitors or members you do want. This has really cut down on the number of force password attempts for my sites.

      This may be a bit restrictive if you run a membership site, but for sites with only one legitimate user like mine, it works well.
  • Here are a couple of resources I use:

    1. Sucuri - Monitor & Scanner dashboard <- Free Site Scanner that may give you some details as to what you need to fix.

    2. FAQ My site was hacked « WordPress Codex <- The "What do I do now?" guide from WordPress.

    Of course, constant backups and a great security plugin (I like BulletProof Security) are always a good idea.

    Hope that helps!

    - Mercer

    PS: I was doing a bit of digging on this issue... there is a HUGE mass of WP sites that have been hit with something similar... check your wp-settings.php file... look at the bottom for a line that starts with "function google_bot()" and if it's there... remove it. If it is there it's probably because your theme is using timthumb.php (you can find that in your themes folder). Make sure you update to the most recent version. PM me if you need any help!
    • [ 3 ] Thanks
  • I just received a notice from my hosting provider on the timthumb.php vulnerability. In the process now of finding all instances so they can be updated.

    They pointed me to this site for more information on what is happening and how to fix the problem: Zero Day Vulnerability in many Wordpress Themes | mm

    Chris' post above has added another area for me to check. Thank you Chris.

    Fortunately, my sites appear to be fine at the moment (touch wood).
    • [ 1 ] Thanks
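
The two checks described in the posts above (the `function google_bot()` line in wp-settings.php, and finding every timthumb.php so it can be updated), as an added shell example that is not part of the thread. The version-line pattern and the sample tree's theme and plugin names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes a standard WordPress layout.

# Every timthumb.php under the tree, as "version<TAB>path".
# Assumption: a copy declares its version as define('VERSION', 'x.y');
# copies without such a line are reported as "unknown".
list_timthumb() {
  find "$1" -type f -iname 'timthumb.php' 2>/dev/null | sort |
  while IFS= read -r f; do
    v=$(sed -nE "s/.*define[[:space:]]*\([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]+)['\"].*/\1/p" "$f" | head -n 1)
    printf '%s\t%s\n' "${v:-unknown}" "$f"
  done
}

# Numbered lines of wp-settings.php that start with "function google_bot()".
# Exit status: 0 = line present, 1 = absent, 2 = wp-settings.php missing.
check_wp_settings() {
  local f="$1/wp-settings.php"
  [ -f "$f" ] || return 2
  grep -nE '^[[:space:]]*function[[:space:]]+google_bot[[:space:]]*\(' "$f"
}

# Constructed sample tree (hypothetical theme/plugin names) for an offline run.
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/demo-theme/scripts" \
           "$root/wp-content/plugins/demo-plugin"
  printf '<?php\n// core bootstrap\nfunction google_bot() { /* injected */ }\n' \
    > "$root/wp-settings.php"
  printf "<?php\ndefine ('VERSION', '0.0.1');\n" \
    > "$root/wp-content/themes/demo-theme/scripts/timthumb.php"
  printf '<?php\n// no version line\n' \
    > "$root/wp-content/plugins/demo-plugin/timthumb.php"
  echo "$root"
}

audit() {
  echo "timthumb.php copies (version, path):"
  list_timthumb "$1"
  echo "wp-settings.php lines starting with function google_bot():"
  check_wp_settings "$1" || echo "none found (or wp-settings.php missing)"
}

# Usage: audit.sh /path/to/wordpress   (no argument: run on the sample tree)
audit "${1:-$(make_sample_tree)}"
```

Plugins can bundle their own copy of timthumb.php, so the search covers the whole install and not only the themes folder.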
  • Apparently it wasn't totally solved.
    I don't get new posts published (involuntarily) on my site, but I'm still having links posted on my old posts.