My WordPress site "Hacked"?

14 replies
So yesterday I got an email from my host telling me that my account had been suspended because "Someone entered under your account and
created subdomain
"paypal.com.us.cgi.bin.blah blah blah blah.mywebsite.com""

First question. How could someone hack my account? I have a very very secure password. My computer and network are also both very secure, and I am very thorough about pages I visit and things I download.

Secondly, they were nice enough to give me all my files back (I didn't have backups). How do I go about making sure all the phishing stuff has been removed, and then how do I go about getting all the WordPress files and database files back onto my hosting? I can install WordPress from scratch, but reinstalling one that has already been set up... Wouldn't even know where to start.

Thanks!
#hacked #site #wordpress
  • Profile picture of the author Abledragon
    I'm sorry to hear that - it's horrible when this happens.

    It sounds as though you don't have a backup of your WordPress site. If that's the case then you probably have no option other than to re-install WordPress and re-load your content (assuming you created the original content in Word or some other application and have it saved on your computer).

    There are countless ways someone could have hacked your site, including getting access to the server your site is on via another entry - i.e. not your specific site.

    This article goes into some more details of the options you have for restoring your WordPress site and some steps to help prevent it being hacked again in the future:

    WordPress Security: How to Fix Your Site if it is Hacked | WealthyDragon

    Good luck with getting everything cleaned up!

    Cheers,

    Martin.
    Signature
    WealthyDragon - Earning My Living Online
    • Profile picture of the author Kingfish85
      Originally Posted by Abledragon View Post

      I'm sorry to hear that - it's horrible when this happens.

      It sounds as though you don't have a backup of your WordPress site. If that's the case then you probably have no option other than to re-install WordPress and re-load your content (assuming you created the original content in Word or some other application and have it saved on your computer).

      There are countless ways someone could have hacked your site, including getting access to the server your site is on via another entry - i.e. not your specific site.

      This article goes into some more details of the options you have for restoring your WordPress site and some steps to help prevent it being hacked again in the future:

      WordPress Security: How to Fix Your Site if it is Hacked | WealthyDragon

      Good luck with getting everything cleaned up!

      Cheers,

      Martin.
      I see in your signature and on that site a bunch of security this, protect that etc. Would you mind explaining what exactly your "plugins" proactively do as far as security goes? From what I can gather, both services or plugins "scan" and tell you when something goes wrong, not actually stop it or prevent it from the get go when a thorough "by hand" audit/secure would...

      Just asking, because everyone and their brother has some fancy WordPress security plugin nowadays..
      Signature

      |~| VeeroTech Hosting - sales @ veerotech.net
      |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
      |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
      |~| Visit us @veerotech Facebook - Twitter - LinkedIn

      • Profile picture of the author Abledragon
        Originally Posted by Kingfish85 View Post

        ...Would you mind explaining what exactly your "plugins" proactively do as far as security goes? From what I can gather, both services or plugins "scan" and tell you when something goes wrong, not actually stop it or prevent it from the get go when a thorough "by hand" audit/secure would...

        Just asking, because everyone and their brother has some fancy WordPress security plugin nowadays..
        WP-Security-Scan scans your site for security vulnerabilities and highlights things that you need to change to strengthen your site against hackers.

        It does not prevent an active attack, for example, a brute force attack. I use Login Lockdown for that.

        However, making the changes it recommends will strengthen the defences of your site against hackers.

        Website Defender scans your site each day and reports on any changes to any files or file structure. Again, it does not proactively block attackers in the way a firewall would.

        Summary: WP-Security-Scan alerts you to things you should change to strengthen your site and Website Defender alerts you to anything that has changed in your site structure.

        Do keep in mind that if someone wants to get into your site badly enough, they will. Even highly protected Government sites get hacked. So NO site can ever be said to be totally secure.

        What these will do, though, is protect your site against most automated bot hacking attempts.

        By the way - they're not my plugins! They're just plugins (WP-Security-Scan and Login Lockdown) and a service (Website defender) that I use.

        Cheers,

        Martin.
        • Profile picture of the author Kingfish85
          Originally Posted by Abledragon View Post

          WP-Security-Scan scans your site for security vulnerabilities and highlights things that you need to change to strengthen your site against hackers.

          It does not prevent an active attack, for example, a brute force attack. I use Login Lockdown for that.

          However, making the changes it recommends will strengthen the defences of your site against hackers.

          Website Defender scans your site each day and reports on any changes to any files or file structure. Again, it does not proactively block attackers in the way a firewall would.

          Summary: WP-Security-Scan alerts you to things you should change to strengthen your site and Website Defender alerts you to anything that has changed in your site structure.

          Do keep in mind that if someone wants to get into your site badly enough, they will. Even highly protected Government sites get hacked. So NO site can ever be said to be totally secure.

          What these will do, though, is protect your site against most automated bot hacking attempts.

          By the way - they're not my plugins! They're just plugins (WP-Security-Scan and Login Lockdown) and a service (Website defender) that I use.

          Cheers,

          Martin.
          I see, so to be correct this isn't "your" company? I'm interested in learning more if it is your company. If not, I'll contact them directly.
  • Profile picture of the author Kingfish85
    Originally Posted by BenWesty View Post

    So yesterday I got an email from my host telling me that my account had been suspended because "Someone entered under your account and
    created subdomain
    "paypal.com.us.cgi.bin.blah blah blah blah.mywebsite.com""

    First question. How could someone hack my account? I have a very very secure password. My computer and network are also both very secure, and I am very thorough about pages I visit and things I download.

    Secondly, they were nice enough to give me all my files back (I didn't have backups). How do I go about making sure all the phishing stuff has been removed, and then how do I go about getting all the WordPress files and database files back onto my hosting? I can install WordPress from scratch, but reinstalling one that has already been set up... Wouldn't even know where to start.

    Thanks!
    Your first sentence tells me that WordPress most likely wasn't the problem. Just because you had what you thought was a secure password does not mean it is. Many people think something like a word substituted with special characters & numbers is secure.
    • Profile picture of the author BenWesty
      Originally Posted by Kingfish85 View Post

      Your first sentence tells me that WordPress most likely wasn't the problem. Just because you had what you thought was a secure password does not mean it is. Many people think something like a word substituted with special characters & numbers is secure.
      Trust me, my randomized 12 digit password is secure. The chances of someone "guessing" it is statistically impossible.
      • Profile picture of the author Kingfish85
        Originally Posted by BenWesty View Post

        Trust me, my randomized 12 digit password is secure. The chances of someone "guessing" it is statistically impossible.
        You'd be surprised.

        EDIT: Anyway, there's no point in going back and forth on that. Was your web host able to analyze the logs and give any more info?
        • Profile picture of the author BenWesty
          Originally Posted by Kingfish85 View Post

          You'd be surprised.

          EDIT: Anyway, there's no point in going back and forth on that. Was your web host able to analyze the logs and give any more info?
          I'm no maths buff, but according to my calculations a randomized 12 digit password containing both letters and numbers, would have 3.379220508056641e+18 possible combinations. That's going to be one very lucky guess...


          They looked at the logs and said someone under a certain IP had logged onto my account and created a subdomain for the phishing page. They have since banned that IP. Although that obviously won't stop him. I just need to know how he got my details.

          Also, how am I supposed to re-upload these WordPress files (and database)?
          • Profile picture of the author pandu99
            You can check your index.php in your root to resolve your problem.
          • Profile picture of the author RichKent
            Originally Posted by BenWesty View Post

            Also, how am I supposed to re-upload these WordPress files (and database)?
            Do you have a copy of the database? If so, it's straightforward:

            I'm assuming you'll have a new hosting account, so first you'll need to get the name servers and change DNS at your registrar.

            Next, assuming cPanel or something similar, go to Databases on the menu, and create a new one. Name it something random and copy down the name. Then create a database user account with a complex password. Copy the username and password. Finally, assign the user to the database and when it asks you what permissions assign all, then save it.

            Next you'll have to go into phpMyAdmin - should be right next to the database in the menu. In phpMyAdmin you'll want to select the database you just created, then from the menu at the top select 'import', and import the MySQL file (database) that you hopefully have from your host.

            Next go into the files themselves. Look in the main directory for a file called wp-config.php. Open the file in a text editor, and near the top you'll see define DB-NAME, DB USER, and DB Password all in single quotes. Next to each is the quoted DB name, User name, and user PW. Replace with the ones you just created - make sure to leave the single quotes in place, then save the file.

            Now upload all the files to your new hosting account in public_html.

            That should do it.
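Before a restored copy is re-uploaded as described above, the file tree can be checked for leftovers of the phishing page. The following is an added example, not part of any post in this thread: the function names, the keyword list and the sample tree are constructed for illustration, and it assumes the subdomain's files were placed in a folder inside the site root.

```python
import os
import re
import tempfile

# Entries found in the root of a stock WordPress install.
STOCK_ROOT = {
    "wp-admin", "wp-content", "wp-includes", ".htaccess", "index.php",
    "license.txt", "readme.html", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php",
}
# Assumed keyword list; "paypal" is taken from the subdomain named in the thread.
BRAND = re.compile(r"paypal", re.I)

def build_sample_tree():
    """Constructed sample: a stock-looking site plus planted anomalies."""
    root = tempfile.mkdtemp()
    for rel in ("index.php", "wp-config.php", "wp-admin/index.php",
                "wp-content/uploads/2012/08/photo.jpg",
                "wp-content/uploads/2012/08/cache.php",
                "paypal.com.us.cgi.bin/login.html"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

def audit_backup(root):
    """Return sorted (reason, relative_path) findings for a restored site tree."""
    findings = set()
    for name in os.listdir(root):
        if name not in STOCK_ROOT:
            findings.add(("non-stock entry in site root", name))
    uploads = os.path.join("wp-content", "uploads")
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in dirnames + filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if BRAND.search(name):
                findings.add(("brand name in path", rel))
            # The uploads folder holds media; PHP there is worth reviewing.
            if rel.startswith(uploads + os.sep) and name.lower().endswith((".php", ".phtml")):
                findings.add(("PHP file under uploads", rel))
    return sorted(findings)

if __name__ == "__main__":
    for reason, rel in audit_backup(build_sample_tree()):
        print(f"{reason}: {rel}")
```

A finding marks a file or folder to inspect by hand before upload; legitimate extras in the site root (for example robots.txt) will also be listed.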
  • Profile picture of the author chrislim2888
    It may not necessarily be related to your strong password. Indeed, it would take centuries to brute force it. However, hackers still have ways to sneak into your website via various vulnerabilities in the WordPress platform.

    Therefore, always keep your WordPress version updated and check on their forum whether they have a patch release for security threats.
  • Profile picture of the author praveenpious
    They used to target my website every week. It was disappointing to see the 'hacked' banner of some rebel group. Adding to the woe was the fact that I never knew how to take backups. Someone recommended that I should disable all the plug-ins. I did the same and the hacking stopped.
  • Profile picture of the author doeenj
    Your WordPress was being used for a PayPal phishing scam page. If you have a secure password, the only chance for a hacker to get your password is with some keylogger, or maybe you have a vuln in your WordPress.
  • Profile picture of the author James Minnie
    That is why they are called "Hackers" – and they're good!

    Tip: Personally had two of my sites hacked before I installed the "Wordfence" plugin. Ever since, no problem. You will be amazed what is happening on the Web (that you don't know about) from the security reports you get. Even attempts to utilize the password retrieval option in the WordPress login.

    All the best...