I think I’ve been hacked

         

jrpfhc

10:20 pm on Oct 11, 2020 (gmt 0)

5+ Year Member



Hello all. I got an email from Google saying that there was a new verified owner in my webmaster tools under the site/web.

I was able to see they’ve added pages under this /web folder by doing a “past 24 hours” Google search.

Anyway, I have 2 factor authentication and don’t believe they got in through the main WordPress dashboard.

Does anybody have any resources on how to secure my site and kill their access? Any help is appreciated. Thank you so much.

not2easy

3:05 am on Oct 12, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Did the email offer you a means to dispute the changes? Have you logged in to GSC to dispute the "New Owner"? They would need to have been able to upload files in order to convince Google to change that information.

To kill their access, you need to alter your login before they do that, and I would also change your hosting login and remove any accounts you have not created or authorized.

Visit Google's "Hacked Sites" center for advice and tools to help: [support.google.com...]

jrpfhc

3:13 am on Oct 12, 2020 (gmt 0)

5+ Year Member



Thank you very much!

jrpfhc

3:19 am on Oct 12, 2020 (gmt 0)

5+ Year Member



I changed my login for my hosting and my root WHM password. I am still an owner. They seem to not be able to or unwilling to remove me. They have just added themselves. Hopefully that’ll take care of it and I’ll restore a backup from a couple of weeks ago in the morning.

I really appreciate the response. Have a great night.

engine

8:38 am on Oct 12, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I'm sorry to hear this news, and it can be incredibly frustrating.

I can't say there's a one-size-fits-all solution as every instance is different. There's been good advice from not2easy.

There's a comprehensive paper which might be worth reviewing, published (PDF) by University of California, Berkeley, Google, and International Computer Science Institute, titled "Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension":
[static.googleusercontent.com...]

Part of the process should be to establish how it came about to help stop it again.

martinibuster

3:07 am on Oct 13, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Did you remove the false owner from the GSC? You need to get them out.

Using phpMyAdmin, check your database logs to see if there are new subscribers, admins, editors etc. that you don't recognize.

Then check your WordPress folders via FTP and look for the most recently modified files. Those may be folders/files that they created to keep a door open for themselves.

Two factor auth doesn't protect you from a vulnerability that gives a hacker access to add files and manipulate the database.

Take an inventory of your theme and plugins, check to see if any are recently flagged as compromised or have been abandoned.

You're hacked.

Good luck!

Roger Montti
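
Added example, not part of the thread or any poster's code: a small Python script for the "most recently modified files" check suggested above, run on the server or on a downloaded copy of the site instead of eyeballing dates over FTP. It assumes a stock WordPress layout (`wp-admin`, `wp-content`, `wp-includes`) and that Search Console HTML-file verification tokens are named `google<token>.html`; the flag names are made up for this example.

```python
import os
import re
import sys
import time
from pathlib import Path

# Assumptions (not from the thread): a stock WordPress layout, and Search Console
# HTML-file verification tokens named google<token>.html.
CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}
EXEC_EXT = {".php", ".phtml", ".phar"}
GSC_FILE = re.compile(r"^google[0-9a-z]+\.html$")


def classify(rel):
    """Return review flags for a path relative to the WordPress root."""
    parts = rel.split("/")
    flags = []
    if len(parts) > 1 and parts[0] not in CORE_DIRS:
        flags.append("outside-core-dirs")        # e.g. an unexpected /web folder
    if GSC_FILE.match(parts[-1]):
        flags.append("gsc-verification-file")    # could back an added GSC owner
    if rel.startswith("wp-content/uploads/") and Path(rel).suffix.lower() in EXEC_EXT:
        flags.append("script-in-uploads")        # heuristic: uploads normally hold media
    if parts[-1] == ".htaccess":
        flags.append("htaccess")
    return flags


def recent_files(root, days=14, now=None):
    """List (mtime, relative path, flags) for files changed in the last `days`, newest first."""
    cutoff = (time.time() if now is None else now) - days * 86400
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            try:
                mtime = path.lstat().st_mtime
            except OSError:
                continue                          # file vanished or unreadable
            if mtime >= cutoff:
                rel = path.relative_to(root).as_posix()
                hits.append((mtime, rel, classify(rel)))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    for mtime, rel, flags in recent_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.gmtime(mtime))
        print(stamp, rel, ",".join(flags) or "-")
```

Modification times can be reset by whoever wrote the files, so an empty result does not prove a clean site; comparing the tree against a known-good backup or fresh WordPress, theme and plugin packages is the stronger check.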