My site was hacked - possibly infected - WordPress forum at WebmasterWorld

Forum Moderators: rogerd & travelin cat

Message Too Old, No Replies

My site was hacked - possibly infected

how to clear out a hacked site

Icinine

11:27 pm on Feb 3, 2015 (gmt 0)

Hello all,

A site I operate was hacked yesterday, I managed to get the site back online, ostensibly it was just the frontpage index.php that was altered, so reverting it back to the original wordpress code fixed it.
However, around the same time tonight, the same page reinstated itself. I have Bulletproof security and Limit Login Attempts installed. I'm not thinking that a plugin Im using is compromised and might be the cause of my problems but the plugins have been active a couple of days.
Anyone have any similar experience?

not2easy

2:28 am on Feb 4, 2015 (gmt 0)

I would suggest to change the username/login for your wp database and your domain. Google has some resources and tips for hacked sites: [google.com...]

Mroffline

10:26 am on Mar 3, 2015 (gmt 0)

Also make sure that both wordpress and plugins are up to date.

lorax

9:53 pm on Mar 3, 2015 (gmt 0)

Define "same page reinstated itself" please. Is this an uploaded file that replaces index.php or ?

JS_Harris

5:45 pm on May 19, 2015 (gmt 0)

- Take the site offline, make it inaccessible to all but you
- Immediately change any and all passwords
- Move all current files on the server into a new folder, call it quarantine(do not copy, just move)
- Set up a fresh new database
- Upload the most recent working backups(including sql backup) to your site
- Go to your quarantine folder and sort it by "last modified" and inspect the most recently uploaded or modified files for clues
- Cross check the upload times with your log files for those files to narrow down where they came from, you might find an IP if lucky
- Do some detective work with the data you have to figure out how they got in
- If nothing obvious is found turn the site back on
- Change all passwords again, all of them, for everything you use online, and don't use any password on more than one site
- Come back here and read up on improving security via htaccess

Also, a tip about passwords: an 8 digit password using letters, numbers, symbols, upper case and lower case takes less than 1 second to crack via brute force with what gov has in their toybox. Each extra letter/symbol increases the difficulty exponentially so "password" is no longer enough, you want "pass phrase" these days. Heck, make it as long and complicated as a wordpress salt key if you have to :)

Kendo

1:28 am on May 21, 2015 (gmt 0)

Please be aware that the server may be compromised. If it's a shared hosting server then it might be time to move.

Otherwise check write permissions on everything. I have never considered the practice of enabling write permissions so that WordPress can update itself or automatically install plugins to be clever at all.

JS_Harris

4:42 pm on May 21, 2015 (gmt 0)

I have never considered the practice of enabling write permissions so that WordPress can update itself or automatically install plugins to be clever at all.

Neither have I, I loathe those "we have automatically updated your site" emails. I know that the proper thing to do is to make sure everyone feels safe and accepts the new wordpress behavior so I won't say anything more about it. "oh, we disabled such and such plugin because it conflicted with the update"... thaaaaanks.

Good tip about the hosting though, in a cheap shared account it's possible that all sites are infected, or that all of your sites are infected if not the whole server. Quarantine them all, unfortunately.