Forum Moderators: rogerd & travelin cat

My site was hacked - possibly infected

how to clear out a hacked site

11:27 pm on Feb 3, 2015 (gmt 0)

New User

5+ Year Member

joined:Mar 30, 2010
posts:4
votes: 0


Hello all,

A site I operate was hacked yesterday. I managed to get the site back online; ostensibly it was just the front page index.php that was altered, so reverting it back to the original WordPress code fixed it.
However, around the same time tonight, the same page reinstated itself. I have Bulletproof Security and Limit Login Attempts installed. I'm not thinking that a plugin I'm using is compromised and might be the cause of my problems but the plugins have been active a couple of days.
Anyone have any similar experience?
2:28 am on Feb 4, 2015 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4124
votes: 261


I would suggest changing the username/login for your wp database and your domain. Google has some resources and tips for hacked sites: [google.com...]
10:26 am on Mar 3, 2015 (gmt 0)

New User

joined:Mar 3, 2015
posts:12
votes: 0


Also make sure that both WordPress and plugins are up to date.
9:53 pm on Mar 3, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7577
votes: 4


Define "same page reinstated itself" please. Is this an uploaded file that replaces index.php or ?
5:45 pm on May 19, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1823
votes: 107


- Take the site offline, make it inaccessible to all but you
- Immediately change any and all passwords
- Move all current files on the server into a new folder, call it quarantine (do not copy, just move)
- Set up a fresh new database
- Upload the most recent working backups (including SQL backup) to your site
- Go to your quarantine folder and sort it by "last modified" and inspect the most recently uploaded or modified files for clues
- Cross-check the upload times with your log files for those files to narrow down where they came from; you might find an IP if lucky
- Do some detective work with the data you have to figure out how they got in
- If nothing obvious is found, turn the site back on
- Change all passwords again, all of them, for everything you use online, and don't use any password on more than one site
- Come back here and read up on improving security via htaccess

Also, a tip about passwords: an 8-digit password using letters, numbers, symbols, upper case and lower case takes less than 1 second to crack via brute force with what gov has in their toybox. Each extra letter/symbol increases the difficulty exponentially, so "password" is no longer enough; you want "pass phrase" these days. Heck, make it as long and complicated as a WordPress salt key if you have to :)
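
The "sort by last modified" and "cross-check with your log files" steps in the list above, as an added example that is not part of the original post: it lists the newest files in the quarantine folder and pairs each with POST/PUT requests logged within two minutes of its modification time. It assumes combined-format access logs; the file names, plugin path and addresses are constructed.

```python
import os, re, tempfile
from datetime import datetime, timedelta, timezone

# Assumes Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def recent_files(root, limit=20):
    """(mtime, path) of the most recently modified files under root, newest first."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
            found.append((datetime.fromtimestamp(mtime, timezone.utc), path))
    return sorted(found, reverse=True)[:limit]

def write_requests(log_lines):
    """Yield (time, ip, method, url) for POST/PUT requests; skip unparseable lines."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) in ("POST", "PUT"):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield when, m.group(1), m.group(3), m.group(4)

def correlate(files, log_lines, window=timedelta(minutes=2)):
    """Map each file to the write requests logged within `window` of its mtime."""
    reqs = list(write_requests(log_lines))
    return {path: [r for r in reqs if abs(r[0] - mtime) <= window]
            for mtime, path in files}

def demo():
    # Constructed sample data: log lines, file names and addresses are made up.
    log = [
        '198.51.100.7 - - [03/Feb/2015:23:05:10 +0000] "GET / HTTP/1.1" 200 5120',
        '203.0.113.9 - - [03/Feb/2015:23:10:42 +0000] '
        '"POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31',
        '198.51.100.7 - - [04/Feb/2015:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    ]
    stamps = {"index.php": "2015-02-03T23:10:43", "wp-config.php": "2014-06-01T12:00:00"}
    with tempfile.TemporaryDirectory() as quarantine:
        for name, iso in stamps.items():
            path = os.path.join(quarantine, name)
            open(path, "w").close()
            t = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()
            os.utime(path, (t, t))
        result = correlate(recent_files(quarantine), log)
        return [(os.path.basename(p), [(r[1], r[3]) for r in hits])
                for p, hits in result.items()]

if __name__ == "__main__":
    print(demo())
```

Moving files keeps their modification times while copying resets them, which is why the quarantine step says to move. Modification times can also be rewritten by whoever changed the file, so a file with no matching request is not thereby cleared.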
1:28 am on May 21, 2015 (gmt 0)

Preferred Member from AU 

10+ Year Member Top Contributors Of The Month

joined:May 27, 2005
posts:442
votes: 7


Please be aware that the server may be compromised. If it's a shared hosting server then it might be time to move.

Otherwise check write permissions on everything. I have never considered the practice of enabling write permissions so that WordPress can update itself or automatically install plugins to be clever at all.
4:42 pm on May 21, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1823
votes: 107


> I have never considered the practice of enabling write permissions so that WordPress can update itself or automatically install plugins to be clever at all.


Neither have I, I loathe those "we have automatically updated your site" emails. I know that the proper thing to do is to make sure everyone feels safe and accepts the new wordpress behavior so I won't say anything more about it. "oh, we disabled such and such plugin because it conflicted with the update"... thaaaaanks.

Good tip about the hosting though, in a cheap shared account it's possible that all sites are infected, or that all of your sites are infected if not the whole server. Quarantine them all, unfortunately.