Hacked & Hacked again!

I am so very frustrated.

I host a number of sites, mostly a hobby site and some I do for charities. I stopped taking on customers when I took a full-time day job earlier this year.

My WordPress sites keep getting hacked! I don’t know how to stop it. The email address and password are somehow changed.

But the latest one, which happened just in the past day, is a message at the bottom of the pages reading “NawFalinHow Area Let’s GO To SPam. 100% inbox.”

I am guessing they are sending out spam from my pages!! I am trying to disable all the sites but am so very frustrated.

Anyone else have this problem? Anyone know how to clean it up?


OK, a couple of specific questions for those who might help. And I’m afraid maybe this should go in the security section. Not sure.

What measures should you take to secure your WordPress sites?

What steps should you take to ensure you don’t have malware on your home computer?
I have antivirus software, Malwarebytes and Spybot. But I haven’t run them in a while.

What I would do is to always keep WordPress updated to the latest version, make sure the server is clean of malicious software (it seems just the WordPress install was compromised, though), keep a strong password policy, only run really necessary services, make sure services such as the web server are running under a non-administrative user, and limit incoming connections to the web server and SSH, or whatever it is you need in your workflow.

That’s pretty basic. Perhaps there is someone who has further suggestions or who can go into greater detail. I’d say outdated WordPress installs are the most common reason why people get hacked like this.

Can’t really say how to get rid of any code that has changed during the attack without looking at the site. If you have your site in source control, it may be a good idea to re-deploy it cleanly. Surely you must have some kind of backups somewhere.

Good luck with this!


I am sure I have some backups somewhere. I have just moved and will have to find things again. I know the backups are a couple months old except for two of the sites which I just got back on schedule with backing up.

I can’t tell if it is something in the database or in some of the php files or both, but I did check my home computer with all my updated scan software and it is clean. Well, I guess I know they were in the database because they were changing user e-mail accounts and things.

The host says the server is clean and these are just isolated exploits, but it is hitting almost all my sites. One or two weren’t touched and I’m trying to figure out why. Some of my sites that were up to date were hacked and some that were up to date weren’t. Some that were out of date were hacked, and some weren’t. So there is a good chance it is something from a plugin, or else the server really is compromised.

What log software does everyone use? My log files just don’t tell me much of anything. It will be a long weekend of reading through code trying to find this.

Are there any plugins installed that all the affected sites use?

As others have stated, always keep your WordPress core script up to date. WordPress makes this very easy to do. You just have to log into the admin panel and update. But you need to subscribe to their mailing list or RSS feed so you can be notified as soon as a new version is released. The sooner you can update your script, the better off you are.

One way to look at updates: if WordPress is releasing a new version, it is likely fixing a security hole, and an exploit for that security hole is already out in the wild. So your WordPress script would be vulnerable even before WordPress releases a fix. Minimizing the time between an update being released and applying that update to your site will help the most.

Apply this same logic to any plugins and themes you have installed on your WordPress site. Plugins can be useful because they can give you additional control of your WordPress site. But if you aren’t using a plugin, then don’t keep it installed. Delete it from your web hosting space so that it cannot be exploited. Some plugins are developed better than others, so only install plugins that are from reputable developers. Knowing when a plugin is outdated is not as easy as with the core WordPress script, but you have to find some system for keeping them up to date if you want to stay secure. This is another reason why you should minimize the number of plugins and themes that you use.

Finally, ensure that your personal computer is being kept up to date and malware free. If you have a keylogger or other piece of malware running on your personal computer and you log into your WordPress admin panel, then hackers can retrieve your WordPress login that way. With this information in hand, even if your WordPress site stays up to date, hackers can still gain access to your account. Keep your anti-virus software up to date, keep your malware detection software up to date. Run routine scans. Keep all of the software on your computer up to date (browser, plugins, especially Adobe Flash, etc.). I would really recommend only logging into your WordPress admin panel from your own personal, secured computer, because if you log in from another computer, then you have to call into question the security of that computer as well (what if it has a keylogger installed on it?). If you do have to log in from a separate computer, one whose security you can’t audit, then I would recommend changing your admin panel password as soon as you get home to your personal and secure computer system.

If your website has already been hacked, then you really can’t trust its integrity any more. What if the hackers left a backdoor somewhere on your web hosting account? They could use that backdoor to gain access to your website at any time. Your web hosting provider might be able to scan and see if any KNOWN backdoors exist on your account, but they can never be 100% certain. This is why taking steps to prevent a hack is better than trying to recover from a hack.


I tried to look at that, and the only ones that were on all the sites were the Genesis Hooks and another Genesis one, can’t remember now. The worst part is, I had 5 sites hacked, and only two of them had outdated plugins, everything else I had managed to keep up to date.

Thanks for the advice. I definitely shouldn’t have let those couple of sites get behind in updates. I was overwhelmed with the new job, the move, the divorce and other stuff. Grr, I’m usually a detail-oriented person!

Is there anything you recommend as far as detecting a keylogger? I am 90% sure they didn’t have one on my computer, or they would have done a lot worse damage and would have been able to get into my other sites. One I have been actively working on wasn’t touched, and neither were a couple I know I have logged into recently. However, I have suspected for a few months that my ex may have installed one… and that could leave me vulnerable to someone else exploiting it.

My plan is to install everything fresh. They all could use a makeover anyway, and I will backup the db and add back as many posts as I can, slowly putting them up on the new install after checking the text for anything that isn’t right.


I’m really not sure on this. I’m a Linux person and don’t use Windows very often. I have heard that Microsoft Security Essentials is good, and a lot of people tell me that it is all that you need. But I’m not sure. Malwarebytes is another program I hear mentioned a lot.

Another recommendation, if you’re using Firefox as your web browser (if you’re using Internet Explorer, I would recommend switching to Firefox), is to install the NoScript addon. NoScript prevents JavaScript from executing on websites. So if you go to a website that has been compromised and injected with malicious JavaScript code, by default NoScript won’t allow it to run, unless you have whitelisted that website.

A lot of the hackings that I see come about because an account’s username and password was compromised. Maybe it’s their FTP login, maybe it’s their database login, maybe it’s the WordPress or script backend login. How these got compromised is something that I am never able to determine. But generally it tells me that there is something insecure running on that person’s computer or a computer they have used to access these areas. Tracking that down is just impossible for me to do.

I’m not saying your computer is insecure. But if someone you did not authorize posts or makes changes to your website, then there’s an insecurity somewhere. Finding that insecurity may not be easy.

sparek, thanks for the advice. I am definitely a Firefox girl all the way. I will look into the NoScript addon.

I just wanted to update, in case anyone else with the problem reads this, that I did a scan in cPanel using ClamAV. It found the malware ‘PHP.Mailer-3’, which had installed itself in the foot-widgets file of my Genesis theme. Still looking to see what else and wondering how it got in. And still planning a fresh install.
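Picking up the ClamAV finding above (a mailer dropped into a theme widget file) and sparek’s earlier point that a hacked account may still hold a backdoor, here is an added example, not code from anyone in this thread, of a triage script a site owner can run from a shell on the host: it flags PHP files under a WordPress tree that call mail() or unpack obfuscated code, and lists PHP files changed in the last N days. The directory layout and sample files it creates are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original thread: triage a WordPress tree for the
# traces a dropped spam mailer leaves behind -- PHP files that call mail() or
# unpack obfuscated code, and PHP files modified in the last N days.
# Paths and sample files below are constructed for the demo.

# Functions a theme footer or widget template has no business calling. A hit is
# a lead to read by hand, not proof of compromise (core's bundled PHPMailer
# legitimately calls mail(), for instance).
SUSPECT='-e mail( -e base64_decode( -e eval( -e gzinflate( -e str_rot13('

# list_suspect_php DIR  -> one "file:line:text" line per hit under DIR
list_suspect_php() {
    # $SUSPECT is unquoted on purpose so it splits into "-e pattern" pairs
    grep -r -n -F --include='*.php' $SUSPECT "$1" 2>/dev/null
}

# count_suspect_files DIR  -> number of distinct PHP files with at least one hit
count_suspect_files() {
    grep -r -l -F --include='*.php' $SUSPECT "$1" 2>/dev/null | wc -l | tr -d ' '
}

# recently_changed DIR DAYS  -> PHP files modified within DAYS days; on a site
# nobody has edited, every path printed here needs explaining.
recently_changed() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# make_sample_tree  -> creates a constructed mini wp-content tree, prints its path
make_sample_tree() {
    d=$(mktemp -d)
    t="$d/wp-content/themes/sample-theme"
    mkdir -p "$t"
    # Clean template: prints a footer and nothing else.
    printf '<?php echo "footer"; ?>\n' > "$t/footer.php"
    # Constructed injected widget file: an obfuscated blob handed to the mailer.
    printf '<?php eval(base64_decode("Li4u")); mail($to, "hi", "..."); ?>\n' \
        > "$t/footer-widgets.php"
    echo "$d"
}

SAMPLE=$(make_sample_tree)
echo "Suspect calls:";   list_suspect_php "$SAMPLE"
echo "Files flagged: $(count_suspect_files "$SAMPLE")"
echo "Changed today:";   recently_changed "$SAMPLE" 1
rm -rf "$SAMPLE"
```

On a real install, point `list_suspect_php` and `recently_changed` at the site root rather than the sample tree; WP-CLI’s `wp core verify-checksums` covers the core files this script does not compare against a known-good copy.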