
Hacked: Strange WP Admin Login. What do I do?

matrix79

Hey everyone,

Wordfence alerted me that there was an admin login to my WordPress site with a username I didn't create from another country. It was only one hour ago. When I look at the site, things look normal. I am also able to log in with my own admin and everything looks normal in my dashboard as well. Also, I don't see their admin username (the one they used to log in to my site) in the list of users.

What do I do now?

Thanks!
 
Maybe he is one of your registered users? Logging in doesn't matter, but what privileges you gave him matters; if he is a normal registered user then it won't affect your site.
 
No, that was an admin login. Also, I didn't have any users other than me on that site.

I have an update though: although their username didn't appear in my dashboard, I found it and their email in my phpMyAdmin database. They created that user yesterday. Also, there is one thing I can see they did: they deleted my Wordfence plugin.

Needless to say, I deleted their user via the database, changed my admin password and reinstalled Wordfence. But what else do I have to do? I can't believe all they did was delete Wordfence. Also, I don't know through which door they entered in the first place.

Any suggestions?
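
The hidden administrator account found in phpMyAdmin is the thing to enumerate systematically, because a rogue plugin can filter the Users screen but cannot hide rows from wp_users and wp_usermeta. The following is an added example, not code from this thread or from Wordfence: it runs the administrator-lookup query against an in-memory SQLite copy of the two tables filled with constructed sample rows, so it runs offline. The SQL string itself is what you would paste into phpMyAdmin; the table prefix (wp_), the sample logins, emails and dates are assumptions for the demonstration.

```python
"""List every account holding the administrator role straight from the
WordPress tables, flagging ones the owner does not recognise or that were
registered recently. Added example; sample data is constructed."""
import re
import sqlite3
from datetime import datetime, timedelta

# WordPress keeps roles in wp_usermeta as a PHP-serialized array under the
# key "<prefix>capabilities", e.g. a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

# Minimal copies of the two tables (assumed prefix wp_).
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                       user_registered TEXT, display_name TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
"""

# Constructed sample rows: the owner, an editor, and an attacker-created
# administrator registered the day before NOW. Names and dates are invented.
NOW = datetime(2017, 2, 17, 10, 0, 0)
SAMPLE_USERS = [
    (1, "matrix79", "owner@example.invalid", "2013-01-20 00:00:00", "matrix79"),
    (7, "wp_support", "x@mail.invalid", "2017-02-16 03:12:44", "Support"),
    (8, "editor_jane", "jane@example.invalid", "2015-06-01 12:00:00", "Jane"),
]
SAMPLE_META = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, 8, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
]

# The query to paste into phpMyAdmin (change wp_ to your real table prefix).
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC
"""


def build_sample_db():
    """In-memory stand-in for the MySQL database, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", SAMPLE_META)
    return conn


def roles(serialized):
    """Role names from WordPress's serialized capabilities array."""
    return ROLE_RE.findall(serialized)


def find_admins(conn, known_logins, now=NOW, recent_days=7):
    """One dict per administrator; 'unknown' means not in the owner's list,
    'recent' means registered within recent_days of now."""
    findings = []
    for uid, login, email, registered, caps in conn.execute(ADMIN_QUERY):
        reg = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        findings.append({
            "id": uid, "login": login, "email": email, "roles": roles(caps),
            "unknown": login not in known_logins,
            "recent": now - reg < timedelta(days=recent_days),
        })
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    for f in find_admins(db, known_logins={"matrix79"}):
        flag = "  <-- investigate" if f["unknown"] or f["recent"] else ""
        print(f"{f['id']:>3} {f['login']:<12} {f['email']:<24} {f['roles']}{flag}")
```

Deleting the row is not enough on its own: also look for the same email in wp_usermeta (session_tokens, capabilities) and, since the attacker already ran with administrator rights, assume a file-level backdoor was left behind as well.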
 
Yes, the backdoor has to be from a theme/plugin. If they deleted Wordfence only, it is just so that next time they log in you don't get alerted and they can do whatever they want to. How do you know they didn't do anything? What if they have added a script or code to redirect some part of your traffic to one of their own?
 
I'm thinking they got in through a plugin or a nulled plugin/theme. The uploads folder too. Perhaps you should try scanning your WordPress installation with Sucuri. It's a malware scanner.
 
Delete the present installation, reinstall from backup, change the admin name and password from the default, then install SQL injection protection in .htaccess.

Code:
# Chinese networks
# (IP-range denylist from a 2012 config: allocations move, so re-verify each
# range with whois before reusing it, and do not expect it to stop a targeted attacker)
deny from 42.120.0.0/15
deny from 180.76.5.0/24
deny from 180.76.6.0/24
deny from 182.112.0.0/12
deny from 202.105.0.0/16
deny from 101.224.0.0/13
deny from 74.52.0.0/14
# IPTelligent
deny from 96.47.224.0/23
deny from 110.85.124.0/24
#IPIntelligent
deny from 173.44.32.0/19
deny from 178.151.216.0/24
# Repeated hack attempt
deny from 37.221.160.0/21
# ahrefs
deny from 173.199.115.104
deny from 173.199.115.105
deny from 173.199.115.106
deny from 173.199.115.107
deny from 173.199.115.108
deny from 173.199.115.109
deny from 173.199.115.110
deny from 173.199.115.111
## Chinese Spammers
deny from 14.144.0.0/12
deny from 60.166.0.0/15
deny from 60.168.0.0/13
deny from 27.153.128.0/17
deny from 202.46.32.0/19
deny from 58.240.0.0/15
deny from 110.80.0.0/13
# Romainian Porn links
deny from 89.42.38.0/23

## Can be commented out if causes errors
Options +FollowSymLinks

## Mod_rewrite in use.

RewriteEngine On

## change non www to www
RewriteCond %{HTTP_HOST} ^somesite\.tld$ [NC]
RewriteRule ^(.*)$ http://www.somesite.tld/$1 [R=301,L]

## BLOCK BAD BOTS
## Every RewriteCond in this chain needs [OR] except the last one (ZyBorg);
## a condition without [OR] is ANDed with the next one and silently breaks the chain.
#RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
#RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Nutch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [NC,OR]
RewriteCond %{HTTP_USER_AGENT} panscient.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [NC,OR]
RewriteCond %{HTTP_USER_AGENT} PECL::HTTP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PeoplePal [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [NC,OR]
RewriteCond %{HTTP_USER_AGENT} PHPCrawl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} PleaseCrawl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Rippers\ 0 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SBIder [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SeaMonkey$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck\.internetseer\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Snoopy [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Steeler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Toata\ dragostea\ mea\ pentru\ diavola [NC,OR]
RewriteCond %{HTTP_USER_AGENT} TurnitinBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} URI::Fetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} urllib [NC,OR]
RewriteCond %{HTTP_USER_AGENT} User-Agent [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Web\ Sucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webalta [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} WebCollage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Wells\ Search\ II [NC,OR]
RewriteCond %{HTTP_USER_AGENT} WEP\ Search [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WWW-Mechanize [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zermelo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus\.*Webster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ZyBorg [NC]
## The substitution must be a plain hyphen (pass-through); the en dash that
## the forum pasted here would be taken as a literal path.
RewriteRule ^(.*)$ - [F,L]

## Prevent hot Linking
## Section commented out 9-19-2012
#RewriteCond %{HTTP_REFERER} !^$
## Original
#RewriteCond %{HTTP_REFERER} !^http://(www.)?somesite.nl/.*$ [NC]
#RewriteRule \.(gif|jpe?g|png|html)$ - [F]
## ADDED
#RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?somesite.tld [NC]
#RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?somesiteothersite.tld [NC]
#RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?somesiteothersite.tld [NC]
#RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
#RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

#Next Two Lines deny Googlebot
#RewriteCond %{HTTP_USER_AGENT} Googlebot
#RewriteRule ^.*$ "http\:\/\/somesite\.tld" [R=301,L]

## redirect blog to /blog
## NOTE: %{HTTP_HOST} only ever holds the Host header (no path), so a pattern
## containing "/blog/" never matches and these rules are dead as written.
## Match the path with %{REQUEST_URI} instead if you still need them.
RewriteCond %{HTTP_HOST} www.somesite/blog/
RewriteCond %{REQUEST_URI} !^/blog
RewriteRule ^(.*)$ blog/$1 [L]

## redirect Forum to /Forum (same problem: the host never contains /forum/)
RewriteCond %{HTTP_HOST} www.somesite.tld/forum/
RewriteCond %{REQUEST_URI} !^/Forum
RewriteRule ^(.*)$ Forum/$1 [L]

## Begin - Rewrite rules to block out some common exploits.
# These rules, and the index.php front-controller rewrite further down, come
# from Joomla's stock htaccess.txt. On a WordPress site keep WordPress's own
# "# BEGIN WordPress" block as the front controller instead of the Joomla one.
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.

## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects

##
# Uncomment following line if your webservers URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##

# RewriteBase /

#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for something within the component folder,
# or for the site root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
# and the requested path and file does not directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file does not directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#

Options -Indexes
### Prevent wget, curl, and email harvesting
### Caveat: blocking HEAD also blocks legitimate link checkers and monitors
### that probe with HEAD. User-agent matching is a nuisance filter only;
### any attacker sets a browser user agent and walks straight past it.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww|libwww-perl|curl|wget|python|nikto|scan).* [NC]
RewriteRule ^(.*)$ - [F,L]
### END Prevent wget, curl, and email harvesting

## Order/Deny is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat,
## otherwise use "Require all denied" inside each <files> block below.
<files .htaccess>
Order allow,deny
Deny from all
</files>

### Not sure about these yet 11/16/2012 ###
<files readme.html>
Order allow,deny
Deny from all
</files>

<files README.txt>
Order allow,deny
Deny from all
</files>

<files configuration.php-bak>
Order allow,deny
Deny from all
</files>

<files web.config.txt>
Order allow,deny
Deny from all
</files>

<files htaccess.txt>
Order allow,deny
Deny from all
</files>

<files readme.txt>
Order allow,deny
Deny from all
</files>

<files install.php>
Order allow,deny
Deny from all
</files>
### END NOT SURE ###

<Files 403.shtml>
order allow,deny
allow from all
</Files>
## A full URL here makes Apache answer with a 302 redirect instead of a 404;
## a local path keeps the real 404 status on the response.
ErrorDocument 404 /error/404.php

## DENY UNWANTED BOTS AND KNOWN HACKER IPS ##
### hostile scanning ahrefs
## ahrefs.com
### end ahrefs.com
### Baidu crawler
## hostile scanning
### Joe Ellis botnets
## all calpop servers
## liveperson.net
## joe ellis IP cidr range @ NETBLK-THEPLANET-BLK
## end joe ellis botnets
##successful hack IPs
## end successful hack IPs
# National advertising
#deny from 91.205.234.0/16
## russian crawler
#deny from 77.0.0.0/8
## END DENY  ################################
## cPanel-specific handler name; remove it unless your host documents it,
## otherwise PHP files may stop being executed.
AddHandler application/x-httpd-php53 .php .php5 .php4 .php3

deny from 208.73.210.128
deny from 23.21.250.45
deny from 50.28.23.235
deny from 61.18.62.46
deny from 64.27.0.0/19
deny from 64.27.29.28
deny from 67.227.159.10
deny from 88.80.11.71
deny from 208.73.210.125
deny from 207.44.192.64
deny from 204.13.160.52
deny from 204.13.160.53
deny from 204.13.162.11
deny from 204.13.162.127
deny from 204.13.161.177
deny from 208.73.210.52
deny from 208.89.12.169
deny from 178.137.83.41
deny from 178.137.92.57
deny from 178.137.160.68
deny from 178.137.165.172
deny from 193.41.60.108
RewriteCond %{HTTP_HOST} ^somesite\.biz$ [OR]
RewriteCond %{HTTP_HOST} ^www\.somesite\.biz$
RewriteRule ^/?$ "http\:\/\/www\.somesite\.tld\/Parked\/index\.htm" [R=301,L]
## A second copy of the parked-domain redirect followed in the post, pointing at
## www.somesite.nl; its first RewriteCond survived only as the fragment below and
## the rule could never fire after the [R=301,L] above, so it is commented out.
#ga\.biz$ [OR]
#RewriteCond %{HTTP_HOST} ^www\.somesite\.biz$
#RewriteRule ^/?$ "http\:\/\/www\.somesite\.nl\/Parked\/index\.htm" [R=301,L]

#AuthType Basic
#AuthName "admin"
#AuthUserFile "/home/somesi/.htpasswds/public_html/passwd"
#require valid-user
 
Do as JustUs mentioned and install the Sucuri WP plugin as well. You can use both with no problem; just add your own IP to the whitelist so you don't lock yourself out.
 
Thanks everyone! All my plugins are updated, and for the theme I am using Genesis Epik. I do use one old plugin because I have to. It's called ".html on pages". I also used the "Delete All Comments" plugin, which was recently updated, and I realized it lost its functionality after the latest update. I cannot be sure though. I just got rid of it.

Wordfence scan only showed two readme.txt files were modified. It cannot be it, can it? I mean you can't be hacked with a readme.txt file, can you?

I will go install Sucuri as well and implement other suggestions.

The site behaves as usual. No weird ads. No redirects. At least I don't see anything like it. Thanks again.
 
You can also install a two-step authentication plugin.

You probably do not want to do that, in spite of the hoopla behind it. The Podesta emails were obtained by knowing Podesta's telephone number, contacting and social engineering the telco, and taking over the email.
 
Maybe it was just a login attempt, someone trying to brute force by guessing the admin username. Well, it happens on multiple of my sites too.
 
Check your plugins/themes for any new code added. Had something similar happen to a client's WordPress: they installed a backdoor into one of the plugins that they could use to log in without a trace.
 
In my cPanel I discovered a newly modified (and probably newly created) directory called login-protect-ninja. It appears to be a plugin, but

1. I never installed it.
2. It doesn't appear in my normal WP dashboard, only in cPanel.

Got rid of it.
 
I advise you to check every file once again, because a hacker could create 2 or 3 backdoors (new files, or just suspicious PHP code added to existing ones, for example).
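
The replies above (a backdoor in a theme or plugin, PHP in the uploads folder, several backdoors rather than one, and the rogue login-protect-ninja directory that never showed in the dashboard) all come down to the same file-system triage. What follows is an added example, not part of the thread and not how Wordfence or Sucuri work internally. It builds a constructed WordPress-like tree in a temporary directory so it runs offline; point scan() at a real document root to use it for real. Plugin names, paths, timestamps and file contents are invented for the demonstration.

```python
"""Triage a WordPress docroot for: plugin directories the owner does not
recognise, PHP under wp-content/uploads, files changed after a trusted
point in time, and typical web-shell constructs. Added example; the
sample tree it scans is constructed, not a real compromise."""
import os
import re
import tempfile
import time

# Constructs found in most PHP web shells. A hit means "open this file",
# not "this is malware": some legitimate plugins use base64_decode too.
SHELL_PATTERNS = [
    re.compile(rb"\b(eval|assert)\s*\("),
    re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(rb"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
]
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def scan(docroot, known_plugins, changed_since):
    """Walk docroot and return (indicator, relative_path, detail) tuples."""
    findings = []
    uploads = os.path.join(docroot, "wp-content", "uploads")
    plugins = os.path.join(docroot, "wp-content", "plugins")

    # 1. Plugin directories the owner never installed; a plugin that hides
    #    itself from the dashboard is still a directory on disk.
    if os.path.isdir(plugins):
        for name in sorted(os.listdir(plugins)):
            full = os.path.join(plugins, name)
            if os.path.isdir(full) and name not in known_plugins:
                findings.append(("unknown-plugin", os.path.relpath(full, docroot), ""))

    for dirpath, _dirs, files in os.walk(docroot):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, docroot)
            is_php = fn.lower().endswith(PHP_EXT)
            # 2. PHP under uploads: WordPress itself never writes PHP there.
            if is_php and path.startswith(uploads + os.sep):
                findings.append(("php-in-uploads", rel, ""))
            # 3. Anything touched after the last moment the owner trusts.
            mtime = os.path.getmtime(path)
            if mtime > changed_since:
                stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
                findings.append(("recently-modified", rel, stamp))
            # 4. Web-shell constructs inside PHP files (first hit per file).
            if is_php:
                with open(path, "rb") as fh:
                    data = fh.read()
                for pat in SHELL_PATTERNS:
                    hit = pat.search(data)
                    if hit:
                        findings.append(("shell-construct", rel,
                                         hit.group(0).decode("latin-1")))
                        break
    return findings


def build_sample_tree(root, now):
    """Constructed WordPress-like docroot (names and contents invented):
    clean core and theme, a clean known plugin, a rogue plugin, and a
    dropper under uploads."""
    old = now - 30 * 86400
    files = {
        "index.php": (b"<?php require __DIR__ . '/wp-blog-header.php';\n", old),
        "wp-content/plugins/wordfence/wordfence.php": (b"<?php // Wordfence\n", old),
        "wp-content/plugins/login-protect-ninja/ninja.php":
            (b"<?php if(isset($_POST['k'])){eval(base64_decode($_POST['k']));}\n", now - 3600),
        "wp-content/themes/genesis/functions.php":
            (b"<?php add_action('init', function () { /* theme code */ });\n", old),
        "wp-content/uploads/2017/02/image.jpg": (b"\xff\xd8\xff\xe0 fake jpeg bytes\n", old),
        "wp-content/uploads/2017/02/cache.php":
            (b"<?php $f=$_GET['f']; echo shell_exec($f);\n", now - 7200),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root


def run_demo():
    """Build the sample tree and scan it, trusting nothing changed in 7 days."""
    now = time.time()
    root = build_sample_tree(tempfile.mkdtemp(prefix="wp-triage-"), now)
    return scan(root, known_plugins={"wordfence"}, changed_since=now - 7 * 86400)


if __name__ == "__main__":
    for indicator, rel, detail in run_demo():
        print(f"{indicator:<18} {rel}  {detail}")
```

The modification-time check is the weakest of the four: an attacker with shell access can reset mtimes with touch, so treat a clean "recently-modified" list as absence of evidence, and compare core and plugin files against a fresh download of the same versions when in doubt.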
 
You say you changed your admin password? Did you also change the SQL database password?

Also try using screaming frog or something to crawl your site and list all external links.

If you are on a static IP then use an .htaccess file to limit /wp-admin to just your own IP (no good if your IP is dynamic though).
 
Also use one of the plugins that lets you rename your login page to a custom name instead of the default wp-login.php page.
 