
Please Help Me! My Wordpress Blog Has Been Hacked. URL Injection

Discussion in 'Blogging' started by michelleWJ, Jun 6, 2016.

  1. michelleWJ

    michelleWJ Newbie

    Hi, BHW members,

    First of all, thank you all BHW members who gave me advice and helped me solve the login problem. The thread: http://www.blackhatworld.com/seo/help-is-my-wordpress-website-attacked.845413/

    Let me explain my problem:

    1, I noticed that my site has lots of URLs which were not created by me. I didn't know what they were or how to describe the problem at that moment. After resolving the login problem, I found in my WordPress account that there were two more users besides me (I didn't add them myself). All I know is my site has been hacked.

    2, I found that there are suddenly numerous irrelevant backlinks (according to Ahrefs and Majestic) pointing to my site (actually pointing to these hacker's URLs). Those backlinks started from 16, 05, 2016. They are increasing every day.

    These hacker's urls are like this:

    http://www.mysite.com/?q=irrelevant-keyword

    When I click these hacker's URLs, they redirect to other websites related to the irrelevant-keyword. It seems the hacker didn't create a real page on my site for his URL, he just uses it to redirect to other sites.

    Then, the hacker created lots of backlinks pointing to these URLs. (Google Search Console, Ahrefs and Majestic)

    Finally, I received emails in my Google webmaster account that show: URL Injection. I eventually know what these URLs are and what the problem is.

    The actions I have taken:

    1, I changed the WP password;
    2, I deleted the two unknown users;
    3, I use CloudFlare to protect my site.

    Now, when I click these hacker's URLs, they don't redirect to other sites any more. They show my homepage. But these URLs and these backlinks are still there.

    Google asks me to clean my site and then submit a reconsideration request.

    My questions:

    1, What should I do to remove these hacker's urls from my site properly?
    2, What about those backlinks pointing to these urls?
    3, How to better protect my site from being hacked?

    Thank you in advance!
     
  2. niche racer

    niche racer Regular Member

    The first thing you have to do is create a backup of your site, which includes the database image, files, etc.
    Check whether the content is edited or any DB content added to it.

    If you already have a backup, that's good enough. The only way

    By killing the WordPress you can clean the hacker's URLs. Install the new WordPress and put back the backup of your original theme and contents.

    You can use Google's Disavow Links Tool to clean the backlinks pointing to these URLs.

    Create a new admin username - If you don't change it, they will easily hack your website once again.

    Strengthen your password - Hackers use software to instantaneously test every word in Wikipedia against your password. So don't put any real words or names in any language.

    Add Login Attempts - Because hackers use an infinite number of username and password combinations.

    Add Google Captcha - It will block a user who tries multiple username and password combinations through the IP.
     
  3. PixieForce

    PixieForce Registered Member

    Sorry to hear this happened to you. Your best bet is to use MySQL commands to find and replace that URL (or remove it) everywhere in your WP_POSTS database.

    The best way to avoid getting hacked on WordPress is to disable SSH access, use File System instead of FTP (disable FTP server access except from LocalHost), and jail all the bad login attempts with Fail2Ban. HTH.
     
  4. michelleWJ

    michelleWJ Newbie

    Thank you for your quick reply. Your advice is really helpful. I have created a backup of my site, strengthened my password and installed a security WP plugin to protect my site. And I found a file which is not a core, theme or plugin file that contains the word 'eval' and the word 'base64_decode'. It may have been created by a hacker; I am going to deal with this file. Thank you again.

    Thank you for your advice. Google asked me to clean my site, I must remove these urls, but it seems they are not in my post, they are open redirects (I am not sure). The problem is, there are so many such urls, I don't know how to find out every url. When I search 'site:mysite.com' in google, the result shows some of them, not all of them. I will try my best to solve this problem. Thanks again.
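
A defender-side sweep for the pattern described in the post above, as an added example that is not part of the original thread: it walks a site's files and lists every PHP file that calls both `eval` and `base64_decode`, with line numbers. The function names, sample file names and sample contents are constructed for the demo.

```python
import os
import re
import tempfile

# PHP function names are case-insensitive and may have whitespace before "(".
EVAL_RE = re.compile(rb"\beval\s*\(", re.IGNORECASE)
B64_RE = re.compile(rb"\bbase64_decode\s*\(", re.IGNORECASE)
PHP_EXTS = (".php", ".phtml", ".php5", ".inc")

def scan_file(path):
    """Return (eval_lines, b64_lines): 1-based line numbers of each call."""
    eval_lines, b64_lines = [], []
    with open(path, "rb") as fh:  # read bytes: injected files are often not valid UTF-8
        for lineno, line in enumerate(fh, 1):
            if EVAL_RE.search(line):
                eval_lines.append(lineno)
            if B64_RE.search(line):
                b64_lines.append(lineno)
    return eval_lines, b64_lines

def scan_tree(root):
    """Return {relative_path: (eval_lines, b64_lines)} for PHP files with BOTH calls."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, name)
            ev, b64 = scan_file(full)
            if ev and b64:
                hits[os.path.relpath(full, root)] = (ev, b64)
    return hits

# Constructed sample files (the encoded string is just "echo 1;").
SAMPLES = {
    "wp-content/uploads/cache.php": b'<?php\n$x = 1;\nEVAL (base64_decode("ZWNobyAxOw=="));\n',
    "wp-includes/ok.php": b"<?php echo base64_decode($s); // medieval(\n",
    "readme.txt": b"eval(base64_decode(",
}

def demo():
    """Write the samples to a temp dir and scan it; only cache.php should be flagged."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Hits are leads for manual review, not proof of compromise: some legitimate plugins use both calls, and an injected file can avoid these two names entirely.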
     
  5. anythingispossible365

    anythingispossible365 Newbie

    PixieForce has the best advice concerning this. There are also several guides if you try a Google Search for "Hardening Wordpress". Lastly, if you continue to struggle with this, always remember if this isn't your area of expertise, let those who have the experience deal with it instead. Don't lose sleep over it or spend too much time focusing on it, it'll only keep you away from whatever it is that you do best. There are people on Freelancer or even here on BHW who may be able to assist you at a reasonable price and provide you with an immediate and more permanent solution.