1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Wordpress Keeps Getting Hacked!

Discussion in 'BlackHat Lounge' started by BlackSeng, Jun 15, 2014.

  1. BlackSeng

    BlackSeng Jr. VIP Jr. VIP

    Joined:
    Mar 5, 2009
    Messages:
    1,963
    Likes Received:
    3,519
    Occupation:
       
    Location:
    SG50
    Hey guys, any suggestion?

    I'm hosting one of my blog in some cheap webhost. I notice it was hacked several days ago. Like if you were to visit the link, it redirects to some tutor registration site (www.myeasytutoring.com)
    So I wiped out the whole directory (deleted all the files) and just left the images. I did a fresh wordpress installation (the latest wordpress version) and manually post my contents again (just 15 posts, so no biggie). This time, I used the default wordpress theme.

    Then just now I noticed it was hacked again. I thought it was my webhost having some vulnerability. So I changed to a new webhost, redirected the name servers, did a fresh wordpress installation.
    I re-uploaded the images BUT it is just .jpg files, nothing else. And yes, default wordpress theme again. Plugins are from the wordpress plugins site. All authentic and verified.

    It has the limit wordpress plugin installed and such. Less than 30 minutes after setting up, it is hacked once more.

    Any ideas or solutions?
     
  2. BlackSeng

    BlackSeng Jr. VIP Jr. VIP

    Joined:
    Mar 5, 2009
    Messages:
    1,963
    Likes Received:
    3,519
    Occupation:
       
    Location:
    SG50
    Also, the password I used is alphanumeric with special characters. How the hell is that possible?
     
  3. sforzando

    sforzando Jr. VIP Jr. VIP Premium Member

    Joined:
    May 27, 2011
    Messages:
    368
    Likes Received:
    120
    Did you scan your PC for malware like keyloggers?
     
  4. BlackSeng

    BlackSeng Jr. VIP Jr. VIP

    Joined:
    Mar 5, 2009
    Messages:
    1,963
    Likes Received:
    3,519
    Occupation:
       
    Location:
    SG50
    Nope. Also, if it was a trojan, my few other blogs should have been hacked too. lol
     
  5. mickyfu

    mickyfu Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 14, 2011
    Messages:
    5,278
    Likes Received:
    15,454
    Location:
    Jennifers Office.
    Is it not your browser redirecting to the website?
     
    • Thanks Thanks x 1
  6. sassafras

    sassafras Junior Member

    Joined:
    May 27, 2013
    Messages:
    161
    Likes Received:
    63
    Have you scanned your computer lately? This would be possible if someone had installed a keylogger.
     
  7. BlackSeng

    BlackSeng Jr. VIP Jr. VIP

    Joined:
    Mar 5, 2009
    Messages:
    1,963
    Likes Received:
    3,519
    Occupation:
       
    Location:
    SG50
    Nope, it is not my browser. Very strange...

    Yeah, I've had Eset Smart Security installed... it is scheduled to scan everyday. Nothing. So I'm pretty confused now.
    I checked the raw visitor log and only found this suspicious entry:

    198.46.141.114 /wp-cron.php?doing_wp_cron=*removed*

    There were a LOT of other IPs trying to access my wp-login page.
     
  8. BlackSeng

    BlackSeng Jr. VIP Jr. VIP

    Joined:
    Mar 5, 2009
    Messages:
    1,963
    Likes Received:
    3,519
    Occupation:
       
    Location:
    SG50
    Okay, now it's back to normal. WTF?!?

    I hope my drink wasn't spiked or something. Very-very weird.
     
  9. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Premium Member

    Joined:
    Nov 10, 2012
    Messages:
    10,121
    Likes Received:
    28,560
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    • Thanks Thanks x 1
  10. BlackSeng

    BlackSeng Jr. VIP Jr. VIP

    Joined:
    Mar 5, 2009
    Messages:
    1,963
    Likes Received:
    3,519
    Occupation:
       
    Location:
    SG50
    Thanks W130SN.

    I've banned some of the suspicious IPs. Gonna do a fresh installation with all new details and such. Hope it doesn't happen again.
    Strange thing is... I kept receiving the "Brute Force Detected" message and have to wait 30 mins before logging back in now.
    And yeap, more strange IPs are going to the wp-login page.

    I just don't get it though.. it's just a PR2 old blog with just some stupid content. Nothing of value.

    And yeah, doing a full computer scan using online virus scanners just in case. Damn...

    Oh well, hope to get it done before the WC match starts. lol

    Thanks everyone!


    P.S:
    Just found an interesting article to increase your wordpress safety.
    http://www.inmotionhosting.com/supp...lock-down-wordpress-admin-login-with-htaccess

    Assuming your home's or office's IP is static.
     
    Last edited: Jun 15, 2014
  11. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Premium Member

    Joined:
    Nov 10, 2012
    Messages:
    10,121
    Likes Received:
    28,560
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:

    One of my sites was getting attacked numerous times every day by bots trying to login but when I added the plugins above it stopped almost immediately.
    Good Luck and if you have any problems then let me know and I will try to help.
     
    • Thanks Thanks x 1
  12. SANTO007

    SANTO007 Registered Member

    Joined:
    Sep 9, 2013
    Messages:
    65
    Likes Received:
    18
    Untitled.jpg
    is this you are calling hacked
     
  13. BlackSeng

    BlackSeng Jr. VIP Jr. VIP

    Joined:
    Mar 5, 2009
    Messages:
    1,963
    Likes Received:
    3,519
    Occupation:
       
    Location:
    SG50
    Dude, read properly in my first post. I said if you visit my blog, it redirects to that link.
    But it's all okay now. Thanks everyone for the help and suggestion.
     
    Last edited: Jun 15, 2014
  14. healzer

    healzer Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    Jun 26, 2011
    Messages:
    2,363
    Likes Received:
    1,966
    Gender:
    Male
    Occupation:
    Marketing automation tools
    Location:
    Somewhere in Europe
    Home Page:
    If it turns out to be a real hacking case then PM me.

    Cheers

    healzer
     
    • Thanks Thanks x 1
  15. SANTO007

    SANTO007 Registered Member

    Joined:
    Sep 9, 2013
    Messages:
    65
    Likes Received:
    18
    i can help you if you get hacked
     
  16. MixerDJ

    MixerDJ Regular Member

    Joined:
    Nov 20, 2012
    Messages:
    374
    Likes Received:
    147
    Buddy if you are in shared host you have to play with htaccess file.because there is method called symlinking.once hacker attack server he can read all config files.even you added strong pws you can't be safe.Most of hackers doing once they hacked servers backdoor the server.so they can get access whenever they need.
     
    • Thanks Thanks x 1
  17. ZennoBlaster

    ZennoBlaster Senior Member

    Joined:
    Jan 17, 2014
    Messages:
    1,025
    Likes Received:
    306
    Which protocol do you use if using FTP?

    In cPanel, you can set up a special password for the WP login page (and other sensetive WP files). Also, can transfer files from within cPanel.
     
    Last edited: Jun 15, 2014
  18. RockstarSEO

    RockstarSEO Jr. VIP Jr. VIP Premium Member

    Joined:
    May 16, 2014
    Messages:
    465
    Likes Received:
    69
    Even i had the hacking problem. I was seeing casino links in my money site in google cache. I decided to install iThemes security. Another way is to simply put a user pass from cPanel.
     
    • Thanks Thanks x 1
  19. SANTO007

    SANTO007 Registered Member

    Joined:
    Sep 9, 2013
    Messages:
    65
    Likes Received:
    18
    why not buy a premium plan from wordpress.com it costs $18 per year with 3gb storage to use your own domain and their servers are highly secured
     
  20. V

    V Elite Member

    Joined:
    May 18, 2012
    Messages:
    2,113
    Likes Received:
    2,543
    Occupation:
    Student
    Location:
    /tmp
    Install this plugin
    Wordfence Security - Set it to email you when someone logs into your site
    Also rename your wp-login.php to wp-login.xxx, so if someone tries to log into your site they won't be able to. When you want to login just rename the file using filezilla. It's what I do, so I told you but it doesn't necessarily mean that it's the best way. :)
    There are a lot of other ways to secure your WP installation, but since your site is being modified using the login page, this is the best way to avoid it. :)
     
    • Thanks Thanks x 1