My website was hacked
Today I came to know that my WordPress blog was hacked. And not just one but all three which are on the same VPS. It got hit with the "Japanese SEO hack" which seems to be quite common. The hack works like this: when you visit your website, you will not notice anything as all pages will appear normal. But when you look at Google Search Console, then you will start to see errors and pages that don't exist.
Basically, it shows the normal website when visited by a user. But when the Google bot visits, then it shows a Japanese website.
What I find surprising is that all tutorials and articles about it are generic ones where they say check your files, clean them, take backup bla bla bla. I thought, the hack being common, someone must have laid out exact steps to get rid of it.
I checked the VPS auth.log but found nothing suspicious. I think they found some exploit in a WordPress file like improper file permissions or some buggy plugin. And since all three sites use the www-data user, they were able to hit all of them. Or maybe they actually got access to the VPS... in which case... where do I check? Everything seems to be normal.
Found two PHP files which contain hacked code. Stopped php-fpm and nginx, then I deleted one of them as it was not part of WordPress and replaced the other one with the original, but after restarting php-fpm and nginx, both files came back. Looks like the code is also present somewhere else.
Also checked the database but found nothing suspicious. Or maybe that's because I just skimmed through it, as it is difficult to go through all the lines in the database in Notepad++ as it is huge.
Comments
So, you have WordPress with a massive collection of un-audited plugins. Please hire a competent security audit firm and/or person to help you with your sores.
No, I don't use many plugins. Plus, they are all updated. One of the sites is more than 2 years old and the other one is 2 months old. The last one is 4 days old; I just created it and installed some plugins, but the website is not in use yet as I haven't written any posts.
It's still most likely to be a vulnerability in one of those plugins; WP Core is (relatively) secure (unless you've set your admin password to password1, of course). Rather than trying to spot files with "hacked code", you'd be better off with a clean WP install and auditing your plugins carefully.
Are you using a control panel or is it a manual server installation?
Installed Debian 11 using template by provider. Rest of the installation, nginx, mariadb, ufw etc. was done manually.
Better suggestion would be not to use Wordpress, it has so many holes (especially the plugins)
Installed WordFence and ran a scan and it found 285 infected files.
It would be a good idea to use a control panel such as cloudpanel.io
It adds some security, and you can isolate your websites with it.
As somebody else wrote, it is a good idea to back up your database and make a fresh installation of WordPress and the plugins.
And use Wordfence or another security plugin.
How do I delete .htaccess files from all folders and subfolders of the current directory? Tried the following and none of them worked. It does print on screen the name of the .htaccess file but doesn't delete it.
find . -type f -name ".htaccess" -exec echo rm {} \;
sudo find . -type f -name ".htaccess" -exec echo sudo rm {} \;
sudo find . -type f -name ".htaccess" -exec sudo echo rm {} \;
As a first step, I deleted all malicious .htaccess files using:
find . -name ".htaccess" -exec sudo rm -rf {} \;
find . -type f -name ".htaccess" -exec rm -f {} +
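The commands in the question only print because of the echo in front of rm (find runs the whole -exec argument list, so "echo rm file" just echoes). The script below is an added example, not from this thread: instead of deleting the .htaccess files outright it moves them into a quarantine directory that mirrors the site layout, so the attacker's rewrite rules are still available for later review, and DRY_RUN=1 gives the preview the question's commands produced by accident. The demo tree it builds is constructed for the example.

```shell
#!/bin/sh
# Quarantine, rather than delete, every .htaccess under a site root.
# Each file is moved to <quarantine_dir>/<path relative to root> so it can be
# reviewed later. Set DRY_RUN=1 to only print what would be moved.
# Prints the number of .htaccess files now held in quarantine.
# Usage: quarantine_htaccess <site_root> <quarantine_dir>
quarantine_htaccess() {
    root=${1%/}        # strip a trailing slash so relative paths come out clean
    qdir=$2
    mkdir -p "$qdir"
    # -type f skips directories; paths are assumed not to contain newlines
    find "$root" -type f -name ".htaccess" | while IFS= read -r f; do
        rel=${f#"$root"/}
        if [ -n "$DRY_RUN" ]; then
            echo "would move $f -> $qdir/$rel" >&2
            continue
        fi
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
    done
    find "$qdir" -type f -name ".htaccess" | wc -l | tr -d ' '
}

# Constructed demo tree: three planted .htaccess files plus a legitimate
# index.php that must be left alone.
make_demo_tree() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
    echo '<?php // legitimate file' > "$1/index.php"
    for dir in "$1" "$1/wp-content/uploads" "$1/wp-includes"; do
        echo 'RewriteEngine On' > "$dir/.htaccess"
    done
}
```

Run it as root only if the files are owned by another user; the quarantine directory should sit outside the web root so nothing in it is ever served.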
As far as I know, .htaccess is not supported by nginx, unless you use apache as the backend and nginx as a reverse proxy.
Another day, another WP bug.
https://www.wordfence.com/blog/2023/06/miniorange-addresses-authentication-bypass-vulnerability-in-wordpress-social-login-and-register-wordpress-plugin/
Yes nginx doesn't support .htaccess but the files were there so I deleted them all. Here's what I did:
- php-fpm and nginx
- xit-3x.gif which was in the images folder
- index.php
- wp-includes/template-loader.php
- wp-includes/plugin.php
- wp-includes/general-template.php
- wp-includes/cron.php
- wp-includes/functions.php
- chmod 444 on these files. Previously it was 644.
I need to isolate all these sites though and see if there are other checks I can place.
You can install ImunifyAV, which is the free edition. However, please note that it does not remove the detected files automatically.
wp-cli will come in handy. You can check WordPress core integrity. It also has the ability to force reinstall core, themes, or plugins from the official WordPress repository.
If everything is okay, you'll need to wait for the Google bots to finish their reindexing job.
Hopefully you keep regular backups or snapshots. Compare the latest known good working site to the one that is hacked. All differences should be the infected files. Locate the culprit and when you revert, disable that plugin, or re-secure whatever was infected so it doesn't happen again.
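The comparison suggested here, and the core integrity check mentioned a few posts up (wp-cli's "wp core verify-checksums"), both come down to hashing a known-good tree and diffing it against the live one. This added example is not from the thread; it does that with sha256sum (falling back to shasum on systems without coreutils) over any directory pair, so it also covers plugins, themes and uploads, which the core checksum check does not. The two trees it builds are constructed for the demo.

```shell
#!/bin/sh
# Compare a live WordPress tree against a known-good copy (backup or fresh
# download) by file hash. Prints one line per difference:
#   MODIFIED <path>  same path, different content
#   ADDED <path>     present only in the live tree (dropped files land here)
#   MISSING <path>   present only in the known-good tree
# Usage: site_diff <known_good_dir> <live_dir>
hash_tree() {
    # "<sha256> <relative path>" for every regular file, in a stable order
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then h=$(sha256sum "$f")
        else h=$(shasum -a 256 "$f"); fi
        printf '%s %s\n' "${h%% *}" "$f"
    done)
}

site_diff() {
    good=$(mktemp); live=$(mktemp)
    hash_tree "$1" > "$good"
    hash_tree "$2" > "$live"
    # first pass loads the known-good manifest, second pass classifies live files
    awk 'NR == FNR { good[$2] = $1; next }
         { seen[$2] = 1
           if (!($2 in good))       print "ADDED " $2
           else if (good[$2] != $1) print "MODIFIED " $2 }
         END { for (p in good) if (!(p in seen)) print "MISSING " p }' \
        "$good" "$live" | LC_ALL=C sort
    rm -f "$good" "$live"
}

# Constructed pair of trees for the demo: functions.php was tampered with,
# a PHP file appeared under uploads, and readme.html was deleted.
make_demo_trees() {
    for t in good live; do
        mkdir -p "$1/$t/wp-includes" "$1/$t/wp-content/uploads"
        echo '<?php require "wp-blog-header.php";' > "$1/$t/index.php"
        echo '<?php function wp_example() {}' > "$1/$t/wp-includes/functions.php"
    done
    echo '<html>readme</html>' > "$1/good/readme.html"
    echo '// appended line (constructed tampering)' >> "$1/live/wp-includes/functions.php"
    echo '<?php /* constructed dropped file */' > "$1/live/wp-content/uploads/cache.php"
}
```

Expect legitimate noise from wp-config.php, caches and new uploads; the lines worth chasing are ADDED or MODIFIED entries ending in .php, especially under wp-content/uploads.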
As I've said before, people who host WordPress - and all its flaws - absolutely have to be security experts obsessed with updates. It generally attracts the opposite.
Not saying that's you OP, but that's just the reality of using WP.
Wordpress plugin.
Not that Wordpress is perfect but one should keep in mind that most of the bugs are actually not in Wordpress itself. They have like 60.000 third party plugins available, naturally there will be bugs in some of them.
Wordpress gets a lot of shit, and yes, sometimes it deserves it. But then again I've seen Wordpress sites with 100k visitors per day run for decades without ever being hacked, so clearly it's not just Wordpress.
No, the issue is plugins, themes & shared access
Set up a WP site under a separate user, install 0 plugins, and enable auto updates, and it won't be hacked
Have 30 plugins with some not updated for a year, 3 inactive old shitty themes and share the same www-user for each, and yes, they'll obviously end up getting hacked
All it takes is ONE bad plugin on ONE site and then it's spread to every site you got and missing just 1 file when cleaning could mean it's now spreading once again
Keeping WP updated and minimal is important
But even more important is fully separating websites
It has been more than an hour since I fixed files and all websites are working fine. Will definitely isolate websites. Plus, I have deleted a few plugins which were not in use.
I have been facing the same issue for the past few weeks and helped my clients fix them all. All keyword rankings are coming back now.
After a long investigation, I found the main issue was caused by two Elementor addons. Some of them were already reported as critical vulnerabilities by Sucuri back in May.
I have isolated one of the sites and now no hacker in the world can hack it. Not even NSA, FBI, CIA, ISI, NASA!!
Have you tried to power it off and on again?
WordPress is a popular CMS and will stay popular. It is mostly free, simple and provides many features even in the base setup.
As with any other software, WP needs to be updated to the current version in a timely manner, as do its plugins and templates.
If you do not download plugins or templates from suspicious sites, update WP in a timely manner, and use strict passwords, then you will not have any problems with WP.
Most likely your site was hacked by uploading malicious content. Therefore you may need to check your nginx or apache access logs for POST requests. Also you may need to check ftp and ssh logs. In most cases such hacks happen because the hacker uploads a shell script to the site and then uses it to complete his hack attempt. This is the most popular technique in automated hacking bots.
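An added example of the access-log check this post recommends (not from the thread): it pulls POST requests out of a combined-format nginx/apache log and flags the ones aimed at paths where WordPress itself never accepts a POST, which is where an uploaded script is typically driven from. The sample log lines, IPs and file names are constructed for the demo, and the list of "known" POST endpoints is an assumption that should be extended for whatever plugins a site really runs.

```shell
#!/bin/sh
# Flag POST requests in a combined-format access log that hit paths where a
# stock WordPress install does not expect one: any .php under
# wp-content/uploads, or any .php outside the normal POST endpoints.
# Output: "<ip> <timestamp> <path> <status>" per flagged request.
# Usage: suspicious_posts <access_log>
suspicious_posts() {
    awk '
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)          # drop the query string
            known = (path == "/wp-login.php" || path == "/xmlrpc.php" ||
                     path == "/wp-cron.php" || path == "/wp-comments-post.php" ||
                     path ~ /^\/wp-admin\//)   # assumed list of legitimate POST targets
            if (path ~ /^\/wp-content\/uploads\/.*\.php/ || (!known && path ~ /\.php/))
                print $1, $4, path, $9
        }' "$1"
}

# Constructed sample log: two normal logins/ajax calls, a scripted client
# posting to a PHP file under uploads and to a core include, a GET, a comment.
sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [12/Jun/2023:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2023:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Jun/2023:10:02:31 +0000] "POST /wp-content/uploads/2023/06/cache.php HTTP/1.1" 200 24 "-" "python-requests/2.31"
198.51.100.77 - - [12/Jun/2023:10:02:40 +0000] "POST /wp-includes/cron.php?a=1 HTTP/1.1" 200 24 "-" "python-requests/2.31"
192.0.2.9 - - [12/Jun/2023:10:03:00 +0000] "GET /wp-content/uploads/2023/06/photo.jpg HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2023:10:03:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}
```

The flagged source IPs are the ones to cross-check against auth.log and ftp logs for the same time window.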
Wordpress is garbage, and a huge security risk once you decide to start customizing it with skins and plugins. I've run websites for almost a decade and the only ones that would ever get hacked were the wordpress ones.
I think the key here is being careful with Wordpress plugins and it's something most people have said for ages. However just giving someone advice to stay away from Wordpress when the core is usually fairly safe (I hope) is kind of like saying don't buy chicken if the condiments are spoilt.
people get hacked through third-party themes listed on their site as well. there's almost no point to wordpress if just using the default theme and no plugins.
For a comparison, people do not get hacked through mediawiki themes and plugins for the most part. Why? I don't care, but I know the results and the results show using wordpress is exposing yourself to an enormous landscape of threats for little benefit. Maybe the best benefit of wordpress is its collaboration feature, but you can get that with better security with dokuwiki, mediawiki or tons of other similar programs with almost no security risk.