Off Topic? Maybe, point me to where this would be On Topic!
Hi All,
My daughter attends a private school. Recently their WordPress website was hacked and they need some help cleaning it up. I don't have the experience with WordPress to help.
Are there services or websites that they could use to find the expertise to help with this?
Of course they would be compensated.
Here is a description of the problem:
Thanks! -DF5
Thank you for getting back to me. We are trying to detect any possible back door vulnerabilities in our WordPress installation that may be allowing scripts or bots to place malicious code on our website. We have been hit by a specific drug company. This code seems to turn up in our PHP files. The original problem was that people who clicked twice on any page of our site were redirected to this drug website!!
We have cleaned the installation manually, but there may still be scripts running in the database or remaining vulnerabilities because we did not want a re-installation of a clean version of WordPress. We have scanned the database and there appear to be no known rogue files, but we are concerned that there may still be scripts running that are very well hidden. We basically need someone to start by looking through our files to see if there is something we and the scan missed.
There is a lot of customization we did on our website and are trying to avoid a clean install. We are also in contact with Dream Host (our hosting company) to see if it is a server issue as we are uncertain if this is a WordPress vulnerability via a plugin or a server issue that Dream Host can resolve.
The website seems to be functioning well now, we are mainly trying to prevent another problem and to eradicate any malicious code so we are not penalized in the search engines.
asked Nov 23, 2010 at 3:04 by DrFloyd5
- This is not a job board, sorry dude. I can understand you're a bit desperate, but you should look for a job board for such questions - Please see the FAQ wordpress.stackexchange/faq – hakre Commented Nov 23, 2010 at 15:28
- It's cool. The stack exchange crew is pretty helpful. I hoped, correctly, that they would at least steer me in the right direction. – DrFloyd5 Commented Nov 23, 2010 at 15:37
- possible duplicate of Verifying that I have fully removed a WordPress hack? – Chip Bennett Commented Jul 18, 2011 at 1:45
4 Answers
See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex
I've cleaned quite a few hacks before. It's a multi-step process that's somewhat difficult to outline here. However, these folks (http://sucuri/) have become the go-to company for a lot of people. Reputable and thorough. (I'm not affiliated with them in any way, shape, or form.)
Dr Floyd, more than likely it was a botnet that went through a bunch of sites and found a vulnerability, and then exploited it. I can help you go through the files, but you should be prepared to upgrade your WordPress installation. These hacks are fairly common; they aren't done by a specific drug company.
You can reach me here, or if you go to our website, you can call me directly. (Zippykid)
Your best bet is to set up a dev environment with a new version of WordPress, copy over your theme, and import all the posts into this environment. Then apply any of the settings as needed.
This is not a specific answer to your situation; however, it is relevant to your situation.
A few ways that such problems can be avoided in the future:
- make sure you add the DISALLOW_FILE_EDIT parameter on your wp-config.php file to TRUE (look up if unsure)
- Use a child theme for customization of WordPress, don't modify the core files directly -- if you had used this approach, you could simply do a fresh install of WordPress and themes and be rid of any hacked files.
- Make sure you have a password that is very complicated. A good password might look like this: c38fuj%kfjiposC8jfwe! -- distributed botnets can crack even a 13 character password in a matter of months
- If using a shared hosting provider, ensure that the directory permissions on your wp-config.php file is not readable to the world.
- Find out if your hosting provider allows overrides to the htaccess files to take place -- if so, then once the htaccess file is set correctly, you should make it read-only.
- Always keep up to date with the most recent WordPress/theme updates.
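The items in the list above that can be verified from the file system (DISALLOW_FILE_EDIT in wp-config.php, wp-config.php not world-readable, a read-only .htaccess), as an added example that is not part of any answer on this page. The function names `audit_wordpress` and `build_sample` are hypothetical, and the sample install is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Matches an active define('DISALLOW_FILE_EDIT', <value>); line (not a // comment).
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(\w+)\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)

def audit_wordpress(root):
    """Return a list of hardening findings for the WordPress install at root."""
    findings = []
    config = os.path.join(root, "wp-config.php")
    htaccess = os.path.join(root, ".htaccess")
    if not os.path.isfile(config):
        return ["wp-config.php not found"]
    with open(config, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    match = DEFINE_RE.search(text)
    if match is None or match.group(1).lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    mode = stat.S_IMODE(os.stat(config).st_mode)
    if mode & stat.S_IROTH:  # "other" read bit: any account on a shared host
        findings.append("wp-config.php is world-readable (mode %o)" % mode)
    if os.path.isfile(htaccess):
        mode = stat.S_IMODE(os.stat(htaccess).st_mode)
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            findings.append(".htaccess is writable (mode %o)" % mode)
    return findings

def build_sample(config_body, config_mode, htaccess_mode):
    """Create a constructed sample install in a temp dir and return its path."""
    root = tempfile.mkdtemp()
    for name, body, mode in (("wp-config.php", config_body, config_mode),
                             (".htaccess", "# constructed sample\n", htaccess_mode)):
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    weak = build_sample("<?php\n// constructed sample\n", 0o644, 0o644)
    for finding in audit_wordpress(weak):
        print(finding)
```

An empty result only means these three settings are in place; it says nothing about whether injected code remains in theme, plugin or database content.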