Website hacked - What to do?

Soldato
Joined
18 Oct 2002
Posts
9,190
First of all my host, tsohost, have been great helping me with this but I appreciate there is only so much they can do.

Essentially the website has been hacked twice now, last week was the worst such hack and we found the website had been changed to an Islamic website supporting Palestine with lots of Arabic text and the message it had been hacked. Not ideal. I was travelling with work at the time so only got the website back up and running on Friday night. I restored it using a backup from backup vault, took a local copy of the website, updated WordPress and changed the site password. Today the website throws up a 403 error message and tsohost has said the site is infected with malware and seems to be hacked again.

What more can I do and how can I get the site back up and running in the long term? It's my girlfriend's website for her business so it's costing her money the longer it stays down.
 
Associate
Joined
27 Jun 2009
Posts
1,351
Location
Manchester
Couple of things I'd check through:

1. Get a security plugin which will change the /wp-admin/ location to something else, i.e. /hiddenadmin/
2. http://wordpress.org/plugins/better-wp-security/ - Follow the other instructions it might give, some might not really help, but it's worth doing.
3. You said your WordPress is already up to date which is most important so that's good, just keep it updated as you have been doing.
4. Some themes use scripts like TimThumb which generate thumbnails. Some of these scripts have pretty big security holes in them and require updating as well as WordPress itself. Have a look around your theme and see what it uses to possibly identify any third party scripts which might have potential security holes in them. (People even made some plugins to check for you: http://wordpress.org/plugins/timthumb-vulnerability-scanner/)
5. Lastly, it might be worth doing a bit of a virus scan on all the backup files as well, see if anything crops up.

Good luck!
 
Associate
Joined
8 Aug 2008
Posts
302
All great advice so far, also make sure you're not using 'admin' as the username for any accounts, it gives any bot 50% of your login details to start trying passwords with. I use an obscure name for my admin login and couple that to an 18 character password with numbers, upper and lower case letters and special characters.

In addition to what Hutchy suggested, delete any plugins you're not using as there could be code hidden in those. We had a similar hack once that had hidden files in the bundled Akismet folder, so even though that plugin wasn't active, it allowed them to access a file in the folder to keep writing files to the site.

If you can reduce the footprint of the site by losing plugins and themes you don't need, it'll be easier to spot anything that changes.
 
Associate
Joined
8 Aug 2008
Posts
302
Ensure the latest versions of code are installed and change every password known. Possibly look through hosting logs to see if certain IP addresses are accessing the services.

This is a good idea and should be easily accessible through your cPanel. Check for any dodgy links that seem to be directing to files on your site. Have a look in your htaccess file at the root and check it to the four corners to make sure there's no code hidden away in the file.
 
Soldato
OP
Joined
18 Oct 2002
Posts
9,190
Cheers for the suggestions.

Also the hacked Arabic text now appears as a result when searched via Google, how can this be removed? Will Google update over time?
 
Soldato
Joined
3 Jun 2005
Posts
3,119
Location
The South
I'd be wary of any backup, unless you can guarantee it hasn't been infected with malware/backdoors.

I've always found it's better with WP sites to set up a local version of the site, populate it with the necessary data, create a backup from that and then upload it to the host. Any further changes I do to the local version and then transfer them to the host.
Granted it's a bit of work but if anything does happen to the site then I know I've got a clean backup that can be restored.

As for Google, have a look at the webmaster tools - there's the option of submitting the site's URL. But unfortunately it's going to take a while before it refreshes the search contents.
 
Soldato
OP
Joined
18 Oct 2002
Posts
9,190
I think there must be something in the backups which is causing the issue. My work virus scanner highlighted a file called reboot.php as being malicious.

I understand the basic principles of how WordPress and editing it works, but it did take me a fair amount of time to edit the theme, add content etc. What's the best way of me getting up and running again from a clean install? That's the only way I can see myself getting out of this.
 

daz

Soldato
Joined
18 Oct 2002
Posts
24,079
Location
Bucks
There is most likely a backdoor in the backup that you're restoring - unless you can roll your site back to when you 100% know it was clean, then it was probably hacked before you saw anything visible on your site change.

If you want to start from scratch, I'd take a backup of the database, clear out your public_html and then install WordPress from scratch. You can then re-attach your database by editing the wp-config.php, re-install your themes and plugins and hopefully you should be OK.

By and large, WordPress is pretty secure - most hacks or exploits are normally caused by a vulnerability or poor coding in a plugin or theme that you're running.
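The rebuild daz describes, written out as shell functions. This is an added example rather than anything from the thread; it assumes a cPanel-style account with public_html as the web root, mysqldump and curl installed, and the standard wordpress.org tarball. The database name, user and password used in the dry run are placeholders, and write_sample produces a constructed excerpt of wp-config-sample.php.

```shell
#!/bin/sh
# Added example, not code from the thread: the "start from scratch" rebuild as
# shell functions. Assumes public_html is the web root, mysqldump and curl are
# installed, and the stock wordpress.org tarball; DB names are placeholders.

# dump_db NAME USER PASS OUT: the content lives in the database, so keep it
# (but review the dump for injected <script>/<iframe> in post_content).
dump_db() { mysqldump --single-transaction -u "$2" -p"$3" "$1" > "$4"; }

# quarantine_webroot ROOT: move the compromised tree aside rather than
# deleting it, so reboot.php and friends can still be examined later.
quarantine_webroot() { mv "$1" "$1.compromised.$(date +%Y%m%d%H%M%S)"; }

# fresh_core ROOT: unpack a clean core as the new web root; themes and plugins
# are then re-downloaded from wordpress.org, not taken from any backup.
fresh_core() {
    tmp=$(mktemp -d)
    curl -sSL -o "$tmp/wp.tgz" https://wordpress.org/latest.tar.gz
    tar -xzf "$tmp/wp.tgz" -C "$tmp" && mv "$tmp/wordpress" "$1"
}

# attach_db SAMPLE OUT NAME USER PASS: build wp-config.php from the sample:
# fill the DB constants and replace every 'put your unique phrase here' salt
# with fresh random bytes, which throws out any login cookies the attacker
# still holds. Keep '/' and '&' out of the password; sed would interpret them.
attach_db() {
    sed -e "s/database_name_here/$3/" -e "s/username_here/$4/" \
        -e "s/password_here/$5/" "$1" |
    while IFS= read -r line; do
        case $line in
        *'put your unique phrase here'*)
            salt=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
            printf '%s\n' "$line" | sed "s/put your unique phrase here/$salt/" ;;
        *) printf '%s\n' "$line" ;;
        esac
    done > "$2"
}

# write_sample OUT: constructed excerpt of wp-config-sample.php for a dry run.
write_sample() {
    printf '%s\n' "define( 'DB_NAME', 'database_name_here' );" \
        "define( 'DB_USER', 'username_here' );" \
        "define( 'DB_PASSWORD', 'password_here' );" \
        "define( 'AUTH_KEY',         'put your unique phrase here' );" \
        "define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );" > "$1"
}
# Dry run of the offline step (real order: dump_db, quarantine_webroot,
# fresh_core, then attach_db on the fresh wp-config-sample.php).
write_sample /tmp/wpcfg.sample && attach_db /tmp/wpcfg.sample /tmp/wpcfg.out \
    shopdb shopuser 'placeholder-pw' && cat /tmp/wpcfg.out
```

Themes and plugins still have to be reinstalled from wordpress.org afterwards, and the `$table_prefix` in the generated file must match the one the existing database uses.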
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
I think there must be something in the backups which is causing the issue. My work virus scanner highlighted a file called reboot.php as being malicious.

I understand the basic principles of how WordPress and editing it works, but it did take me a fair amount of time to edit the theme, add content etc. What's the best way of me getting up and running again from a clean install? That's the only way I can see myself getting out of this.

Check the reboot.php code ? :)
 
Soldato
OP
Joined
18 Oct 2002
Posts
9,190
Thanks for the suggestions, I am back up and running and everything looks good. The risk is that I could have used a backup which is compromised, but I only copied across the theme folder to a new WordPress installation with a new database username and password.

Better WP Security also threw up some suggestions so I hope I am more secure than I was before.

Cheers :)
 
Soldato
OP
Joined
18 Oct 2002
Posts
9,190
Oh man it's happened again. This time the site threw up a 403 error. The host has said the site was hacked and they have brought it back online again. Why would the site get in to this state and what can I do to prevent it?

I have followed all of the advice in this thread by changing passwords, using the enhanced WordPress security plugin etc. I'm at a loss as to why this is happening!
 
Associate
Joined
8 Aug 2008
Posts
302
Sorry to hear you're still having issues. If the only files you brought in from the backup were your template files, then it's likely you've got a backdoor in there somewhere. Alternatively your FTP details have been compromised.

Tbh I think you're going to have to go back to basics. Clear the site of every file, have a single index.html file on there with nothing else, no folders hidden or anything, just have a notice informing visitors of maintenance and contact details. Leave it a week. If it gets compromised again, you know it's your FTP access that's the issue.

When you bring WordPress back, start with twentythirteen. There should be enough base templates in there to get the site operating again. I wouldn't trust any of the backups from now on.
 
Associate
Joined
16 Mar 2013
Posts
396
Sorry to hear you're still having issues. If the only files you brought in from the backup were your template files, then it's likely you've got a backdoor in there somewhere. Alternatively your FTP details have been compromised.

Tbh I think you're going to have to go back to basics. Clear the site of every file, have a single index.html file on there with nothing else, no folders hidden or anything, just have a notice informing visitors of maintenance and contact details. Leave it a week. If it gets compromised again, you know it's your FTP access that's the issue.

When you bring WordPress back, start with twentythirteen. There should be enough base templates in there to get the site operating again. I wouldn't trust any of the backups from now on.

Good advice. Unfortunately, there's no quick fix to compromised security when it gets to this stage.
 
Associate
Joined
7 Apr 2012
Posts
2,101
Location
Tampa Bay
Do you have said reboot.php in a backup still around? It's probably one of many backdoor files which is typical when someone manages to breach a system. The file itself is perfectly safe but they'll use it to regain access.

You wanna look inside the file with a text editor, and find some term to do a search for against your web directory (can do at a higher level if you want). This will likely reveal all the immediate back doors that have been left behind.
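The two file checks suggested in this thread, the .htaccess "four corners" review and the search of the web directory for a string taken from reboot.php, combined into one small POSIX shell script. This is an added example, not code from the thread: BACKDOOR_MARKER_FROM_REBOOT_PHP stands in for whatever distinctive string is found in the real file, and the web root it scans is a constructed fixture.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a WordPress web root for
# leftover backdoors after a compromise. BACKDOOR_MARKER_FROM_REBOOT_PHP is a
# placeholder for a distinctive string copied from the malicious reboot.php;
# the fixture paths and the example.invalid redirect are constructed.

# find_marker ROOT MARKER: every .php or .htaccess file under ROOT that
# contains MARKER as a fixed string (the "search your web directory" step).
find_marker() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) \
        -exec grep -lF -- "$2" {} + | sort
}

# php_in_uploads ROOT: PHP under wp-content/uploads is never legitimate on a
# stock site, so any hit is a dropped file worth inspecting.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# suspicious_htaccess FILE: line numbers of lines over 200 characters or with
# 50+ consecutive blanks, the usual ways a directive is pushed off-screen.
suspicious_htaccess() {
    grep -nE '.{200,}|[[:space:]]{50,}' "$1" | cut -d: -f1
}

# make_fixture DIR: build a small constructed web root to run the checks on.
make_fixture() {
    mkdir -p "$1/wp-content/uploads/2013/08" "$1/wp-content/themes/mytheme"
    printf '<?php echo "clean theme file";\n' \
        > "$1/wp-content/themes/mytheme/index.php"
    printf '<?php /* BACKDOOR_MARKER_FROM_REBOOT_PHP */ echo "x";\n' \
        > "$1/wp-content/themes/mytheme/reboot.php"
    printf '<?php /* BACKDOOR_MARKER_FROM_REBOOT_PHP */ echo "y";\n' \
        > "$1/wp-content/uploads/2013/08/img.php"
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n' > "$1/.htaccess"
    # Line 3 reads as "Options -Indexes" until you scroll 300 spaces right.
    printf 'Options -Indexes%300sRewriteRule .* http://example.invalid/ [R=302,L]\n' \
        ' ' >> "$1/.htaccess"
}

# Stand-alone run against the fixture.
root=$(mktemp -d)
make_fixture "$root"
echo "files containing marker:"; find_marker "$root" BACKDOOR_MARKER_FROM_REBOOT_PHP
echo "php in uploads:"; php_in_uploads "$root"
echo "suspicious .htaccess lines:"; suspicious_htaccess "$root/.htaccess"
rm -rf "$root"
```

On a real site run the three functions against the live web root and compare the hits with a fresh copy of the same WordPress, theme and plugin versions; anything present only on the live site needs explaining.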
 