wordpress website hacked - help

Tomsk · 27 Jun 2019 at 14:18

Our company WP website has been hacked - rediverts to 'other' sites.
It's a fairly simple website with just a few pages.

Currently running 'malcare' - www.malcare.com on it.

Any other advice on how to clean up the webiste?
Perhaps delete everything and start again?

Vince · 27 Jun 2019 at 20:07

its probably only a single page redirect, do you back up wordpress? if so restore last nights backup and crack on, talk to your host and they should assist. Also look into WPEngine and never look back.

Also what kind of access do you have? is it cpanel or hosted locally? what does the setup look like and I can possibly help.

AHarvey · 28 Jun 2019 at 06:41

Ideally, just restore from backup. WP hacks can be a pain in the backside to find when it's subtle change.

A company I worked at once had it happen, search links for the site would bring back on sunglasses or some other odd products but clicking the link to the website brought up the normal page.

They couldn't figure it out, asked me to look at it, I remove a couple of bits but couldn't find the root cause.

In the end I just reinstalled and used it as an excuse to update the whole site

Deleted member 77746 · 28 Jun 2019 at 12:51

Wordpress is an absolute nightmare for been hacked. usually all down to the plugins.

Tomsk · 28 Jun 2019 at 17:23

I've got it on a holding page at the moment thanks to seedpod

www.vrff.co.uk

If I restore from backups, won't it just get hacked again?

Since the website is so simple I was thinking of just replacing it with a few simple HTML pages and ditching WP completely.
I'll have to check with boss, when she gets back in a couple of weeks.

Randomface74 · 28 Jun 2019 at 17:30

yeah ditch wordpress

Deleted member 77746 · 29 Jun 2019 at 21:42

Can I ask you if you have all the plugins updated to the latest version? You could take a copy of the database and the website files and replicate somewhere else like a locally hosted web server. You then possible could have someone check it over, if it was me though I would 100% ditch Wordpress.

Another option is to purchase a bootstrap template and customise that with your information from the current site. Bootstrap is awesome.

UberTiger · 29 Jun 2019 at 22:05

What theme and plugins were you using?
Were you keeping everything up to date?

Ideally restore from a known pre-hack backup. Do you have daily backups in place with your host?

If you can't, make sure your WP core, theme and plugins are all up to date.

Download WordFence and run their scan. This should detect any altered core files and will hopefully find obvious unexpected files inserted by the hacker.

You can install Seccuri and run the post hack checks it has.

You'll also want to check for any new unauthourised admin accounts, you'll want to check the database for any hidden admin accounts too, that may have been altered so they don't show up in the control panel.

You might want to search your files and the database for any unexpectured use of the eval() function

Check for any backdoors https://www.wordfence.com/learn/finding-removing-backdoors/

Check for any new plugins that you didn't install.

It's worth following the Wordfence blog and subscribing to their newletter to get notified of any major exploits.

If you don't need a dynamic wordpress site, definitely consider going down the static route or use a tool to create a fresh static version of the site you built in WP and start from scratch.

AHarvey · 30 Jun 2019 at 12:29

Just an FYI, if you google vrff.co.uk the top result returns the following:

Vale Royal Fresh Foods

www.vrff.co.uk/
This site may be hacked.
Vale Royal Fresh Foods Ltd – Quality Beansprouts ... Email: [email protected]. Phone: 01565 722931. Fax: 01565 722711. Copyright 2017 © Vale Royal ...

Which leads to this:

https://support.google.com/websearc...A&visit_id=636974903051776770-4084643017&rd=1

I would not be waiting 2 weeks until the boss comes back @Tomsk.

I'd be getting a new site up and running asap and get that hacked message removed from the site. Take a screenshot of the hacked message and if the boss makes a fuss, show her that and how damaging having 'hacked' associated with the company name can be.

Do you have screenshots of what the site looked like before?

Cached version of the site on the 25th June, you can see the links that have been added: http://webcache.googleusercontent.c...v8J:www.vrff.co.uk/+&cd=1&hl=en&ct=clnk&gl=uk

AHarvey · 2 Jul 2019 at 19:13

@Tomsk Did you manage to get it sorted?

Tomsk · 2 Jul 2019 at 23:24

AHarvey said:
@Tomsk Did you manage to get it sorted?

I've put a holding page up.

My boss is on her honeymoon, so I'm not going to ask her.

I'm starting to re-create the website in plain old HTML, but it's a long process as I've never built a website before.

Hopefully she'll agree and ditch Wordpress.

Thanks to all for the help and advice.

touch · 3 Jul 2019 at 09:50

You can just copy the HTML output by WordPress, you don't need to rewrite it all from scratch. (and obviously remove any of the dodgy links)
It'll include links to .css and .js files, you'll need to keep these files.

I'd still agree with those saying to restore a backup and go from there. WordPress is fairly secure as long as you keep it updated. From the webcache link that AHarvery posted, it looks like you were using Okab theme on version 3.5.1, that's over a year without updates to the theme.