WP site compromised

Mark M

Mark M

Mark M

Soldato
Joined
6 Jan 2006
Posts
3,388
Location
Newcastle upon Tyne
I received an email from Google to say that my site contained malicious code, loaded up the site and when you click on a link it opens up a new page that takes you to some advertising junk.

Whats the best approach to get to the bottom of this? I have very few addons enabled but presume one of them or the core WP has been exploited somehow? WP is automatically upgraded but Im a little lapse with updating the addons in all honesty.

Any pointers or advice greatly appreciated thanks.

Edit - not sure if linked to the recent Vidahost thread about a potential compromise but this site is hosted with Vidahost.
 
Hi Mark, I'd suggest rolling the site back to when it was clean to make absolutely sure there's no remaining evidence of the hacks code. I'd then do as you say and make sure Wordpress is fully up to date whilst also making sure plugins are up to date as well as doing a bit of research to see if your current plugins have any known issues / exploits. (You might have a plugin that's not been updated for years for example.)

The other things to consider is the file and folder permissions on the hosting, the host should be able to give you some insight in to what these permissions should be for your particular setup.

Lastly, try a plugin like Wordfence that checks for modified files, failed login attempts etc which might add another layer of security to your site.
 
I had this on a wordpress site of mine recently which did have some hardening applied. Though I didn't get a google warning, I just noticed the spam links myself.

I ended up cleaning the posts in the db manually and rechecking all theme files and plugins - fortunately the site doesn't have all that much content compared to others.

They were just javascript links inserted in the bottom of the post content which seemed to hijack link clicks on the page.

Hosted with Vidahost, incidentally.
 
Im with vidahost and my site seems ok, I just tried to login to the WP side of things to check a couple of things and got this error though..(starred out folder as it contains website name)

Fatal error: Incompatible file format: The encoded file has format major ID 1, whereas the Loader expects 7 in /home/********/public_html/admin/index.php on line 0
 
Plenty O'Toole said:
There's very little chance your website will be infected because another account on the same server has been infected.

The issue will be the theme or a plugin so the first step is to get it all up to date then look at whatever plugin you like for security - Sucuri is good.
Click to expand...
how do I update the site if I can't log in to WP ?

a preliminary google search seems to suggest it might have something to do with an incompatible PHP version.
possibly vidahost have updated PHP following the issues they seem to have had and my old WP theme (no longer supported) is not compatible
 
MassiveJim said:
how do I update the site if I can't log in to WP ?

a preliminary google search seems to suggest it might have something to do with an incompatible PHP version.
possibly vidahost have updated PHP following the issues they seem to have had and my old WP theme (no longer supported) is not compatible
Click to expand...
Log in to your control panel and you should be able to change the PHP version for your site.
 
MassiveJim said:
Fatal error: Incompatible file format: The encoded file has format major ID 1, whereas the Loader expects 7 in /home/********/public_html/admin/index.php on line 0
Click to expand...

That file isn't a standard path in wordpress, but there is a ../public_html/wp-admin/index.php
If you've used a one-click install or got your host to setup wordpress for you it's possible they use a non-standard install like that though.

Try going directly to the update link first: yoursite/wp-admin/update-core.php

You might be able to change the PHP version through the host control panel.

Otherwise, you can access the FTP and make a backup of all the files then try and replace all the standard wordpress files manually with updated versions.
 
Thought I had sorted the issue but just want to check if this is another (or linked) issue...

When I go to www.site1.co.uk/wp-login I get redirected to http://site1.co.uk/wp-login.php?redirect_to=http://site1.co.uk/wp-admin/&reauth=1

Ive removed the actual domain and replaced with site1 but unsure what the redirect is? It looks like its still my site but what is the bit with the %'s etc?

Havent tried actually logging in yest just in case its not safe.

Edit - thought it might be a cookie issue so tried it in incognito mode and it does the same.
 
Mark M said:
Thought I had sorted the issue but just want to check if this is another (or linked) issue...

When I go to www.site1.co.uk/wp-login I get redirected to http://site1.co.uk/wp-login.php?redirect_to=http://site1.co.uk/wp-admin/&reauth=1

Ive removed the actual domain and replaced with site1 but unsure what the redirect is? It looks like its still my site but what is the bit with the %'s etc?

Havent tried actually logging in yest just in case its not safe.

Edit - thought it might be a cookie issue so tried it in incognito mode and it does the same.
Click to expand...

The %s are URL encoded characters, nothing to worry about: http://www.degraeve.com/reference/urlencoding.php

As for the redirect parameter, that's safe too. It's just because you're going to wp-login instead of wp-admin, it's saying it'll take you to the admin section after logging in. For some users you may not want them going to the admin section, say an online store, they log in and get redirected to the current shop page they were looking at so the shopping experience isn't interrupted.
 
You must log in or register to reply here.
Back
Top Bottom