WP site compromised

Mark M · 6 Nov 2017 at 11:45

I received an email from Google to say that my site contained malicious code, loaded up the site and when you click on a link it opens up a new page that takes you to some advertising junk.

Whats the best approach to get to the bottom of this? I have very few addons enabled but presume one of them or the core WP has been exploited somehow? WP is automatically upgraded but Im a little lapse with updating the addons in all honesty.

Any pointers or advice greatly appreciated thanks.

Edit - not sure if linked to the recent Vidahost thread about a potential compromise but this site is hosted with Vidahost.

Hutchy · 6 Nov 2017 at 11:52

Hi Mark, I'd suggest rolling the site back to when it was clean to make absolutely sure there's no remaining evidence of the hacks code. I'd then do as you say and make sure Wordpress is fully up to date whilst also making sure plugins are up to date as well as doing a bit of research to see if your current plugins have any known issues / exploits. (You might have a plugin that's not been updated for years for example.)

The other things to consider is the file and folder permissions on the hosting, the host should be able to give you some insight in to what these permissions should be for your particular setup.

Lastly, try a plugin like Wordfence that checks for modified files, failed login attempts etc which might add another layer of security to your site.

gord · 6 Nov 2017 at 11:52

Sounds similar to something I experienced: https://forums.overclockers.co.uk/threads/wordpress-injection-attack-directly-into-db.18770559/

See if the fixes in the hardening Wordpress link I posted help.

Six6siX · 6 Nov 2017 at 14:22

I had this on a wordpress site of mine recently which did have some hardening applied. Though I didn't get a google warning, I just noticed the spam links myself.

I ended up cleaning the posts in the db manually and rechecking all theme files and plugins - fortunately the site doesn't have all that much content compared to others.

They were just javascript links inserted in the bottom of the post content which seemed to hijack link clicks on the page.

Hosted with Vidahost, incidentally.

gord · 6 Nov 2017 at 15:31

Mine was also with Vidahost, but my intrusion was back in Feb/March and it kept happening until the hardening was applied.

MassiveJim · 6 Nov 2017 at 23:44

Im with vidahost and my site seems ok, I just tried to login to the WP side of things to check a couple of things and got this error though..(starred out folder as it contains website name)

Fatal error: Incompatible file format: The encoded file has format major ID 1, whereas the Loader expects 7 in /home/********/public_html/admin/index.php on line 0

On Holiday · 6 Nov 2017 at 23:57

MassiveJim · 7 Nov 2017 at 00:52

Plenty O'Toole said:
There's very little chance your website will be infected because another account on the same server has been infected.

The issue will be the theme or a plugin so the first step is to get it all up to date then look at whatever plugin you like for security - Sucuri is good.

how do I update the site if I can't log in to WP ?

a preliminary google search seems to suggest it might have something to do with an incompatible PHP version.
possibly vidahost have updated PHP following the issues they seem to have had and my old WP theme (no longer supported) is not compatible

gord · 7 Nov 2017 at 09:29

MassiveJim said:
how do I update the site if I can't log in to WP ?

a preliminary google search seems to suggest it might have something to do with an incompatible PHP version.
possibly vidahost have updated PHP following the issues they seem to have had and my old WP theme (no longer supported) is not compatible

Log in to your control panel and you should be able to change the PHP version for your site.

touch · 7 Nov 2017 at 10:38

MassiveJim said:
Fatal error: Incompatible file format: The encoded file has format major ID 1, whereas the Loader expects 7 in /home/********/public_html/admin/index.php on line 0

That file isn't a standard path in wordpress, but there is a ../public_html/wp-admin/index.php
If you've used a one-click install or got your host to setup wordpress for you it's possible they use a non-standard install like that though.

Try going directly to the update link first: yoursite/wp-admin/update-core.php

You might be able to change the PHP version through the host control panel.

Otherwise, you can access the FTP and make a backup of all the files then try and replace all the standard wordpress files manually with updated versions.

MassiveJim · 7 Nov 2017 at 12:49

thanks both i'll give both methods a whirl when i'm home later and report back

Mark M · 20 Nov 2017 at 09:53

Thought I had sorted the issue but just want to check if this is another (or linked) issue...

When I go to www.site1.co.uk/wp-login I get redirected to http://site1.co.uk/wp-login.php?redirect_to=http://site1.co.uk/wp-admin/&reauth=1

Ive removed the actual domain and replaced with site1 but unsure what the redirect is? It looks like its still my site but what is the bit with the %'s etc?

Havent tried actually logging in yest just in case its not safe.

Edit - thought it might be a cookie issue so tried it in incognito mode and it does the same.

gord · 22 Nov 2017 at 13:20

Mark M said:
Thought I had sorted the issue but just want to check if this is another (or linked) issue...

When I go to www.site1.co.uk/wp-login I get redirected to http://site1.co.uk/wp-login.php?redirect_to=http://site1.co.uk/wp-admin/&reauth=1

Ive removed the actual domain and replaced with site1 but unsure what the redirect is? It looks like its still my site but what is the bit with the %'s etc?

Havent tried actually logging in yest just in case its not safe.

Edit - thought it might be a cookie issue so tried it in incognito mode and it does the same.

The %s are URL encoded characters, nothing to worry about: http://www.degraeve.com/reference/urlencoding.php

As for the redirect parameter, that's safe too. It's just because you're going to wp-login instead of wp-admin, it's saying it'll take you to the admin section after logging in. For some users you may not want them going to the admin section, say an online store, they log in and get redirected to the current shop page they were looking at so the shopping experience isn't interrupted.

touch · 22 Nov 2017 at 14:13

Wordpress wont work properly on different subdomains like some websites can - you have to direct all traffic to a single url.
http://www.site1.co.uk is not the same as http://site1.co.uk and you have to choose one of them to use.

If you go to www.site1.co.uk/wp-admin it will redirect you to site1.co.uk/wp-admin
You can change it under settings to use the www. address if you'd prefer.