WP Website hacked

My website got hacked (I'm using ProPhoto 4)

Using FileZilla, I can see everything is there, but I can't see anything (blank white page) when I go to the site from a browser. It disappeared this morning.

Strange things started a few days ago, when I tried to give someone my website address in FB, I got a google image instead of my website's front page as an image snippet.

Then, I noticed that I was quickly dropping off my search terms in google.

In Google Webmaster Tools, it says it hasn't been able to crawl my site since 21 April.

This is driving me up the wall!!!
 
.htaccess or robots.txt file in there somewhere? New index.html file there?

Are you talking about dkh-photography.com? I get a picture of a shirt hanging in an open wardrobe and a couple of links to secureserver.net with a page title of: "Coming Soon - Future home of something quite cool"
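The questions in that post (new index.html? .htaccess? something dropped on the server?) are the usual first triage pass over a WordPress docroot seen through FTP or SSH. The script below is an added example, not something from the thread or from ProPhoto: it assumes a POSIX shell with find, grep and stat, and the sample tree built by make_sample_site is constructed purely so the checks can be exercised offline. The PHP-under-uploads check, the eval/base64 pattern and the wp-config.php permission check are the editor's additions to the poster's list.

```shell
#!/bin/sh
# Added triage example for a blank or defaced WordPress site (not from the thread).
# Assumes POSIX sh plus find, grep and stat. Usage: sh triage.sh /path/to/docroot
set -u

# Files touched in the last DAYS days (default 7); a hacked site usually shows a
# cluster of changes on one date.
recent_changes() {
    root=$1; days=${2:-7}
    find "$root" -type f -mtime "-$days" ! -path '*/cache/*' | sort
}

# PHP under wp-content/uploads has no business being there; it is the classic webshell drop.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) 2>/dev/null | sort
}

# Injected PHP is usually obfuscated: eval(base64_decode(...)), gzinflate, str_rot13.
obfuscated_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + | sort
}

# .htaccess rewrites that bounce visitors to another host (a "coming soon" page
# can be served this way), and a stray index.html that Apache serves ahead of index.php.
htaccess_redirects() {
    find "$1" -type f -name '.htaccess' -exec grep -HE '(RewriteRule|Redirect).*https?://' {} +
}
stray_index_html() {
    find "$1" -maxdepth 1 -type f \( -name 'index.html' -o -name 'index.htm' \)
}

# wp-config.php holds the DB password; any "other" permission bit is a finding.
# Returns 0 when the file is world-readable, 1 otherwise.
wp_config_world_readable() {
    f=$1/wp-config.php
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f")
    case $mode in
        *[4-7]) echo "$f mode $mode (world-readable)"; return 0 ;;
    esac
    return 1
}

# Run every check; a section is empty when nothing was found.
wp_triage() {
    root=$1
    echo "== modified in last 7 days";  recent_changes "$root" 7
    echo "== PHP under uploads";        php_in_uploads "$root"
    echo "== obfuscated PHP";           obfuscated_php "$root"
    echo "== .htaccess redirects";      htaccess_redirects "$root"
    echo "== stray index.html";         stray_index_html "$root"
    echo "== wp-config.php";            wp_config_world_readable "$root" || echo "permissions ok"
}

# Constructed sample docroot (not a real site) so the checks can be exercised offline.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2013/04"
    printf '<?php define("DB_PASSWORD", "secret");\n' > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    printf '<?php require "wp-blog-header.php";\n' > "$d/index.php"
    printf '<html>Coming Soon</html>\n' > "$d/index.html"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$d/wp-content/uploads/2013/04/img.php"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R=301,L]\n' > "$d/.htaccess"
    echo "$d"
}

if [ -n "${1:-}" ]; then wp_triage "$1"; fi
```

Run it against the docroot before restoring anything; the "modified in last 7 days" list is what tells you which backup date is still clean, and a hit under uploads or in .htaccess is what you send the host when they ask whether the problem is on your side.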
 
Dilip....don't forget to contact your hosts about it!
 
Who are your hosts?

Do you have backups of your own that you could use?

Is your database intact, or has it been overwritten?
 
My host wants to charge me $150 to restore the database!

Looks like I'm going to have to make a new site.

$150 is what, an hour of your time? Paying it has a nasty taste, but surely it's better than the potential lost revenue.
 

And how much did the hosting package cost in the first place? Did it include backups/restores? Just like you are running a business, so are they.

It is annoying but a good lesson. Alternatively you can roll your own backups as well :)
 
Thanks for all the input.

I was assured that backups were made every evening. I have a backup of the wp-content folder. I have database backups. I am told that the database backups are corrupted (all 6 of them, on different dates???).

When I pointed them to their instructions on how to roll-back to a previous date, they say that only files are restored, Not the database.

The instructions specifically state that both the database and any files are backed up and restored.

It's when I pointed this out that I was told that the database restoration is $150. I did complain that the charge is not written anywhere.

The host is one I am going to avoid like a plague for the reason of not telling me before hand that there is a hidden charge - the name is the big US one.
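The "roll your own backups" suggestion earlier and the six corrupted database backups in this post point at the same gap: a backup nobody verifies is not a backup. The script below is an added example (not the host's procedure, not from the thread): it dumps the database with mysqldump, archives wp-content, and checks each dump the night it is made, treating a missing "-- Dump completed" trailer as corruption. It assumes mysqldump, tar and gzip are installed and that DB credentials are read from wp-config.php; the two fixture dumps at the bottom are constructed only so the verifier can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-able WordPress backup that dumps the
# database, archives wp-content, and verifies the dump the night it is made,
# so "all six backups are corrupt" is discovered before they are needed.
# Assumes mysqldump, tar and gzip; DB credentials come from wp-config.php.
# Usage: sh wp-backup.sh /path/to/docroot /path/to/backups
set -u

# Read define('NAME', 'value') from wp-config.php (single- or double-quoted).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database to OUT (a .gz path). Credentials go through a 0600 temp file,
# never the command line, where "ps" would show the password to other users on
# a shared host.
dump_database() {
    cfg=$1; out=$2; raw=${out%.gz}
    extra=$(mktemp) && chmod 600 "$extra"
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$(wp_config_value "$cfg" DB_HOST)" \
        "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_PASSWORD)" > "$extra"
    mysqldump --defaults-extra-file="$extra" --single-transaction --routines \
        "$(wp_config_value "$cfg" DB_NAME)" > "$raw" && gzip -f "$raw"
    rc=$?
    rm -f "$extra"
    return $rc
}

# Verify a gzipped dump: intact gzip stream AND mysqldump's closing
# "-- Dump completed" line. A dump cut off mid-table fails the second test even
# when the gzip stream itself is fine. Returns 0 only when both hold.
verify_sql_dump() {
    f=$1
    gzip -t "$f" 2>/dev/null || { echo "$f: gzip stream damaged"; return 1; }
    if ! gzip -dc "$f" | tail -n 2 | grep -q '^-- Dump completed'; then
        echo "$f: missing 'Dump completed' marker (truncated dump?)"; return 1
    fi
    echo "$f: ok"
}

# wp-content holds themes, plugins and uploads; wp-config.php is the one file
# outside it you cannot regenerate.
archive_files() {
    tar -C "$1" -czf "$2" wp-content wp-config.php && gzip -t "$2"
}

# Full run into DEST/<date>/; any failure returns non-zero so cron reports it.
backup_site() {
    root=$1; dest=$2/$(date +%Y%m%d)
    mkdir -p "$dest" || return 1
    dump_database "$root/wp-config.php" "$dest/db.sql.gz" || return 1
    verify_sql_dump "$dest/db.sql.gz" || return 1
    archive_files "$root" "$dest/files.tar.gz" || return 1
    echo "backup complete: $dest"
}

# Constructed fixtures (not real dumps) so verify_sql_dump can be checked offline.
make_good_dump() {
    f=$(mktemp)
    printf '%s\n' '-- MySQL dump 10.13' 'CREATE TABLE wp_posts (ID bigint);' '-- Dump completed on 2013-04-25  2:00:00' | gzip > "$f"
    echo "$f"
}
make_truncated_dump() {
    f=$(mktemp)
    printf '%s\n' '-- MySQL dump 10.13' 'CREATE TABLE wp_posts (ID bigint);' 'INSERT INTO wp_posts VALUES (1, ' | gzip > "$f"
    echo "$f"
}

if [ -n "${2:-}" ]; then backup_site "$1" "$2"; fi
```

Keep the backup directory outside the docroot (or off the server entirely), and restore-test one dump a month with `gzip -dc db.sql.gz | mysql test_db`; the trailer check catches truncation, not a dump of the wrong database.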
 
Did you manage to find out how it got hacked in the first place?

I'm interested as I use the Prophoto too.

I'm guessing, only guessing mind, it's because there have been an awful lot of brute force attacks on WordPress sites over the last few weeks. It's worth taking a few simple steps to protect yourself from these.

1. Don't have a user called the default 'admin'; call it something else. If you do have this then change it.

2. Install the 'Limit Login attempts' plugin.

3. Make permissions for wp-config.php 600.

4. Use strong passwords.
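Steps 1, 3 and 4 of that list can be done or checked from a shell. The script below is an added example, not the poster's own or anything shipped with WordPress: it sets wp-config.php to 600 where that is safe, falls back to 640 plus the PHP user's group where PHP runs as a different user than the file owner (the common mod_php case, where a blind chmod 600 blanks the site), looks for a user literally called "admin" via wp-cli if it is installed, and generates a strong password. The php_user argument and the 640 fallback are the editor's choices, and wp-cli is assumed optional.

```shell
#!/bin/sh
# Added example (not from the thread) covering the shell-side steps in the list
# above: set wp-config.php to 600 (or the nearest mode that keeps the site up),
# look for a user literally called "admin", and mint a strong password.
# Assumes a POSIX shell with stat/chmod; "wp" (wp-cli) is optional. The php_user
# argument and the 640 fallback are illustrative choices, not from the poster.
# Usage: sh harden.sh /path/to/docroot www-data
set -u

file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# 600 only works when PHP runs as the file owner (suPHP, or a php-fpm pool per user).
# Under mod_php the web server user differs from the FTP owner, so 600 would leave
# PHP unable to read the config and the site would go blank; use 640 plus the
# PHP user's group instead.
wp_config_target_mode() {
    owner=$1; php_user=$2
    if [ "$owner" = "$php_user" ]; then echo 600; else echo 640; fi
}

# Step 3 from the list, owner-aware. Returns non-zero if the file is missing.
harden_wp_config() {
    f=$1/wp-config.php; php_user=$2
    [ -f "$f" ] || { echo "no wp-config.php under $1"; return 1; }
    target=$(wp_config_target_mode "$(file_owner "$f")" "$php_user")
    chmod "$target" "$f" || return 1
    if [ "$target" = 640 ]; then
        chgrp "$php_user" "$f" 2>/dev/null || echo "warning: could not chgrp to $php_user; PHP may not be able to read $f"
    fi
    echo "$f is now mode $(file_mode "$f")"
}

# Step 1: is there a user whose login is exactly "admin"? Needs wp-cli; returns 2
# when it is not installed so the caller can fall back to checking the dashboard.
has_admin_user() {
    command -v wp >/dev/null 2>&1 || return 2
    wp --path="$1" user list --field=user_login 2>/dev/null | grep -qx admin
}

# Step 4: a random password of LEN characters (default 24) from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!#%&*+.:=?@^_~-' < /dev/urandom | head -c "${1:-24}"
    echo
}

if [ -n "${2:-}" ]; then
    harden_wp_config "$1" "$2"
    has_admin_user "$1"
    case $? in
        0) echo 'user "admin" exists: rename it (step 1)' ;;
        1) echo 'no "admin" user' ;;
        *) echo 'wp-cli not found: check Users in the dashboard' ;;
    esac
    echo "suggested password: $(gen_password)"
fi
```

After changing the mode, load the site once: a blank page straight after chmod 600 means PHP is not running as the file owner, and the 640 path is the one you want.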
 

Hi, I have done a number of back end changes. I use and did use wordfence (premium) and this allows a number of blocks. I never used the defaults for username etc.
 

It was really general advice ;), do you know how they got in?

If wp-config isn't secure they can use it to directly access your database, for example. The other common one (which sadly you can do nothing about) is to attack through your shared hosting, but normally they'd go for every WP site on a server, not just yours.
 

Thanks Hugh, I'd done all that except the Limits Login plugin, which I've just installed (y)
 
Hi Hugh, I have a plugin that helps. will pm if you want.

I don't know what happened or how the site was attacked, as my host really doesn't want much to do with it. I was told that if something I was doing put their server in any possible harm, they would suspend my site until I personally fixed it. This was in response to "can't you do a virus or malware check on my site?"

Name wise, they are the US big-xxxxx (famous wrestler).
 

That's not great service from a host. I'd be thinking about moving anyway.

Can you pm me plugin info
 
If you're talking about GoDaddy then I would get rid ASAP and find a new host.

They are a big fat pile of poo as far as hosts go IMHO

TSOHost are pretty good and Hostgator were OK when I was with them
 
I moved to TSO Host this year, and I wish I'd done it sooner.

Very helpful when I deleted my entire site, within an hour it was back up and running again as they'd taken backups from the moment I moved to them.
 
Just had hundreds of attempts to hack my WordPress site last night.

I'd already taken all the advice from this thread and thankfully all is still ok.

One thing I did note, however, and thought I would share, is that they are getting smarter: I see they may have "scraped" my site looking for users and have attempted to hack in with not just "admin" but also users that posted blog entries too.

I have an "admin" user although it's called something else, and only that user can do the admin stuff. All other users are just for posting blog entries. All users have very strong passwords.

One question - the "Limit Logins" plugin is not smart enough to realise that an attempt using the user "admin" which does not exist should be blocked immediately, but instead it waits until the number of failed logins is reached. Anyone seen a way to tweak this ?
 
Would reducing the number of failed login attempts not work? I've mine set to 4 attempts before it times out for 20 mins.
If you're confident you wont forget your login details you could set it to 1 attempt.
 
I am now getting 1000's of attempts a day to hack my site.

I use the "Limit Login Attempts" plugin and it works great. However, I still get annoyed with all the attempts so had another quick look around and found one called "Lockdown Wordpress Admin" which basically changes the address you use to Login to your website. This means now that the hacker does not know what the address is for my login screen so can't even attempt to login - excellent.

Just thought it would be good to share with you all.
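The "hundreds, then thousands of attempts" in the last few posts, and the user scraping before them, can be spotted from the web server's access log, where an IP can be dropped before PHP ever runs, rather than counted inside WordPress by a login-limiting plugin. The script below is an added example (not from the thread, not from either plugin mentioned): it assumes the Apache/nginx "combined" log format, and the log lines, the threshold and the iptables output are constructed and illustrative. The author-ID walk it looks for is one common way usernames get scraped (WordPress redirects /?author=N to /author/<login>/); the thread does not say that is what the poster saw.

```shell
#!/bin/sh
# Added example (not from the thread): find the login floods and user scraping
# described above in the web server's access log, where they can be blocked
# before PHP runs, instead of counting them inside WordPress. Assumes the
# Apache/nginx "combined" log format; log lines, threshold and iptables output
# are constructed/illustrative. Usage: sh wp-login-watch.sh access.log [threshold]
set -u

# IPs that POSTed to wp-login.php at least THRESHOLD times (default 20).
# The username tried is in the POST body, which the access log does not record,
# so this layer sees volume, not which accounts were guessed.
login_flood_ips() {
    log=$1; threshold=${2:-20}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' "$log" | sort -rn
}

# Username scraping. WordPress answers /?author=N with a redirect to
# /author/<login>/, so walking N=1,2,3... lists real logins even when none is
# "admin". IPs that request three or more author IDs are flagged.
author_enum_ips() {
    awk '$7 ~ /^\/[?]author=[0-9]+/ { n[$1]++ }
         END { for (ip in n) if (n[ip] >= 3) print n[ip], ip }' "$1" | sort -rn
}

# Turn "count ip" lines into firewall rules. Printed, not applied: review them,
# then pipe through sh. The permanent version of this is a fail2ban filter.
block_rules() {
    while read -r count ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP  # $count hits"
    done
}

# Constructed log: one attacker (25 login POSTs plus an author walk) and one
# normal visitor who logs in once.
make_sample_log() {
    f=$(mktemp)
    i=1
    while [ "$i" -le 25 ]; do
        printf '203.0.113.9 - - [25/Apr/2013:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"\n' "$i" >> "$f"
        i=$((i + 1))
    done
    for a in 1 2 3 4; do
        printf '203.0.113.9 - - [25/Apr/2013:03:13:0%d +0000] "GET /?author=%d HTTP/1.1" 301 0 "-" "Mozilla/5.0"\n' "$a" "$a" >> "$f"
    done
    printf '198.51.100.7 - - [25/Apr/2013:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"\n' >> "$f"
    printf '198.51.100.7 - - [25/Apr/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$f"
    echo "$f"
}

if [ -n "${1:-}" ]; then
    echo "== wp-login.php floods";  login_flood_ips "$1" "${2:-20}"
    echo "== author enumeration";   author_enum_ips "$1"
    echo "== suggested rules";      login_flood_ips "$1" "${2:-20}" | block_rules
fi
```

Because the log never shows the username, this does not answer the "block a non-existent user immediately" question; that has to happen inside WordPress. What it does give you is a per-IP view across every site on the box, which is where a shared-host attack first shows up.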
 