My WordPress website was hacked

Johnws2022

Verified User
Joined
Jan 14, 2022
Messages
26
Dear Sir,

My DirectAdmin control panel is easily hacked even though I have implemented 2FA using:

1. Google Authenticator
2. Security question

together; the hackers still manage to enter my server and modify my website's core files.

Is there any way of stopping the hackers completely?

Many thanks in advance.

Regards

Thon
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,965
Location
Maastricht
A Directadmin control panel is certainly not easily hacked.

If some hacker manages to modify core website files, most likely you got a compromised FTP account or a compromised theme, addon or something else on the website itself.
Another possibility is that they compromised your server and have root access. That is not very likely, but also not impossible.

Is there any way of stopping the hackers completely?
Yes, but you first have to figure out how they manage to change your core website files.
For that, you need SSH access to your server and check the various log files at the time you see something changed.

Also, it's a good start to change all your passwords, so not only the DA password and 2FA, but also your FTP password(s), and if the website has passwords (like WordPress) then change those passwords too.

Install malware detection, which can also often detect malicious scripts. So install Maldetect.
Some information:

Do they change your core files again? Check your server logs to see what was going on and when, and most likely you will also find out how.
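A minimal way to do the "check what changed and when" step from the post above, added here as an example and not taken from the thread or from DirectAdmin: it records a checksum baseline of the WordPress document root and, on a later run, lists each changed or new file with its modification time, which is the time window to read in the web server and FTP logs. The demo tree is constructed; sha256sum/shasum, GNU or BSD stat, and paths without spaces are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal integrity baseline for a WordPress
# document root. Snapshot it right after a clean install, re-run later, and the
# report names every changed or new file with its mtime. Assumes sha256sum or shasum
# and paths without spaces; the demo tree at the bottom is constructed, not a real site.
set -eu

hash_one() {  # hash_one FILE -> hex digest (GNU sha256sum, BSD shasum fallback)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

mtime_of() {  # mtime_of FILE -> "YYYY-MM-DD HH:MM:SS" (GNU stat, BSD fallback)
    if stat -c '%y' "$1" >/dev/null 2>&1; then stat -c '%y' "$1" | cut -d. -f1
    else stat -f '%Sm' -t '%Y-%m-%d %H:%M:%S' "$1"; fi
}

snapshot() {  # snapshot ROOT -> sorted lines "digest relpath" (baseline file excluded)
    ( cd "$1" && find . -type f ! -name '.baseline' | LC_ALL=C sort |
      while IFS= read -r f; do printf '%s %s\n' "$(hash_one "$f")" "$f"; done )
}

# report_changes ROOT BASELINE: one line "CHANGED|NEW <relpath> <mtime>" per file
# whose digest differs from, or is missing in, the baseline; prints nothing if clean.
report_changes() {
    root="$1"; base="$2"
    snapshot "$root" | while read -r digest path; do
        old=$(awk -v p="$path" '$2 == p { print $1 }' "$base")
        if [ -z "$old" ]; then printf 'NEW %s %s\n' "$path" "$(mtime_of "$root/$path")"
        elif [ "$old" != "$digest" ]; then
            printf 'CHANGED %s %s\n' "$path" "$(mtime_of "$root/$path")"
        fi
    done
}
demo_site() {  # constructed fake docroot with the kind of files named in the thread
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes/js/jquery"
    echo '<?php require __DIR__ . "/wp-blog-header.php";' > "$d/index.php"
    echo 'window.jQuery = {};' > "$d/wp-includes/js/jquery/jquery.min.js"
    printf '%s' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    site=$(demo_site)
    snapshot "$site" > "$site/.baseline"           # 1: baseline of the clean tree
    echo '/* tampered */' >> "$site/index.php"     # 2: simulate a modified core file
    : > "$site/wp-content/uploads/wp-class.php"    #    and a dropped new file
    report_changes "$site" "$site/.baseline"       # 3: what changed, and when
fi
```

Keep the baseline file somewhere the web user cannot write (not inside the docroot as the demo does), or an attacker who can edit files can edit the baseline too.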
 

Johnws2022

Verified User
Joined
Jan 14, 2022
Messages
26
Dear Sir,

Thank you for great support.

FTP and the DA control panel use the same 2FA. Of course they managed to get past 2FA to change core files of my websites. They can't access SSH as I use a different port number.

The reason for the above is that when I use the Wordfence plugin to scan which files have been modified, then I fix them; then I change the password for DA and 2FA, it takes a few days or a week before the hackers manage to access my server to modify core files again. If they accessed my server using SSH, they should be able to do so straight away.

Is there any way of stopping the hackers completely?

Many thanks in advance.

Regards

Thon
 

toml

Verified User
Joined
Oct 3, 2003
Messages
1,256
Location
Scottsdale, AZ
Is there any way of stopping the hackers completely?
The problem with trying to block them completely is you still don’t know how they are getting in. Until you find out how they are getting in, you will never block them. The best you can do is sift through ALL of the log files to identify their ingress and then mitigate it. It could be an unknown open port or a service vulnerability or any number of things.
 

sparek

Verified User
Joined
Jun 27, 2019
Messages
281
What specific files are being modified? Just files within your account's home directory? Or files that exist within the server's root?

What script are you using to manage your website? Is the login to that script protected by 2FA?

What version of the script are you using? What plugins are you using? What theme are you using? Are all of those being kept up to date? When were they last updated by their developers? A plugin that was last updated in 2015 may be up to date, but that doesn't mean it's secure.

Does DirectAdmin have 2FA for FTP? From a fundamental level, I don't know how that would work.

Are you sure your computer, devices, and networks don't have any malware or keyloggers running on them?
 

jamgames2

Verified User
Joined
Aug 16, 2019
Messages
749
2FA and the security question only work for the :2222 panel; they do not apply to other services.
 

k1l0b1t

Verified User
Joined
May 10, 2020
Messages
495
Location
Belgium
Good passwords, and changing them regularly, are still the most important thing.
I rotate passwords every month or so.
 

Johnws2022

Verified User
Joined
Jan 14, 2022
Messages
26
Dear Sir,

I can confirm that I have used the 2FA mentioned above for DA and FTP.

All my websites on the server with DA are WordPress. The hackers modify different core files of all my WP websites on that server, like:

index.php
migration.php
jquery

and so on.

I believe they entered my server via the FTP of DirectAdmin, which uses the 2FA stated above.

Is there any way of allowing only my IP to access DA and its FTP (File Manager)?

Cheers
 

k1l0b1t

Verified User
Joined
May 10, 2020
Messages
495
Location
Belgium
Dear Sir,

I can confirm that I have used the 2FA mentioned above for DA and FTP.

All my websites on the server with DA are WordPress. The hackers modify different core files of all my WP websites on that server, like:

index.php
migration.php
jquery

and so on.

I believe they entered my server via the FTP of DirectAdmin, which uses the 2FA stated above.

Is there any way of allowing only my IP to access DA and its FTP (File Manager)?

Cheers
Sounds like your WordPress site is hacked, not DirectAdmin.
Make sure everything is up to date (WP themes, WP plugins), change passwords on WordPress, etc.
 

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
730
Location
🇳🇱
I believe they entered my server via FTP of DirectAdmin which use 2FA stated above.
2FA does nothing with FTP. Or do you mean File Manager within DirectAdmin?

As suggested before, check for vulnerable plugins with Wordfence. Set up the Web Application Firewall with Wordfence and follow its suggestions. Check for unwanted PHP files in the uploads directory and make sure the uploads folder is not allowed to execute PHP scripts.

For us it’s a wild guess because we don’t have a URL :)
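Erulezz's last two suggestions as an added example, not code from the thread: a script that lists PHP-like files under a WordPress uploads directory (including double extensions such as name.php.jpg) and installs an Apache .htaccess that refuses to execute anything PHP-like there. It assumes Apache with .htaccess overrides enabled for the docroot (nginx needs an equivalent location block); the sample uploads tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress uploads directory for
# PHP-like files and drop in an Apache .htaccess that refuses to execute PHP there.
# Assumes Apache honours .htaccess (AllowOverride) for the docroot; nginx needs an
# equivalent location block. The sample tree at the bottom is constructed.
set -eu

# List files under the uploads tree with PHP-like names, including double
# extensions such as name.php.jpg that a naive extension filter would let through.
find_php_in_uploads() {  # find_php_in_uploads UPLOADS_DIR
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php.*' \) | LC_ALL=C sort
}

# Write a deny rule for anything PHP-like (Apache 2.4 syntax) into UPLOADS_DIR.
harden_uploads() {  # harden_uploads UPLOADS_DIR
    cat > "$1/.htaccess" <<'EOF'
# Uploads hold media only: never hand any of it to the PHP engine.
<FilesMatch "\.(php|php[0-9]|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# True when the deny rule is still in place; re-check it periodically, since a
# compromised site often has its .htaccess removed or rewritten.
uploads_hardened() {  # uploads_hardened UPLOADS_DIR
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Constructed demo tree so the script runs offline.
demo_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2024/01"
    : > "$d/2024/01/photo.jpg"            # legitimate media
    : > "$d/2024/01/wp-class.php"         # PHP under uploads: should not be there
    : > "$d/2024/01/avatar.php.jpg"       # double extension
    printf '%s' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    u=$(demo_uploads)
    echo "PHP-like files under $u:"; find_php_in_uploads "$u"
    harden_uploads "$u" && uploads_hardened "$u" && echo "uploads hardened"
fi
```

Review each file the listing reports before deleting it: a few plugins legitimately keep PHP under uploads, and those are the cases to whitelist deliberately rather than leave the whole directory executable.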
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,965
Location
Maastricht
I can confirm that I have used 2FA mentioned above for DA and FTP.
Like others already said, there is no existing 2FA method for FTP.

As in my first reply, I already said that it is most likely a leaky plugin, addon or theme. Even if it might be up to date, there can still be security issues with it.

Seems you have not started to use the tips that I and others already gave.
1.) Check your log files to see how they got in
2.) Install Maldetect and do a scan on your website!
3.) What Erulezz says, add that too: the Wordfence plugin.
 

Johnws2022

Verified User
Joined
Jan 14, 2022
Messages
26
2FA does nothing with FTP. Or do you mean File Manager within DirectAdmin?

As suggested before, check for vulnerable plugins with Wordfence. Set up the Web Application Firewall with Wordfence and follow its suggestions. Check for unwanted PHP files in the uploads directory and make sure the uploads folder is not allowed to execute PHP scripts.

For us it’s a wild guess because we don’t have a URL :)
Yes, sir. The hackers accessed my website via File Manager of DirectAdmin.

Thanks
Thon
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,965
Location
Maastricht
The hackers accessed my website via File Manager of DirectAdmin.
Can you show the part of the log which proves that?

Also, you might want to scan your PC for malware (AdwCleaner and afterwards Malwarebytes) and then change your mail password too.
 

Active8

Verified User
Joined
Jul 13, 2013
Messages
1,156
Sorry to say, but it seems to me that your WP is hacked because of an outdated theme or plugin.
We always install Wordfence as standard on all of our WordPress sites; it stops a lot of attacks beforehand.

If the DA panel had a vulnerability then thousands of sites would be compromised right now and the internet would be full of it, but it isn't.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,537
Location
Netherlands Germany
Yes, sir. The hackers accessed my website via File Manager of DirectAdmin.
then I change password for DA and 2FA,

So you didn't solve the real problem then, only changed the password and restored some files, but the "open door(s)" you didn't close at all?

You also didn't follow the forum / support rules, as you didn't post your OS and versions used, the version of DA and the versions of the app such as WP (and plugins) you are using, and where the hacking took place the first time.

LOG FILES with some more info you also forgot to post!

So how should users of this forum and DA help you without all that info??

Also you didn't post / say what your user rights are for those files and directories, while a lot of users set some to 777 or so, to have some plugins or WP working??


Oh yeah, and as @Richard G mentioned, the devices you have access with could be hacked (too). (Or even not hacked, but another person who has access there in real life (remote or on location).) (Yes, for the 2FA: if they managed that, then more than 1 device, so probably a problem with user rights or plugins / addons on the server.)

Some people forward their 2FA messages to the same device they log in from; then it is no longer 2FA.
 

Johnws2022

Verified User
Joined
Jan 14, 2022
Messages
26
So you didn't solve the real problem then, only changed the password and restored some files, but the "open door(s)" you didn't close at all?

You also didn't follow the forum / support rules, as you didn't post your OS and versions used, the version of DA and the versions of the app such as WP (and plugins) you are using, and where the hacking took place the first time.

LOG FILES with some more info you also forgot to post!

So how should users of this forum and DA help you without all that info??

Also you didn't post / say what your user rights are for those files and directories, while a lot of users set some to 777 or so, to have some plugins or WP working??


Oh yeah, and as @Richard G mentioned, the devices you have access with could be hacked (too). (Or even not hacked, but another person who has access there in real life (remote or on location).) (Yes, for the 2FA: if they managed that, then more than 1 device, so probably a problem with user rights or plugins / addons on the server.)
Dear Sir,

Thank you for your advice.

How can I get the log file? Via SSH or in DA's control panel?

Cheers
 