My WordPress website was hacked

[zmippie]

I've updated the title.

Haha! I was only half-joking when I wrote that, but I think this indeed describes the situation at hand better.

Yes, your DA install can be compromised when hackers get full control over PHP, but I think it's more accurate to point out where the actual attack has taken place.

I've looked at the WordPress sourcecode a couple of times, and man, it really hurt my eyes ;-)

 

[BillyS]

Please share how the hacker was able to infect your wordpress sites.

 

[Johnws2022]

forgot:
3. Change username Admin of WP to a long string by creating a new username with Administrator privelage, then delete the current username Admin. Or you can implement 2FA for WP backend using Wordfence.

That will well protect your WP backend too.

 

[Johnws2022]

Please share how the hacker was able to infect your wordpress sites.

Hi,

What the hackers did to my Wordpress websites was all my WP websites were redirected to spam sites when trying to access them on browsers. That is how I know my website. At that time I did not implement 2FA on DA nor implement Wordfence plugin on my WP websites. I believe the hackers entered my VPS server via DA or DA's file manager to modify some core files. This is because it hard to access my server via SSH because I use a different port number than 22, and use Firewall as well.

Then I installed Wordfence plugin to scan for affected files modified by Malware Codes; it is very good it found a number of affected files; they are all similar files affected on all other WP websites on the same VPS server. I initially fixed or deleted only those affected files which caused my websites to be redirected to spam sites; one affected file I did not deleted was sitemap.xml in which malicious codes were inserted; that file was on one website. I was completely wrong because the malicious codes in sitemap.xml keep running, every couple or few days, and making other files modified which cause my WP sites to be redirected to other spam sites mentioned above.

After I posted my issues, I got great support and advice which made me understand that sitemap.xml contained malicious codes which kept running, so I deleted it.

Now all my WP sites seem to be OK.

Please read my above messages of how to secure and well protect your WP websites using DA.

Thanks

 

[zEitEr]

One can always check logs:

- /var/log/directadmin/2022-Jul-*.log
- /var/log/directadmin/2022-Jun-*.log
- /var/log/directadmin/2022-May-*.log

etc

for any logins from unknown/not-trusted IPs:

grep "POST /CMD_LOGIN" /var/log/directadmin/2022-*.log

The suggested code will list LOGIN requests with IPs from which they were made. If you see a login attempt from unknown IPs, you might check the entire log, which contains the record for further entries with the particular IP.

The mentioned logs can not be either emptied or removed from Directadmin, so even if somebody hijacked your password for DirectAdmin, they hardly could affect the logs. So, the logs can be trusted.

Beside the logs, DirectAdmin shows in the interface a list of last connections/logins with IPs. They also can be trusted, as neither admin nor users can truncate the lists of last visits.

It's near to impossible to brute-force and guess a strong password for DirectAdmin, as the control panel will block IPs, unless the protection against brute-force is disabled in the panel. Thus if they really accessed DirectAdmin it could happen only when they've stolen your password by other means. I hope you've always connected to DirectAdmin over HTTPs.

 

[LawsHosting]

This might be harsh, but OPs advice on securing servers/WP after the fact made me chuckle... You should've learnt & done that BEFORE you installed anything.

This reminds me of when big organisations get hacked, FIX the problem, and then apologise to the customers their details have been stolen..... How about prevention......

My 2ps worth

 

[ivanvb]

can you use wordfence on the wp site?

 

[Johnws2022]

This might be harsh, but OPs advice on securing servers/WP after the fact made me chuckle... You should've learnt & done that BEFORE you installed anything.

This reminds me of when big organisations get hacked, FIX the problem, and then apologise to the customers their details have been stolen..... How about prevention......

My 2ps worth

Not everyone Big Expert like you, sir.

Thanks

 

[k1l0b1t]

This might be harsh, but OPs advice on securing servers/WP after the fact made me chuckle... You should've learnt & done that BEFORE you installed anything.

This reminds me of when big organisations get hacked, FIX the problem, and then apologise to the customers their details have been stolen..... How about prevention......

My 2ps worth

You'd even be suprused how many organisations do not know if they're hacked

 

[LawsHosting]

Not everyone Big Expert like you, sir.

Thanks

Far from being an expert, basic security is a must though (as discussed in other replies)..... Plus I (personally) do not (and won't) use WordStress even if my life depended on it - would spend more time getting updates installed every day hoping all plugins would still work!.......

When my business was open, I didn't change the site for years, it was all custom... But I digress.

Good luck.

 

[Johnws2022]

Far from being an expert, basic security is a must though (as discussed in other replies)..... Plus I (personally) do not (and won't) use WordStress even if my life depended on it - would spend more time getting updates installed every day hoping all plugins would still work!.......

When my business was open, I didn't change the site for years, it was all custom... But I digress.

Good luck.

You are right. I hate spending every day updating plugins and even core Wordpress. I ll stop all together at some points; just use outdated stuff; will my WP sites be hacked every day?

 

[k1l0b1t]

You are right. I hate spending every day updating plugins and even core Wordpress. I ll stop all together at some points; just use outdated stuff; will my WP sites be hacked every day?

As long as they have potential security bugs, yes.

 

[Zhenyapan]

As long as they have potential security bugs, yes.

if you don't add any new info to website, and want to keep it without updates - you can just lock it on filesystem level by "chattr +i -R" for whole public_html. I have a lot of clients that have such "protection"

 

[Johnws2022]

if you don't add any new info to website, and want to keep it without updates - you can just lock it on filesystem level by "chattr +i -R" for whole public_html. I have a lot of clients that have such "protection"

Unfortunately my WP websites are very dynamic; I cant do that.

 

[johannes]

"chattr +i -R" for whole public_html

Ha, nice trick, thanks man!

 

[LawsHosting]

if you don't add any new info to website, and want to keep it without updates - you can just lock it on filesystem level by "chattr +i -R" for whole public_html. I have a lot of clients that have such "protection"

How will that prevent hacks/vulnerabilities through - which the thread is about - or was it "sarcasm".

 

[k1l0b1t]

How will that prevent hacks/vulnerabilities through - which the thread is about - or was it "sarcasm".

I hope it was sarcasm xd

 

[Zhenyapan]

How will that prevent hacks/vulnerabilities through - which the thread is about - or was it "sarcasm".

as I see thread about "sitemap.xml which has malicious software inserted" - with chattr this file can't be hacked untill whole server hacked.

 

[k1l0b1t]

as I see thread about "sitemap.xml which has malicious software inserted" - with chattr this file can't be hacked untill whole server hacked.

it doesn't realy protect you though

 

[Johnws2022]

Update: No more hacking; no more files have been malwarED

Thanks