wordpress site page infected with malicious code - wordpress

I have an issue with my WordPress site.
My website is generating adult pages that are not present on our website, database or server. They show up in Google search results like this, for example: siteurl.com/en/aarp-dating (around 500 pages crawled by Google). We have checked our whole database and found that around 30 new tables are automatically created, and when we delete them, after some time they are restored automatically.
How can I find the malicious code on my server/pages, or what kind of problem is this?
Thanks in advance!

Download the full installation, then compare the files' checksums with a clean backup or a fresh installation of the same WP + Plugins + Theme versions.
Most important: find out how they infected your site and close that hole, or you will be back at square one shortly after you've uploaded a clean backup. Check the access logs, filter out your own and your users' known IP addresses, and look at the rest, especially POST requests. Also make sure to check the FTP logs and (if you have SSH access to your host) the auth logs, to make sure that your and your coworkers' machines/passwords haven't been compromised.
Also make sure you don't miss any extra individual files or plugins that shouldn't be there.
You cannot trust what you see in the backend at this point, so check the database directly for new users you don't know and users with privileges they shouldn't have. Comparing with a recent backup can help.
Since it's not clear how long your site has been infected, I wouldn't trust recent backups (or any, really) either. Set up a fresh install after you have found and fixed the entry point, then transfer the content to the clean install manually (or with a script, but be careful not to transfer back doors).
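As an added example (not part of the answer above), a small POSIX shell script that does the checksum comparison the answer describes: it hashes every file in the live install and in a clean reference install of the same WordPress, plugin and theme versions, then reports modified files, files that exist only in the live tree, and stock files that are missing. The two directory trees built by wp_compare_demo, including the plugin name and the assets.php file, are constructed sample data; it assumes GNU sha256sum/join and does not handle paths containing spaces.

```shell
#!/bin/sh
# Added example, not from the original answer: checksum comparison of a live
# WordPress tree against a clean reference install (same WP + plugin + theme versions).
# Assumes GNU sha256sum/join; paths containing spaces are not handled.

# wp_compare LIVE_DIR CLEAN_DIR
# Prints one line per finding: "MODIFIED <path>", "EXTRA <path>" or "MISSING <path>".
wp_compare() {
    live="$1"; clean="$2"
    tmp_live=$(mktemp); tmp_clean=$(mktemp)
    # One "<relative path> <sha256>" line per regular file, sorted so join can pair them.
    (cd "$live"  && find . -type f -exec sha256sum {} + | awk '{print $2, $1}' | LC_ALL=C sort) > "$tmp_live"
    (cd "$clean" && find . -type f -exec sha256sum {} + | awk '{print $2, $1}' | LC_ALL=C sort) > "$tmp_clean"
    # Same path in both trees, different hash: the file was changed on the live site.
    LC_ALL=C join "$tmp_live" "$tmp_clean" | awk '$2 != $3 {print "MODIFIED", $1}'
    # Only in the live tree: part of no package, so it needs a look (dropped files show up here).
    LC_ALL=C join -v1 "$tmp_live" "$tmp_clean" | awk '{print "EXTRA", $1}'
    # Only in the clean tree: a stock file was deleted on the live site.
    LC_ALL=C join -v2 "$tmp_live" "$tmp_clean" | awk '{print "MISSING", $1}'
    rm -f "$tmp_live" "$tmp_clean"
}

# wp_compare_demo: builds two constructed sample trees and compares them.
wp_compare_demo() {
    base=$(mktemp -d)
    for t in clean live; do
        mkdir -p "$base/$t/wp-content/plugins/example-plugin" "$base/$t/wp-content/uploads"
        printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$base/$t/index.php"
        printf '<?php // constructed example plugin\n' > "$base/$t/wp-content/plugins/example-plugin/example-plugin.php"
    done
    printf 'readme\n' > "$base/clean/readme.html"                                            # deleted on the live site
    printf '/* constructed placeholder for an injected line */\n' >> "$base/live/index.php"  # modified on the live site
    printf '<?php /* constructed placeholder for a dropped file */\n' > "$base/live/wp-content/uploads/assets.php"
    wp_compare "$base/live" "$base/clean"
    rm -rf "$base"
}

wp_compare_demo
```

Run it against the real trees with wp_compare /path/to/live /path/to/clean; every EXTRA line under wp-content that is not a plugin, theme or upload you recognise deserves a manual look.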

Use the Wordfence Security plugin and scan for infected WordPress core files.
Use the Sucuri plugin.
Also, deactivate ALL of your plugins and install a basic WordPress theme first.

Related

How Can I Fix a Hacked Wordpress Website?

I have seen lots of critical errors on my WordPress website. I attached a screenshot below that shows some of these issues. Please look at this and provide some suggestions so that I can fix this problem.
Thank you so much.
It depends on how badly broken your site has become.
What is it doing to make you think it's been hacked? Is it just the warnings in the Wordfence scan report?
Before going much further you should for sure grab a backup of your database, wp-config.php, and the contents of the directories wp-content/themes, wp-content/uploads, and wp-content/plugins. It might be a good idea to make a separate backup of the entire WordPress installation directory.
Since you can still access the administration panel, might as well change your password just to be safe. Are there multiple users for your WP installation?
What changes are shown if you click the "Details" button in the Wordfence scan?
If you're sure the changes to the wp-core files are due to a hack, you can try to repair them using Wordfence's repair feature; it'll restore them to their base WordPress version. But if significant differences are showing for dozens of core files, it might be a good idea to start over with a clean installation of WordPress.
You'll also want to track down what allowed these malicious changes to be made (has an unknown IP logged into your administration panel recently? Are you using a plugin with a known security issue?), or it'll just happen again.

WP site keeps getting hacked for a cryptojacker - How to find the leak?

I've got a site that has been hacked for the fourth time this month, with scripts hosted on autofaucet.org. (Sloppy code even; I found their names. Some Russian dudes. But that's off topic.) I've taken some measures to prevent a new hack, but alas...
I've installed a clean WP installation on the server, with clean files and a clean DB.
Reinstalled the plugins clean.
I have the All In One WP Security & Firewall plugin for file scanning, firewall, hiding the login page, etc.
Changed all the WordPress passwords.
I've noticed the encoded code is being placed in files called assets.php.
I'm curious how a hacker would inject/place the code on the server, how to prevent it better, and what questions to ask the web host company. I've asked them before and they just say it's my fault: update the WP installation and move on. What should they check if the code is injected from their side?
Your log files (of the web server), e.g. /var/log/nginx/access.log with the nginx web server, will tell you who it was. Look for the change date/time of the assets.php file. Then check the server access logs for IP addresses from that exact time. Then search the logs for that IP address. You will find the first accesses by that IP address. That was likely the hack.
Usually WordPress plugins are to blame, as long as you keep the WP site updated. So you could disable the plugins not urgently needed, and disable the others one by one, or all of them for testing.
As a workaround, you can make the index.php (or other) file under attack read-only. In the past I have worked around particular attacks by chown root.root filetobeattacked.php which usually works (but may hinder updates, so it's a temporary solution). If you are not root on the server (shared hosting) perhaps chmod 444 filetobeattacked.php could work.
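The log correlation described in the answer above, written out as an added example (not the answer's own code): take the minute in which assets.php changed, list every client IP that made a request in that minute, then show each IP's first request and its POST requests, which is where the entry point usually is. The access log written by write_sample_log is constructed sample data in the nginx/Apache "combined" format, with IPs from the RFC 5737 documentation ranges and a made-up plugin path; on a real server the timestamp comes from the file's mtime and the log from /var/log/nginx/access.log.

```shell
#!/bin/sh
# Added example, not from the original answer: correlate the change time of a dropped
# file (assets.php) with the web server access log. Assumes the "combined" log format:
# IP - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path HTTP/x" status bytes "referer" "agent"
# On a live server: stat -c %y wp-content/uploads/assets.php gives the change time.

# ips_at LOG 'dd/Mon/yyyy:HH:MM' -> unique client IPs with any request in that minute
ips_at() {
    awk -v ts="$2" 'index($4, "[" ts) == 1 {print $1}' "$1" | sort -u
}

# first_seen LOG IP -> the earliest request by that IP in the log
first_seen() {
    awk -v ip="$2" '$1 == ip {print; exit}' "$1"
}

# posts_by LOG IP -> "time path" of every POST by that IP (the likely entry point)
posts_by() {
    awk -v ip="$2" '$1 == ip && $6 == "\"POST" {print $4, $7}' "$1"
}

# write_sample_log -> path of a constructed access log (IPs from RFC 5737 test ranges)
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [19/Jun/2019:10:30:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2019:10:40:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "python-requests/2.22"
198.51.100.7 - - [19/Jun/2019:10:41:03 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "python-requests/2.22"
198.51.100.7 - - [19/Jun/2019:10:42:07 +0000] "GET /wp-content/uploads/assets.php HTTP/1.1" 200 512 "-" "python-requests/2.22"
203.0.113.5 - - [19/Jun/2019:10:42:30 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# trace_demo: assets.php changed at 10:42 on 19 Jun 2019 (constructed); walk the answer's steps.
trace_demo() {
    log=$(write_sample_log)
    for ip in $(ips_at "$log" '19/Jun/2019:10:42'); do
        echo "== $ip (active when assets.php changed)"
        echo "first seen: $(first_seen "$log" "$ip")"
        posts=$(posts_by "$log" "$ip")
        if [ -n "$posts" ]; then echo "POST requests, check these first: $posts"; else echo "no POST requests: probably a visitor"; fi
    done
    rm -f "$log"
}

trace_demo
```

The legitimate visitor also shows up in the same minute, which is why the answer says to filter out known IPs first; the POST to a plugin file is what then separates the two.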
I had the same issue before. It might be the WordPress core files.
Delete all files except wp-content, then download and replace them with fresh WordPress files.
Search for 'autofaucet.org' inside wp-content, and remove it if necessary.
Open wp-content/themes/ then check functions.php; check whether any additional code is there at the top. Check the last updated files and times inside the themes and plugins.
Export the database and search for 'autofaucet.org', and remove any item found.

wordpress edit theme offline

I have a WordPress-theme-based website published on the net, uploaded to a host.
I have to edit/simplify/modify the whole page offline, locally for example.
While I make the changes offline, the page (an online magazine) has to stay online as it is, until I publish the new version.
I have to be able to show the changes online, without affecting the original until the end.
What is a good way to do the whole process? Thank you very much.
Make an offline server by installing e.g. XAMPP.
Copy the files, and export the database from online to local.
Modify wp-config.php to match the local database settings.
Modify the theme offline.
Upload the theme to the online FTP when the work is done.
Make sure the changes you made are only in the wp-content/themes/theme_name files, not in the database content. If not, you will have to sync the databases.
You can make the same work online by cloning your WP to e.g. a subdomain, then protecting it with htpasswd to prevent unauthorised access.
I assume you mean with the same content?
One way is to make a copy of the main database (possibly refreshing it now and then) for a second install online, with the same plugins, settings etc.
Another way (a bit riskier, but it would give real-time sameness) would be to have a demo install on the same server that shares the same database: https://codex.wordpress.org/Editing_wp-config.php#table_prefix. I'd suggest custom user and usermeta tables where NO ONE has update privileges, to avoid updates to the main site: https://codex.wordpress.org/Editing_wp-config.php#Custom_User_and_Usermeta_Tables

wordpress mobile theme infected

I was informed by Google that my WordPress website had been hacked. I installed Wordfence and scanned all my files, deleted all the infected plugins and restored all my original files. I scanned again, all was clean, I sent the reports (many scanners) to Google, they verified and removed the "this site may be hacked" message.
I now tried to open my website to check the responsive mobile design on my Samsung Note 5; before the theme appears, about 300 little hyperlinks such as arx arm bmp amzd show up, and every hyperlink takes me to a scam website. My website is injected for sure; how can I clean it of those hyperlinks?
First of all, make sure that your database is clean of all those infected links; it surely happened due to some vulnerable plugin or theme. Before you perform any action, back up your entire site, ground it, and scan it using some reasonable WordPress virus detectors. Once you're done with that, start scanning your database for any unusual pages and links that you might have seen on your website. After performing this cleanup process, install a fresh copy of WordPress by downloading it from the official website and install the latest version of each and every plugin; also make sure to google those plugins to check whether they are safe to use or not. Import your wp_posts table last, and try to avoid importing unnecessary or easy-to-post/add stuff.
Back up the database via phpMyAdmin and completely uninstall WP. Then reinstall it and restore the database.
Also, update any passwords on your web server and even do a fresh install of the web server.
Finally, avoid installing plugins that aren't from the official repo, as these can cause infections on your site.

Posts disappearing and reappearing on wordpress

I have a wordpress site which is acting strange lately. It seems like the database is spontaneously rolling back a few hours from time to time. I have noticed it happen at least four times.
When I updated to WordPress 3.5, after a short time, maybe 30-60 minutes, I noticed the nag to upgrade was back. I ran the upgrade a second time, even though I was certain that I had already upgraded.
I added a new category and changed a widget on one of my sidebars, only to find that my changes were gone the next day and I had to redo them.
I added a post yesterday, linked to it in various places and then returned several hours later to find the post missing. I rewrote the post from memory and put it back on the site.
This morning when I went to the site, the original post was back and the one that I had recreated from memory was gone. The post's id number was the same as the previous day. I think there was also a draft post that disappeared and reappeared as well.
One last clue, which may or may not be related, is that when I go to a page on the blog that should generate a 404 message, I get a single piece of text which says: "defaced by t3ll0". I noticed this recently, within the last few weeks. I'm not sure how long it has been like that.
I ran Sucuri Scanner, and it found no evidence of malware. Any suggestions of how to troubleshoot this? Could this be a problem with my database rather than wordpress?
UPDATE: It appears that the primary problem I was noticing was because of two versions of the site being up simultaneously. The DNS settings had not been updated to the new site. I'm still investigating if the site was hacked.
You got hacked. "defaced by t3ll0" is the clue. Someone has control of your site and your hosting account.
Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.
Change all passwords. Scan your own PC for spyware that may have grabbed your login and password.
http://sitecheck.sucuri.net/ is a good resource, but it scans for malware and not accounts that were hacked and are not being used to distribute malware or have spam links.
Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting
You may not have applied security in a number of places.
1. File permissions, folder permissions.
2. Upload folder permissions.
3. Execute permissions.
Now, if you are not a developer, how would you check for these vulnerabilities?
I suggest you take a backup of your DB (export it). Get rid of the existing WP core and reinstall it fresh.
Delete all plugins and reinstall them all from fresh sources.
If you have used a custom theme, then get the backed-up version of it and delete the current one, as it has been defaced.
And you can check for a lot of vulnerabilities with plugins like this: http://wordpress.org/extend/plugins/better-wp-security/
Rename your administrator account. Harden your password. Remove write permission from .htaccess and wp-config.php file.
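As an added example (not the answer's own code), a POSIX shell audit of the permission points this answer lists: world-writable files and folders, PHP files inside the uploads folder, and write access on wp-config.php and .htaccess, followed by the chmod fixes the answer recommends and a second audit to show what those fixes do and do not cover. The tree built by wp_perm_sample_tree, including its assets.php, is constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original answer: audit the permission points the answer lists
# (file/folder permissions, the uploads folder, execute permissions, write access on
# wp-config.php and .htaccess). Uses only POSIX find, so it runs on shared hosts without root.

# wp_perm_audit WP_ROOT -> one "<FINDING> <relative path>" line per problem, sorted
wp_perm_audit() {
    root="$1"
    {
        # Writable by "other": any local user or compromised process on the host can edit it.
        find "$root" \( -type f -o -type d \) -perm -o+w | sed "s|^$root/|WORLD_WRITABLE |"
        # Uploads should hold media only; a .php file there is a classic dropped-file location.
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f -name '*.php' | sed "s|^$root/|PHP_IN_UPLOADS |"
        fi
        # The answer recommends removing write permission from these two files.
        for f in wp-config.php .htaccess; do
            if [ -f "$root/$f" ]; then find "$root/$f" -perm -u+w | sed "s|^$root/|OWNER_WRITABLE |"; fi
        done
    } | sort
}

# wp_perm_sample_tree -> path of a constructed tree showing typical weak settings
wp_perm_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/wp-content/uploads/2019/06"
    printf '<?php // constructed wp-config\n' > "$base/wp-config.php"
    printf '# constructed .htaccess\n' > "$base/.htaccess"
    printf 'jpeg bytes' > "$base/wp-content/uploads/2019/06/photo.jpg"
    printf '<?php /* constructed placeholder for a dropped file */\n' > "$base/wp-content/uploads/2019/06/assets.php"
    find "$base" -type d -exec chmod 755 {} +   # sane defaults first, independent of umask
    find "$base" -type f -exec chmod 644 {} +
    chmod 777 "$base/wp-content/uploads"        # the usual "make uploads work" mistake
    chmod 666 "$base/wp-content/uploads/2019/06/assets.php"
    echo "$base"
}

# wp_harden WP_ROOT: the permission fixes from the answer (a dropped file still has to be removed by hand)
wp_harden() {
    chmod 444 "$1/wp-config.php" "$1/.htaccess"
    chmod 755 "$1/wp-content/uploads"
}

base=$(wp_perm_sample_tree)
echo "--- before hardening"; wp_perm_audit "$base"
wp_harden "$base"
echo "--- after hardening"; wp_perm_audit "$base"
rm -rf "$base"
```

The second audit still reports the PHP file under uploads: permission hardening limits what an attacker can change, but it does not clean up what is already there.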
