WordPress mobile theme infected - wordpress

I was informed by Google that my WordPress website has been hacked. I installed Wordfence and I scanned all my files, I deleted all the infected plugins and restored all my original files. I scanned again, all is clean, I sent the reports (many scanners) to Google, they verified and removed the "this site may be hacked" message.
I tried now to open my website to check the responsive mobile design on my Samsung Note 5; before the theme, about 300 little hyperlinks appear, such as arx, arm, bmp, amzd, and every hyperlink takes me to a scam website. My website is injected for sure. How can I clean it of those hyperlinks?

First of all, make sure that your database is clean of all those infected links. It surely happened due to some vulnerable plugin or theme. Before you perform any action, back up your entire site, ground it, and scan it using some reasonable WordPress virus detectors. Once you're done with that, start scanning your database for any unusual pages and links that you might have seen on your website. After performing this cleanup process, install a fresh copy of WordPress by downloading it from the official website and install the latest version of each and every plugin; also make sure to google those plugins to see whether they are safe to use or not. Import your wp_posts table last, and try to avoid importing unnecessary or easy to post / add stuff.

Back up the database via phpMyAdmin and completely uninstall WP. Then reinstall it and restore the database.
Also, update any passwords on your webserver and even do a fresh install of the webserver.
Finally, avoid installing plugins that aren't from the official repo, as these can cause infections to your site.

Related

WordPress site page infected with malicious code

I have an issue with my WordPress site.
My website is generating adult pages which are not present on our website/database or server. They are showing in Google search results, for example siteurl.com/en/aarp-dating (around 500 pages Google crawled). We have checked all our database and found around 30 new tables are automatically created, and when we delete them, after some time they are restored automatically.
How can I find the malicious code on my server/pages or what kind of problem is this?
Thanks in advance !!
Download the full installation, then compare the files' checksums with a clean backup or a fresh installation of the same WP + Plugins + Theme versions.
Most important: find out how they infected your site and close that hole or you will be back at square one in a short time after you've uploaded a clean backup. Check the Access Logs, filter out known IP addresses of you and your users, and look at the rest, especially POST requests. Also make sure to check the FTP-logs and (if you have ssh access to your host) auth logs to make sure that your/your coworkers' machines/passwords haven't been compromised.
Also make sure you don't miss any extra individual files or plugins that shouldn't be there.
You cannot trust what you see in the backend at this point, so check the database directly for new users you don't know and users with privileges they shouldn't have. Comparing with a recent backup can help.
Since it's not clear how long your site has been infected, I wouldn't trust recent backups (or any, really) either. Set up a fresh install after you found and fixed the entry point, then manually (or with a script, but be careful not to transfer back doors) transfer content to the clean install.
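The checksum comparison suggested in the answer above, as an added example (not code from the original post): it hashes a downloaded copy of the site and a clean install of the same versions, then lists modified, extra and missing files. Leaving `wp-content/uploads/` out of the hash comparison while still reporting PHP files found there is an assumption of this example.

```python
import hashlib
import os
import sys


def sha256_file(path):
    """Hash one file in chunks so large media files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare_trees(suspect_root, clean_root, ignore=("wp-content/uploads/",)):
    """Compare the downloaded site with a clean install of the same versions."""
    suspect, clean = hash_tree(suspect_root), hash_tree(clean_root)
    report = {"modified": [], "extra": [], "missing": [], "php_in_ignored": []}
    for rel in sorted(suspect):
        if rel.startswith(ignore):
            # Uploads differ legitimately, but code files there need a look.
            if rel.lower().endswith((".php", ".phtml")):
                report["php_in_ignored"].append(rel)
        elif rel not in clean:
            # wp-config.php and anything absent from the clean tree lands
            # here too; review each entry by hand.
            report["extra"].append(rel)
        elif clean[rel] != suspect[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(
        r for r in clean if r not in suspect and not r.startswith(ignore))
    return report


if __name__ == "__main__":
    # usage: python compare.py <downloaded-site-dir> <clean-install-dir>
    for kind, paths in compare_trees(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(f"{kind}\t{p}")
```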
Use the Wordfence Security plugin and scan for infected core files of WordPress.
Use the Sucuri plugin.
Also, deactivate ALL of your plugins and install a basic WordPress theme before.
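The access-log review from the first answer in this thread (filter out known IP addresses, then look at what is left, especially POST requests), as an added example that is not part of the original posts. It assumes the Apache/nginx combined log format; the sample lines are constructed and use documentation IP ranges.

```python
import re
import sys
from collections import defaultdict

# Apache/nginx "combined" format (assumed; adjust if your host logs differently)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not taken from a real log
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:02:11 +0000] "GET /en/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:02:15 +0000] "POST /wp-content/uploads/2014/x.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.23 - - [01/Jan/2024:10:05:40 +0000] "POST /wp-content/uploads/2014/x.php?a=1 HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.23 - - [01/Jan/2024:10:05:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
]


def unknown_posts(lines, known_ips):
    """Group POST requests from clients outside known_ips by request path."""
    by_path = defaultdict(lambda: {"count": 0, "ips": set(), "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in known_ips or m["method"] != "POST":
            continue  # unparsable line, your own traffic, or not a POST
        path = m["target"].split("?", 1)[0]  # group by path, ignore the query
        entry = by_path[path]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"].add(int(m["status"]))
    # Busiest paths first, then alphabetical for a stable order
    return sorted(by_path.items(), key=lambda kv: (-kv[1]["count"], kv[0]))


if __name__ == "__main__":
    # usage: python posts.py access.log 192.0.2.10 [more known IPs ...]
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            rows = unknown_posts(fh, set(sys.argv[2:]))
    else:
        rows = unknown_posts(SAMPLE, {"192.0.2.10"})
    for path, info in rows:
        print(info["count"], path, sorted(info["ips"]), sorted(info["statuses"]))
```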

Restore wordpress from local copy

I have a local wordpress backup which is a copy of the main dir from the previous webhost.
I ran the site using WampServer but when I tried to open the index page it said: "Error establishing a database connection".
I think this is because the database is not imported in phpMyAdmin. How can I make this work so I can access the site?
The WordPress database stores all of the site content - Posts, Pages, custom post types, images, and so forth. Unless you have a copy of the database, the files you have will only be useful for setting up the same plugins and theme that were being used on the old host.
There may be a couple of ways to restore your lost content:
Check Wayback Machine - if it's a larger site it may be indexed here, and you can go through page by page and rebuild.
Check Google's cache - if the site was only recently removed from the old webhost, the individual pages may be cached for a time. It would be wise to download as "complete webpage" each page and then go through page by page and rebuild. Same with images - if they've only recently been removed, you may be able to find (possibly lower-resolution) cached versions and download them. To check, do a Google search for site:http://example.com (replace with your URL).
If neither of these exist, you'll need to start from scratch on the content, but you'll have learned a valuable lesson about backing up. :)

Can't access Wordpress admin login page (redirect error)

I’m working on a wordpress site, it’s almost finished.
Left it lying on the server for a few weeks after the launch to gather user feedback, and now ready to make some minute adjustments.
Lo and behold, can’t log in.
Going to parentsauxassembleesgenerales.org/wp-admin won’t show me the admin page, but will instead redirect.
Sure enough, I had an automatic update to 3.8.2 on April 9 that seems to coincide with the admin access being gone.
Contrary to most redirect errors for login pages after an automatic update on forums, the exact url it redirects to is not actually a valid url.
You see others reporting the url they are redirected to as being:
http://www.domain.org/wp-login.php/?redirect_to=http%3A%2F%2Fwww.domain.org%2Fwp-admin%2F&reauth=1
But mine displays: http://www.parentsauxassembleesgenerales.org-login.php/?redirect_to=http%3A%2F%2Fwww.parentsauxassembleesgenerales.org%2Fwp-admin%2F&reauth=1
And is therefore missing three characters: “/wp” to be identical to the other bugs I saw reported. Needless to say, I still tried all the fixes recommended elsewhere, namely:
(using FTP, Softaculous, download of WP 3.8.1 and 3.8.2 from wordpress.org, and phpMyAdmin)
1- deactivating, renaming, removing plugins, theme, both plugins and theme
2- adding lines of code to wp-config
3- looking at the database to make sure the site url and home url were the right ones and the same
4- updating key files like wp-login.php with a fresh version straight out of a vanilla install.
5- moving the content and wp-config to a fresh install (only recreated the problem).
I’m sort of confused at Softaculous (wp install script in cPanel) for asking if you want automatic updates, but still enabling the small automatic updates (3.8.1 to 3.8.2 or 3.8.3) even if you don’t check the box for automatic updates. I don’t, and never will, want automatic updates on my wordpress: too many plugins and themes have a lag to the wordpress core deployment schedule. (I now know I can just add a line to wp-config.php, but the Softaculous interface could be clearer about the automatic update deal).
Am now in contact with the hosting service to look at solutions such as emptying webcache, restoring from their own weekly backups, their own diagnosis of the faulty redirect route, etc.
I’m looking for a solution that will do one of the following:
help me know what causes the redirect error so I can target the problem-solving
help me regain access to wp-admin login and the dashboard
I found the issue.
Despite deactivating the plugins, one of the plugins had caused a problem in the DB which remained even when deactivated, removed or renamed. Had to clean up the relevant redirects in the DB with PhpMyAdmin.
The plugin was Velvet Blues Update URLs, which was recommended for a very small move I was doing (moving the dev version of the site up one folder on the server file system).
I hadn't used this plugin before, but it seemed straightforward enough.
Not.
I usually migrate sites using UpDraftPlus with the pro addon for migration, which works fairly well, but felt longer than it needed to be for a one-folder-up move.
Not.
The search and replace feature on UpDraftPlus that covers both for file/folder locations and for urls is without compare, and even for what it was supposed to do, Velvet Blues Update URLs didn't deliver on its promise.

Meta Description Shows Spam

I have a website (thebyandby.com) that got hacked several weeks ago. The problem is, the description on Google is showing a spam description for viagra and one of the most popular posts (when linked to from Google) goes to a spam website.
The site is a WordPress website so I reinstalled the theme and made sure everything was updated. There are only two plugins installed, Akismet and Google Analytics. I don't think the plugins could be affected but I am not sure. The problem was still there so I checked when Google last indexed my site and it was after I had reinstalled my theme. I checked for malware from Google Webmaster and it said it didn't find any malware. I ran grep -r "viagra" on my entire web directory and nothing was found. I really don't know what else to do. Could this be a database problem?
Yes, it could well be that you have content in the database which is compromised. After all, that's where all the pages and posts are stored. Does your hosting company provide a tool like phpMyAdmin for browsing and editing the database?
But equally, if you have only reinstalled the theme then there are a lot more core WordPress files that could have been compromised by the hacker. Given that you are having problems, it would be well worth doing a complete reinstall of the WordPress files. Just make sure you keep a copy of your wp-config file, as you will need to copy that back. Also make sure you reinstall the same version of WordPress that you currently have.
But you know what: It may save you time in the long-run to just export all your posts and pages from within WordPress and then wipe the hacked site completely and install the whole thing from scratch. You can open the export file in any decent editor and once you've got your head around the XML structure, you can delete any rubbish that the hacker put there. I guess this option depends on how much content you had already put up on the site and how readily you could reconfigure the new site to match the old one.
Of course, if you have a full files and database backup from before the hacker got there, then you have an easy option that avoids all this grief ;-)
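One way to review the export file mentioned above without reading the XML by hand, added here as an example (not from the original answer): it lists every post or page in a WordPress export (WXR) whose body links to or loads from a host other than your own. The host names and the sample export are constructed; only the item bodies in the export are checked.

```python
import re
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of <content:encoded>, which holds each post/page body in a WXR file
CONTENT_NS = "{http://purl.org/rss/1.0/modules/content/}"
# href/src values that are absolute or protocol-relative URLs
URL_ATTR_RE = re.compile(
    r'''(?:href|src)\s*=\s*["']((?:https?:)?//[^"'\s>]+)''', re.I)

# Constructed sample export (hypothetical site blog.example)
SAMPLE_WXR = """<rss version="2.0"
 xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel>
<item><title>About</title><link>http://blog.example/about/</link>
<content:encoded><![CDATA[<p>See <a href="http://blog.example/contact/">contact</a>.</p>]]></content:encoded></item>
<item><title>Popular post</title><link>http://blog.example/popular/</link>
<content:encoded><![CDATA[<p>Text</p><div><a href="http://pills.example.net/buy">x</a>
<script src="//cdn.example.org/r.js"></script></div>]]></content:encoded></item>
</channel></rss>"""


def offsite_links(wxr_data, own_hosts):
    """Return [(title, link, [external hosts])] for items pointing off-site."""
    own = {h.lower() for h in own_hosts}
    # The file comes from a compromised site; the defusedxml package is the
    # hardened drop-in parser if you want protection against hostile XML.
    root = ET.fromstring(wxr_data)
    findings = []
    for item in root.iter("item"):
        body = item.findtext(CONTENT_NS + "encoded") or ""
        hosts = set()
        for url in URL_ATTR_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own:
                hosts.add(host)
        if hosts:
            findings.append((item.findtext("title") or "",
                             item.findtext("link") or "", sorted(hosts)))
    return findings


if __name__ == "__main__":
    # usage: python wxr_scan.py export.xml yoursite.example www.yoursite.example
    with open(sys.argv[1], "rb") as fh:
        for title, link, hosts in offsite_links(fh.read(), sys.argv[2:]):
            print(f"{title}\t{link}\t{', '.join(hosts)}")
```

Many of the hosts reported will be legitimate (embedded videos, references); the list is a starting point for the manual cleanup the answer describes.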

How to do minor updates to Drupal-6 with shared hosting

I've got Drupal working on a shared host, and I uploaded some modules from my home system successfully, but I've got the message that there is a security update for my version, and I should update immediately.
I'm not sure how I'm supposed to do that. It seems like the update is an entire new installation. I originally installed it using the hosting company's installer, Fantastico. Should I simply over-write the existing installation with the new files? Or ignore the message? I realize I shouldn't over-write the sites folder, or anything I've modified.
The instructions that come with the download seem to be for a major version upgrade, and are way too much trouble for frequent security updates. Searching Drupal's site shows many other methods, but no indication of anything official. And some were ridiculously error-prone, and not really useful.
I don't have shell access to the hosting site, although I can pay extra to get it if I really need to. Or, maybe I can clone the site on my local Linux system, do the update using a script, then upload the whole thing.
Does anyone have experience with this situation?
With only FTP access you should:
Download and extract the new Drupal version.
Delete the sites folder (in the downloaded Drupal), this is very important.
Put your site in maintenance mode.
Upload the content of the new Drupal (not the sites folder). This should give you a new version of all the Drupal core files, but leave the sites folder intact where you have your custom and contrib modules, your settings.php file and your uploaded files.
Run update.php as user 1.
Lastly put your site in online mode again.
