WordPress site hacked!!!

Viewing 15 posts - 1 through 15 (of 21 total)
  • #981019
    Leisa D

    Hi all, just need to vent here. I’m not a web designer but I managed to set up a website for a primary school using WordPress with custom theme, newsfeed, lots of pages of info, etc. and they were really happy with it. But today it was hacked! Fine on a computer, but on a mobile it redirected to a porn site! I’ve deleted the whole WordPress installation and started again using a different program. Anyone else had this problem? I’d been updating the WordPress software and plugins so what else can cause this?

    #1127498
    Greg_M

    I’ve had this happen a few times, all of them were via an insecure web server configuration on what turned out to be poor quality shared hosting … got into the index.php file and injected javascript that caused a redirect to a scareware site.

    A redirect to a porn site’s a bit of a worry for a school site.

    I’m sure if you Google around you’ll probably find information on your specific attack symptoms and how to clean it up… there’s enough WP gurus here, I’m sure someone will have a few clues.

    Often it’s not WP itself, but a dodgy plugin that causes problems.

    The response I got from my then hosting provider was that the site was not updated properly or the password was inadequate (which was complete crap). In the same series of attacks a lot of WP sites went down across a number of hosting companies.

    WP is a great CMS but it does cop a lot of attention from malicious attackers.

    I changed over to VPS hosting and still had my hands full maintaining it (didn’t get hacked again though).

    Hope you get it sorted … not much fun cleaning up the mess.
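    Since the symptom in this thread (clean on a desktop, redirect on a phone) is usually a User-Agent-conditional redirect dropped into index.php, a theme file or .htaccess, here is a scanner that looks for exactly that plus the usual obfuscation markers. This is an added example, not code from the thread or from WordPress itself; the sample files it writes are constructed to resemble the injection Greg describes, and the pattern list is a heuristic starting point rather than a malware signature set.

```python
"""Heuristic scan of a WordPress tree for injected redirect/obfuscation code.

Added example, not from the forum post or from WordPress. The files written
by build_sample_site() are constructed to mimic the thread's symptom (normal
page on desktop, redirect on mobile). Review every hit by hand.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# (rule name, regex, severity): common markers of injected PHP/JS
PATTERNS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), "high"),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\([^,]*?/[a-z]*e[a-z]*['\"]\s*,", re.I), "high"),
    ("hidden iframe",
     re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0\b", re.I), "high"),
    ("hex-escaped JS string",
     re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I), "medium"),
    ("base64_decode call",  # low: some legitimate plugins use it
     re.compile(r"base64_decode\s*\(", re.I), "low"),
]
# A redirect that only fires for some User-Agents is the thread's symptom.
UA_CHECK = re.compile(r"HTTP_USER_AGENT|navigator\.userAgent", re.I)
MOBILE_UA = re.compile(r"android|iphone|ipod|blackberry|opera mini|windows phone|symbian", re.I)
REDIRECT = re.compile(
    r"header\s*\(\s*['\"]Location:|window\.location|document\.location|location\.href"
    r"|RewriteRule\s+\S+\s+https?://", re.I)


@dataclass
class Finding:
    path: str
    rule: str
    severity: str
    line: int


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_text(path, text):
    """Run every heuristic over one file's contents."""
    findings = [Finding(path, name, sev, _line_of(text, m.start()))
                for name, rx, sev in PATTERNS for m in rx.finditer(text)]
    redir = REDIRECT.search(text)
    if UA_CHECK.search(text) and redir:
        sev = "high" if MOBILE_UA.search(text) else "medium"
        findings.append(Finding(path, "User-Agent-conditional redirect", sev, _line_of(text, redir.start())))
    return findings


def scan_tree(root, exts=(".php", ".js", ".html", ".htaccess")):
    """Walk a site root and scan every file with an interesting extension."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(exts):
                p = os.path.join(dirpath, fn)
                with open(p, encoding="utf-8", errors="replace") as f:
                    findings.extend(scan_text(os.path.relpath(p, root), f.read()))
    return findings


# --- constructed sample site (not real WordPress files) -------------------
CLEAN_PHP = """<?php
/** Front to the WordPress application (constructed sample). */
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""
# Constructed infection: mobile browsers get bounced elsewhere, desktop does
# not, and an obfuscated payload is eval'd.
INFECTED_INDEX = CLEAN_PHP + """
if (preg_match('/android|iphone|ipod|blackberry|opera mini/i', $_SERVER['HTTP_USER_AGENT'])) {
    header('Location: http://example.invalid/landing');
    exit;
}
eval(base64_decode('ZWNobyAnaGknOw=='));
"""
CLEAN_THEME = """<?php
// Constructed benign theme code: reads the UA but never redirects.
$is_touch = stripos($_SERVER['HTTP_USER_AGENT'], 'iphone') !== false;
"""


def build_sample_site(root):
    files = {
        "index.php": INFECTED_INDEX,
        "wp-blog-header.php": CLEAN_PHP,
        os.path.join("wp-content", "themes", "school", "functions.php"): CLEAN_THEME,
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)


def demo():
    """Build the sample site in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    for f in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{f.severity:6} {f.path}:{f.line}  {f.rule}")
```

    Run it against a copy of the hacked install before wiping it (python scan.py /path/to/site) so you know which files were touched, and compare those against a fresh download of the same WordPress version. The benign theme file in the sample shows why the redirect rule needs both a User-Agent check and a redirect in the same file; reading the UA on its own is normal.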

    #1127499
    Divert To Mobile

    I hate to say I told you so.

    Sorry that was mean,
    this link is actually useful

    Also, when picking passwords it’s useful to understand how they get cracked. This is another useful page – I quite like this one.

    Steve

    #1127500
    Past-Member

    I don’t use WordPress but I found this page that may be helpful to you. It indicates plugins that could help you with security.
    Hardening WordPress Security: 25 Essential Plugins + Tips

    http://www.hongkiat.com/blog/hardening-wordpress-security/

    Good luck. All the best.

    #1127501
    Greg_M
    Divert To Mobile, post: 144296 wrote:
    I hate to say I told you so.

    Sorry that was mean,
    this link is actually useful

    Steve

    Your original call was pretty good though, I reckon all the open source CMSs (maybe any CMS) should come with a similar caution.

    I won’t start a flame war about server side programming languages or design patterns, but my experience stopped me using any of them.

    If I need a CMS now I use a hosted platform that puts all the server side and security stuff in someone else’s in tray.

    #1127502
    kathiemt

    Check with the web host and ask what security precautions they have. Also make sure you use strong passwords, and check your settings so that no-one else can log in.

    Finally make sure you run a regular back up of the site so that you can restore it if necessary.

    #1127503
    Divert To Mobile

    The amount of hacking going on is absolutely phenomenal. If you ever have the opportunity to look at the tail end of security logs, there’s a constant stream of login attempts and error logs, thousands of injection attempts and phpMyAdmin hack attempts, all of which is automated, self-perpetuating botnets. The more you understand it, the scarier it is. I don’t even try to manage security myself anymore; I leave that for qualified system admins.

    Steve
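    To see what Steve describes in your own access log, here is an added example (not from the post) that parses Apache/nginx combined-format lines and buckets traffic by source address: bursts of POSTs to wp-login.php or xmlrpc.php, requests for phpMyAdmin-style paths, and obvious injection strings in the query. The log lines in sample_lines() are constructed, using RFC 5737 documentation addresses, and the 10-attempts-in-5-minutes threshold is an arbitrary starting point you would tune to the site.

```python
"""Bucket suspicious requests in an access log by source address.

Added example, not from the forum post. sample_lines() is constructed
(RFC 5737 test addresses) in Apache/nginx "combined" log format.
"""
import sys
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
PROBE_PATHS = re.compile(r"^/(?:phpmyadmin|pma|myadmin|mysql|dbadmin)(?:/|$)", re.I)
INJECTION = re.compile(r"union\s+select|information_schema|\.\./\.\./|<script", re.I)


def parse(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def max_in_window(times, window):
    """Largest number of events from one source inside any span of `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(lines, threshold=10, window=timedelta(minutes=5)):
    """Return brute-force sources, admin-tool probers and injection attempts."""
    logins, probes, injections = defaultdict(list), defaultdict(set), defaultdict(set)
    for line in lines:
        r = parse(line)
        if not r:
            continue
        raw = unquote_plus(r["path"])          # decode %20 etc. before matching
        path = raw.split("?", 1)[0]
        if r["method"] == "POST" and path in LOGIN_PATHS:
            logins[r["ip"]].append(r["ts"])
        if PROBE_PATHS.search(path):
            probes[r["ip"]].add(path)
        if INJECTION.search(raw):
            injections[r["ip"]].add(raw)
    bursts = {ip: max_in_window(ts, window) for ip, ts in logins.items()}
    return {
        "brute_force": {ip: n for ip, n in bursts.items() if n >= threshold},
        "probes": {ip: sorted(p) for ip, p in probes.items()},
        "injection": {ip: sorted(p) for ip, p in injections.items()},
    }


def _line(ip, when, method, path, status, ua):
    ts = when.strftime("%d/%b/%Y:%H:%M:%S +1100")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def sample_lines():
    """Constructed log: a bot hammering wp-login.php, one real user, one scanner."""
    t0 = datetime(2013, 3, 12, 3, 14, 0)
    out = [_line("203.0.113.7", t0 + timedelta(seconds=5 * i), "POST", "/wp-login.php", 200, "Mozilla/5.0")
           for i in range(25)]                                   # 25 POSTs in two minutes
    out.append(_line("198.51.100.4", t0 + timedelta(seconds=30), "POST", "/wp-login.php", 302, "Mozilla/5.0 (iPhone)"))
    for p in ("/phpmyadmin/", "/pma/scripts/setup.php", "/index.php", "/?p=1%20UNION%20SELECT%201,2,3"):
        out.append(_line("192.0.2.9", t0 + timedelta(seconds=60), "GET", p, 404, "-"))
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            report = analyze(f)
    else:
        report = analyze(sample_lines())
    for bucket, hits in report.items():
        for ip, detail in hits.items():
            print(f"{bucket:12} {ip:16} {detail}")
```

    The real user who posts once to wp-login.php never shows up, which is the point of the sliding window: it is the rate from one address, not the path alone, that marks the bot. Once you have the list, the usual follow-up is to block or rate-limit those addresses at the web server and to check whether any of the POSTs returned a 302 to wp-admin, which would mean one of the guesses worked.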

    #1127504
    dmac

    Getting your website hacked is a major pain. I had a similar experience and it took a big chunk of my time and resources to remove their traces. I believe all the essential tips to overcome this problem have been covered pretty well by our friends here in FS. It’s really important to follow them and create some premeditated plan to prevent this from happening again. Although, I can guarantee you, hackers will always find a different way to get around it. Just be ready for that when it happens. If you have deleted your WP installation due to this, were you able to create a dedicated backup system for it? You should have a solid backup system, to restore all your data once everything has been restored.

    #1127505
    Greg Wallace – 46digital

    Lots of great replies here but none mention that you also need to have a good backup strategy in place. There are a number of plugins that can do this for free or you could use a service like Vaultpress – the guys who run WordPress.com (http://vaultpress.com/) which backs up your website in real time for a low monthly fee. The service also scans your website for malware which is quite important.

    A key point about using WordPress is keeping up with updates and only using plugins/themes that are reputable and regularly maintained. I recommend at least a quarterly review of each website you setup with WordPress to make sure everything is up to date.

    A plugin that I use for all of my client sites is Backupbuddy (http://ithemes.com/purchase/backupbuddy/). It’s easy to use and is a lifesaver if your site gets hacked.

    Greg.

    #1127506
    Dinus

    Worth considering, for business sites especially, is this service:
    http://sucuri.net/
    I include it in the hosting for my clients. They monitor the site and if hacked get it fixed/cleaned within hours.

    #1127507
    eWAY

    WordPress is a great product to help smaller businesses and individuals build a website quickly, but unfortunately in its standard form is incredibly prone to being hacked, especially when paired with a budget shared hosting option.

    If you’re looking for a basic blog or business website it may be better to consider wordpress.com which covers the hosting and security for you for free.

    If you’re going to tackle hosting WordPress yourself then make sure you’re using a reputable host, a VPS would be minimum and install security/monitoring/backup plugins.

    Some great ones are:

    Sucuri (for security/monitoring)
    BulletProof (for security)
    ManageWP (for backups and statistics)

    The above is useless if you don’t set your folder/file permission correctly though.

    Maclean
    eWAY.com.au
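    Maclean’s last point, file and folder permissions, is the one most people skip, so here is an added example (not from the post) that audits a WordPress tree against the baseline most hosts recommend (directories 755, files 644, wp-config.php 600, nothing world-writable, no PHP under wp-content/uploads) and then applies it. The directory layout it builds is constructed; the numbers assume your FTP/SSH account owns the files and PHP runs as that user or only needs read access, so if your host runs PHP as a different user their documentation wins.

```python
"""Audit and apply a WordPress file-permission baseline.

Added example, not from the forum post. Baseline (assumed; matches common
hosting advice): dirs 755, files 644, wp-config.php 600, nothing
world-writable, and no PHP under wp-content/uploads.
"""
import os
import stat
import sys
import tempfile

DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600
UPLOADS = os.path.join("wp-content", "uploads")
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")


def audit(root):
    """Return sorted (kind, relative path) tuples for every deviation from the baseline."""
    issues = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue                      # symlinks are judged by their target elsewhere
            rel = os.path.relpath(p, root)
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode & 0o002:
                issues.append(("world-writable", rel))
            if name == "wp-config.php" and mode & 0o077:
                issues.append(("config-readable-by-others", rel))
            if name.lower().endswith(PHP_EXTS) and rel.startswith(UPLOADS + os.sep):
                issues.append(("php-in-uploads", rel))   # chmod will not fix this one
    return sorted(issues)


def apply_baseline(root):
    """chmod every entry under root to the baseline; returns how many were changed."""
    changed = 0
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            if os.path.isdir(p):
                want = DIR_MODE
            elif name == "wp-config.php":
                want = CONFIG_MODE
            else:
                want = FILE_MODE
            if stat.S_IMODE(os.stat(p).st_mode) != want:
                os.chmod(p, want)
                changed += 1
    return changed


def build_sample_site(root):
    """Constructed tree with the classic mistakes: 777 uploads, 644 wp-config, dropped PHP file."""
    layout = {
        "wp-config.php": 0o644,
        "index.php": 0o644,
        os.path.join(UPLOADS, "2013", "03", "photo.jpg"): 0o666,
        os.path.join(UPLOADS, "shell.php"): 0o644,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)
    os.chmod(os.path.join(root, UPLOADS), 0o777)


def demo():
    """Audit the constructed site, fix permissions, audit again: (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        before = audit(root)
        apply_baseline(root)
        return before, audit(root)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for kind, rel in audit(sys.argv[1]):
            print(f"{kind:28} {rel}")
        if "--fix" in sys.argv:
            print("changed:", apply_baseline(sys.argv[1]))
    else:
        before, after = demo()
        print("before:", before)
        print("after: ", after)
```

    The second audit still reports the PHP file under uploads: tightening modes stops the next drop, but anything already planted has to be found and deleted by hand, which is why an audit is worth more than a blind chmod -R.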

    #1127508
    kathiemt

    Maclean, wordpress.com doesn’t like people using their site for business purposes, only for personal and other things, not for commercial use.

    Self-hosted WordPress is fine as long as it’s kept updated. Hopefully whoever they host through will have a secure system – using reputable hosting services helps. And if they need the assistance of a webmaster, then that person should be ensuring the updates are run regularly, otherwise they can learn to do that themselves.

    #1127509
    Cool Zephyr

    Totally agree with Kathie, WordPress is a great platform as long as you keep things up to date. You’d be hard pressed to find too many mainstream Aussie web hosts that don’t have their security up to scratch (given most resell through larger providers anyway).

    Most importantly:

    1) Keep backups (historical backups); a daily backup is pretty useless if you don’t realise it’s been hacked for a couple of days

    2) Update regularly – someone mentioned quarterly, I’d say monthly would be more advisable.
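    On the first point, a rotation that keeps only last night’s copy has already overwritten the clean site with the hacked one by the time anyone notices. As an added example (not from the post), here is a daily/weekly/monthly retention plan over backups named site-YYYY-MM-DD.tar.gz (an assumed naming; adjust DATE_RE to your plugin’s) plus a helper that picks the newest copy from before the suspected compromise. Keep the copies somewhere the web server account cannot write to, or whoever got into the site can delete them as well.

```python
"""Backup retention so an older clean copy survives a late-noticed hack.

Added example, not from the forum post. Assumes backup files carry a
YYYY-MM-DD date in the name (adjust DATE_RE otherwise) and keeps the
newest 7 daily, 4 weekly and 6 monthly copies.
"""
import re
from datetime import date, timedelta

DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def dates_from_names(names):
    """Map filename -> date found in it; names without a date are ignored."""
    out = {}
    for n in names:
        m = DATE_RE.search(n)
        if m:
            out[n] = date(*map(int, m.groups()))
    return out


def select_keep(backups, daily=7, weekly=4, monthly=6):
    """Dates to retain: the newest `daily`, the newest one in each of the
    `weekly` most recent ISO weeks, and in each of the `monthly` most recent months."""
    backups = sorted(set(backups), reverse=True)          # newest first
    keep = set(backups[:daily])
    by_week, by_month = {}, {}
    for d in backups:                                      # first hit per bucket is the newest
        iso = d.isocalendar()
        by_week.setdefault((iso[0], iso[1]), d)
        by_month.setdefault((d.year, d.month), d)
    keep.update(by_week[k] for k in sorted(by_week, reverse=True)[:weekly])
    keep.update(by_month[k] for k in sorted(by_month, reverse=True)[:monthly])
    return sorted(keep)


def plan_prune(names, **policy):
    """Split backup filenames into (keep, delete) under the policy."""
    dated = dates_from_names(names)
    keep_dates = set(select_keep(dated.values(), **policy))
    keep = sorted(n for n, d in dated.items() if d in keep_dates)
    delete = sorted(n for n, d in dated.items() if d not in keep_dates)
    return keep, delete


def restore_candidate(kept_dates, compromised_since):
    """Newest retained backup taken before the compromise is believed to have started."""
    older = [d for d in kept_dates if d < compromised_since]
    return max(older) if older else None


def demo():
    """120 nightly backups (constructed), hacked 3 days ago, noticed today."""
    today = date(2013, 3, 12)
    names = [f"site-{today - timedelta(days=i)}.tar.gz" for i in range(120)]
    keep, delete = plan_prune(names)
    kept_dates = sorted(dates_from_names(keep).values())
    compromised = today - timedelta(days=3)
    with_history = restore_candidate(kept_dates, compromised)
    single_slot = restore_candidate([today], compromised)   # nightly overwrite keeps one copy
    return [str(d) for d in kept_dates], str(with_history), single_slot, len(delete)


if __name__ == "__main__":
    kept, candidate, single, deleted = demo()
    print("retained:", ", ".join(kept))
    print("pruned:", deleted, "files")
    print("restore from:", candidate, "| single-slot rotation would offer:", single)
```

    With the policy above, the 120 nightly files collapse to 13 retained copies and the restore point for a hack three days old is the 8 March backup; the single-slot rotation has nothing clean to offer. Restore the files from that copy, but still change every password and re-check the permissions afterwards, since the backup does not tell you how they got in.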

    #1127510
    kathiemt
    Cool Zephyr, post: 148182 wrote:
    Most importantly:

    1) Keep backups (historical backups); a daily backup is pretty useless if you don’t realise it’s been hacked for a couple of days

    2) Update regularly – someone mentioned quarterly, I’d say monthly would be more advisable.

    Yes, definitely monthly, and if you do a major change, before and after as well.

    #1127511
    Netorigin
    eWAY, post: 147946 wrote:
    WordPress is a great product to help smaller businesses and individuals build a website quickly, but unfortunately in its standard form is incredibly prone to being hacked, especially when paired with a budget shared hosting option.

    If you’re looking for a basic blog or business website it may be better to consider wordpress.com which covers the hosting and security for you for free.

    If you’re going to tackle hosting WordPress yourself then make sure you’re using a reputable host, a VPS would be minimum and install security/monitoring/backup plugins.

    Some great ones are:

    Sucuri (for security/monitoring)
    BulletProof (for security)
    ManageWP (for backups and statistics)

    The above is useless if you don’t set your folder/file permission correctly though.

    Maclean
    eWAY.com.au

    Hi Maclean,

    I’d have to disagree in regards to hosting WordPress on a VPS at the minimum. For most businesses out there, a VPS would certainly be overkill and it simply increases the costs for hosting. You would also need to factor in VPS management, as most businesses wouldn’t have the time or perhaps the required knowledge to manage a VPS in terms of security, software packages, configuration files, etc. Shared hosting is the way to go for most businesses wanting to run a WordPress site because the web host takes care of the server’s security and maintenance.

    Cheers,

    Shaun
