Domain hacked

xblink · Oct 5, 2013

Hi , my domain ganja.org.uk has been hacked , if you go to the website now it comes up with page put up by hacker , never had this happen before. Can anyone help please

thanks

monaghan · Oct 5, 2013

restore from backup and start looking through the logfiles for clues.

Most "hacks" are not sophisticated, usually an un-patched mainstream web app (WP, VB etc...) that has been found by a bot and a delete & restore will do the trick.

If in doubt, ask your host to help.

Edwin · Oct 5, 2013

Move your WP installation out of /wp-admin/ as that's the first place hackers will look. Create a new user with a completely random (long) username and password, give it admin privileges, then downgrade "admin" to a regular user. Create a third user just for posting, so that the username that shows up as the "owner" of posts only has posting access.

Won't help that much, but it's at least a start.

Murray · Oct 5, 2013

All I'm seeing is a blank/freshly installed wordpress blog.

Have you not just clicked "install wordpress" somewhere?.

philipp · Oct 7, 2013

monaghan said:
Most "hacks" are not sophisticated, usually an un-patched mainstream web app (WP, VB etc...) that has been found by a bot and a delete & restore will do the trick.

There's also a bug in mod_rewrite that seems to be catching out people with out-of-date Apache installations at the moment.

P.

dashu1 · Oct 7, 2013

I've seen a lot of this lately, mainly trojans being installed on wp sites.

You need to:

1) delete all files and reinstall fresh copy
2) delete user names and passwords
3) create new user names and good passwords
4) change database password
5) change ftp password
6) update all plugins etc
7) install bulletproof security and wordfence, adjust settings as necessary
8) to stop brute force attacks consider moving the login page away from wp-login - there is of course a plugin (http://wordpress.org/plugins/stealth-login-page/) or you can do it a more sensible way by editing your functions.php file (5th block of code down): http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

Good luck!

Admin · Oct 7, 2013

Wordfence lets you block admin logins after X wrong attempts for X days, block immediately for unknown users (change your "admin" for this to be effective). Not as robust but easier than hacking the functions file.

I had attacks on my sites and setting this soon made them go look for easier targets.

Admin

robertsone · Oct 7, 2013

When I've dealt with hacked WordPress sites I found WordFence helpful at keeping scripts and hackers out, Bulletproof less so. However, if they do get in I found WordFence has limits when it comes to detecting files and code that shouldn't be there.

Finding the source of the issue, planted code or the backdoor can be difficult. Esp. as one of the latest tricks is once they have access to your site, they plant encrypted code in one or more of your files or they create additional files amongst your WP install (often with innocent looking names). Sometimes it's to hide malware in your site or plant hidden links. Often the first you'll know about it is when your description in Google suddenly changes or Google blocks your site for malware.

The only thing I found reliable at finding issues was Sucuri. I use the free scanner to help track down issues and verify the site is clean - http://sitecheck.sucuri.net/scanner/

I've not used their commercial services, just the free scanner.