
Wordpress hacked, adsense code changed

I checked my adsense just now and noticed yesterday's earnings were below what I would expect.

I checked my ads and one was reporting no earnings. I thought maybe there was a technical problem, but after doing some googling and checking my ad IDs on site, one had been changed to a code that is not mine.

How would this have happened?

I've changed my WP password and am going to change my FTP password. Is it likely they did it through a plugin?

I recently had to turn off Wordfence Security because it was making the site take 10+ seconds to load, so I was running no security plugins at all.

I thought with a sensible username (not Admin), a hard password like example - 5226iuhis@&!!*S&Sz!, an up-to-date WordPress and running barely any plugins I would be cool not having a security plugin, but apparently not.
 
There has been a wealth of core and plugin vulnerabilities of late which were being exploited days after disclosure. If you didn't update WordPress or plugins for a short time you might have been hit.

I'd normally recommend going overkill on a cleanse if you don't know, or don't have the ability to analyse the logs to find, how and when it was done.

  • Save wp-config to your machine
  • Save the wp-content folder to your machine
  • Delete everything from the server
  • Upload newly downloaded WordPress files
  • Upload wp-config to the new install, checking there is nothing in there that shouldn't be, compared to the default wp-config. (If you have custom rules in htaccess it's worth saving that too, but check again for things which shouldn't be in there.)
  • Do a virus and malware scan of your wp-content folder for obvious nasties. (This still won't pick up backdoors, as generally they are simple PHP files which are not malicious, hence the reason for deleting everything else and taking the additional steps mentioned below.)
  • Upload the wp-content folder back to the newly uploaded WordPress, apart from the plugins folder
  • Download fresh copies of all the plugins previously installed (do not upload the old ones and overwrite)

Once all of the above is done you should be left with everything new apart from your uploads and theme folder. Enable Wordfence, and in the options there is a tick box at the bottom saying "Disable Code Execution for Uploads directory". It's also worth ticking:

  • Hide WordPress version
  • Block IPs who send POST requests with blank User-Agent and Referer
  • Immediately lock out invalid usernames
  • Don't let WordPress reveal valid users in login error
  • Prevent users registering 'admin' username if it doesn't exist
  • Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, and the WordPress REST API
I also add these usernames to the "Immediately block the IP of users who try to sign in as these usernames" option ( obviously this is counting on you not having one of the following as your admin login ) :
  • admin
  • administrator
  • qwerty
  • root
  • user
  • test
  • (your site name, eg: ) acorndomains

All said and done, that should leave your theme folder the only thing which is unchecked; you should check each template for code which shouldn't be there.

There shouldn't be any reason that Wordfence should slow the site down unless it's having to deal with something; slowness could have been a sign to keep Wordfence enabled rather than disabling it. I dealt with 3 people last week that were complaining about the same thing; all 3 of their sites were being hit every 20 seconds by 13 different IP addresses, not enough to be considered an attack, but without the noticeable slowdown they could have been doing that for months undetected.

Obviously if you can analyse log files, all of the above can be missed as you can probably trace back to how and when it was done.

Passwords: it's also worth changing all passwords and making sure there aren't any users in the database who have suddenly given themselves admin permissions. Passwords include: cPanel, FTP, WP admin and WP database user/password.

Once happy you are reasonably clean, make sure the Wordfence web application firewall is set up correctly. It may be in learning mode if it's newly set up; that's fine, it will activate once it's finished learning.
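
The file checks from the clean-up steps above, as an added example that is not part of the original post: it walks a saved copy of wp-content, flags PHP files under uploads, and reports any AdSense publisher ID in theme or plugin files that is not the owner's. The function names, the directory layout in `demo()` and both publisher IDs are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PUB_ID = re.compile(r"ca-pub-\d{10,20}")          # AdSense publisher ID pattern
CODE_EXT = {".php", ".phtml", ".php5", ".phar"}   # extensions a server may execute
TEXT_EXT = CODE_EXT | {".js", ".html", ".htm"}    # files that can carry ad code


def audit_wp_content(root, expected_pub_id):
    """Return sorted (kind, relative_path, detail) findings for a saved wp-content copy."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        # Uploads should hold media only, so any script there needs a manual look.
        if rel.startswith("uploads/") and ext in CODE_EXT:
            findings.append(("php-in-uploads", rel, path.name))
        if ext in TEXT_EXT:
            text = path.read_text(encoding="utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for pub in PUB_ID.findall(line):
                    if pub != expected_pub_id:
                        findings.append(("foreign-adsense-id", rel, f"line {lineno}: {pub}"))
    return sorted(findings)


def demo():
    """Audit a small constructed tree; both publisher IDs are made-up sample values."""
    mine, other = "ca-pub-0000000000000001", "ca-pub-9999999999999999"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "themes" / "mytheme"
        uploads = root / "uploads" / "2017" / "05"
        theme.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (theme / "header.php").write_text(f'<ins data-ad-client="{mine}"></ins>\n')
        (theme / "sidebar.php").write_text(f'<?php // sidebar ?>\n<ins data-ad-client="{other}"></ins>\n')
        (uploads / "logo.png").write_bytes(b"\x89PNG")
        (uploads / "cache.php").write_text("<?php // constructed placeholder ?>\n")
        return audit_wp_content(root, mine)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

This covers files only; ad code placed through widgets or plugin settings is stored in the database and needs a separate check there.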
 
Presumably you have reported the new adsense code to the adsense fraud team, I'm guessing if they can get clicks then they'll be wanting to withdraw the earnings and can be traced to a real person at that point.

I tried to earlier via this report form - https://support.google.com/adsense/contact/unauthorized_code

But it says "Missing or incorrect Publisher ID in the unauthorised ad code"

Maybe they've already been removed as a publisher?

 
If you put the numeric part of that rogue Adsense ID into Google, you'll see it shows up on a few Arabic-language sites, suggesting they've hacked other places too (and not just those running Wordpress).
 
@Adam H 's post should be sticky'd

It should probably be written properly by someone who isn't dyslexic to make it worth highlighting. For those who are used to my gibberish it's probably just about followable :D ... followable? Is that even a word :D
 
No it was fantastic, thanks, I really appreciate the effort

I'm just having trouble accessing cpanel, password doesn't seem to be right, waiting for my host to get back to me then I will try and go through your recommendations
 
Get them to reset it; it might also be worth getting them to do a quick maldet scan (they will know what that is) as well to make sure cPanel is clean.
 
Worth running a few different scanners on your PC as well, if you use the same one all the time to log in. It might be that they didn't actually "hack" anything, but compromised your machine instead to steal your passwords. I assume that your Wordpress password was unique, and hard to guess? Also, FTP isn't particularly secure so if possible switch to SFTP https://southrivertech.com/whats-difference-ftp-sftp-ftps/
 
