
Hacked Wordpress

Status
Not open for further replies.
So I have an old theme for a Wordpress site, I like it and have been applying the WP updates, but on searching for the site in Google noticed these types of listings (which can only be hurting the SEO of the site):

math.png


  • You can see the site in the screenshot, does anyone know about this type of exploit?
  • Where is it living? In a file header or independent files on the server?
  • Is this really helping their SEO and hurting mine?
  • Any way that I can get rid of this for good with the current theme? Or are themes usually the problem?

I haven't put new content on the site in ages but was about to...

Update: Found this in the .htaccess and the named file (now deleted)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*93c71.*|^tobeornottobe$) /mrseed.php?q=$1 [L]
RewriteRule ^mrseed.php$ - [L]
</IfModule>

Any solution to stop this happening again? (ideally without changing theme - or is it most likely to blame?)
 
You need to find the cause, otherwise it will continue to happen. Was the theme nulled?

Download the entire site to your local machine. If you've got a decent antivirus (NOD32), it will pick up at least some of the malicious scripts (if there are some), which will give you clues as to what to look for, and they may reference any back door scripts.

Back up the install to make sure you've got one, then delete the WordPress tree, saving only your uploaded files and any files which you may have uploaded, like an external image folder or theme folders. Once clear, upload WordPress again, upload all plugins again and ensure they are still updated, then check your template files for anything suspicious.

Remove any old test installs you've got lying around or anything in the file system which you no longer use.

Change all your passwords including WP-admin and cPanel.

Reset the permalinks and see if the .htaccess changes.

You can also install a plugin called Wordfence and set it up to scan and email you when something changes or when there is a mismatch. Once you're at that stage you can think about locking down the install with some .htaccess and robots.txt entries to prevent future scanning, assuming your host is secure.

Beyond that there is little that can be advised without seeing the setup.
 
Install Wordfence and set it to alert you on changes. Will also let you see visitors by country, I block ones who I don't think will use the site for any good reason.

Change your Admin username to something else and have a decent password.

Admin (oops)
 
Start by checking your file permissions. You should never have a .htaccess that is web writable! Maximum 0641 depending on owner of the web server userid.
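
A triage sketch for the .htaccess finding in the opening post and the permissions advice in the reply above, added here and not part of the thread: it walks a site tree, lists PHP scripts other than index.php that any RewriteRule names, and flags .htaccess files writable by group or other. The index.php allow-list (single-site WordPress) and the function names are assumptions; the sample rules are constructed from the stock WordPress rules plus the two injected rules quoted in the post.

```python
import re
import stat
import tempfile
from pathlib import Path

RULE_RE = re.compile(r"^[ \t]*RewriteRule[ \t]+(\S+)[ \t]+(\S+)", re.I | re.M)
PHP_NAME_RE = re.compile(r"([\w-]+)\\?\.php")
ALLOWED = {"index"}  # assumption: single-site WordPress routes only to index.php

# Constructed sample input: the stock WordPress rules, and the two injected
# rules quoted in the opening post.
STOCK = r"""RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""
INJECTED = r"""RewriteRule (.*93c71.*|^tobeornottobe$) /mrseed.php?q=$1 [L]
RewriteRule ^mrseed.php$ - [L]
"""

def suspicious_rules(text):
    """Return PHP scripts, other than index.php, named by any RewriteRule."""
    names = set()
    for pattern, target in RULE_RE.findall(text):
        # Check both fields: a "-" pass-through rule names its script only in the pattern.
        names.update(PHP_NAME_RE.findall(pattern + " " + target))
    return sorted(n + ".php" for n in names - ALLOWED)

def audit_tree(root):
    """Audit every .htaccess under root for odd rewrites and loose modes."""
    report = {}
    for path in sorted(Path(root).rglob(".htaccess")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings = [f"rewrite references {s}" for s in suspicious_rules(text)]
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"mode {mode:04o}: group/other writable")
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report

def demo():
    """Build a constructed two-directory site in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "blog").mkdir()
        for rel, body, mode in ((".htaccess", INJECTED + STOCK, 0o666),
                                ("blog/.htaccess", STOCK, 0o644)):
            (Path(root) / rel).write_text(body)
            (Path(root) / rel).chmod(mode)
        return audit_tree(root)
```

Run the mode check on the server itself, since a downloaded copy does not keep the server's permissions.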
 
Have you got any messages in webmaster tools?

When my wordpress site got hacked I had a tag under my site in search results, "this site may be hacked"

Had to ask for a review

Request a review in Security Issues when your entire site is clean and secure. Once we determine your site is fixed, we will remove the hacked label.

But at least this hack on yours was quite polite, guitar pro, mine was foreign payday loans and viagra lol.
 
Install Wordfence and set it to alert you on changes. Will also let you see visitors by country, I block ones who I don't think will use the site for any good reason.

The problem is many legitimate things are outsourced to countries you can't sell anything to via sites like Freelancer etc. So you might miss out on something of interest that someone in UK was trying to send you, because he outsourced it on Freelancer.com to someone in Ukraine or whatever. This guy isn't doing anything wrong so likely won't even think to disguise the fact he's in Kiev.

And if some Ukrainian hacker was going to try something, he'll know to disguise it anyway.

So there doesn't seem any real reason to do it? Unless you're just getting sick of Indians emailing 'do you needing seo' all day long and figure it's worth throwing away the occasional valuable enquiry just to bin off Abdul and his SEO pals :lol:
 
So there doesn't seem any real reason to do it? Unless you're just getting sick of Indians emailing 'do you needing seo' all day long and figure it's worth throwing away the occasional valuable enquiry just to bin off Abdul and his SEO pals :lol:

I think you mean "Kate" and "Harry" which seem to be the latest :p
 
Thanks for all the help guys. Really great advice.

I'm on it later today.

@AdamH it's not nulled - I think it was a paid theme - will see if I missed an update.

Will also look into Sucuri, put Wordfence on it (if it's not there - I have WF on all my other WP sites and even use WPmanager.com but maybe not on this one - it's been such a long time!)

I don't think I added this to Webmaster tools either.

Does anyone think there's a benefit to not adding it to WM tools, and even not running adsense on it with the same publisher codes... to avoid them being seen as linked sites... Difficult to explain but in the past I've heard that even same whois details can connect sites and lower the SE power of a link between the two?
 