Hacked

Status
Not open for further replies.

Admin

I just had 18 WordPress sites obliterated by an Algerian hacker.

They all had Wordfence security plugin etc. so maybe it was a server-level hack rather than WordPress itself, but just alerting you, do your backups.

Admin
 
Sorry to hear that mate, any idea yet how it was done? Nothing worse than not being able to find the problem and having to put them back up knowing they are insecure, but ultimately nothing else can be done at this moment.
 
Yeah it's a pain, digging through Apache logs now.

Whenever this happens I always delete the entire account and start again

Admin
 
Somehow they changed my WordPress admin password and were able to log in.

Block this IP from your servers:
41. 200. 135. 29
 
I've just run a scan over my WP installs on 1 account, and found an infected blog.

It's linking to imamasim dot com, and they inserted lots of links for gambling into my content. Only 1 blog on the account infected (but will have to clean install them all), and wouldn't you know it's the only one not set to auto update to the latest WP. They have changed the admin password here too, and added some other files.

Looks like a long ass weekend, the breach happened on the 4th June around 17:50.
 
Try to find the IP and block it from your server.

Install Wordfence plugin and tick all the firewall settings. You can get an alert any time someone logs into the Admin. You can also block invalid usernames.

Change "Admin" username to something else.

Sorry you have the same trouble, I have 80 sites still to check :-(
 
I have about 30-35 to check but only have shell on 1 more account, so lotta manual checks. I'm hoping I remembered to turn on auto updates. I'll add Wordfence into the new installs.

WP has a login blocker by default now too.

Good luck, let's hope we are the only ones.
 
Sorry to hear that admin but thanks for giving us the heads up, on with backing them all up now and checking to make sure nothing has been tampered with.

Has anyone tried this plugin before?
http://wordpress.org/plugins/limit-login-attempts/

- It is possible to whitelist IPs using a filter. But you probably shouldn't. :)

That would probs be a very good way of securing the admin login if you were on a static ip.
 
Heart Internet now have some captcha type page that comes up if there have been multiple login attempts to WordPress.
 
My hackers even have a Facebook page where they advertise the sites they just hacked, 10,000 Likes :rolleyes:

Admin
 
When it happened to me I stalked down the hacker who did it and talked to him on messenger. Was only a kid living in the Middle East. He actually said sorry to me :p They do it for bragging rights like a game.
 
> My hackers even have a Facebook page where they advertise the sites they just hacked, 10,000 Likes :rolleyes:
>
> Admin

The likes are probably from the 10k Facebook accounts they hacked too.
 
Probably!

But I do find it incredible that a public company like Facebook hosts this. They have all sorts of bad stuff on their pages, guns, shootings, etc.

Admin
 
I don't know if this will be of any use whatsoever, it would only help if they get in via your login I think, but if you add the following to your .htaccess file:

<Files wp-login.php>
order deny,allow
allow from 127.0.0.1
allow from 127.0.0.2
deny from all
</Files>

then it's impossible for them to get to the login page.

You can, if you have a static IP address, put it in the code above, or change it each time you want to log in if you have a dynamic IP address.

Worth a try I suppose.
 
Good idea, thanks

Admin
 
<files .htaccess>
Order allow,deny
Deny from all
</files>

<files readme.html>
Order allow,deny
Deny from all
</files>

<files readme.txt>
Order allow,deny
Deny from all
</files>

<files install.php>
Order allow,deny
Deny from all
</files>

<files wp-config.php>
Order allow,deny
Deny from all
</files>

<Files wp-login.php>
order deny,allow
Allow from MYIPADDRESS
deny from all
</Files>

Will see how this goes.

Admin
 
Cheers for that, I looked up something similar and a great idea for Joomla users is to drop a .htaccess file inside the /administrator/ directory.

Containing:

Order Deny,Allow
Deny from all
Allow from **.***.**.**

# * = your IP address

Looks to work great and cuts out a huge amount of the methods used by hackers.
 
The method used to get WP Admin password is via SQL injection.

Badly coded plugins are the cause.

They use the plugin to reveal the authcode for a password reset, once they have the password reset link (including a valid authcode) they change it to whatever suits them.

If they cannot get to the wp-login.php page then this method won't work.

YouTube has videos on this if you want to see more.

Protect your WP sites now, I am seeing sites with attacks from 15 different countries all trying to get Admin access.

Admin
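
The password-reset takeover described in the post above leaves a trail in the Apache access log that can be used to find the IP to block. This is an added example, not code from the thread: a Python triage that lists IPs which used the reset actions of wp-login.php and then logged in. It assumes the Apache combined log format and that WordPress answers a successful login POST with 302 and a failed one with 200; the sample lines and IPs are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ACTION = re.compile(r'[?&]action=(\w+)')

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '203.0.113.9 - - [01/Jan/2024:17:48:02 +0000] "GET /wp-login.php?action=rp&key=K&login=admin HTTP/1.1" 200 2100 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:17:48:09 +0000] "POST /wp-login.php?action=resetpass HTTP/1.1" 200 1900 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:17:50:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:18:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:18:05:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "-"',
]

def triage(lines):
    """Per-IP counts of wp-login.php activity: failed/ok logins and reset-link use."""
    seen = defaultdict(lambda: {"failed": 0, "ok": 0, "reset": 0, "first": None})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        if "wp-login.php" not in path:
            continue
        rec = seen[ip]
        rec["first"] = rec["first"] or ts  # first time this IP touched the login page
        act = ACTION.search(path)
        action = act.group(1) if act else "login"
        if action in ("rp", "resetpass"):
            rec["reset"] += 1  # password-reset link opened or new password submitted
        elif action == "login" and method == "POST":
            if status == "302":
                rec["ok"] += 1  # assumption: redirect means the login succeeded
            elif status == "200":
                rec["failed"] += 1  # assumption: form re-rendered means it failed
    return dict(seen)

def suspects(report, max_failed=5):
    """IPs that used a reset link and then logged in, or exceeded max_failed."""
    return sorted(ip for ip, r in report.items()
                  if (r["reset"] and r["ok"]) or r["failed"] > max_failed)

if __name__ == "__main__":
    print(suspects(triage(SAMPLE)))
```

To run it on a real log, pass an open file instead of `SAMPLE`, for example `triage(open("access.log"))`.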
 
Hi,
have you got bullet proof security installed?

It handles a lot of the sql injection stuff and denies access to a lot of files as well.
 
> Hi,
> have you got bullet proof security installed?
>
> It handles a lot of the sql injection stuff and denies access to a lot of files as well.

Been looking at that today, thanks

Admin
 