On Wednesday my blog was hacked. It wasn’t a big deal, more of an annoyance, but it could have been worse (or it is in fact much worse and I just don’t know it yet). To get back online I deleted and then re-uploaded my WordPress files via ftp. It was faster than trying to hunt down which files may have been altered. After that I took a look at the MySQL database to see if there were any extra tables and checked to see if any users were added to the users table. All clear, but I also used the WordPress Exploit Scanner to take a look and it was clear too. Hopefully, that’s the end of the hack.
I’ve been good about keeping my WordPress installation up to date, which is important in keeping your site safe. With WordPress 2.8 there’s really no excuse not to since it’s a one button push operation. Just a minute ago I updated. It took thirty seconds to upgrade to 2.8.1. Unfortunately, I was lazy with changing passwords every so often and had grown lax with scanning my PC for malicious ware — as an uneducated guess, this is how I got hacked. Full deep scans have since been done. Thanks to Gargron for reminding me over Twitter to change the database password as well as the ftp and blog admin passwords.
If anyone knows what else I should do, please let me know.

Oh wow, that must suck. Good that everything is back in order again. I don’t change my passwords either but I do scan for malicious ware regularly. Then again I don’t have a pretty blog like this so I guess that’s okay XD
Glad you’re back. Damn hackers…
Are you on shared hosting? Sometimes when you’re hacked it might be due to someone else being hacked. Talk to your ISP if you’re really paranoid about it :3
Hadn’t thought of that. I might as well take a minute to send them a note about it.
That sucks really bad…
I see WordPress bloggers get hacked more and more often (me too several weeks ago). Replacing all your files with the originals, taking a look in the database and a scan should do the trick. You should also search for malicious files which don’t belong to WordPress.
I had a `cache.php` file in ‘wp-contents/plugins/’ which was a compressed script. The script gave access to my filesystem, shell and database without any passwords. :/
I hope you don’t have it, it’s scary.
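One way to do the search suggested in the comment above without deleting everything first: compare the live site against a freshly unpacked copy of the same WordPress release and list what differs. This is an added example, not code from the post or its commenters; the function names, the ignored `wp-content/uploads/` prefix and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_install(clean_root, live_root, ignore=("wp-content/uploads/",)):
    """Return (modified, extra) relative paths.

    modified: present in both trees but with different content.
    extra: only in the live tree and not under an ignored prefix. Expect
    wp-config.php and your own themes/plugins here; review the rest.
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extra = sorted(p for p in live if p not in clean and not p.startswith(tuple(ignore)))
    return modified, extra


def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed sample trees, not real WordPress files."""
    base = tempfile.mkdtemp()
    clean = {"index.php": b"<?php // front controller\n",
             "wp-includes/plugin.php": b"<?php // hooks api\n"}
    live = dict(clean)
    live["index.php"] += b"<!-- injected link -->\n"        # altered core file
    live["wp-content/plugins/cache.php"] = b"<?php // ?\n"  # file not in the release
    live["wp-content/uploads/photo.jpg"] = b"\xff\xd8"      # user content, ignored
    write_tree(os.path.join(base, "clean"), clean)
    write_tree(os.path.join(base, "live"), live)
    return compare_install(os.path.join(base, "clean"), os.path.join(base, "live"))


if __name__ == "__main__":
    print(demo())
```

Run `compare_install()` on a downloaded copy of the site rather than on the server, and keep the altered files for later inspection before replacing them.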
Don’t have it thank goodness. The ‘wp-includes/plugins.php’ file had been altered as well as the index.php file in the main. After that I just deleted and re-installed, so don’t know what else wasn’t supposed to be.
You didn’t tell what exactly the hackers did, I’m curious. As for what to do else, I know a plugin called WP Security Scan, it should close all doors to your system. (I don’t know the WP Exploit Scanner plugin though, it may be already enough).
Sad to hear, but glad to hear you are back and on top of the problem. XD
damn that sucks… glad you’re back online without any problems. i guess that’s one of the benefits of remaining on wordpress.com ^^; well, assuming they can keep the site secure…
glad you managed to restore all.. dunno why the hackers even bother to hack a blog.. there’s nothing here worth money for them @_@
hmm did you manage to get the hackers IP?
That’s a real bummer, it’s unfortunate that some of these people have nothing better to do than hack someone’s anime blog. Glad you were able to restore everything without too much difficulty. I keep constant backups of my databases and files just for that reason.
Was the restore difficult? I don’t know if WP has some way of doing a periodic backup for these cases…
It seems like it was a pretty dumb bot hack. It inserted a link into a couple of the WP files that I saw, but inserted it in a way that caused none of the pages to load due to misplaced brackets. As far as I can tell it didn’t do anything to the database (though I’m no expert).
Restoring was as easy as reinstalling WordPress. The time consuming part was looking around to see what else the hack might have done and reading a few things to do after being hacked. I use a plug-in to backup the database every week, which is fine since I only update once or twice a week.
You might want to contact your web host and ask them if the MySQL database is on another server, and if it is, is it firewalled so only the web server can communicate with it?
This is a pretty common exploit, and thankfully not that difficult to prevent. Good luck to ya.
glad that you fixed it. I remember one of my friend’s blog being hacked and it sorta gave everyone warnings that it’s dangerous lol
Oh my! Good thing that you’re back online and nothing much serious. I saw some people had a hard time making everything back to normal.
Wow seems you were pretty lucky in this unlucky situation!
Any idea how this might have happened?
Glad nothing serious happened. I never heard of wordpress blogs being hacked until now. I guess I should change up my password now too as an extra precaution.
[...] recently, super rats reported that Happy Soda had been bot-hacked. A few weeks ago, my anti-virus program stopped me from visiting Mega Megane Moé [...]
It is possible that your saved FTP password in your FTP client was stolen by some malicious code coming from e-mail etc. (worst case is Total Commander – its FTP config file is often a target of lot of malicious sw), this is most common case (then attacker modifies some template files like footer or header and put there some iframe with/or obfuscated code).
Just try to avoid saving FTP passwords or use some strong password manager for keeping those and filling forms for you instead of saving it directly in FTP app (there is lots of password managers – depending on OS you are using).
I also recommend you to hide WP version you are running and rsd and wlwmanifest if you are not using Windows Live Writer or other external thing to publish – just by putting these three lines:
```php
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
```
at the end of functions.php in your theme directory, just before last php closing tag – `?>` – it will (partly) prevent attacker from getting to know which version you are running (secondary you need to apply your own login style, since it is changing almost with every version it is easy to guess wp version by its style).
BTW do not upload readme files (even to plugins) etc., it is easier for hacker to get wp version directly – see
http://www.happysoda.com/readme.html or http://www.happysoda.com/readme.txt
Also create new admin account with some different name than “root”, “admin” or “administrator” and after creating this admin account log in to it and then delete “admin” account. WP will ask you what to do with posts, pages and stuff, created by admin. You can convert those to your newly created account just by selecting account from selectbox.
Good luck and happy blogging!
PS: Excuse my language, I am not native EN speaker.
Btw: If you are using some Flickr or Twitter plugin somewhere at your web, then use only first line (wp_generator) to be able to get those plugin data into WP ^_^ otherwise those plugins may not work.
First part of my comment:
It is possible that your saved FTP password in your FTP client was stolen by some malicious code coming from e-mail etc. (worst case is Total Commander – its FTP config file is often a target of lot of malicious sw), this is most common case (then attacker modifies some template files like footer or header and put there some iframe with/or obfuscated code).
Just try to avoid saving FTP passwords or use some strong password manager for keeping those and filling forms for you instead of saving it directly in FTP app (there is lots of password managers – depending on OS you are using).
I also recommend you to hide WP version you are running and rsd and wlwmanifest if you are not using Windows Live Writer or other external thing to publish or suck data – just by putting these three lines (if you are using Flickr or Twitter or other plugins, use only first line):
```php
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
```
at the end of `functions.php` in your theme directory, just before last php closing tag – `?>` – it will (partly) prevent attacker from getting to know which version you are running (secondary you need to apply your own login style, since it is changing almost with every version it is easy to guess wp version by its style).
BTW do not upload readme files (even to plugins) etc., it is easier for hacker to get wp version directly – see
`readme.html` or `readme.txt` in root of your website…
You can also create new admin account with some different name than “root”, “admin” or “administrator” and after creating this admin account log in to it and then delete “admin” account. WP will ask you what to do with posts, pages and stuff, created by admin. You can convert those to your newly created account just by selecting account from selectbox.
Good luck and happy blogging!
PS: Excuse my language, I am not native EN speaker.
Thanks for the tips.^^