Support » Fixing WordPress » hacked, found where, but what now?

  • inspirationally



    my site has been hacked yesterday by a Syrian group with the nice message, that the database has not been deleted etc., it was just forwarded to another site.
    After a bit of search, I found, that only the most recent post was edited, a meta redirect was added to the text field.
    It says, it was edited by buticut, one of my administrators (there’s also a revision from myself the same time), we both weren’t online at that time, she wasn’t online for weeks because of her studies.
    (see the Screencap)

    I just edited the post (just had to save it again) and all was fine, and changed her and my passwords (and the secret keys in the config)

    but of course I wonder
    – how could this happen? Just through an easy password? Or can they have come in in another way and manipulated it somehow? maybe through a plugin? SO that the password change does not help a bit?
    how can I prevent them from doing it again? Is there any certain log file I should request by my server provider where it is possible to see what exactly happened?

    means: what shall I do now? Just wait if it happens again?

    Thank you, Martina.

Viewing 4 replies - 1 through 4 (of 4 total)
  • esmi


    Forum Moderator



    Thank you, esmi,

    I read some of those before but THOUGHT, it was done as I have the most recent version up and running.

    I did a synch with my ftp program to find the recently changed files, and found my style.php in my current theme to have the meta redirect, too.

    Some days ago, my akismet suddenly did not work anymore, and I pushed it to an “Old plugins” folder to install it again in the plugins folder. That akismet folder had a help.php file in it with a long long long eval() code.

    Does that mean, they came in through akismet, which means again, that plugin is insecure?
    I have no idea how to make them NOT do it again. If they could add that eval() code, why shouldn’T they be able to do it again?

    Such a code was also in a (deactivated) plugin “clean-up” in the plugin.php. Is this plugin also better NOT to use anymore?

    Oh, and funny thing – I also searched through my database if there’s any more about that syrian site and found this in the referrers:
    translated to English



    Does that mean, they came in through akismet, which means again, that plugin is insecure?

    Absolutely not. That’s just a convenient place for them to place the malicious code.

    You need to do a clean installation and re-install themes and plugins. You cannot trust file modification dates – most exploits are clever enough to avoid being detected this way. Unless you’ve replaced every file in your installation with a known good copy – you have the potential for hidden backdoors. is an excellent tool for rapidly identifying suspicious and compromised files.

    Where are you hosted?



    I have an own server (managed) at ds-siegen (unfortunately no root access).
    It runs on ispCP.

    The other sites in the above links, which had the same problem, run at

    Urgs, new installation. OK. I did some HUGE modifications to some of my plugins (regarding the frontend), this will be a lot of work (that I do not have NOW that my son doesn’t take is naps anymore).
    Thanks for the info with the modification dates.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘hacked, found where, but what now?’ is closed to new replies.