[Resolved] Have I been hacked, or..?

  • I’m completely confused: I am posting links to a blogpost on my Facebook page and, though I can visit my blog without difficulty by copy/pasting the url or typing it in manually, the FB links redirect to a non-existent page (e.g. http://era-was.ru/in.cgi?4). Please is anybody able to tell me what’s going on… and what I can do?!

Viewing 15 replies - 1 through 15 (of 16 total)
  • Hey,
    Got hacked too with this yesterday.
    Check your htaccess file in the root – it will be linking from there.
    I just deleted everything in it and it fixed things for me.

    FYI – my hosting company has told me the issue was related to the Auto Thickbox Plus plugin.

    Hi davros, thanks very much for your response – but I don’t suppose you could translate that into layman speak for the blonde, could you please? Thank you!! 🙂

    Thank you, Ipstenu. After an afternoon and evening of serious googling and staring blankly at various parts of WordPress and Bluehost, I am slowly making my way through several of those already. Slowly of course being the operative word – I find a lot of it extremely confusing because it generally assumes the reader has a half-decent level of knowledge, which I don’t. But I *think* I’m getting there… even though it’s doing my head in!!

    Thanks again 🙂

    One question… where I am instructed to delete the entire directory structure using the cPanel’s File Manager (e.g. in smack down link) – I am using Bluehost – I just want to be clear, does that mean deleting absolutely every last file and folder in there – i.e. the /home2/myname folder? Presumably so, but I just want to be absolutely sure before I hit the big red cross. Advice much appreciated, thank you.

    esmi

    @esmi

    Forum Moderator

    I’d suggest downloading a backup copy of the wp-content folder first. You can then check through this folder for any hack files/backdoors at your leisure.

    @ipstenu

    I’ll try – tbh they have not been too helpful on that front – used the plugin before with no issues – I am developing the site on a clients server, not one of my own.

    Will see what I can get from them and email it over to plugins@.

    Frau – all I did was FTP into my server, find the .htaccess file in the root (main folder where wp-content etc etc live) and delete the offending stuff (from the htaccess file) that linked back to the .ru domain. I use Fetch on a Mac, so it’s pretty easy.

    Thank you davros, had found it 🙂 Unfortunately

    1. every time I amended my .htaccess file – and even added in some code I found that was supposed to prevent hackers getting in – it miraculously got changed back. So I thought I would go for the mega cleanup, delete everything and start again…

    but

    2. having followed the advice of deleting everything, I have obviously deleted too much of everything, because I appear to have totally ****** absolutely everything up. So that’s good. I have absolutely no idea what to do now, but at least I’ve learned lots in the process so far and I’m sure I’ll somehow work it out. *sigh*

    You probably also deleted wp-config.php which is the file that tells WP where to find your database. Just download a new download from wordpress.org (red link on top of this page), upload everything, edit the wp-config file to how it was (your databasename, user and password) and you should have your website back.

    Note, though, many hacks put backdoors in files, some do so in the database, so setting everything back up, may still leave you with a backdoor present.

    Thank you very much, Roy. I had deleted absolutely everything for the document root for my site so nothing existed at all; I have since uploaded a backup which enabled me to uninstall and reinstall WordPress. I have now deleted the backup again, reinstalled WordPress in WordPress and have a completely blank slate from which to rebuild my blog (which was thankfully pretty new) – and I’ve changed all my passwords. And I’ve found a friend to translate Bluehost’s email into plain English so that I can do all the additional security things that they advise. Do you think this is sufficient? Is there any way of eliminating any leftover backdoors or might I have, through deleting the entire database, avoided them altogether?

    Ipstenu gave you all the links you need. Particularly read the ‘how to completely clean…’.

    When you’re positive the website is clean, read this:
    http://codex.wordpress.org/Hardening_WordPress

    I have been following the information provided by those links, Roy… this is so far where they have got me. Seeing as there were a couple of generous human beings around on here though I just wanted to double check that I was on the right track (see above re: I totally messed everything up but with amazing luck and a bit of logic managed to recover everything) before I continue, as I’m nervous about making further mistakes. Though to those with good knowledge in this area all these links may appear to provide incredibly easy-to-follow advice, for those of us with absolutely zero experience in doing these things, it’s really overwhelming and not necessarily clear. The point at which *I* as a total novice think my website is clean isn’t necessarily the point at which it is! But I thank you for your time, I do really appreciate it.

    Ah no, getting hacked is a pain in the ass for anyone. Fortunately I have never had to clean up a hacked website. Those here who do often do it as an occupation or are new to the phenomenon like yourself. There used to be a forum user who could do magic in investigating hacks, but for most people getting hacks is security for a couple of sleepdays days and headache. The problem is that there are many different hacks, from pumping spam links into your theme to code injections presenting viruses to your visitors. There is not just one way of tackling a hack.

    But… for a while now there have been more and more security checker plugins. Perhaps there is one that can scan the database for you. Also ‘google around’ a bit for database scanning scripts, there are most likely several of them.

    As for plugins:
    http://wordpress.org/extend/plugins/search.php?q=security+check&sort=

    One thing to keep in the back of your head, once you’ve been hacked and there is a backdoor that you missed, they’ll be back. You can have your website back up and running and looking normal only to find out a week later that there is a user that you didn’t create yourself, new spam links, a redirect or whatever. This is not to scare you, just a piece of advice to be thorough in cleaning up and be aware for a while when you think the problem is solved.

    There still are those of us who can do that. It’s a pain in the ass to anyone. I’ve been hacked, though never through WordPress (just through my own stupidity and a non-secure FTP client, really I know better).

    If the hack is in your files, the best thing you can do is this:

    Delete EVERYTHING on your server, with the following exceptions:
    .htaccess
    wp-config.php
    /wp-content/uploads

    Everything else? Chuck it.

    Change your passwords. ALL of them. Especially your FTP/SSH/control panel one. Make a dedicated SQL user ID and password (if you’re using cPanel, this isn’t that hard, go in to the database section, make a new user, give it admin rights to your DBs). Then make THAT user the one in your wp-config.php.

    Now get a fresh copy of WordPress and upload that. Get fresh copies of all your themes and plugins. Upload them.

    Turn it back on.
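
The two checks suggested across this thread (look in the root .htaccess for the redirect, and go through the kept wp-content files for anything planted), as an added Python example that is not part of any poster's reply. It assumes the injected rule is gated on the Referer header, which would fit Facebook links redirecting while typed URLs do not; the hosts `bad-redirect.example` and `myblog.example`, the function names and the sample file are constructed.

```python
import os
import re
from urllib.parse import urlsplit
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.I)
DIRECTIVES = ("rewriterule", "redirect", "redirectmatch", "errordocument")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Constructed sample: a stock WordPress block with an injected redirect above it.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*facebook.* [NC]
RewriteRule ^(.*)$ http://bad-redirect.example/in.cgi?4 [R=301,L]
ErrorDocument 404 http://bad-redirect.example/in.cgi?1
# BEGIN WordPress
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
"""

def external_redirects(htaccess_text, own_hosts):
    """Return (line_no, host, referer_gated) per directive targeting a foreign host."""
    own = {h.lower() for h in own_hosts}
    findings, gated = [], False
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0].lower()
        if word == "rewritecond":
            # Conditions attach to the next RewriteRule; remember a Referer test.
            gated = gated or "http_referer" in line.lower()
            continue
        if word in DIRECTIVES:
            for url in URL_RE.findall(line):
                host = (urlsplit(url).hostname or "").lower()
                if host and host not in own:
                    findings.append((no, host, gated))
        gated = False
    return findings

def scripts_in_uploads(uploads_dir):
    """Return relative paths of script or .htaccess files under the uploads tree."""
    hits = []
    for base, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if name.lower().endswith(SCRIPT_EXT) or name == ".htaccess":
                hits.append(os.path.relpath(os.path.join(base, name), uploads_dir))
    return sorted(hits)
```

Run `external_redirects` on the live .htaccess again some time after cleaning it: a finding that reappears means something on the server is still rewriting the file. Each path from `scripts_in_uploads` needs a manual look, since the uploads folder normally holds media.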

  • The topic ‘[Resolved] Have I been hacked, or..?’ is closed to new replies.