
I’ve Been Hacked!!

  • I have 2 different databases, and on each one I have a WordPress… and one of them was hacked. The person got in, removed every category besides the default one, and renamed it very inappropriately!!! So I changed my password, renamed the category, and downloaded my files…. but still? How can I prevent this from happening again?? I never told anyone my password…

Viewing 15 replies - 1 through 15 (of 23 total)
  • Moderator James Huff


    1. Make sure you’re running the latest version of WordPress (currently v1.5).

    2. Change your password.

    I changed it already. How do I upgrade?

    Is there any way to check to find an IP of someone that logged in?

    Choose a strong password.

    Use this:
    and choose mixed case and numbers as well.

    Upgrade if you want to keep your 1.2.x templates

    Is there any way to check to find an IP of someone that logged in?

    I’d check your server access / error logs

    In my cPanel, to back up my whole account, what does this mean:

    Backup Destination:
    Email Address:
    Remote Server (FTP/SCP only):
    Remote User (FTP/SCP only):
    Remote Password (FTP/SCP only):
    Port (FTP/SCP only)
    Remote Dir (FTP/SCP only)

    I'm gonna check now for the access thing

    I don’t know about you all, but I also password protect the wp-admin directory as an extra layer of security (and do database backups on a frequent basis).

    In your case, Sparky, it’s difficult to tell whether your hacker just got into the WordPress administration section, got in through a web hosting account admin panel, or hacked the server itself.

    I don’t know. I’m gonna upgrade WP tonight, but right now I’m trying to figure out the IP address of the hacker. I got my raw access log from my cPanel, and I see a different IP than mine, so I’m gonna check that out. Should I do a WHOIS lookup with the IP? Or will that not help?

    I will put a pw protection to get into the admin folder, like you said

    OK, I did searches. In the raw access log from my cPanel, I found a few different IPs, but never my own.. I looked them up and got the info from them too….. Is it not supposed to have mine? I found like 5 different ones

    actually, more…. x_x

    How do you pass-protect the wp-admin folder?

    In cPanel there’s a password protection thing

    This may help; I came across it a little while ago on a site:
    This message is aimed at everyone who has converted their website to PHP using the index.php?x=about.html method to include their pages, as seen in many tutorials all over the web (like for example at EnglishSun.org).

    This method is very insecure, and allows hackers to gain access to your server. Because you are specifying what file to include via a URL, anyone can change the bit after x= to something else to include any file they want. This means they are able to see sensitive files that hold passwords and other sensitive information. Once a hacker has gained access to your server, they will generally proceed to upload malicious scripts (like trojans or egg drops), with which they can attack other networks and send out SPAM emails. This eats up the bandwidth and disk space you’re paying for, and can get you kicked out by your host. And, even worse, if any damage is caused to the server you’re hosted on, your host can hold YOU totally responsible for those damages, because you allowed the hackers to gain access by using insecure coding! If they wanted to, they’d have the right to sue you over this.

    I’ve discovered this because several friends of mine recently contacted me after having problems with hackers on their servers. In trying to figure out what let the hackers gain access, I discovered the insecurities in this script. Also, one of those friends noticed she had been getting a lot of referrals from Google.com for searches looking like “allinurl: index.php?x=”. This means that there are people out there specifically looking for sites using these scripts; they are being targeted by hackers because it is KNOWN these sites are insecure.

    Therefore, it is VERY important that you change your coding ASAP, as in RIGHT AWAY, if you were using this method of PHP coding. Here’s what you should do if you used this script:

    1. Change your passwords for your domain control panel and MySQL databases. It can’t hurt to change your password to your email accounts as well, just in case.

    2. Change your coding. There are other ways of converting your pages to PHP, two examples of which can be found here:
    Fitting In With Your Site

    3. Make sure there are NO URLs left in your site anywhere that use the “?x=filename.html” method to include files.

    4. Contact your host, and explain to them that you’ve just discovered you were using a script that wasn’t completely secure. Tell them that it might have let hackers gain access to the server. Your host will then be able to run a security check on the server to get rid of any malicious scripts that might be present if you have been hacked.

    5. Spread the word. It’s very important we let as many people as possible know about this ASAP so they can protect themselves. Please post about this in your blogs, forums, mailing lists, LiveJournals, etc. If you know of anyone who has a tutorial up on how to implement this method, please send them a link to this thread. The more people read this, the more will hopefully be able to change their coding before they get hacked. Feel free to include this entire message, or alternatively, include a link to the thread about this at CodeGrrl.
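
Added example, not part of the original thread: one way to do the access-log check discussed above, listing which IPs touched `wp-login.php` or `wp-admin`, and which sent `?x=` values that are not a plain page name (the include pattern the quoted message describes). It assumes Apache common/combined log format; the name `triage` is hypothetical and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A plain local page name such as about.html; any other ?x= value is flagged.
SAFE_PAGE_RE = re.compile(r'[A-Za-z0-9_-]+\.html?')

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2005:10:01:02 +0000] "GET /index.php?x=about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2005:10:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2005:10:06:11 +0000] "POST /wp-admin/categories.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.55 - - [12/Mar/2005:11:15:09 +0000] "GET /index.php?x=..%2Fconfig.php HTTP/1.1" 200 812 "-" "-"',
    'not a log line',
]

def triage(lines, include_param="x"):
    """Group admin-area requests and odd ?x= include requests by client IP."""
    admin_hits, include_hits = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        url = urlsplit(m["target"])
        entry = (m["time"], m["method"], m["target"], int(m["status"]))
        # Requests for the WordPress login script or anything under wp-admin.
        if url.path.endswith("/wp-login.php") or "/wp-admin/" in url.path:
            admin_hits[m["ip"]].append(entry)
        # parse_qs percent-decodes, so encoded path separators are seen as-is.
        values = parse_qs(url.query, keep_blank_values=True).get(include_param, [])
        if any(not SAFE_PAGE_RE.fullmatch(v) for v in values):
            include_hits[m["ip"]].append(entry)
    return dict(admin_hits), dict(include_hits)

if __name__ == "__main__":
    admin, includes = triage(SAMPLE_LOG)
    for label, hits in (("admin area", admin), ("include parameter", includes)):
        for ip, entries in hits.items():
            for when, method, target, status in entries:
                print(f"{label}: {ip} [{when}] {method} {target} -> {status}")
```

An address in the admin-area list that is not your own is the one worth a WHOIS lookup; the status code shows whether each request was served, redirected or refused.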

  • The topic ‘I’ve Been Hacked!!’ is closed to new replies.