Support » Theme: Pinnacle » Pinnacle theme hacked

    Resolved: NormanW

    (@yugogardner)


    I have a website on my hosted URL, built with the WordPress Pinnacle free theme. It is fully backed up offline to my computer using the Updraft+ plugin. The site is via an SSL https address.

    Last evening I was actually on the site updating a page when I got a message box up to say I had been logged out. Never happened before.

    I could not, and cannot, log into my dashboard; every attempt is redirected to a spam site asking me to click on a link. I have not.

    My ISP suggested I reinstall files and databases from their cPanel. I did, but still couldn’t log in and attempts to access pages were redirected.

    My ISP confirmed I have been hacked and suggested I get help from WordPress. My post last night got a generic reply telling me to follow https://wordpress.org/support/article/faq-my-site-was-hacked/

    My ISP, at my request, has now taken the site offline, with an exception for my IP added to the .htaccess file.

    This is the first time it has happened to me. I only built the site in December.

    I have followed the advice in the page link, as far as I can and as far as I understand.

    I have run the Sucuri scan and it has confirmed I have been hacked by malware. From the information, I am unable to identify which file(s) are involved. The info says
    I am unable to log in to the WP Admin. That is part of the hack.

    I should add that I have low technical aptitude working with websites and web servers but can follow instructions.

    I completed a full backup on 7th April and have offline copies. I can access everything through cPanel.

    I would appreciate advice on what to do next as I really don’t know where to start and there are no responses to my request for help on the main WordPress forum.

    Thanks for reading.

    This topic was modified 7 months ago by Jan Dembowski. Reason: Removed malware URLs


Viewing 15 replies - 1 through 15 (of 20 total)
    Hello
    First I would like to apologize for my bad English. I had the same problem today.
    For me, the solution was easy, although I’ve been looking for a long time.
    For me it was an entry in the database.
    Go to your database (phpMyAdmin), to the table “wp_options” and then ‘siteurl’; there was
    Change that back to your domain name. It worked out so well for me.
    For safety, search the whole database again for %hellofromhony%. I hope it helps you.
    Kind regards
    Robin333

    @robin333

    Very Good solution for you @yugogardner.

    Avoid the nulled themes and plugins.

    Hey,
    Sorry to hear you got malware, I know this can feel overwhelming! But we can help get your site back up.

    Since you have a full backup from a couple of days ago, I suggest wiping the WordPress install on your live server and installing that backup.

    Here is a quick guide to removing WordPress from cPanel: https://www.tipsandtricks-hq.com/how-to-uninstall-and-reinstall-wordpress-245

    But I must say most hosting providers can usually help with this.

    Since you have Updraft backup you can install WordPress empty and then install the updraft plugin and use the restore option to get your backup into this new WordPress site.

    Once you get your site up again, I encourage you to review some security settings on your site. There is a good overview here: https://www.wpbeginner.com/wordpress-security/

    Let me know if I can help further or if there is something that is confusing.

    Ben

    NormanW

    (@yugogardner)

    Hi @robin333

    Thank you very much for your reply.

    There is NOTHING wrong with your English! It is brilliant…

    I found the wp_options and sure enough in URL and also in Home, I had the hellofromhony address. I did as you suggested and changed them back and now can access the dashboard again.

    You provided a very elegant solution. Well done.

    The question now is, how did it happen and how do we stop another attack?

    Kindest regards

    Norman

    NormanW

    (@yugogardner)

    @britner

    Thanks Ben for your reply.

    The overwhelming bit was the complete lack of support with the notable exception of this forum 🙂

    I’ve immediately changed my password, but how can this happen and how do I prevent it?

    I was using a “strong” password, and kept everything up to date. I already had some security plugins. The answer from robin333 (above) worked perfectly. He deserves a Gold Star, but I guess both he and I now want to make sure we are even more protected.

    I’ve got the page that you sent up and will read it. At a quick glance, a lot of the things I already do, but there is always more you can do!

    Your earlier response is really appreciated. Thank you

    Norman

    I searched with Google for hellofromhony and found some things there.
    Plugin “YUZO Related Posts Plugin”: did you install it?
    For me it is not installed.
    Then I looked via FTP for changed plugins; for me, only “Yellow Pencil – Visual CSS Style Editor Plugin” had a changed date of 10.4.2019. I disabled it and deleted it. The second plugin I deleted is called “ultimate-social-media-icons”. As I said, I am not a pro either. But you can at least check whether you have one of these plugins installed.

    “The question now is, how did it happen and how do we stop another attack?”

    Hard to guess, but a good place to start is reviewing your security settings and passwords. I have found that out-of-date WordPress/plugins/themes or poor shared hosting are the two biggest causes. But it could be so many different things. Perhaps @robin333 has some insights as well.

    A note about the fix: editing a line in your database back doesn’t remove whatever was able to change your database in the first place. I still recommend you wipe and restore, to prevent anything that currently has embedded files on your server from simply changing the database again.

    NormanW

    (@yugogardner)

    @robin333

    Of the three plugins you mention, I have just one, Yellow Pencil. Wonder if @spinmedia has any installed?

    I have just installed and spent time hardening the site with Sucuri Security. It does say that it has not been tested with the latest WordPress version, but it seems to have installed and worked OK.

    It threw up just one file/date integrity problem: .htaccess. But my ISP changed it last night when they took the site down for me, and added the exception for my IP, so I am not certain it is correct. I’ll open it and look though.

    NormanW

    (@yugogardner)

    Thanks @britner for the advice.

    I take the point about a clean install, but will try and see if the actions I’ve taken so far work. The Sucuri scan of the whole site didn’t throw anything up, but it could have been added somewhere else of course.

    I have the backups, backed up now to a USB HDD, so I can always go back.

    Interesting I also have Yellow Pencil, the App that robin333 mentioned, but in mine the date wasn’t changed. Part of the hardening by Sucuri is to delete and reinstall all apps.

    All my add-ons and WP are set to auto update as soon as there is a new version, so I am happy they were kept up to date, and I don’t allow anyone else to access or edit anything. My hosting isn’t shared either. Guess we will never know, but it has been a good wakeup call for me at least.

    NormanW

    (@yugogardner)

    @britner

    Morning Ben,

    It seems that something in the Yellow Pencil plugin is the cause, whether accidental or deliberate.

    What seems to be completely missing in WordPress is a way to report this.

    I realise that the plugin has now been removed from the approved list, but there must be many thousands of websites with it, and the website is still offering it as a download free or for sale.

    As a responsible website owner, I feel that I should do something, even contacting Yellow Pencil in case they are not aware there is some sort of backdoor in their software. But it is surprising that on the WordPress.org web site there isn’t a way to report this?

    Norman

    robin333

    (@robin333)

    good morning Norman
    Is your site hacked again, or still? I checked my database again to see if data was changed (by date). I have found nothing. Since I assume that the attack happened on 10.4.2019, I have restored a backup of 7.4. Yellow Pencil removed. All passwords changed. I am curious if it is quiet now.
    I am glad that I could help some here.
    Kind regards
    Robin333

    PS. I found this: https://www.wordfence.com/blog/2019/04/zero-day-vulnerability-in-yellow-pencil-visual-theme-customizer-exploited-in-the-wild/

    This reply was modified 7 months ago by robin333.

    NormanW

    (@yugogardner)

    Good Morning to you Sir

    Yesterday my site was back up. I just checked and it is hacked again!!

    At least I know what to do this time. The Pinnacle admin said the best way was to completely remove and then a clean reinstall of WordPress from my backup. That is my next plan of action.

    Thanks for all your help.

    I am surprised that there is no way to report our suspicions of YellowPencil to WordPress to warn the thousands of other users. And it was a good plugin too!

    robin333

    (@robin333)

    Sorry, I had forgotten to say that I installed WordPress too and then restored my database. As I said, I’m not a professional and have made this for a friend of mine, who has even less idea than I 🙂 taketwo-duo.com

    NormanW

    (@yugogardner)

    I’m the same, I don’t do this for a living either. But I’m learning fast…

    robin333

    (@robin333)

    You get these access details from your web host. Ask for the link to phpMyAdmin. In wp-config.php are your database user and your password.
    Go to the table “wp_options” and then ‘siteurl’; there it was hellofromhony.
    Change that back to your domain name.
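    The database repair robin333 describes in his first reply and again here, written out as SQL so it can be run from the phpMyAdmin SQL tab rather than by hand-editing rows, with Ben's caveat (the edit does not remove whatever made it) covered by a check of the administrator accounts. This is an added example, not code from the thread; it assumes the default wp_ table prefix and uses example.com as a placeholder for your own domain.

```sql
-- Added example, not code from the thread. Assumes the default "wp_" table
-- prefix and uses example.com as a placeholder for the real domain.

-- 1. Inspect the two options the redirect hijacks (Norman found both changed).
SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home');

-- 2. robin333's "%hellofromhony%" search, run over the tables where injected
--    URLs and scripts usually land, so nothing is left behind in the database.
SELECT 'wp_options' AS tbl, option_id AS id, LEFT(option_value, 120) AS preview
FROM wp_options
WHERE option_value LIKE '%hellofromhony%'
UNION ALL
SELECT 'wp_posts', ID, LEFT(post_content, 120)
FROM wp_posts
WHERE post_content LIKE '%hellofromhony%'
UNION ALL
SELECT 'wp_postmeta', meta_id, LEFT(meta_value, 120)
FROM wp_postmeta
WHERE meta_value LIKE '%hellofromhony%';

-- 3. Ben's point: the database edit does not remove whatever changed it.
--    One thing to check before trusting the fix is the list of administrators;
--    any account you did not create means the compromise is still live.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- 4. Only after the checks above: put both options back to the real address.
UPDATE wp_options
SET option_value = 'https://example.com'
WHERE option_name IN ('siteurl', 'home');
```

    If the search in step 2 keeps finding new rows after the fix, the injection point is still on the server, which is the case for the wipe-and-restore Ben recommends.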

The topic ‘Pinnacle theme hacked’ is closed to new replies.