Title: Posts have been hacked
Last modified: March 14, 2017

---

# Posts have been hacked

 *  Resolved [davidwillis](https://wordpress.org/support/users/davidwillis/)
 * (@davidwillis)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/posts-have-been-hacked/)
 * I just updated to 4.7.3, and I am not sure what it was on before the update. 
   The last time I updated was January.
 * So I have some posts that have been hacked (one post says hacked by shade twitter:
   @ShadeHaxor)
 * Anyway I have rolled back the posts, changed passwords, etc. But my question 
   is this. The posts that were modified were not changed by a user?
   Here is what it says in the revisions:
    - admin, 6 hours ago (March 13, 2017 @ 18:27:02)
    - admin, 6 hours ago (March 13, 2017 @ 18:25:41)
    - , 8 hours ago (March 13, 2017 @ 16:56:36)
    - , 3 weeks ago (February 23, 2017 @ 14:23:37)
    - , 3 weeks ago (February 23, 2017 @ 14:23:00)
    - , 3 weeks ago (February 23, 2017 @ 14:22:23)
    - , 3 weeks ago (February 23, 2017 @ 14:21:57)
    - , 3 weeks ago (February 23, 2017 @ 14:21:50)
    - , 3 weeks ago (February 23, 2017 @ 14:21:39)
    - , 3 weeks ago (February 23, 2017 @ 14:21:32)
    - , 3 weeks ago (February 23, 2017 @ 13:30:42)
    - , 3 weeks ago (February 23, 2017 @ 13:30:01)
    - , 3 weeks ago (February 23, 2017 @ 13:29:23)
    - , 3 weeks ago (February 23, 2017 @ 13:29:01)
    - , 3 weeks ago (February 23, 2017 @ 13:28:59)
    - , 1 month ago (February 10, 2017 @ 15:39:03)
    - , 1 month ago (February 6, 2017 @ 17:50:40)
    - admin, 2 months ago (January 20, 2017 @ 17:03:40)
    - admin, 2 months ago (January 20, 2017 @ 17:02:37)
    - admin, 2 months ago (January 20, 2017 @ 17:02:00)
 * When I make a change you can see it says admin, but when the hacker did it, it
   does not say who did it. It would be nice to know how these posts were changed.
   As you can tell I did not even know the posts were hacked until today, even though
   it started on February 6.
 * Thanks
    David

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [csloisel](https://wordpress.org/support/users/csloisel/)
 * (@csloisel)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/posts-have-been-hacked/#post-8910240)
 * While it’s hard to say how exactly it happened without digging through logs and
   doing an entire security audit, I have a guess. WP 4.7.0 and 4.7.1 had a particularly
   severe vulnerability, one of the worst I’ve seen since working with WordPress.
 * Basically there was an unauthenticated endpoint on the new REST API stuff exposed
   in those versions that allowed anyone to send POST requests and update content.
   It was patched in 4.7.2 and you can read more about it here: [https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/](https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/)
   and here: [https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html](https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html)
    -  This reply was modified 9 years, 3 months ago by [csloisel](https://wordpress.org/support/users/csloisel/).
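
One way to test the guess above against the web server's access log, as an added example that is not part of the original thread: it takes revision times that show no author (copied from the list in the question) and looks for successful write requests to the REST posts route logged within a few seconds of each. Assumptions: combined log format, a site timezone of UTC, and constructed log lines, IP addresses and post ID 42.

```python
import re
from datetime import datetime, timedelta, timezone

# Authorless revision times copied from the question's revision list (three of
# them). Assumption: they are shown in the site's timezone, taken here as UTC.
AUTHORLESS_REVISIONS = [
    "February 6, 2017 @ 17:50:40",
    "February 10, 2017 @ 15:39:03",
    "March 13, 2017 @ 16:56:36",
]

# Constructed access-log lines (combined format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:17:50:39 +0000] "POST /wp-json/wp/v2/posts/42 HTTP/1.1" 200 1532 "-" "python-requests/2.12"
198.51.100.4 - - [06/Feb/2017:17:51:10 +0000] "GET /wp-json/wp/v2/posts/42 HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2017:15:39:03 +0000] "POST /index.php?rest_route=/wp/v2/posts/42 HTTP/1.1" 200 1502 "-" "curl/7.50"
192.0.2.15 - - [13/Mar/2017:18:25:40 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
REST_POST = re.compile(r'(?:/wp-json|rest_route=)/wp/v2/posts/(\d+)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def rest_writes(log_text):
    """Yield (time, ip, method, post_id) for 2xx write requests to the posts route."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, status = m.groups()
        hit = REST_POST.search(path)
        if hit and method in WRITE_METHODS and status.startswith("2"):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield when, ip, method, int(hit.group(1))

def correlate(revisions, log_text, site_tz=timezone.utc, window=timedelta(seconds=5)):
    """Map each authorless revision to REST writes logged within `window` of it."""
    writes = list(rest_writes(log_text))
    result = {}
    for rev in revisions:
        when = datetime.strptime(rev, "%B %d, %Y @ %H:%M:%S").replace(tzinfo=site_tz)
        result[rev] = [(ip, method, pid) for t, ip, method, pid in writes
                       if abs(t - when) <= window]
    return result

if __name__ == "__main__":
    for rev, hits in correlate(AUTHORLESS_REVISIONS, SAMPLE_LOG).items():
        print(rev, "->", hits or "no REST write in window")
```

An empty result for a revision means the log for that period should be checked for rotation or a timezone offset before the REST route is ruled out.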
 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/posts-have-been-hacked/#post-8910277)
 * – The [Exploit Scanner](https://wordpress.org/plugins/exploit-scanner/) plugin
   can help detect damage so that it can be cleaned up. Here is another online
   scanner to check for exploits and malware: [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/).
 * Other things you should do:
    - Change passwords for all users, especially Administrators and Editors.
    - If you upload files to your site via FTP, change your FTP password.
    - Re-install the latest version of WordPress.
    - Make sure all of your plugins and themes are up-to-date.
    - Update your [security keys](https://codex.wordpress.org/Editing_wp-config.php#Security_Keys).
    - See FAQ [My Site Was Hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked).
 * – Just cleaning out files isn’t enough. When you’re done, you may want to implement
   some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  Thread Starter [davidwillis](https://wordpress.org/support/users/davidwillis/)
 * (@davidwillis)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/posts-have-been-hacked/#post-8910347)
 * Thanks csloisel and t-p.
 * I guess that will teach me to be lazy with my updating. That does sound like 
   what happened. At least it was not too damaging.
 * I have run a sucuri scan using the free plugin, and it did not show anything,
   and the Exploit scanner (I have the plugin installed) gave a lot of files, but
   I don’t know if any are bad, most are just unknown file found.
 * I also went through a pretty good hardening procedure when I set up my site. 
   I have never had any problems other than I do see some login attempts (but they
   get blocked after 3 failed attempts). If the same IP gets blocked twice, I 
   then add it to my permanent block list.
 * I will keep a close eye on it and hopefully the update will fix it.
 * Thanks again!
    -  This reply was modified 9 years, 3 months ago by [davidwillis](https://wordpress.org/support/users/davidwillis/).


The topic ‘Posts have been hacked’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 3 participants
 * Last reply from: [davidwillis](https://wordpress.org/support/users/davidwillis/)
 * Last activity: [9 years, 3 months ago](https://wordpress.org/support/topic/posts-have-been-hacked/#post-8910347)
 * Status: resolved

