You probably have a plugin which is vulnerable.
Suggest that you install “All In One WordPress Security Plugin”, it will scan for and likely find the vulnerability. The author’s website is: http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
I downloaded it from the wordpress plugin site.
Please let us know what you find.
Hmm Okay. Well I only use Akismet as a plugin. But I will try that.
Also of note, whenever I try to update or install a new theme I get the following errors about update.php.
Warning: An unexpected error occurred. Something may be wrong with WordPress.org or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to WordPress.org. Please contact your server administrator.) in /wp-includes/update.php on line 119
Warning: An unexpected error occurred. Something may be wrong with WordPress.org or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to WordPress.org. Please contact your server administrator.) in /wp-includes/update.php on line 287
Warning: An unexpected error occurred. Something may be wrong with WordPress.org or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to WordPress.org. Please contact your server administrator.) in /wp-includes/update.php on line 435
I tried re-uploading a fresh copy of update.php a few times and that didn’t seem to solve it.
–
I will try the above mentioned plugin to see what it will find. I think the update.php issue may be a hint.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
I have read all of what Jan posted before. And re-reviewed the links, but they did not really help too much.
The “All In One WordPress Security Plugin” that Ross posted, I really like.
Taking all the information into consideration, I did a full filesystem wipe last night including all my uploads and other files not associated with WordPress. I then changed databases, and database user/password (to randomized names). I scanned the old database and manually went through it, looking at anything suspicious, deleting many tables which didn’t look legit vanilla WordPress.
I installed a fresh install of WordPress from wordpress.org and a fresh new theme, linked to the new database. I did not upload anything else, and simply just got my blog working again.
Sure enough, tonight right on schedule, the file change scanner in the “All In One WordPress Security Plugin” informed me of file changes in every .php file in wordpress.
I am thinking there is a vulnerability within wordpress itself which is being exploited. This is also what my host is suggesting.
I am thinking there is a vulnerability within wordpress itself which is being exploited. This is also what my host is suggesting.
This is the kind of “support” one gets from lazy and incompetent hosting companies. Really roadwolf, if wordpress was such an easy hack, then we would all be getting the treatment you are unfortunately experiencing.
Trying to gather more information:
What is your WordPress version?
What is your PHP version?
What is your MySQL version?
What is your Apache version?
All this info is available in your hosting management panel.
Which theme are you using?
I understand that your only plugins are akismet and allinonewordpresssecurity? Have you previously had other plugins installed? Even if they are inactive, code in them could still get activated (hence request to view logs below).
Can you examine the server access logs? ESPECIALLY at the time these hacks occur. See which plugin files are being directly accessed, same for theme files.
Are any of the lines strange or repetitive?
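The log review asked for in the post above can be scripted. The following is an added example, not code from anyone in this thread: it assumes Apache "combined" format logs, and the sample lines, timestamps, IP addresses and the `example-plugin` path are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# PHP files requested directly under plugin, theme or upload directories.
DIRECT_PHP = re.compile(r'^/wp-content/(plugins|themes|uploads)/[^?]*\.php(\?|$)', re.I)

# Constructed sample lines (not taken from the affected site).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2014:23:58:01 +0000] "POST /wp-content/plugins/example-plugin/thumb.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [12/Jul/2014:23:58:03 +0000] "POST /wp-content/plugins/example-plugin/thumb.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [12/Jul/2014:23:59:10 +0000] "GET /wp-content/themes/f2/style.css HTTP/1.1" 200 9000 "-" "-"',
    '192.0.2.9 - - [12/Jul/2014:14:00:00 +0000] "GET /wp-content/uploads/x.php?c=1 HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.4 - - [13/Jul/2014:00:05:00 +0000] "GET /wp-content/uploads/2014/07/img.php HTTP/1.1" 404 0 "-" "-"',
]

def suspicious_hits(lines, changed_at, window_minutes=30):
    """Count direct PHP requests that were served (2xx) within
    +/- window_minutes of the time the file changes were detected.
    Returns (Counter keyed by (method, path), Counter keyed by client IP)."""
    window = timedelta(minutes=window_minutes)
    paths, ips = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - changed_at) > window:
            continue  # outside the window around the detected change
        if DIRECT_PHP.match(m["path"]) and m["status"].startswith("2"):
            paths[(m["method"], m["path"].split("?")[0])] += 1
            ips[m["ip"]] += 1
    return paths, ips

if __name__ == "__main__":
    detected = datetime(2014, 7, 13, 0, 0, tzinfo=timezone.utc)  # constructed
    hit_paths, hit_ips = suspicious_hits(SAMPLE_LOG, detected)
    for (method, path), n in hit_paths.most_common():
        print(n, method, path)
    print(dict(hit_ips))
```

Repeated POSTs to a single plugin or theme PHP file shortly before the scanner reports changes are the "strange or repetitive" lines worth following up.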
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
This is the kind of “support” one gets from lazy and incompetent hosting companies.
*Drinks more coffee*
That’s not nice. Possibly accurate and spot on but you know. 😉
if wordpress was such an easy hack, then we would all be getting the treatment you are unfortunately experiencing.
Now THAT I can emphatically embrace. Even without the coffee. *Drinks more anyway*
@roadwolf A stock installation of just WordPress doesn’t have any vulnerabilities that are known at this time. When a WordPress security problem or even potential problem is named then 2 things happen.
- A patch is produced and WordPress blogs start getting updated automatically (minor releases number)
- A note goes out via https://wordpress.org/news/ and that shows up on your WordPress dashboard by default
Which does nothing for plugin or theme exploits or, worse, poor hosts. Sadly there are hosts that only provide lip service to security and patching. Not all of them but enough that your problem does occur.
I had a very very similar thing that was down to a plugin using timthumb.php which allowed a hacker to place images on the server AND bury code, giving them access. It drove me insane until after 2 weeks of head smashing I found it.
Scan your plugins and site for timthumb.php; if found, I believe my fix was a patch to update the security flaws within the plugin.
This is why I am very cautious when using plugins.
Hopefully this is your issue,
Good luck!
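One way to run the scan suggested in the post above, as an added example that is not the poster's or any plugin's code: it walks a WordPress directory for bundled copies of TimThumb, including renamed ones, and reports any version string it finds. The alternate filename `thumb.php` and the `define ('VERSION', ...)` line it looks for are assumptions about how the library is usually shipped.

```python
import os
import re
import sys

# Assumption: names under which themes and plugins commonly bundle TimThumb.
CANDIDATE_NAMES = {"timthumb.php", "thumb.php"}
# Assumption: the script declares its version near the top with define('VERSION', 'x.y.z').
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")

def find_timthumb(root):
    """Walk root and return sorted (relative_path, version_or_None) pairs for
    PHP files that are named like TimThumb or mention it in their header."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(8192)  # the header is enough to identify it
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if name.lower() in CANDIDATE_NAMES or "timthumb" in head.lower():
                m = VERSION_RE.search(head)
                found.append((os.path.relpath(path, root), m.group(1) if m else None))
    return sorted(found)

if __name__ == "__main__":
    # Usage: python find_timthumb.py /path/to/wordpress
    for rel, version in find_timthumb(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, version or "version not found")
```

Inactive plugins and unused themes are scanned too, since their files remain reachable over HTTP until they are deleted.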
Breaking news is that there just may be a hack storm descending upon our wordpress universe.
Best advice is get everything up to date.
I use “All in one wordpress security” plugin, highly advised.
One of the things it scans for is the notorious “timthumb” library.
Ross, can you post the source so we can read up on what may or may not be coming?
Another reason why I avoid plugins as much as I can! @roadwolf do you have the Mailpoet plugin installed or have had it previously installed?
Sorry for my previous post.. It was a tad lazy on my part to post that. I didn’t mean any disrespect.
Since that post however I think I did find a deeply hidden php hack file (PHP_Nuke*), inside the root directory of my server, hidden inside cpanel files (great work hosting company!).
That being said I host several websites, and they all share that common root directory. Only my main blog was being targeted. But then again, I do sometimes post some controversial content on my blog, and wouldn’t be surprised if this was someone who wanted it to disappear.
It has been secure since I discovered and removed that file, and did another complete wipe, and install. I also changed the SQL database and deleted all the tables except my posts. Then imported my posts to the newly installed database. The “All In One WordPress Security Plugin” has been great in preventing further attacks however. It is reporting that I am getting over 1000 IPs (likely proxies) attempting brute force ‘admin’ login hacks an hour. The login attempts have now switched to using ‘test’ as a login instead of admin. So it is someone who really wants to get in.
To answer some questions however:
“All In One WordPress Security Plugin” Plugin Version: 3.7.7
WP Version: 3.9.1
MySQL Version: 5.1.63
PHP Version: 5.2.17
Apache version 2.2.22
I am using the F2 Theme.
Blog is located at roadwolf.ca
I have not used or heard of the MailPoet plugin. The only real plugin I dealt with at one time aside from Akismet was the Jetpack plugin package.
My hacker goes by the name Moroccan Double Agent.