Title: Security Concern – Hacked Website
Last modified: August 20, 2016

---

# Security Concern – Hacked Website

 *  [medusa_g](https://wordpress.org/support/users/medusa_g/)
 * (@medusa_g)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/)
 * Hi,
 * This is going to be a long one, so please bear with me.
 * Over the past few weeks there have been some security issues with a website I
   designed and developed for a client. A little over a week ago the site was hacked
   into and the home page displayed ‘Hacked by Hmei7’ with animated falling snowflakes
   in the background. I contacted the hosting company (no help whatsoever), did a
   bunch of research, poked around and found that the hacker had replaced the
   header.php file. I didn’t notice that anything else was different or altered, but just
   to be safe, I changed all associated passwords and did a fresh WordPress install
   of the latest version, restored a clean backup of my theme etc…
 * For about a week everything seemed fine and dandy until this morning. I tried
   logging into WordPress and kept getting an ‘invalid username’ error. I instantly
   thought ‘oh no, here we go again’ but I didn’t want to jump to conclusions, so
   once again I contacted the host, researched and poked around. I checked the
   wp_user/s database table via phpmyadmin and found that the username had been changed
   to admin (it was something else when I created it) and the password was changed
   to long (seemingly) random characters. Despite this, the site itself appeared
   to look and function as normal.
 * That’s the ‘short’ version of what’s happened, but I did find that there was 
   something in common with both ‘attacks’. I had a look at the error_log and the
   dates that fit around the time of both incidents show numerous attempts at
   accessing/changing the wp-db.php file (in wp-includes). I can’t be sure, but that makes
   me think that it could be the same ‘offender’.
 * For the time being I have uploaded a temporary maintenance page as a safety measure
   for site visitors. I have a feeling that it will happen again soon if I restore
   the site as I had previously, so I need to try and get to the bottom of it,
   ‘patch’ things up (or start afresh) and do what I can to prevent this from happening
   in future. I’m just not sure where to start, if I am missing something or have
   just been awfully unlucky. Any help or advice would be much appreciated.
 * Thanks in advance 🙂

Viewing 12 replies - 1 through 12 (of 12 total)

 *  Thread Starter [medusa_g](https://wordpress.org/support/users/medusa_g/)
 * (@medusa_g)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117712)
 * Forgot to mention that I was using WordPress version 3.4 when the first incident
   occurred, then version 3.4.2 the second time.
 *  [jonpedlow](https://wordpress.org/support/users/jonpedlow/)
 * (@jonpedlow)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117718)
 * Push your host to help out.
 * I had a similar problem once as in the problem kept reappearing, when looking
   deeply at everything I found it was simply the hacker had created themselves a
   user account in my dashboard with full admin rights.
 * Might be a good idea to check the users of your site just in case?
 *  Thread Starter [medusa_g](https://wordpress.org/support/users/medusa_g/)
 * (@medusa_g)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117724)
 * Thanks for the suggestion jonpedlow.
 * I checked the wp_users table of the WordPress database in phpmyadmin (as explained
   above) and my username and password were non-existent. They were
   overwritten/replaced by username: admin password: _long bunch of random characters_.
 * As for the host, they are the least helpful hosting company I have ever dealt
   with. In short, they refuse to look into it or admit whether or not it’s a problem
   at their end. I don’t think changing hosts at this point will resolve the issue,
   but I am going to strongly suggest my client changes hosts asap once it is sorted.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117725)
 * > password: long bunch of random characters.
 * You do realise that the password is one-way encrypted in the database, don’t 
   you?
 *  Thread Starter [medusa_g](https://wordpress.org/support/users/medusa_g/)
 * (@medusa_g)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117727)
 * [@esmi](https://wordpress.org/support/users/esmi/), I’ll rephrase that. It seems
   that the username and password have either been changed or have been rendered
   useless. ‘admin’ is a recognised username (this might always be the case, I’m
   not sure), but it isn’t the one I used in the initial WordPress setup. I’ve tried
   the password with both usernames numerous times, but kept getting error messages.
   There is only the one user account and I am the only person (or at least I thought
   I was) with the login details.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117728)
 * Have you reviewed [http://codex.wordpress.org/Resetting_Your_Password](http://codex.wordpress.org/Resetting_Your_Password)?
 *  Thread Starter [medusa_g](https://wordpress.org/support/users/medusa_g/)
 * (@medusa_g)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117733)
 * Yes, I did come across [http://codex.wordpress.org/Resetting_Your_Password](http://codex.wordpress.org/Resetting_Your_Password)
   whilst researching the problem, although I haven’t tried changing the password
   yet. I’m pretty sure that regaining access won’t stop the login details (or anything
   else) being changed again soon, which is why I am being so adamant about finding
   out exactly what happened if possible.
 * In the meantime I had uploaded a maintenance.php page, which was later rendered
   useless also. I now have an index.htm temp page up instead and that seems to 
   be doing the job for now.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117734)
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
   [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [medusa_g](https://wordpress.org/support/users/medusa_g/)
 * (@medusa_g)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117736)
 * Thanks for the info.
 * I’ll have a good look through the resources to see if I can turn up anything 
   or missed something the first time around, but I am sure they are the same ones
   I went through the first time the site was hacked into. Admittedly, I didn’t 
   follow them all to a T and figured it was probably best to delete everything 
   WordPress related from the server and start afresh. Either I was very mistaken,
   or there’s a lot more to it than that.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117740)
 * There is. You need to follow all of the instructions to completely de-louse your
   site.
 *  Thread Starter [medusa_g](https://wordpress.org/support/users/medusa_g/)
 * (@medusa_g)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117743)
 * I had an extensive look through the WordPress database, folders and files etc…
   paying particular attention to certain db tables and files mentioned in the resources
   above and others I have come across throughout my research. Despite this, I haven’t
   noticed anything strange or suspicious. I also tried the suggested site scanners
   ([http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   and [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)), which
   also haven’t turned up anything.
 * Something I am still not sure about is that the error_log on the server shows
   numerous MySQL connection errors to wp-db.php (as mentioned in my first post).
   I couldn’t really find any info on what the file does or is for, or if it could
   lead to finding out what went wrong.
 * My client is changing hosts very soon, so I haven’t restored the site as yet.
   For now I have put a HTML temp page up and deleted all WordPress files on the
   server. At this point, I am thinking it might be best to start afresh (clean
   install, restoring clean/pre-hacked local backups etc…) on the new server and
   follow these tips/suggestions [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress).
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117755)
 * > the error_log on the server shows numerous MySQL connection errors to
   > wp-db.php
 * That could just be part of the normal generation of a populated page on a WordPress
   site.
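
An added example, not part of the thread or of WordPress itself: one way to check a live install against the clean local backup the original poster mentions is to hash both trees and list what was modified, added or removed. The directory layout, the theme name `mytheme` and the sample files below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root: Path, live_root: Path) -> dict:
    """Report how the live tree differs from the known-good copy."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    added = sorted(live.keys() - clean.keys())
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": added,
        "missing": sorted(clean.keys() - live.keys()),
        # A media library has no reason to contain PHP, so flag it separately.
        "php_in_uploads": [f for f in added
                           if f.startswith("wp-content/uploads/") and f.lower().endswith(".php")],
    }


def build_demo() -> dict:
    """Constructed sample trees: a clean backup and a tampered live copy."""
    files = {
        "wp-content/themes/mytheme/header.php": "<?php /* theme header */",
        "wp-includes/wp-db.php": "<?php /* database class */",
        "maintenance.php": "<?php /* maintenance page */",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed tampering: a replaced template, a removed page, a dropped file.
        (live / "wp-content/themes/mytheme/header.php").write_text("<?php /* replaced */")
        (live / "maintenance.php").unlink()
        dropped = live / "wp-content/uploads/2012/10/cache.php"
        dropped.parent.mkdir(parents=True)
        dropped.write_text("<?php /* unexpected file */")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind}: {paths}")
```

On a real site, point `compare_trees` at an unpacked copy of the same WordPress release plus the clean theme backup, and at a download of the live document root; files that legitimately differ, such as `wp-config.php`, will show up and need a manual look.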


The topic ‘Security Concern – Hacked Website’ is closed to new replies.


 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 12 replies
 * 3 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [13 years, 7 months ago](https://wordpress.org/support/topic/security-concern-hacked-website/#post-3117755)
 * Status: not resolved

