Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author AITpro

    (@aitpro)

    Assume the worst case scenario, which is your entire hosting account is compromised (all websites under your hosting account) and do the steps in this forum topic to clean up your hacked hosting account: http://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    Note: It is very important that you do the cleanup steps in order in the forum link above for these reasons: If someone has cracked or stolen your FTP or hosting account passwords then you will end up redoing all of your cleanup again since the hacker already owns your entire hosting account.

    It is also very important that all of your sites are offline while you are doing the cleanup and changing passwords AND very important that you make a backup of everything before putting your sites back online. The reason for that is you may have a plugin or theme installed that is allowing the hacker to control your entire hosting account. Example: If you have a plugin or theme with an upload form and that upload form is allowing a hacker to upload hacker files to your hosting account then BPS will not interfere or block the exploitable upload form because that form appears to be part of the normal functionality of that plugin or theme. BPS does not interfere with or block the normal functionality of plugins and themes.

    So if you have a good clean backup before putting your sites back online then if you do have a plugin or theme installed that is the root cause of the hack and your sites get hacked again you can quickly restore everything. If this does occur then you need to find the plugin or theme that is the source of the hack.

    Also be sure to notify your web host about your website being hacked so that they can check their/your hosting server to make sure it is not the source of the hack. Example: A hacker finds an exploitable vulnerability on your host server. The hacker would be able to hack all websites on that host server by exploiting/hacking the host server itself. Your host needs to be notified so that they can rule out the possibility that the host server itself was hacked.

    Plugin Author AITpro

    (@aitpro)

    Also just wanted to say I feel your pain. Having your site hacked is a very sucky experience mentally. Not trying to sell you anything or piss you off, but if you had had BPS Pro installed then this hack would have been prevented/stopped by BPS Pro AutoRestore|Quarantine. The wp-config.php file would have been autorestored and the wp-includes/class-wp-init.php file would have been quarantined.

    Once again sorry you are going through this sucky experience. Just work through it and make sure you do all the steps in order in the forum link I posted above.

    Thread Starter atomizer

    (@atomizer)

    thanks for your detailed comments and the clean-up link you provided

    at this point i’m deciding what to do – for me, $60 is a lot of money but i am seriously considering it

    Even in the best case, WordPress security plugins have a limited ability to protect websites from being hacked. For example, if your FTP credentials are compromised then usually the best a plugin can do is to detect that an attacker is modifying files after they have been modified. In that case the attacker should also be able to modify the security plugin’s files as well, so they could change the plugin to prevent it from detecting the attacker’s actions. We haven’t seen them doing that on hacked websites so far, but it would be possible.

    If you are lucky, the log files from when the website was hacked are still available and those can shed light on how the attacker got in and therefore what needs to be done to prevent them from getting in that way again.
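
Added example (not part of any reply in this thread): one way to use the access logs as described above, assuming an Apache/Nginx combined-format log. The log lines, IP addresses and the plugin path `example-gallery/upload.php` are constructed for illustration; the dropped file name is the one mentioned earlier in the thread.

```python
import re
from datetime import datetime

# Constructed sample log; IPs are documentation ranges, the plugin path is hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jul/2016:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [18/Jul/2016:23:40:10 +0000] "GET /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 310 "-" "curl/7.47"
203.0.113.44 - - [18/Jul/2016:23:40:15 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 42 "-" "curl/7.47"
198.51.100.7 - - [18/Jul/2016:23:41:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [18/Jul/2016:23:41:30 +0000] "POST /wp-includes/class-wp-init.php HTTP/1.1" 200 12 "-" "curl/7.47"
203.0.113.90 - - [19/Jul/2016:02:05:00 +0000] "POST /wp-includes/class-wp-init.php HTTP/1.1" 200 12 "-" "python-requests/2.9"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse(log_text):
    """Return parsed requests sorted by time; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def entry_point_candidates(events, dropped_file):
    """First request for the dropped file, plus earlier successful POSTs
    from any client that later requested it (likely write locations)."""
    hits = [e for e in events if e["path"].endswith(dropped_file)]
    if not hits:
        return None, []
    first = hits[0]
    suspects = {e["ip"] for e in hits}
    prior = [e for e in events
             if e["ts"] < first["ts"] and e["ip"] in suspects
             and e["method"] == "POST" and e["status"].startswith("2")]
    return first, prior

if __name__ == "__main__":
    first, prior = entry_point_candidates(parse(SAMPLE_LOG), "wp-includes/class-wp-init.php")
    print("first seen:", first["ts"], first["ip"])
    for e in prior:
        print("candidate entry point:", e["ts"], e["ip"], e["path"])
```

An empty candidate list does not clear plugins and themes: the file may have arrived over FTP or through the hosting account, which is what FTP and control panel logs would show.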

    Plugin Author AITpro

    (@aitpro)

    @White Fir Design – Yep spot on with FTP exploitation and that is what makes BPS Pro an exception to that vulnerability in all other security plugins. Even if someone renames the BPS Pro plugin folder or temporarily disables BPS Pro some other way then BPS Pro will still see the entire attack and either automatically stop it by autorestoring and quarantining hacker files once BPS Pro is re-enabled or at least let the website owner know exactly what has happened. If the hacker leaves BPS Pro disabled then that is also a dead giveaway. So the only way to beat BPS Pro AutoRestore|Quarantine is to have a WP Administrator login to a website and use the ARQ settings to do whatever they want to do. It’s game over anyway if someone has WP Administrator login capability to a website. 😉

    Plugin Author AITpro

    (@aitpro)

    Anyway so far so good in the last 5+ years. 😉

    BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 30,000 websites worldwide. Not a single one of those 30,000+ websites in 5+ years has been hacked.

    Thread Starter atomizer

    (@atomizer)

    @aitpro – preventing an exploit is half the battle i think – my question is; could BPS Pro assist in determining the cause of the hack – for example, let’s say i have a poorly coded plug that opens the door – can BPS help me to identify this?

    thanks

    Plugin Author AITpro

    (@aitpro)

    @atomizer – Yep, that would be awesome, but unfortunately at this time BPS Pro does not do any sort of pentesting. It is possible to pentest/audit software for common flaws/vulnerabilities by launching a series of pre-defined attacks on the software to find flaws/vulnerabilities. We may do something like that in the future, but at this time we are primarily focused on the security end of things and not doing any sort of auditing or pentesting things. Kali Linux: https://www.kali.org/ is a great pentesting tool and you can customize the basic tools/features even further for whatever your needs or desires are.

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If the issue/problem is not resolved or you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

    Thread Start Date: 7-19-2016 to 7-20-2016
    Thread Resolved/Current Date: 7-22-2016

  • The topic ‘site comprimised’ is closed to new replies.