Title: SQL Injection – hacker created pages
Last modified: August 30, 2016

---

# SQL Injection – hacker created pages

 *  Resolved [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/)
 * I am using version 3.9.9 but that wasn’t in the list.
 * The problem I have involves SQL injection I think. I keep getting pages created
   on my site, viagra, UK betting, London Hotels…the usual spammy stuff. I checked
   logins and there were no unauthorised logins which led me to believe they accessed
   the site directly through the database. I checked in phpmyadmin and they used
   the admin ID 0 which doesn’t exist as a user. I gave the database a random prefix
   as most people advise when I installed the site.
 * I am blacklisting IPs that have multiple failed logins, my security strength 
   meter reads 380 so I am covering almost all my bases yet they still get in to
   leave these pages…Any ideas?
 * [https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/)

Viewing 15 replies - 1 through 15 (of 15 total)

 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478339)
 * Hi, do you have any of the **Brute Force** features enabled? What Firewall features
   have you enabled? Do you have any other security plugin installed?
 * Are you running WordPress 3.9.8?
 * Are all your plugins and theme up to date?
 *  Plugin Contributor [wpsolutions](https://wordpress.org/support/users/wpsolutions/)
 * (@wpsolutions)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478340)
 * They could be getting in any number of ways.
   For example maybe you installed a theme or plugin which was infected.
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478364)
 * Theme bought from Themeforest and all plugins from here (WordPress.org)
 * As far as Brute Force, I have login page renamed (10/10) I have login Captcha
   enabled (20/20) and Honeypot enabled (10/10). I have no other security plugin
   installed but it is weird, I have other WordPress sites and they have never been
   hacked, this is the only one with security on and it seems to be a magnet for
   attacks. I know it’s probably just coincidence but still very weird. Where can
   I get information on “user agents” for blacklisting? If I could block anything
   that wasn’t a browser or a search bot it might just plug any remaining holes 
   in the security.
 * I checked the error log and found this:
   doesn't exist for query SHOW FULL COLUMNS FROM `em_core_log_884` made by
   shutdown_action_hook, do_action('shutdown'), call_user_func_array,
   wp_ob_end_flush_all, ob_end_flush, xcalendarBufferEnd, xcalendar->bufferEnd,
   xcalendar->writeLog.
 * I know “flush all” can’t be good and I am sure a “do action shutdown” ain’t a
   good thing. Can you tell me what this is trying to do?
 * Like I say, most things in AIOWPS are set to max and still they come, there are
   no failed logins so they are not coming through the front door but looking at
   the error log their attacks are relentless.
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478366)
 * Oh and I am running WordPress 4.1.7 and all plugins are up to date other than
   the ones that came with the theme (slider, contact forms and page builder plugins)
   these are always difficult to update since they came with the theme. A separate
   license would be good but then you end up paying for everything twice. The theme
   was only bought and installed less than a month ago so not sure how they get 
   to be out of date so quick.
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478367)
 * Here is the problem with upgrading too soon in a nutshell:
 * Contact Form 7
   You have version 4.2 installed. Update to 4.2.2. View version 4.2.2 details.
   Compatibility with WordPress 4.1.7: 100% (according to its author)
   Compatibility with WordPress 4.3: 60% (6 “works” votes out of 10 total)
 * So I can either update WordPress or Contact Form 7 if I want them both to work…
   I can’t have both. I updated Contact Form 7 to the latest version on another 
   site I run and it didn’t work at all, so I had to roll the entire site back.
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478582)
 * Most plugins seem to stop access for the admin area of WordPress with blacklisting
   etc but what if hacks are coming straight in to the SQL database? Is there any
   way to stop this? Is there a plugin that stops hacking at database level?
 * Currently I have set the SQL database so that it cannot be edited by anyone, 
   completely blocking all but viewing the site and when we want to edit the site
   I simply turn it back on while we edit and off again when it has been done. Although
   this has stopped the site getting hacked it is by no means an ideal solution.
   It would be good to have a plugin that allows to completely block the database
   from being edited from within the WP admin area.
 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478583)
 * Hi, can you use Sucuri to check your website. Your site might be compromised 
   or already hacked.
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478584)
 * I installed the plugin for Sucuri when I first discovered the hack. It found 
   nothing, no malware. I have just done a scan with the plugin and another external
   scan from the Sucuri website…both came up with “Site Clean”!?
 * I'm stumped! All I can think is that it is injected into DB but I thought security
   plugins like AIOWPS stopped that.
 * I searched Google for the exact text they put on my site (1 sentence exact match)
   and it is unique, it appears nowhere else on the internet so I can only assume
   it’s not a random attack, it was specifically aimed at our site. But how do they
   post without using an assigned WP user? Pages were posted by user 0 which I set
   to “Subscriber” after it happened the first time.
 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478587)
 * Hi, have you spoken to your host about this issue?
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478593)
 * Yes, they suggested restoring from a backup but as I explained to them the backups
   get overwritten by new ones (backed up 3 times a week) and as we don’t know when
   this first got attacked (first noticed 10 Aug but it could have been earlier 
   as the hacker’s posts weren’t visible in the admin, it was only when I was in
   phpmyadmin that I noticed them so it is more than likely that the issue I have
   now will also happen with the back ups if the.
 * Incidentally how do you add a post to a WP site without it showing up in the 
   admin area? This may be a clue as to how they are managing to post.
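
Added example, not part of the thread or of the plugin's code: a query that lists every row in the posts table whose `post_author` matches no account in the users table, whatever its status or type, which is the check described above as done by hand in phpMyAdmin. The `wpx_` prefix, the sample rows and the SQLite harness are constructed for illustration; the column names are the standard WordPress ones.

```python
import sqlite3

PREFIX = "wpx_"  # hypothetical table prefix; substitute the site's own

def build_sample_db():
    """In-memory stand-in for the WordPress database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE {PREFIX}posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
            post_date TEXT, post_title TEXT, post_status TEXT, post_type TEXT);
        INSERT INTO {PREFIX}users VALUES (1, 'siteadmin'), (2, 'editor');
        INSERT INTO {PREFIX}posts VALUES
            (10, 1, '2015-07-01 09:00:00', 'About us',         'publish', 'page'),
            (11, 2, '2015-07-03 14:20:00', 'Summer news',      'publish', 'post'),
            (12, 0, '2015-08-10 02:13:00', 'Spam page one',    'publish', 'page'),
            (13, 0, '2015-08-10 02:14:00', 'Spam page two',    'inherit', 'revision'),
            (14, 7, '2015-08-11 03:40:00', 'Spam page three',  'publish', 'page');
    """)
    return db

# Rows whose post_author matches no row in the users table, for every status and type
ORPHAN_QUERY = f"""
    SELECT p.ID, p.post_author, p.post_type, p.post_status, p.post_date, p.post_title
    FROM {PREFIX}posts AS p
    LEFT JOIN {PREFIX}users AS u ON u.ID = p.post_author
    WHERE u.ID IS NULL
    ORDER BY p.post_date
"""

def find_orphan_posts(db):
    return db.execute(ORPHAN_QUERY).fetchall()

def summarize(rows):
    """Count orphaned rows per (author, type, status) and report the earliest post_date."""
    counts = {}
    for _id, author, ptype, status, _date, _title in rows:
        key = (author, ptype, status)
        counts[key] = counts.get(key, 0) + 1
    earliest = min((r[4] for r in rows), default=None)
    return counts, earliest

if __name__ == "__main__":
    rows = find_orphan_posts(build_sample_db())
    for row in rows:
        print(row)
    print(summarize(rows))
```

A hit is a row to review, not proof of compromise, and `post_date` is a stored value set by whoever inserted the row, so the earliest date is only a hint when deciding which backup predates the problem.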
 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478597)
 * Hi, that might be your best option what your host has suggested. However as you
   mention, you don’t know when this problem occurred. You will have to make a decision
   and maybe bite the bullet so to speak.
 * The other option you might carry out is to reinstall the current WordPress version
   either automatically or manually via FTP. That might fix any corrupted files 
   if there are any.
 * Just my humble opinion.
 * Regards
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478599)
 * At the moment I have the database completely locked down and it only gets unlocked
   for us to edit the site and then locked down again afterwards. I think the best
   thing is to keep it like that until we can investigate further.
 * It occurs to me that if the developers of AIOWPS wanted to improve the product
   they could take a clone of sites like ours and dissect it to discover how hackers
   might be circumventing their security measures.
 * On the next iteration of AIOWPS it might be good if it could monitor and log 
   any changes to the core WP files, the ones that wouldn’t ordinarily get changed,
   the ones that don’t get overwritten when WP is updated. This seems the most likely
   place for hackers to hide code. Failing that, what about a button that makes 
   the database uneditable from within the Admin area rather than having to go in
   to cpanel? Just a thought.
 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478651)
 * [@cliveo](https://wordpress.org/support/users/cliveo/) is your issue now resolved?
   Do you have the latest version installed?
 *  Thread Starter [CliveO](https://wordpress.org/support/users/cliveo/)
 * (@cliveo)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478652)
 * It is kind of resolved. I have uninstalled All in one WP Security and I keep 
   the database locked permanently, only unlocking it to make edits. The site hasn’t
   had any more unauthorised content but that’s not to say they aren’t still trying.
 * It’s not an ideal solution but it works. A good update for me would be if there
   was a way to lock the database from within the WP dashboard, that way I wouldn’t
   have to keep doing it through cpanel…not sure if that is even possible.
 *  Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478653)
 * That sounds like it is kind of resolved and it is working for you.
 * Since you no longer use our plugin, I am marking this support thread as resolved.
 * Thank you


The topic ‘SQL Injection – hacker created pages’ is closed to new replies.


## Tags

 * [hacking](https://wordpress.org/support/topic-tag/hacking/)
 * [sql](https://wordpress.org/support/topic-tag/sql/)
 * [sql injection](https://wordpress.org/support/topic-tag/sql-injection/)

 * 15 replies
 * 3 participants
 * Last reply from: [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * Last activity: [10 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-hacker-created-pages/#post-6478653)
 * Status: resolved