Suspected hack on 8 WordPress installs

  • stevepharris

    (@stevepharris)


    I have multiple sites on a shared server. Recently I got an email from SiteLock warning me about malware on my sites. I thought this had to be a mistake and they were just trying to sell me a service. After going back and forth between them and my hosting provider, I did notice the sites loading a resource from an unknown party, and after doing some digging I noticed a new script in the header.php file for all the sites.

    There is only one FTP account to this server and I’m the only one who uses it. I looked at the date modified for each header file and noticed nothing odd. One still showed last changed in 2014. All these sites use different themes and the script was added the same way, with the same amount of spaces between the <?php wp_head();?> and the closing </head> tag. It looks very copy and paste to me, since the script is minified and the rest of the header isn’t.

    I have since removed the script, but I am concerned they may still have some form of access to one or more of these sites. How can I harden these WordPress installs and possibly figure out how this happened?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter stevepharris

    (@stevepharris)

    I would really love to figure out how it happened.

    Mark Ratledge

    (@songdogtech)

    I have multiple sites on a shared server….

    It’s really difficult to find the vector(s) on shared hosting. You need to parse the logs, but they may not have sufficient info. The attack was either direct on your site due to old versions or insecure plugins, or it was a traverse from hacked accounts on the same server.

    Best thing to do is harden WordPress and also look for a more secure host.

    Edit 3/09/16: and yes, goes without saying: follow James’ links and recommendations.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    And follow the guide initially mentioned, all of it. It covers most common vectors, because as songdogtech mentioned, it’s pretty much impossible to determine the specific vector without some very intensive in-depth investigation.

  • The topic ‘Suspected hack on 8 WordPress installs’ is closed to new replies.
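
The pattern described in the opening post (a script sitting between `<?php wp_head();?>` and `</head>` in every theme's header.php, on files whose modified date looks old) can be checked for across all installs in one pass. This is an added example, not part of the thread: it assumes a POSIX host, the directory names and the `unknown.example` host are constructed placeholders, and its findings are candidates for review because a theme may legitimately place a script there.

```python
import os
import re
import tempfile
import time

# Region between the wp_head() call and the closing </head> tag, as described in the thread.
HEAD_TAIL = re.compile(r"wp_head\s*\(\s*\)\s*;?\s*\?>(.*?)</head>", re.I | re.S)
SCRIPT = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def injected_scripts(header_source):
    """Return <script> elements sitting between wp_head() and </head>."""
    m = HEAD_TAIL.search(header_source)
    return SCRIPT.findall(m.group(1)) if m else []

def scan(root, ctime_gap=86400):
    """Walk root for theme header.php files and report suspicious ones.

    Each finding is (path, scripts, stale_mtime). stale_mtime is True when the
    inode change time is more than ctime_gap seconds newer than the modification
    time: mtime can be set back by whoever wrote the file, ctime is set by the kernel.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "header.php" not in files:
            continue
        path = os.path.join(dirpath, "header.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            scripts = injected_scripts(fh.read())
        if scripts:
            st = os.stat(path)
            findings.append((path, scripts, st.st_ctime - st.st_mtime > ctime_gap))
    return findings

def demo():
    """Build two constructed theme directories and scan them."""
    clean = "<head>\n<?php wp_head(); ?>\n</head>\n<body>"
    # Constructed sample: placeholder host, not taken from the thread.
    dirty = clean.replace("</head>", '    <script src="//unknown.example/x.js"></script></head>')
    with tempfile.TemporaryDirectory() as root:
        for name, src in (("theme-a", clean), ("theme-b", dirty)):
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, "header.php"), "w") as fh:
                fh.write(src)
        old = time.time() - 2 * 365 * 86400
        os.utime(os.path.join(root, "theme-b", "header.php"), (old, old))  # old-looking mtime
        return [(os.path.basename(os.path.dirname(p)), len(s), stale) for p, s, stale in scan(root)]

if __name__ == "__main__":
    print(demo())
```

On a real server, point `scan()` at the directory that holds the WordPress installs and compare each flagged file against a clean copy of the theme.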