• Resolved David181

    (@david181)


    Dear WordPress family,

    today, strange things happened. First I got a WordPress email telling me that a new user signed up for my WordPress blog. Normally not possible, I’m not allowing registrations.

    Registration infos:

    [Moderated: Password, username, email redacted] Please do not post or give server sensitive information (passwords, username, ftp, etc). For your safety, it’s not allowed here: https://wordpress.org/support/guidelines/

    That rang the alarm bells. After visiting my site I did not see the normal mobile theme, more a cached version of it.

    Furthermore, when I want to open the wp-admin, it’s not showing up. Instead, the page is redirecting to https://www.les-cookies-de-hanitra.fr/wp-login.php.

    Screenshot: https://ibb.co/hq86xq

    I checked the FTP – on a first look all the files look similar – at least on a file system level.

    Seems like I got hacked… Does anyone know more about that hack and how to fix it?

    Thanks and best,
    David

Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Offhand, a couple of names that come to mind are Sucuri and Wordfence.

    Thread Starter David181

    (@david181)

    Hi,

    thanks for the quick first reply. I followed all steps, but no result. All scanners don’t report a problem. All files look fine from the first “scan”.

    Does someone know this concrete hack and how to fix it?

    Thanks and best,
    David

    Moderator t-p

    (@t-p)

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Offhand, a couple of names that come to mind are Sucuri and Wordfence.

    Thread Starter David181

    (@david181)

    Thanks for the reply.
    As this is a hobby project I can’t afford any of these sites. So any help from the community is appreciated. Thanks!

    Moderator t-p

    (@t-p)

    Additional Resources:
    – http://ottopress.com/2009/hacked-wordpress-backdoors/
    – https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/
    – https://www.wpbeginner.com/plugins/how-to-scan-your-wordpress-site-for-potentially-malicious-code/
    – Hardening WordPress
    – http://sitecheck.sucuri.net/scanner/
    – http://www.unmaskparasites.com/
    – Try the Wordfence plugin. It comes with a malware scanner, exploit detection, and threat assessment features. You will be alerted if any signs of a security breach are detected, with instructions to fix them.
    – Here is an online scanner: http://sitecheck.sucuri.net/scanner/.
    – Also, scan for “some string” using https://wordpress.org/plugins/string-locator/

    Thread Starter David181

    (@david181)

    Fixed it.
    The attacker was able to change the setting for registration of new users back to “on” with the change that new users are created as admin.

    Luckily he just changed the site url which was fixable via database.

    But looks like a huge backdoor somewhere in WordPress, huh? Why is there even a setting to create new users as admin? Isn’t that a security problem in itself?

    Thanks and best,
    David
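
The state described in the post above (registration switched on, new users created as admin, site URL changed) lives in four `wp_options` rows, so it can be checked directly. The following is an added example, not part of the thread: the function name, `DBNAME`, the default `wp_` table prefix and the sample hostnames are assumptions, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads "option_name<TAB>option_value"
# rows on stdin, e.g. the output of (DBNAME is a placeholder, wp_ the default prefix):
#   mysql -N -B DBNAME -e "SELECT option_name, option_value FROM wp_options
#     WHERE option_name IN ('siteurl','home','users_can_register','default_role')"
# $1 = hostname the site should be served from (assumption: you know it).
# Prints one FINDING line per problem; returns 1 if anything was found.
audit_wp_options() {
    expected_host=$1
    found=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name value; do
        case $name in
            siteurl|home)
                host=${value#*://}   # drop scheme
                host=${host%%/*}     # drop path
                host=${host%%:*}     # drop port
                if [ "$host" != "$expected_host" ]; then
                    echo "FINDING: $name is '$value' (expected host $expected_host)"
                    found=1
                fi ;;
            users_can_register)
                if [ "$value" = "1" ]; then
                    echo "FINDING: users_can_register is on"
                    found=1
                fi ;;
            default_role)
                if [ "$value" = "administrator" ]; then
                    echo "FINDING: default_role is administrator"
                    found=1
                fi ;;
        esac
    done
    return "$found"
}

# Constructed sample rows mirroring the state described in the thread.
sample_rows() {
    printf 'siteurl\thttps://attacker.example\n'
    printf 'home\thttps://blog.example.org\n'
    printf 'users_can_register\t1\n'
    printf 'default_role\tadministrator\n'
}

sample_rows | audit_wp_options blog.example.org || true
```

A finding on `default_role` or `users_can_register` also means the administrator accounts in the users table need reviewing, since accounts created while the setting was active keep their role after it is reset.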

    Moderator t-p

    (@t-p)

    Glad u got it sorted:)

    Martin

    (@whocares2018)

    There was a security issue a few days ago in the WP GDPR plugin, allowing someone to introduce a new user (admin level) in your site. You should have had an email from your site telling you so.

    Roll back from a previous backup, log in and download the latest plugin updates.

    Installing the Ninja Firewall will help prevent a hack again, since Wordfence did NOT prevent this hack from happening…

    Thread Starter David181

    (@david181)

    Hi whocares,

    thanks for your input. I researched that as well – and I’m pretty sure that was the reason. After updating the plugin everything seems fine.

    Still wondering why WordPress allows registration as Admin. Seems like a huge security problem.

    Thanks and best,
    David

    wpvince

    (@wpvince)

    Have a customer that doesn’t have the WP GDPR plugin, yet the same site url hack has been done and can’t yet find the cause.

    wpvince

    (@wpvince)

    My security check that identified the hack was from Easy WP SMTP plugin

    Here is a report in case it helps anyone else
    https://wpvulndb.com/vulnerabilities/9237

  • The topic ‘WordPress hacked? Redirect on wp-admin’ is closed to new replies.