Support » Fixing WordPress » WordPress hacked? Redirect on wp-admin

  • Resolved David181

    (@david181)


    Dear WordPress family,

    today, strange things happened. First a got a wordpress email telling me, that a new user signed up for my wordpress blog. Normally not possible, I‘m not allowing registrations.

    Registration infos:

    [Moderated: Password, username, email redacted ] Please do not post or givr server sensitive information (passwords, username, ftp, etc)For your safety, it’s not allowed here: https://wordpress.org/support/guidelines/

    That rang the alarm bells. After visiting my site I did not see the normal mobile theme, more a cached version of it.

    Futhermore, when I want to open the wp-admin, it‘s not showing up. Instead, the page is redirecting to https://www.les-cookies-de-hanitra.fr/wp-login.php.

    Screenshot: https://ibb.co/hq86xq

    I checked the FTP – on a first look all the files look similar – at least on a file system level.

    Seems like I got hacked… Does anyone know more about that hack and how to fix it?

    Thanks and best,
    David

    • This topic was modified 3 years ago by t-p.
Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

    • This reply was modified 3 years ago by t-p.
    Thread Starter David181

    (@david181)

    Hi,

    thanks for the quick first reply. I followed all steps, but no result. All scanners don‘t report a problem. All files look fine from the first „scan“.

    Does someone knows this concrete hack and how to fix it?

    Thanks and best,
    David

    Moderator t-p

    (@t-p)

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

    Thread Starter David181

    (@david181)

    Thanks for the reply.
    As this is a hobby project I can‘t affort any of this sides. So any help from the community is appreciated. Thanks!

    Moderator t-p

    (@t-p)

    Additional Resources:
    http://ottopress.com/2009/hacked-wordpress-backdoors/
    https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/
    -https://www.wpbeginner.com/plugins/how-to-scan-your-wordpress-site-for-potentially-malicious-code/
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    – Try Wordfwnce plugin. It comes with a malware scanner, exploit detection, and threat assessment features. You will be alerted if any signs of a security breach are detected with the instructions to fix them.
    – Here is an online scanne: http://sitecheck.sucuri.net/scanner/.
    – Also, Scan for “some string” using https://wordpress.org/plugins/string-locator/

    Thread Starter David181

    (@david181)

    Fixed it.
    The attacker was able to change the setting for registration of new users back to „on“ with the change that new users are created as admin.

    Luckily he just changed the site url which was fixable via database.

    But looks like a huge backdoor somewhere in WordPress, huh? Why is there even a setting to create new users as admin? Isn‘t that a security problem for itself?

    Thanks and best,
    David

    Moderator t-p

    (@t-p)

    Glad u got it sorted:)

    whocares2018

    (@whocares2018)

    There was a security issue a few days ago in the WP GPDR plugin, allowing someone introducing a new user (admin level) in your site. You should have had an email from your site telling you so.

    rollback from a previous backup, login and download the latest plugin updates.

    Installing the ninja firewall will help preventing a hack again, since wordfence did NOT prevent this hack from happening…

    Thread Starter David181

    (@david181)

    Hi whocares,

    thanks for your input. I reseached on that as well – and I‘m pretty sure that was the reason. After updating the plugin everything seems fine.

    Still wondering why WordPress allows registration as Admin. Seems like a huge security problem.

    Thanks and best,
    David

    Have a customer that doesn’t have the WP GPDR plugin, yet the same site url hack has been done and can’t yet find the cause.

    My security check that identified the hack was from Easy WP SMTP plugin

    Here is a report in case it helps anyone else
    https://wpvulndb.com/vulnerabilities/9237

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘WordPress hacked? Redirect on wp-admin’ is closed to new replies.