Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Wordpress site hacked. Help?

tobefirst ⚽️

tobefirst ⚽️

macrumors 601
Original poster
Jan 24, 2005
4,612
2,335
St. Louis, MO
The other day, my wordpress site was hacked.

Even though I have it set so no new users can be created, someone was able to create a new administrator and mess some things up. As soon as I got the email a new user was created, I went in and deleted that user. However, my user count (just above the list) shows 3 users while displaying only 2. So, I'm not sure if the other user actually got deleted, or if it is still there and just being cleverly hidden.

The second problem is that now (some of) my links now open new tabs to different sites.

Ugh.

So, I went in to my hosting and reinstalled everything to 2 days before I got that email stating there was a new user. Unfortunately, the issues above persist.

How do I go about fixing this and making sure the site gets back to secure? Would it be advisable to nuke the whole Wordpress installation and start over?

If you want to, or are able to, take a look at the code on my site, you can find the site here: soupmagazine.net.

Thanks for any and all help. Let me know what info I can provide to you to help you help me. I appreciate it.

(also, the site running slow is a known issue and something I need to address when I find the time.)
 
Any chance your account has a password that someone can guess if they know you, or they have access to your email and can reset it through the "forgot Password" option?

I would think that you probably have addressed that, but in case you haven't I'd start there.
 
@TheAppleFairy Good point. The password is something perhaps my wife could guess, but not anyone else, really. I have since changed the password to my account to make it more secure and would not be something she would guess before giving up. :) And, I do trust her. That's good, right? :)

I went to https://sitecheck.sucuri.net/results/soupmagazine.net and it lists a bunch of javascript stuff that is harmful. So, I assume that is what is happening. Now I need to know how to fix it.

Thanks for the response. Let me know what else I can do to help you help me.
 
tobefirst said:
@TheAppleFairy Good point. The password is something perhaps my wife could guess, but not anyone else, really. I have since changed the password to my account to make it more secure and would not be something she would guess before giving up. :) And, I do trust her. That's good, right? :)

I went to https://sitecheck.sucuri.net/results/soupmagazine.net and it lists a bunch of javascript stuff that is harmful. So, I assume that is what is happening. Now I need to know how to fix it.

Thanks for the response. Let me know what else I can do to help you help me.
Click to expand...


Yeah I just went to your site and I clicked on the contact me and I got some pop-ups saying congratulations you won.

I am not web expert, hopefully someone can help you here. I figured I'd state what I thought was obvious anyway.

Good luck.
 
tobefirst said:
@TheAppleFairy

I went to https://sitecheck.sucuri.net/results/soupmagazine.net and it lists a bunch of javascript stuff that is harmful. So, I assume that is what is happening. Now I need to know how to fix it.

Thanks for the response. Let me know what else I can do to help you help me.
Click to expand...

Do you have FTP(or simular) access to the web server? I have compared your index and contact page against a local wordpress installation in my home. The first three lines in both of your pages contain some JavaScript that mine doesn't. Those lines might be the infected code. I have checked the code in a VM, so I will need to transfer it to my host before I can check the code against the mallware code.

Looks like you have to open your web pages in a text editor and then remove the javascript to remove the virus. You should also check all your other pages for the virus. Also check any file ending with .js. Then reupload the fixed files. Make sure that you have backup off all sitedata you need (and databases).

The safest way to be sure that the virus is gone is to reinstall everything, but that might not be so simple.
 
  • Like
Reactions: TheAppleFairy
Superspeed500 said:
Do you have FTP(or simular) access to the web server? I have compared your index and contact page against a local wordpress installation in my home. The first three lines in both of your pages contain some JavaScript that mine doesn't. Those lines might be the infected code. I have checked the code in a VM, so I will need to transfer it to my host before I can check the code against the mallware code.

Looks like you have to open your web pages in a text editor and then remove the javascript to remove the virus. You should also check all your other pages for the virus. Also check any file ending with .js. Then reupload the fixed files. Make sure that you have backup off all sitedata you need (and databases).

The safest way to be sure that the virus is gone is to reinstall everything, but that might not be so simple.
Click to expand...
Thanks for looking. I do have FTP access and think I can handle what you're talking about. I'll give it a shot.

It may be that I just nuke it. I've been meaning to update it anyway.

Appreciate the response and if there's anything else you or anyone else notices, or can help with (point me in the right direction), I very much appreciate it.
 
I make Duplicator (free plugin) backups of my sites on a semi-regular basis and download them locally
They allow for a good way to nuke completely and restore your site to a past good install
Has saved my ass on more than one occasion

You can also use your PHPMyAdmin on your server host to access your database
There you can do some more in depth looking at users/passwords, etc.
Especially if you get caught being unable to login to your Admin
https://www.fixrunner.com/cannot-login-wordpress-admin-area/
 
One option is to delete the bulk of your WordPress files in your FTP but keep the wp-content and wp-config files, and replace with fresh WP files from WordPress.

Also when it's fixed get yourself setup with the right file permissions, and install ithemes security. Excellent plugin.

If it doesn't work I recommend siteguarding.com to clean the site - they are awesome!
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back