
I think my Wordpress site was hacked....


Andrea


I got an email from my host, letting me know my site's been temporarily taken down due to suspicious activity. Apparently, 3 files are affected:

/wp-content/wpspl-load-compat.php

/wp-includes/wpspl-load-compat.php

/wp-includes/wpn-sops.ph

Nothing comes up when I google those file names, and since I still haven't learned PHP, I also don't really know what's going on - but mention of backdoors and such really makes me wonder. And entering a mentioned url - packetstormsecurity.org and seeing Putin.....

I'm just not clear if I can just delete the entire file - below is what's in the compat file inside the includes folder - or do I need to just clean something.

And after that? As far as I know, I'm running the latest WP version and my password should be pretty solid, too.

I got an error message trying to include the content into <> - maybe because it's so large, and it was also too large to attach the file, so here it is:

PHP Code in Notepad Doc


Hi, I clicked the link but it redirects me to the 404 page.

Here is a list of the stock WordPress files: https://core.trac.wordpress.org/browser/trunk/src

The files from wp-includes, I am pretty sure you can just delete them. Your site content and theme are stored in wp-content.

If you don't have experience with WP development, I recommend that you install this plugin and run a full scan: https://ro.wordpress.org/plugins/wordfence/

If you still want to upload the code to this forum just upload the files to your Google Drive, make them public and put the link in this thread, so that we can take a look.


Thanks, Anadar. I'll look into it.

I did delete the three offending files, and things seem to work fine. That tells me that the entire files were somehow added to my server, instead of the hackers adding malicious code to an existing file.

I was not able to upload the txt file (no idea why that would not work), so you guys can see what they put there, but I was able to PDF it and that uploaded.

Anybody have any insights what this was supposed to do?

Infected File (pdf format)

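The two posts above point at the stock file list and at the difference between whole files being added and code being injected into existing files. The added example below (not part of the original thread) tells the two cases apart by comparing `wp-admin` and `wp-includes` against a manifest of SHA-256 hashes; the manifest, the helper names and the sample file contents are constructed, and a real manifest is assumed to come from a clean download of the same WordPress release.

```python
import hashlib
import tempfile
from pathlib import Path

# Only directories that hold stock core files; wp-content is skipped because
# themes, plugins and uploads legitimately differ from site to site.
CORE_DIRS = ("wp-admin/", "wp-includes/")


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_core(root, manifest):
    """Return (added, modified, missing) relative paths versus the manifest."""
    root = Path(root)
    added, modified, seen = [], [], set()
    for d in CORE_DIRS:
        for p in (root / d).rglob("*"):
            if not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            seen.add(rel)
            if rel not in manifest:
                added.append(rel)        # whole file dropped onto the server
            elif sha256_of(p) != manifest[rel]:
                modified.append(rel)     # code injected into a stock file
    missing = [r for r in manifest if r.startswith(CORE_DIRS) and r not in seen]
    return sorted(added), sorted(modified), sorted(missing)


def demo():
    """Audit a constructed mini site: one file added, one stock file altered."""
    stock = {  # constructed stand-ins for a clean copy of the same release
        "wp-includes/compat.php": b"<?php // stock\n",
        "wp-includes/version.php": b"<?php // stock version file\n",
        "wp-admin/index.php": b"<?php // stock admin\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = {}
        for rel, body in stock.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
            manifest[rel] = hashlib.sha256(body).hexdigest()
        (root / "wp-includes/wpspl-load-compat.php").write_bytes(b"<?php // x\n")
        (root / "wp-includes/version.php").write_bytes(b"<?php // changed\n")
        return audit_core(root, manifest)
```

Files reported as added can be quarantined and removed; files reported as modified should be replaced from the clean copy rather than deleted. WP-CLI's `wp core verify-checksums` runs the same kind of comparison against the official checksums.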

I would recommend you a good plugin for improving WP Security, something that would prevent malicious code from being uploaded to the server, but I don't know any free ones that impressed me.

If you work with Wordpress a lot I recommend that you get a WPMU Dev subscription, they have a lot of great plugins. For security https://premium.wpmudev.org/project/wp-defender/ .


I'm not a WordPress user but I found some interesting articles about your issue.

The main advice was to delete unused/archived/old themes. And the concern about security vulnerability in poorly coded plugins.

Seems that themes, plugins are located in wp-content directory, which you mentioned.

Are you going to reinstall your site? Can you backup all your posts/comments and upload the content with a fresh install?

The articles I read are

"How to Find a Backdoor in a Hacked WordPress Site and Fix It"

"Beginner’s Guide to WordPress File and Directory Structure"


In the future you might try renaming them before deleting the files. If nothing breaks you can then delete them.

Sorry for the delay, I was on vacation (at home) for 12 days and refused to touch a computer.

You will want to check if you are using any of these plug-ins:

Another idea, luv, would be to check if your credentials for the WordPress site come up as being compromised. If not listed here, you are still rather secure:

Have I been pwned? https://haveibeenpwned.com/


On 1/2/2018 at 9:58 AM, MNS45 said:

I'm not a WordPress user but I found some interesting articles about your issue.

The main advice was to delete unused/archived/old themes. And the concern about security vulnerability in poorly coded plugins.

Seems that themes, plugins are located in wp-content directory, which you mentioned.

Are you going to reinstall your site? Can you backup all your posts/comments and upload the content with a fresh install?

The articles I read are

"How to Find a Backdoor in a Hacked WordPress Site and Fix It"

"Beginner’s Guide to WordPress File and Directory Structure"

Thanks - it seems that deleting the three bad files did the trick, but I will read the articles you pointed out.


  • 3 months later...

Follow these WordPress security best practices:

  1. Always update WordPress core, themes, and plugins right away.
  2. Back your site up daily; either via your host or one of the many trusted WordPress backup plugins such as VaultPress, BackupBuddy, BackWPup, BlogVault, etc.
  3. Never use the default “admin” username.
  4. Create a unique and difficult password that contains upper-case and lower-case letters, numbers and symbols.
  5. Secure your wp-config.php file.
  6. Hide your username.
  7. Limit login attempts.
  8. Disable file editing in the dashboard by adding the following to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );
  9. Always use SFTP when logging in to your site via an FTP client or your hosting panel.
  10. Or, if you’re up for some advanced DIY security, check out this definitive guide to WordPress security.
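An added example, not part of the original post, that checks two of the list items on an existing wp-config.php: whether `DISALLOW_FILE_EDIT` is really in effect (a line that is commented out, or pasted from a web page with typographic quotes, does nothing) and whether the file is open to other accounts on the host. The function name, the permission threshold and the sample configs are assumptions made for this illustration.

```python
import re

# define( 'NAME', value ); with straight quotes at the start of a line, so
# lines commented out with // or # are ignored.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\s*\(\s*(['"])(\w+)\1\s*,\s*([^)]+?)\s*\)\s*;""", re.M)
# Curly quotes as produced by word processors and some web pages; PHP does
# not treat them as string delimiters.
CURLY_RE = re.compile("define\\s*\\(\\s*[\u2018\u2019\u201c\u201d]")


def audit_wp_config(text, mode=None):
    """Return a list of findings for wp-config.php source and file mode."""
    findings = []
    if CURLY_RE.search(text):
        findings.append("define() uses typographic quotes")
    code = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop block comments
    consts = {m.group(2): m.group(3).lower() for m in DEFINE_RE.finditer(code)}
    if consts.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    # Assumption: any permission bit for 'other' users is treated as too open.
    if mode is not None and mode & 0o007:
        findings.append("file mode %o grants access to other users" % (mode & 0o777))
    return findings


# Constructed sample configs.
GOOD = "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
PASTED = "<?php\ndefine( \u2018DISALLOW_FILE_EDIT\u2019, true);\n"
COMMENTED = "<?php\n// define( 'DISALLOW_FILE_EDIT', true );\n"
```

For a live file, pass `open(path).read()` and `os.stat(path).st_mode` as the two arguments.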
