

wordpress blog hacked


7 replies to this topic

#1 goneunderground

goneunderground

    Advanced Member

  • Active members
  • PipPipPip
  • 507 posts
  • Gender:Female
  • Location:Preston
  • Interests:Moodle, Hot Potatoes, MFL, geography, HotPotatoes and...did I say Moodle?

Posted 30 March 2008 - 08:27 PM

Any ideas how this happened? Most perturbing. I run a wordpress blog for a local councillor - hosted on his own domain - and got alerted the other day that it 'didn't look right'. Went to check and in short, my header.php file had been replaced with one with messages about credit cards etc. I put the original file back and it is ok again but... how on earth can anyone have got into my ftp or into the site admin to do this? Only I have the ftp details and only two other totally reliable people have logins to write posts - nobody else is allowed to register. How else can this have happened?

#2 Andrew Field

Andrew Field

    Administrator

  • Root Admin
  • PipPipPip
  • 1,541 posts

Posted 31 March 2008 - 12:31 PM

Blimey - sorry to hear this.  Would be interesting to find out more.

From time to time there are reported security issues with Wordpress and this is why any blog (and indeed forum software) needs to be kept up to date.  Where / how do you host Wordpress?  It could be an issue with your hosting - i.e. someone has got into another site on the shared server and has then got access to yours.

Two things to consider really - the security of the Wordpress installation itself (i.e. is it up to date) and (more realistically) the security of your webhost.

#3 goneunderground


Posted 31 March 2008 - 05:32 PM

Well, first of all - no- it is not up to date - partly because I am ever so slightly afraid of messing it up in the upgrade - but now I think an upgrade is far more urgent. So that is job number one. It is hosted by Lycos - the first host I ever got five/six years ago - don't use them for later sites but they have generally been ok. My first priority will be to upgrade. Still a mystery though.

#4 Andrew Field


Posted 31 March 2008 - 05:50 PM

goneunderground, on Mar 31 2008, 05:32 PM, said:

Well, first of all - no- it is not up to date - partly because I am ever so slightly afraid of messing it up in the upgrade - but now I think an upgrade is far more urgent. So that is job number one. It is hosted by Lycos - the first host I ever got five/six years ago - don't use them for later sites but they have generally been ok. My first priority will be to upgrade. Still a mystery though.

I would think it is more likely an issue with the Lycos hosting.  With most standard webhosting, many sites are hosted all on one server.  It just needs one of the sites to become compromised - perhaps one is running an out of date mail script etc. - and then a hacker can gain access to all the sites on that server.  It is very unlikely that it was just you who were hacked here.  It is also unlikely it was a targeted attack.  Instead, someone probably got access to the server and did a 'find and replace' on any files it found vulnerable.

I would get in touch with Lycos to see what they say - they can at least tell you when the site was compromised.  If you get a telling off from them for not keeping Wordpress up to date, just move the whole thing elsewhere.  Also, as you know, decent hosts will assist you in all areas here - helping you upgrade, backing files up and so on.  If yours doesn't, move on ;)

#5 goneunderground


Posted 02 April 2008 - 09:21 PM

Well it's funny you should say that because a day after this happened the site was down for a fair while (an extremely rare occurrence) - couldn't even get onto webmail or the control panel or ftp - and when eventually I did there was a message to all customers apologising for sites being down and saying there had been major issues - not explaining why though - maybe there is a connection? Either way, I am monitoring the situation!

#6 Andrew Field


Posted 02 April 2008 - 11:36 PM

How extensive was the damage?  I've looked into the issue a little further today because I found that one of my posts at http://www.flashict.net - the blog that I've got but don't update enough - had been hacked too.  It looks like there are a range of issues with older versions of Wordpress.

If it was just a number of posts that were vandalised - go into those posts and look at the non-html editing window.  Delete any of the spammer links. Then upgrade to the latest version of Wordpress.

I did this last night, as well as updating the theme a little ;)

If it is more major, I would suggest that it is a webhosting issue.  I didn't have the very latest version of Wordpress installed, but it was a relatively new one.  However, I was still hit in a minor way.  My issue was not using the latest version of Wordpress.  The school blog, which I've also got running on my dedicated server wasn't affected at all.

So - thanks for bringing this to my attention - even if it wasn't the same issue.  I think my one was due to the theme I was using and the out of date installation.  Both together made my site vulnerable.

#7 Jonathon

Jonathon

    Member

  • Active members
  • PipPip
  • 18 posts

Posted 03 April 2008 - 02:51 PM

I don't really know a lot about the wordpress blogs, etc. but there seems to be a lot of this hacking stuff going on.

A few months ago the webhost company that I host all of my websites on, Freeola, updated all of their passwords for all of their customers on both ftp and email settings. They didn't notify anyone that they were going to be upgrading the passwords, which is what they told us later, they just changed all of the passwords to random passwords. When they did this switch it just made my email and my Dad's email get upset as it couldn't connect, so we put it down to the fact that their email servers had gone down (which has happened over the past 5 years of using them). The next day my dad couldn't get on the webmail or anything so he went onto their website. On their site there was a notice for all customers telling them that their passwords had been changed.

After getting all of the email settings up and running again on our computers, we received an email on the day of the update from Freeola telling everybody that there was a security update. This was completely pointless as nobody could receive emails and find out about the upgrade.

So I don't know what security reasons caused this or anything else, but after reading what you said in this topic I am assuming that this was probably the cause.

#8 duncwilson

duncwilson

    Newbie

  • Members
  • Pip
  • 1 posts
  • Gender:Male

Posted 14 May 2011 - 04:34 PM

OK - a few tips regarding wordpress - awesome software but open source and used all over the web so a major target for hackers.

1) the default username is "admin" - make sure you change this
2) make sure you turn off directory indexing otherwise users can navigate through folders and find all sorts of interesting stuff
3) make sure you update as soon as an update is available - there is an auto update plugin available but you need to run a "cron" job
4) don't install too many plugins - these are contributions and lots are full of security holes
5) keep a backup - always keep a backup
6) if you do get hacked check the logs to find out how and close this hole.

I set up my own site for report card comments and used wordpress. It was hacked within a week - I checked the logs and found that there was an exploit for a plugin I had installed.

If your site is hacked do not take it personally - you have not been targeted - it is probably just a bot created by a hacker - it scours the web looking for out of date sites etc that it can get into.
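Added example, not part of any post above: one way to act on the "keep a backup" and "find out how" tips is to hash every file in a known-good backup and in the live copy, then list what was modified, added or removed, which is how a replaced header.php would show up. The function names and the two directory arguments are assumptions made for this sketch.

```python
import hashlib
import os
from datetime import datetime, timezone

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(backup_root, live_root):
    """Return files modified, added or removed relative to the backup."""
    good, live = manifest(backup_root), manifest(live_root)
    report = {"modified": [], "added": [], "removed": []}
    for rel in sorted(set(good) | set(live)):
        if rel not in live:
            report["removed"].append(rel)
        elif rel not in good:
            # Legitimate uploads also land here; review, don't auto-delete.
            report["added"].append(rel)
        elif good[rel] != live[rel]:
            report["modified"].append(rel)
    return report

def changed_with_mtime(backup_root, live_root):
    """Pair each modified or added file with its last-modified time (UTC).

    The timestamp is only a hint for narrowing the log search: whoever
    changed the file could also have reset its modification time.
    """
    report = compare(backup_root, live_root)
    rows = []
    for rel in report["modified"] + report["added"]:
        ts = os.path.getmtime(os.path.join(live_root, rel))
        rows.append((rel, datetime.fromtimestamp(ts, timezone.utc).isoformat()))
    return rows

if __name__ == "__main__":
    import sys
    backup, live = sys.argv[1], sys.argv[2]  # hypothetical: ./backup ./live
    for rel, when in changed_with_mtime(backup, live):
        print(f"{when}  {rel}")
    for rel in compare(backup, live)["removed"]:
        print(f"removed  {rel}")
```

Run it against a downloaded copy of the site rather than on the shared server, and use the reported timestamps to pick the window of access-log entries to read.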



