• Resolved gs42

    (@gs42)


    Hi All,

    My client’s website has been hacked. Part of the hack involved changing the admin name and locking me out (using the AIOWS plugin and its IP block against me… ironic!)

    No big deal — I went into PHPMyAdmin and changed the username to something new. Then, I went to the login page, failed the login (because there wasn’t a user_authorization_key or whatever it’s called), and clicked on “Forgot Password”. I’ve used this method before when locked out, and it works well.

    …except that this time, it didn’t. I tried logging in about 10 times, and every time I have to go through the “Deceptive Site Ahead” page and accept the risk. By the time I get to the reset page, it says, “Your password reset link appears to be invalid. Please request a new link below.”

    I suspect the “Deceptive Site Ahead” passthrough is triggering something, but of course I’m not sure.

    The bottom line is, I can’t get into the dashboard now. Any ideas?

    BTW, I have cleared the site (I hope) of all malicious code. I submitted a notification to Google stating as such through the “report a detection problem” link. Apparently, it takes 1-3 days to take effect…

    Thanks!

    ~Graham

Viewing 8 replies - 1 through 8 (of 8 total)
  • Do you have shell access? If yes, you can use WP CLI to create a new administrator user with it.

    If you have access through the Client’s Hosting Control panel, use the File Mgr. feature and rename ‘wp-content/plugins’ dir. to ‘wp-content/plugins1’. That will disable all plugins.

    If still no access then use phpMyAdmin or FTP as per this article:

    Resetting Your Password

    Remember also that you can use phpMyAdmin to change the eMail address of any Admin in the database and do the Forgotten Password again.
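
An added example, not part of the thread or written by any of its participants: one way to carry out the WP-CLI suggestion from the first reply while keeping plugins unloaded, as the second reply advises. It assumes `wp` (WP-CLI) is on the PATH; the install path, login and e-mail address are placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: regain dashboard access from the shell with WP-CLI.
# Assumption: WP_PATH is the WordPress install directory (placeholder default).
WP_PATH="${WP_PATH:-/var/www/html}"

# Run WP-CLI without loading plugins or themes, so a security plugin's
# lockout rules or leftover injected code in a plugin cannot interfere.
wp_safe() {
    wp --path="$WP_PATH" --skip-plugins --skip-themes "$@"
}

# List every administrator so a renamed or unexpected account stands out.
list_admins() {
    wp_safe user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv
}

# Create a fresh administrator account. With no --user_pass given,
# WP-CLI generates a password and prints it once on the terminal.
create_recovery_admin() {
    local login="$1" email="$2"
    if [ -z "$login" ] || [ -z "$email" ]; then
        echo "usage: create_recovery_admin <login> <email>" >&2
        return 2
    fi
    # `wp user get` exits non-zero when the login does not exist yet;
    # refuse to touch an account that is already there.
    if wp_safe user get "$login" --field=ID >/dev/null 2>&1; then
        echo "user '$login' already exists; pick another login" >&2
        return 1
    fi
    wp_safe user create "$login" "$email" --role=administrator
}

# Typical session (placeholder values):
#   list_admins
#   create_recovery_admin rescue-admin you@example.test
```

Because WP-CLI talks to the database directly rather than through the login page, neither the plugin's IP block nor the browser's interstitial warning is involved.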

    Thread Starter gs42

    (@gs42)

    Hi RoseHosting,

    Thanks for the quick response!

    I tried that — first time I’ve ever ventured into SSH — but it wouldn’t let me enter the password.

    What I did instead was upload a backup of the DB through PHPMyAdmin — that reset the login fine. (The site isn’t updated often, so this wasn’t a problem…)

    Thanks again for your help — much appreciated!

    ~Graham

    Thread Starter gs42

    (@gs42)

    Hi Website Rob,

    We must have been replying at the same time. I tried disabling all the plugins exactly as you described (I use an “x” instead of a “1”, but…) and did all the Password Reset things. None of those worked.

    Replacing the DB with a backup solved the problem.

    Thanks for replying — much appreciated!

    ~Graham

    Good to hear problem solved. Now though you should focus on beefing up security to prevent a further hack.

    Thread Starter gs42

    (@gs42)

    That’s the thing Rob — all the sites that were hacked (there were more than just one — that was the worst) have either WordFence or AIOWS plugins. There are indications that it was a server attack, not a pure WordPress attack. I’m still trying to track that all down.

    But yes, security is paramount. I just finished changing passwords, etc. I’ll be monitoring…!

    Thanks,

    ~Graham

    Graham, this is where you smile or cry depending upon the documentation you’ve created. Although I’m sure you have your reasons for thinking it may be a server attack, now is the time to see what security measures and plugins are shared among all the accounts you are responsible for.

    Security plugins are good to have but your .htaccess file is king. That is always the first file to focus on for security. If you go to https://webpagetest.org/ you can see the security rating of the site. It is very accurate and if you click on the Grade Letter, it takes one to another site explaining why that grade was given and what to do to improve it.

    All the best.

    Thread Starter gs42

    (@gs42)

    Ha – I’ve learned to cry and laugh at the same time. I’m certainly no cybersecurity expert, but I’ve dealt with my share of hacks over the years. Very stressful!

    Thanks for the link. I’ll take a look at that!

    ~Graham

  • The topic ‘Invalid Reset Link Due to Deceptive Site Ahead Warning?’ is closed to new replies.