• We hired a developer to create a WP site and obviously the wrong one, I’ll get back to that later. More importantly, when our site was launched last month, we immediately noticed that there were ‘antabuse’ drug links found on a Ryte.com report when we ran a report from the Yoast plugin that the developer installed. We provided the report asap and the developer discounted the problem and told us that the report results were false/ambiguous and we need to disregard the findings & trust them as the experts. Today, the problem has now escalated and we received warnings from GoDaddy that there are ‘viagra’ links associated to our new site. We are hosting with GoDaddy and have had another WP site for almost 7 years with no issues like these. We contacted GoDaddy and put in a ticket to ‘clean’ this malware from our site.

    Anyone have any input and/or what else we must do?
    Thanks in advance for your advice/help.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    Apparently your site was hacked. Assuming it gets cleaned up properly, afterwards go into both WP and your hosting account and change all passwords. Even if you’ve done this before, do it again. Change the salts in wp-config.php to force anyone currently logged in to need to log in again. Which they cannot do if they don’t have the new passwords. You must use good strong passwords. Be sure WP, your theme, and all plugins are all updated to the latest version. You don’t really need to do anything else, but you can implement some of the measures in Hardening WordPress if you like.

    To be fair, getting hacked may not necessarily be the fault of your developer, though it could be. Clearly ignoring the report results was bad advice.

    This topic does not belong in Developing WordPress. I’m moving it to Fixing WordPress. We know that determining the right forum is not always clear, so no worries there.

    Thread Starter ReelKeeper

    (@reelkeeper)

    Thank you for responding @bcworkz and helping with placing us in the correct forum.

    I agree that the site got hacked (it happens) but while it was being built/developed? Then, for us to inform the developer right away (a few days after delivery/launch) and provide the reports that a layman person received by clicking on a simple link in the dashboard on the (Yoast/Ryte) plugin that the developer installed. I’m sure you can understand why we’re so frustrated.

    The hack obviously got worse as the hosting company alerted us today and when I contacted the developer, the developer sent back an email that it’s ONLY a ‘sales pitch’ by the hosting company. If this was a private developer I got off some 3rd party website or freelancer site, I guess it would be more on me but this is a business/developer with a presence on the internet as a WP Developer with a large portfolio.

    We updated the plugins & changed the PW’s (strong) but would you be kind and step me through:

    “Change the salts in wp-config.php to force anyone currently logged in to need to log in again.”

    Thank you very much, in advance.

    Moderator bcworkz

    (@bcworkz)

    Oh sure, it’s very frustrating, I get that. If a site is publicly accessible, it can be hacked. While it is being developed, a site can be more susceptible to hacks because not all security measures may be in place yet.

    It is a common scam for nefarious “security consultants” to falsely claim a security breach and offer to resolve it for a “modest fee”. While GoDaddy might try to push upgrades you don’t really need, I think it’s very unlikely they would flat out claim to have found pharmaceutical malware if it did not actually exist.

    Changing salts might be a bit belts and braces, but better safe than sorry. Especially after the effort to change passwords and get the site cleaned. Download the wp-config.php file from the server using FTP or your hosting account’s file manager. Make a backup copy. Open the downloaded file with a plain text or coding editor (not a word processor!). There will be a comment reading “* Authentication Unique Keys and Salts”. A bit below this is a series of define(); function calls, usually with a bunch of random characters. Replace this block of 8 define() calls with the one randomly generated at https://api.wordpress.org/secret-key/1.1/salt/.

    Save the modified file, then upload back to the server. Now anyone that had remained logged in since the last couple weeks or so will be automatically logged out. The login cookie credentials must in part match some of these salts. Change the salts and the old login cookie instantly becomes invalid.
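
The salt replacement described in the reply above, as an added example that is not part of the original thread: a Python sketch that rewrites the eight define() lines in the text of a downloaded wp-config.php. It assumes each define() sits on a single line and generates the values locally with Python's `secrets` module rather than fetching them from the online generator the reply links to; the function names and the sample config are constructed for illustration.

```python
import re
import secrets
import string

# The eight constants in the "Authentication Unique Keys and Salts" block.
SALT_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Printable characters minus ' and \ so every value is safe inside a
# single-quoted PHP string without escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")

def _define_re(name):
    # Matches define('NAME', '...'); with either quote style; group 2 = value.
    return re.compile(
        r"""define\(\s*['"]%s['"]\s*,\s*(['"])(.*?)\1\s*\);""" % re.escape(name))

def salt_values(config_text):
    """Return {name: value} for the salt constants present in the text."""
    found = {}
    for name in SALT_NAMES:
        m = _define_re(name).search(config_text)
        if m:
            found[name] = m.group(2)
    return found

def rotate_salts(config_text):
    """Replace all eight salts; raise if one is missing so a partial
    rotation is never written back to the server."""
    for name in SALT_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(64))
        line = "define( '%s', '%s' );" % (name, value)
        config_text, count = _define_re(name).subn(
            lambda m: line, config_text, count=1)
        if count != 1:
            raise ValueError("no define() found for " + name)
    return config_text

# Constructed sample standing in for a downloaded wp-config.php.
SAMPLE = ("<?php\ndefine( 'DB_NAME', 'example_db' );\n"
          + "".join("define( '%s', 'old-%d' );\n" % (n, i)
                    for i, n in enumerate(SALT_NAMES)))

if __name__ == "__main__":
    before, after = salt_values(SAMPLE), salt_values(rotate_salts(SAMPLE))
    for name in SALT_NAMES:
        print(name, "changed:", before[name] != after[name])
```

Run it against the backup copy first and diff the result before uploading; only the eight salt lines should differ.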

  • The topic ‘Developer & Malware’ is closed to new replies.