Resolved: cannon303

    (@cannon303)


    Hi I’m trying to get to the bottom of how someone gained access in order to delete the entire WordPress site files and upload their own website. Luckily I made a back up of everything when I inherited this site. The site is hosted on cPanel but unfortunately there are no logs as to access to cPanel itself and so it is a possibility that someone broke in there and used the file manager to delete the site. The FTP logs show no activity.

    So really I wanted to ask if it is actually possible to delete the whole site files from within WordPress itself either through a vulnerable plugin or even a security flaw from an out of date WordPress version?

    The plug-ins used to construct this site are Elementor, Elementor Pro, Timeline Widget for Elementor, Smush, Safe SVG, Enable Media Replace, GA Google Analytics, UpdraftPlus Backup/Restore. All were about 2 years out of date.

    I know that out of date plugins can present all manner of vulnerabilities such as uploading files etc, but I’ve never heard of a security flaw that allows the complete removal of the existing WordPress website.

    Maybe this is commonplace but I haven’t found anything when searching. Is this something you’ve experienced?

    Thanks

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    “All were about 2 years out of date.” So, yes, it’s not unlikely that you were hacked and bad stuff was done. Before trying to fix anything, be sure to change all passwords associated with the site, including those you use for FTP and hosting control panel access. You should then restore the old, pre-hack site, update everything, and change all WP related passwords, too.

    Thread Starter cannon303

    (@cannon303)

    Thanks Steven and yes, all of that has been undertaken. As forum moderator, have you ever been made aware of any vulnerabilities in WordPress or a plugin that have allowed someone to delete the entire website files?

    Moderator James Huff

    (@macmanx)

    It’s not possible within WordPress to delete all of the WordPress files, so if that happened, it was done by someone with access either to your hosting account or the server itself.

    Thread Starter cannon303

    (@cannon303)

    Thanks James that is what I thought, however, the IT company that looks after the hosting are pointing to the problem being with WordPress and the plugins rather than someone accessing the hosting. I personally can’t see how someone could delete the whole website just through WordPress unless someone can tell me otherwise.

    Moderator James Huff

    (@macmanx)

    I suppose it’s possible that a vulnerability in a plugin maybe did that, we don’t have an encyclopedic knowledge of all plugin vulnerabilities, but even if it was a vulnerability executed by a plugin file, that file would have remained.

    If your hosting provider isn’t willing to provide logs showing what happened, they’re probably trying to hide something, or worse yet not even monitoring, so I’d recommend taking the opportunity to switch hosting providers too. We have some recommendations at https://www.ads-software.com/hosting/

    Ashutosh Sharma

    (@ashutosharma97)

    This could very well be a human error. If the IT company is using the same hosting to host other projects, it is possible that someone deleted your website by mistake, and uploaded a different website in its place.

    Depending on your hosting provider, you may still have server level backups available. Sometimes these are stored under the same cPanel account. You can try to check under (cPanel) File Manager > /home/<username>/.backups or similar named directory.

    Thread Starter cannon303

    (@cannon303)

    Thanks Ashutosh but let’s just say, judging by its content, the website that was uploaded wasn’t the kind of website the IT company would look after. And I have a backup but nice to know that nobody seems to think the activity stems from a vulnerability in WordPress.

    Tuhin Ahmed

    While a single plugin/theme vulnerability may not directly enable deletion of a website, it can pose a significant security risk. Consider the scenario where such a vulnerability grants an attacker full administrator access. This attacker could then:

    1. Install a file manager plugin: This provides a convenient interface for uploading malicious files.
    2. Upload web shells, PHP file manager scripts, or databases: Files like adminer.php grant direct access and control over the website and database.

    Therefore, even seemingly indirect vulnerabilities can be exploited for website deletion. Reviewing the access_log (typically located in /user/home/logs/ on cPanel servers) is crucial to identify such malicious activities. The access log file should be there unless someone deletes it. You have the cPanel login log too under /user/home/.lastlogin to determine any unknown login into your cPanel account.

    Thread Starter cannon303

    (@cannon303)

    Thanks Tuhin unfortunately there was very little information in the logs and last login IP was the IT company. Do you know of any file manager plugins that could delete the website?


    Tuhin Ahmed

    While a file manager plugin itself cannot directly delete the entire file system, it can facilitate the upload of malicious PHP scripts that can perform such actions. For instance, a single PHP script like “Tiny File Manager” can be uploaded through a file manager plugin and subsequently employed to delete website files and upload new content.

    A thorough examination of the access log file is essential for accurately identifying the root cause and scope of any potential security breach. The information in the recent month’s access log holds the key to understanding the nature of the compromise. However, effectively interpreting this data requires a comprehensive understanding of log file analysis techniques and recognizing patterns indicative of malicious activity.
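    Added example, not part of the thread or of any poster's reply: a small Python scan that does the access_log review the two replies above describe, looking for the escalation chain (admin-level plugin upload, a .php file being requested under wp-content/uploads, a standalone tool such as adminer.php or Tiny File Manager being hit) and cross-checking the offending IPs against the cPanel ~/.lastlogin file. The log lines and the .lastlogin content are constructed, the IPs are documentation addresses, and the ~/.lastlogin line format ("IP # date") is an assumption that should be checked against the actual file on the server.

```python
import re
from collections import defaultdict

# Apache common/combined access log line, as cPanel writes per domain under
# ~/logs or ~/access-logs. Only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Indicators of the chain described in the thread: (rule name, required method or None, path regex).
RULES = [
    # admin-level plugin upload through the normal wp-admin endpoint
    ("plugin_upload", "POST", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin\b")),
    ("plugin_install_ui", "GET", re.compile(r"^/wp-admin/plugin-install\.php")),
    # WordPress never places executable code under wp-content/uploads,
    # so any .php request there is worth a look
    ("php_in_uploads", None, re.compile(r"^/wp-content/uploads/.*\.php(\?|$)", re.I)),
    # standalone tools named in the replies (adminer.php, Tiny File Manager)
    ("standalone_tool", None, re.compile(r"/(adminer|tinyfilemanager)\.php(\?|$)", re.I)),
]

def parse_line(line):
    """Return a dict of ip/ts/method/path/status, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def scan_access_log(lines):
    """Apply RULES to every successful request; return one finding per (request, rule) hit."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        # 4xx/5xx are scanner noise here; a 200 on adminer.php means the file really existed
        if rec is None or rec["status"] >= 400:
            continue
        for name, method, pat in RULES:
            if method and rec["method"] != method:
                continue
            if pat.search(rec["path"]):
                findings.append({"ts": rec["ts"], "ip": rec["ip"], "rule": name, "path": rec["path"]})
    return findings

def suspect_ips(findings, min_rules=2):
    """IPs that triggered at least min_rules distinct rules, with the rules they hit (sorted)."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["rule"])
    return {ip: sorted(rules) for ip, rules in by_ip.items() if len(rules) >= min_rules}

def unexpected_lastlogin_ips(text, trusted):
    """Parse ~/.lastlogin and return (ip, date) pairs not in the trusted set.
    Assumed format (one login per line, not verified against every cPanel version):
    203.0.113.7 # 2024-03-14 02:09:55 +0000"""
    hits = []
    for line in text.splitlines():
        ip, _, when = line.strip().partition("#")
        ip = ip.strip()
        if ip and ip not in trusted:
            hits.append((ip, when.strip()))
    return hits

# Constructed sample data: one attacker IP walking the chain, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2024:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [14/Mar/2024:02:11:20 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 51200
203.0.113.7 - - [14/Mar/2024:02:11:45 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1830
203.0.113.7 - - [14/Mar/2024:02:13:02 +0000] "POST /wp-content/uploads/2024/03/tinyfilemanager.php HTTP/1.1" 200 4400
203.0.113.7 - - [14/Mar/2024:02:13:40 +0000] "GET /wp-content/uploads/2024/03/tinyfilemanager.php?p=wp-content HTTP/1.1" 200 3900
198.51.100.20 - - [14/Mar/2024:08:00:00 +0000] "GET /about/ HTTP/1.1" 200 12000
"""

SAMPLE_LASTLOGIN = """\
198.51.100.20 # 2024-03-10 17:42:11 +0000
203.0.113.7 # 2024-03-14 02:09:55 +0000
"""

if __name__ == "__main__":
    findings = scan_access_log(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f["ts"], f["ip"], f["rule"], f["path"])
    print("suspects:", suspect_ips(findings))
    # an IP that appears in both places used cPanel as well as WordPress
    print("unexpected cPanel logins:", unexpected_lastlogin_ips(SAMPLE_LASTLOGIN, {"198.51.100.20"}))
```

    Run it against the real per-domain log with `scan_access_log(open(path).readlines())` and pass the IPs you know belong to you or the IT company as the trusted set. An IP that shows up both in the access_log findings and in ~/.lastlogin is the distinction the thread turns on: the attacker reached cPanel, not only WordPress.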

    Thread Starter cannon303

    (@cannon303)

    Thanks Tuhin. The IT company have closed access to me for their cPanel logs so I cannot see anything now anyway.

    Tuhin Ahmed

    Maybe it’s too much to ask...
    If you don’t have access to the /home/username/logs directory, how do you check the /home/user/.lastlogin file?
    Is your website managed and hosted by an IT company rather than a traditional web hosting provider?

    Thread Starter cannon303

    (@cannon303)

    Hi Tuhin a really big thanks for your question. It has helped me jog my memory. The first time I logged into cPanel I didn’t look at the logs at this time because I was preoccupied with fixing the site. I did however make a note of the IP address in Last Login field in the main area of cPanel. The next time I logged in was to check the logs and there was very little information. The last login field this time was the IT company.

    I just checked out that original IP that I made a note of and it’s based in São Paulo, so I guess that proves someone gained access to cPanel.

    It’s not possible for a vulnerability in WordPress to allow access to cPanel, is it?

    Moderator James Huff

    (@macmanx)

    That’s correct, cPanel is its own locked system.

    There are WordPress plugins that can access files on the server, so a WordPress vulnerability could access the server (depending on some super-specific circumstances), but there’s no way for WordPress to access cPanel, WHM, Plesk, or any other hosting account management panel.

    Hi @cannon303

    While exploiting a WordPress vulnerability to gain cPanel access is statistically improbable, I’m still interested in understanding your cPanel configuration. To clarify, could you confirm if the cPanel login page offers a password reset link? Additionally, is there a file named “/home/username/.contact” present? If so, does it contain your email address?

    The topic ‘Entire WordPress site files deleted’ is closed to new replies.