• Resolved gomissmo

    (@gomissmo)


    My site was hacked today (still is) via a mirror. VERY frustrating as I am wholesale/retail and the holidays are my busiest time. I am a TINY business and get less than 100 hits a month on this site. NO clue why I was chosen.

    https://osoandbean.com

    I am waiting, waiting on my web host to help me out here, and their security dept to fix/solve. Any thoughts?

    All I can see is that my site is hacked via frames... will restoring my site fix this?

    Is there anything I can do/add to protect my site better?

    Thanks for any help you can offer!
    -Maureen

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator James Huff

    (@macmanx)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter gomissmo

    (@gomissmo)

    Thanks…that link brought me here. It is very obvious that my site has been mirror/hacked, they not only announced my site was hacked, but posted on their Facebook page (amazing they have a FB page, isn’t it?), the web address of my site as a “hacked”, and the address to the mirror.

    I am thinking this may have had nothing to do with using WordPress at all. And I suspect that only my hosting company can take the measures to prevent in the future.

    Hmmmm…

    Beat me to it! A good plugin I use is this which hides the fact you use WordPress by changing commonly used techniques by hackers etc.

    Works like a charm out of the box! It has cut my spam down by around 80% or so roughly by my measure of things and protected my site a lot more.

    In the words of Homer Simpson anyone can come up with statistics to prove anything Kent, 40% of all people know that lol!

    Anyway check it out and it leaves your WP install as it is so to speak so you can continue as normal however hackers are less aware that your site's WP.

    The plugin can be found here

    Lots of sites get hacked by robots scanning for security flaws as it was. Most WordPress novices leave settings pretty default and this is commonly what they look for. Using something like this would help and save a lot of time instead of adding various plugins in mass amounts.

    Now it won’t be 100% or perfect but would help a lot! I am not affiliated with CodeCanyon or the author just a happy customer of the plugin itself!

    Hope it helps,

    Gaz

    Moderator James Huff

    (@macmanx)

    I’m not sure a ($22) plugin which obfuscates WordPress would really work in this case, these types of attacks generally don’t care what you’re using and have nothing to do with WordPress.

    Definitely bring your hosting provider in on this, they should be able to help. On the short list of things I’d look for, a file called “index.html” (which would supersede WordPress’s index.php in order of load) or additions to your .htaccess file.

    I’ll add my two cents : precisely, speaking about money.

    If Christmas period is your biggest sales moment and your site is no good at the moment;

    – do you have a recent backup
    – can you consider the possibility of moving to a different web host
    – do you know someone competent (as in : really competent, not your cousin who’s good with PCs and stuff), maybe even hire someone for 50-100€ as it’d cost me for a two-hour quick op.

    Questions in random order, not necessarily linked to each other

    Question 2 :
    You may have been hacked because of a poorly protected email account (bad password), you may have lost a text file with your passwords, you may have other websites on your hosting account and it’s one of the others that propagated the infection, or even your web host may suck big time and may have allowed the hosting accounts of others to propagate infection into your home.
    See, that’s a lot of possibilities. If you have a backup, and you can restore it all to another web hosting account at another company (I have a soft spot for hostgator and their responsive live chat support, but I don’t own shares), you’ll have ruled out infections propagated by other websites of yours or other hosting accounts.

    Question 3 : if your hundred of monthly visitors mean LOTS of money (no idea), then hiring a professional would be a really worthy investment, he could hopefully find how the hack took place and give you better advice than any of us.

    Some good suggestions in there to possibly prevent a hack NEXT time, but for this time, do you have a backup? That’s the first place to start it seems.

    Great tips by sabinooo. I would agree with the suggestion that if you have a recent backup and can redirect your domain to a new host, you could just set up your site in a new location (with different passwords of course).

    Thread Starter gomissmo

    (@gomissmo)

    Thanks for all the help. Hostgator had promised to help: that their security group would look at the breach, and restore my web site within 24-72 hours. After a week!!! they did nothing. I had uploaded my own index.html, in the meantime, I restored the older WP web site.

    I think that I will be not only moving to a new host, but replacing the WP site with a NON-WP site.

    It is highly doubtful my password was hacked, as it is not easy to figure out. I guess there might have been a security hole, and/or PHP injection.

    Sadly WP will not be my future site foundation.

    Moderator James Huff

    (@macmanx)

    WordPress really had nothing to do with this hack. Anyone who gains access to a server can replace your index file, which is probably what has been done here.

    It’s the host to blame, not WordPress.

    Not only that, to elaborate on James’ answer.

    A hacker will ALWAYS leave behind some sort of control tower, a file falsely looking innocent and genuine, but allowing to re-take control, re-steal credentials etcetera.

    Reinstall wordpress aaaaaaaaaaall you like, you’ll get hacked again and again if you don’t clean everything up and only restore what you know you can absolutely trust.

    And even now anything can have been the cause of the successful hack.
    A compromised email account (OK, who’ll confess having used short simple words you can find in a dictionary, when you created your first email accounts ? Guilty as charged.)
    A compromised forum account.
    Another website you were also hosting.
    Another website by someone on the same machine or virtual machine as you.
    Or there’s malware on your PC. If you were letting filezilla store your passwords for you, and some malware on your PC automatically copied and transferred the file where this f*cken program stores, in bloody plain text, all your passwords : that’s so easy any script kiddy can do that, it doesn’t require knowing to code a keylogger and stuff. I knew an idiot who made his USB key automatically try to fetch that location when he’d plug that key into a PC, he was finding it funny. Or that was thunderbird and/or firefox as long as you didn’t introduce a master password (a feature filezilla is rejecting stubbornly.), the same goes for Chrome although it’s a bit more tricky to implement.
    Also, your wordpress theme, if you’re using a warez/nulled theme you were asking for it. Speaking about themes, did you remove your old themes that you just installed for testing, even today some websites fall because of a forgotten unpatched timthumb vulnerability.
    The list of entry points could be virtually endless. (And I got hacked through practically all of them over the years, huhu.)

    So, Gomissmo, blaming wordpress may relieve your distress, and it DOES matter, but that’s only giving you a false impression of being in control again, it’s not helping you for real.
    Mark my words : start from a blank state, if that’s important, for a business. New host.
    Newly reinstalled wordpress.
    Only restore (as in : not installed from www.ads-software.com) the very fundamentals. But what about image folders from wp-content/upload ? Ask a program like xnview to batch convert a local (on your hard disk) copy of them all (select their parent folder, control-U, change compression options, go), if there’s a false image (I’ve seen it a number of times, a gif/png/jpg extension and it’s actually php) the program will stop the operation and tell you. And what about your database ? Well, wouldn’t hurt to search for rot-13 and eval( as those strings are only exceptionally rarely legitimately present in a database. Also once you reinstalled everything, check if all the users are legit. Then you gotta restore your theme… as downloaded from www.ads-software.com or your theme vendor of course, not your current theme, or – once again – you are asking for it.
    If you have programs like Beyond Compare, and regular backups of your site’s files, you can use binary comparison on different date backup folders to see if there isn’t a new file appearing without a convincing reason and, while looking at the file’s code, it’s likely this isn’t a wordpress file (bless that CMS with their source code so easily recognizable), wheee congrats you may have found one of the control towers of the hacker, now you may perhaps hope to find in your logs if there’s a mention of the IPs that accessed that file, and if those IPs accessed other files on your hosting with potentially weird stuff in the URL…
    And did we mention changing EVERY PASSWORD YOU USE at some point ? And also scanning your PC with various antiviruses, malwarebytes, spybot, and the worthy Detekt tool ? Yeah, do that.

    Only then you’ll know you’re safe. And that still won’t allow you to blame wordpress.
    But it’s your business, not mine. Still, a business ought to be handled with professionalism, security paranoia and – to be blunt – less groundless accusations.
    Sorry for the long rant, I spent an afternoon on a parent’s broken blog, for unsurprisingly similar reasons -_-
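
Added example (not part of any post in this thread): a Python version of two checks suggested in the replies above, namely the unexpected index.html and .htaccess changes James mentions, and the fake-image and backup-comparison checks from the last post. The function names and the sample backup trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading bytes of genuine GIF, PNG and JPEG files.
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
         ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}

def walk(root):
    """Map each file's path (relative to root) to its bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def fake_images(root):
    """Image-named files with a non-image header or an embedded PHP tag."""
    hits = []
    for rel, data in walk(root).items():
        sigs = MAGIC.get(Path(rel).suffix.lower())
        if sigs and (not data.startswith(sigs) or b"<?php" in data.lower()):
            hits.append(rel)
    return sorted(hits)

def backup_diff(old_root, new_root):
    """Return (added, changed) relative paths between two backup folders."""
    old = {r: hashlib.sha256(d).digest() for r, d in walk(old_root).items()}
    new = {r: hashlib.sha256(d).digest() for r, d in walk(new_root).items()}
    added = sorted(set(new) - set(old))
    changed = sorted(r for r in new if r in old and new[r] != old[r])
    return added, changed

def demo():
    """Run both checks on two small constructed backup trees."""
    files = {  # constructed sample content, not taken from any real site
        "old/index.php": b"<?php require 'wp-blog-header.php';",
        "new/index.php": b"<?php require 'wp-blog-header.php';",
        "old/.htaccess": b"# BEGIN WordPress\n",
        "new/.htaccess": b"# BEGIN WordPress\n# constructed extra line\n",
        "new/index.html": b"<html>constructed placeholder page</html>",
        "old/uploads/logo.png": b"\x89PNG\r\n\x1a\nconstructed",
        "new/uploads/logo.png": b"\x89PNG\r\n\x1a\nconstructed",
        "new/uploads/banner.gif": b"GIF89a<?php /* placeholder */ ?>",
        "new/uploads/photo.jpg": b"<?php /* placeholder */ ?>",
    }
    base = Path(tempfile.mkdtemp())
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return fake_images(base / "new"), backup_diff(base / "old", base / "new")
```

Run it against local copies of the backups, never on the live server; anything in `added` or `changed` that you cannot explain is a file to open and read before restoring.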

  • The topic ‘Hacked: mirrored site’ is closed to new replies.