• Resolved HopefulGJL

    (@hopefulgjl)


    Hello,

    I have not been on my site very much because of having a lot of other things to do. I did, however, notice on Google Analytics that I had a sudden unexpected spike in visitors to my site earlier this month. So today I logged in to my site, and happened to glance at my users page. There was an unidentified user and email address present. My passwords were fairly complex, but I have since deleted all users except for two I know I created and changed both of those passwords to even stronger passwords.

    Does this mean that someone hacked me?

    If so, how can I tell if they’ve done anything?
    When I review all the posts and pages, the last edited dates do not show anything recent (as expected). I haven’t looked at all of the pages on the site itself, but the edit dates, I would assume, indicate that those aspects of the site have not been altered in any way?

    Is there any way to know when that unidentified user added itself? I have no idea how long that has been there, and it would be really good to know.

    I did a little bit of looking around on this site, and found this article:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    I haven’t read everything there, but there was a section which directed me to here:
    https://codex.www.ads-software.com/Editing_wp-config.php#Security_Keys

    Do I need to change the keys? If so, how, as I don’t have a config.php page?

    Or, is it best I have my hosting company erase everything and then restore my back-up? As far as I can tell, my current back-up was made after I last modified any pages or posts.
    Will that for sure invalidate their access, assuming they weren’t there then? (I go back to my earlier question of whether or not it’s possible to know how long they’ve been there.)

    Is there any way to delete the “admin” user and have a username that I create be the primary admin? Or, is that still not possible?

    I really don’t know much about this sort of thing, so any detailed information would be greatly appreciated. Thanks in advance!

Viewing 7 replies - 1 through 7 (of 7 total)
  • If you have unidentified admin users in your WordPress it’s very likely you’ve been hacked. Unfortunately it’s quite difficult to restore a hacked site. I’d do the following:

    1. add a new user with Administrator privileges e.g. hopefulglj

    2. delete your old admin user account. WordPress will ask you who you want to attribute admin’s posts to. Select the user you created in Step 1

    3. Install a brand new theme and activate it temporarily.

    4. Delete your themes and plugins to ensure that any hacked files are also deleted.

    5. Reinstall your theme and any plugins you may need

    6. Install and run the Exploit Scanner plugin

    If you need professional help, consider [moderated – no advertising please] Good luck

    Thread Starter HopefulGJL

    (@hopefulgjl)

    Thank you very kindly for your information.

    Would having my hosting company delete everything and then restore everything from a back-up prior to that user being there be sufficient?

    The file with the keys is wp-config.php and it can be edited with an FTP client or using your host-provided file manager… If you provide a site link, it can be scanned at Sucuri… Also, what role did this new user have?

    Don’t allow subscribers to have any role above ‘subscriber‘ unless you personally know them and fully trust them.

    And, unless it is pertinent to your site, don’t even allow subscribers. Just uncheck anyone can register at Membership in general settings.

    And last, make sure your email is checked, you should get an email at the email address assigned to the admin on a new user.
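The thread asks when the unidentified user was added, what role it had, and whether a backup restore removes it. The script below is an added example, not part of any reply in the thread. It audits an export of the users table for those three points. The default `wp_` table prefix, the sample rows, the list of known logins and the backup date are all constructed assumptions.

```python
import csv, io, re
from datetime import datetime

# Constructed sample: CSV export of this query (default "wp_" table prefix assumed):
#   SELECT u.user_login, u.user_email, u.user_registered, m.meta_value AS capabilities
#   FROM wp_users u JOIN wp_usermeta m
#     ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities';
SAMPLE_EXPORT = '''user_login,user_email,user_registered,capabilities
admin,owner@example.com,2012-03-01 10:15:00,"a:1:{s:13:""administrator"";b:1;}"
hopefulgjl,owner@example.com,2012-03-02 09:00:00,"a:1:{s:6:""editor"";b:1;}"
unknown1,someone@example.net,2013-05-04 02:11:37,"a:1:{s:13:""administrator"";b:1;}"
reader7,reader@example.org,2013-05-20 18:40:12,"a:1:{s:10:""subscriber"";b:1;}"
'''

# WordPress stores roles as a PHP-serialized array: keys are role names, b:1 means granted.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def audit_users(export_text, known_logins, backup_time):
    """Return accounts the owner does not recognise, oldest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["user_login"] in known_logins:
            continue
        # user_registered is stored in UTC
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        roles = ROLE_RE.findall(row["capabilities"])
        findings.append({
            "login": row["user_login"],
            "registered_utc": registered,
            "roles": roles,
            "is_admin": "administrator" in roles,
            # An account older than the backup comes back when the backup is restored.
            "in_backup": registered <= backup_time,
        })
    return sorted(findings, key=lambda f: f["registered_utc"])

if __name__ == "__main__":
    backup = datetime(2013, 1, 15)  # constructed backup date
    for f in audit_users(SAMPLE_EXPORT, {"admin", "hopefulgjl"}, backup):
        print(f["login"], f["registered_utc"], ",".join(f["roles"]),
              "ADMIN" if f["is_admin"] else "-",
              "present in backup" if f["in_backup"] else "created after backup")
```

Anyone with database write access can change `user_registered`, so treat the date as a lead to check against server access logs, not as proof.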

    HopefulGJL yes it may work to restore everything to an earlier backup but you should also take steps to sort out the cause of the problem and secure your site (don’t use admin username, secure your wp-config.php file, etc).

    Again if you need help, my company will take care of these things for you. https://clickwp.com/wordpress-support

    Note to mods: I’m just giving HopefulGJL a professional alternative, and I’m disclosing that it’s my own company. I see others recommending Sucuri, what’s the difference with that?

    Thread Starter HopefulGJL

    (@hopefulgjl)

    Thank you both very, very much.

    My hosting company scanned my site for me at no charge and didn’t find anything malicious. I did have them delete everything and then restore it all from my backup (which was also no cost) just to be on the safe side. It has gone back to long before (months before) that unidentified user was present.

    I also did uncheck ‘anyone can subscribe’ as suggested, and every new user is, by default, at the subscriber level.

    The only piece of this I do not have resolved is how to delete the admin account. There is no option to delete that currently. Since that is sort of a separate topic, I will start a new thread if I do not find the answer through searches first.

    Thank you both so much for your valuable information.

    @blogjunkie

    Note to mods: I’m just giving HopefulGJL a professional alternative, and I’m disclosing that it’s my own company. I see others recommending Sucuri, what’s the difference with that?

    Ahhhh, the Sucuri scan is free and trolling for business here is a conflict of interest. If you can’t understand that I can recommend a couple of books on ethics.

    Just an FYI that Sucuri is listed in the Codex (at bottom under Other Resources).

  • The topic ‘I think I was hacked?’ is closed to new replies.