Received Notice from Google that My Site Has Been Hacked
I received an email from Google indicating that my web site may have been hacked. It has. I found umpteen (over 300) bogus posts about ugg boots, etc. It appears that the posts were authored by administrator. How does this happen and what steps should I take to remedy? I have already changed the administrator password and deleted the 300+ spam posts.
Thank you Jan. I will work my way through the links you gave.
My problem still remains the same. I am getting about 25 bogus posts (posting as administrator) every night. These are POSTS not comments. All the pages on my site are displaying correctly. There are no redirects, etc., Just the bogus posts. I have changed the administrator login password and the username and password for the MySQL database. But the posts are still showing up.
I appreciate those who are posting here to help. I have looked at some of the links, and they are verbose and do not address my issue. Does anyone reading this have a suggestion for how bogus administrator posts are still happening, even after the username and password changes I have made? This has to ring a bell for someone.
Thanks for any further help.
It looks like you are back to Jan’s links:
Your site is hacked. You need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/
Additional Resources:
Hardening WordPress
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
You might also ask your host for any thoughts or resources they might have for spotting late-night intruders…
My problem still remains the same. I am getting about 25 bogus posts (posting as administrator) every night. These are POSTS not comments.
That’s pretty clear. Just viewing your cached pages is evidence of hacking/unauthorized posts and a ridiculous number of spam tags.
This has to ring a bell for someone.
I think it probably rings a bell for most of us, chaplaindoug. The problem is, this isn’t a situation where someone is going to be able to say to you; “just go cut the red wire, and the clock will stop ticking.”
Does anyone reading this have a suggestion for how bogus administrator posts are still happening.
I can say with some certainty, that those of us who have tried to point you in the right direction so far, have a long list of ideas about how it could have happened.
Judging by the rest of the domains sitting on your IP address I’m just making a guess that you are probably running your own server instead of relying on shared hosting. If that’s accurate, then server, server application, and server security issues shouldn’t be ruled out. If it’s a managed server (as in you pay someone to do it for you) you should get them involved. Server logs can be a pretty powerful source of information. Has anyone looked at any of your server logs yet?
You’re doing yourself a disservice by dismissing the information (verbose or not) in the resources we’ve already shared with you. A lot of “how could this be happening” issues are discussed here for starters; https://codex.www.ads-software.com/Hardening_WordPress.
Another thought is to completely delete any FTP-access account/s you might have at cPanel and change your cPanel password, then *only* ever use either cPanel’s File Manager or FileZilla and SFTP from now on (like any security-conscious host will allow). Also change your passwords for any e-mail accounts at your server if you have ever used “Post via E-mail”.
Lee:
Thank you for replying. My site is not FTP accessible. The site is updated (as far as the root directories) securely from within our secure network. I have never used “cPanel” and do not know what it is.
Finally, I have never used “Post via E-Mail.” However, where in my self-hosted site would I find if this is set up or functional?
Thanks again if you can answer the above.
P.S. Went a night without spam “administrator” posts after I followed some of the tips given.
1. Changed login password to cryptic.
2. Changed MySQL passwords and username to cryptic.
3. Deleted and rebuilt my plugins folder.
It was after item 3 that they stopped coming in. But not holding my breath. Will continue to monitor and report.
I have never used “Post via E-Mail.” However, where in my self-hosted site would I find if this is set up or functional?
Dashboard > Settings > Writing. I have never used that myself, but my understanding is that it can be a convenient, remote gateway for posting if you have your server mail.mysite.com and port entered there as well as the credentials for an external e-mail account set up for pop.
3. Deleted and rebuilt my plugins folder.
It was after item 3 that they stopped coming in.
You might or might not already have your own version of something like either of these in that folder to block malicious php activity:
# Permissions: 0404
## harden /wp-content/plugins/
# ref: https://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/
# note: Do not use in ~/wp-content if TimThumb or similar scripts are desired.
# note: blocks Plugins Garbage Collector from scanning ~/wp-content/plugins/
## Whitelist all .php requests from /wp-content/plugins/????? (if ever needed)
#SetEnvIf Request_URI "/wp-content/plugins/filefolder/(.*).php$" whitelist
## Whitelist one specific request.php file from /wp-content/plugins/????? (if ever needed)
#SetEnvIf Request_URI "/wp-content/plugins/filefolder/file.php$" whitelist
<FilesMatch "\.(php)$">
Order Deny,Allow
#Allow from env=whitelist
Deny from all
</FilesMatch>

<?php
// index.php
// in -/wp-content/ -/plugins/ -/themes/ -/uploads/
// Permissions: 0404
// exit;
?>
Thanks Lee. I do not have the post by email set up at all. So that was not a vulnerability. But now I know where to find it. Thank you for helping me.
That Chaplain badge and ‘Minister/IT Guy’ could easily get you more attention from me than you can stand!
Lee:
“You might or might not already have your own version of something like either of these in that folder to block malicious php activity:”
Where in the plugins folder would I place these and in what file name?
Just an observation if I may, to try and help keep the focus of your efforts in a positive direction..
A good portion of the code recommended above (or just used as an example, as the case may be) is intended for use in an .htaccess file. Your site is running on Microsoft IIS 7.5 web server, not Apache.
IIS doesn’t take advantage of the .htaccess file extension or Apache directives, so that specific code will effectively do nothing.
Where in the plugins folder would I place these and in what file name?
Like Clayton has mentioned, the .htaccess is of no direct use to you but I posted it while assuming your servers use some kind of version of their own for doing that same kind of denial against any php request.
Not to be confused with the index.php in “root” that triggers WordPress, the smaller file is an index.php (WordPress “Silence Is Golden”) file I have in various places such as at /plugins/index.php that pulls the white curtain whenever an index.php is requested in a place where we simply do not wish to have anyone snooping around even if only just to see what might be there, such as this:
https://www.noname8.net/index.php
CAUGHT MY HACKER TONIGHT! Have a question.
I spent time “cleaning” up our web site trying to remove the “hack” and prevent future hacks. I then monitored the site to see if any more bogus posts came in. NOTHING for two days. Then randomly checking tonight I caught the hacker logged in under another login (one that was set up at the request of my boss to allow a company that wants to take over my job to “evaluate” the web site). Whether this hacker was from that company or was someone who figured out their password (which could have been the case as it was not too complex), I do not know or may never know. HOWEVER, I noticed something that puzzles me:
1. There was a bogus post in edit mode (I saw that it was locked and being edited by the login).
2. It showed that the bogus post was locked by the login in question (it was not the administrative login), but showed the author to be “administrator.”
3. The login in question was only given “editor” role.
4. So how could this person or entity make their post appear to have come from “administrator” rather than themselves???
I see now how an editor can attribute a post to whomever they desire. It looks like this had to be a person logging in and doing this (versus a program or entity) as they would have to take the manual step to attribute the post NOT to themselves but to another user. Am I correct in this analysis? Or is there a way for a program or entity to login and make a post attributed to someone else?
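A defender-side check for the attribution puzzle in the post above, added here as an example; it is not code from the thread or from WordPress itself. WordPress core records, in the wp_postmeta table, the ID of the user who last saved a post from the admin editor (meta key `_edit_last`) and a `timestamp:user_id` lock for whoever currently has it open (meta key `_edit_lock`), while the byline comes from wp_posts.post_author. Comparing the two surfaces posts that show “administrator” as author but were actually saved by a different login. The script assumes the default `wp_` table prefix; the rows it loads into an in-memory SQLite database are constructed for the example and stand in for the real MySQL tables.

```python
import sqlite3

# Constructed sample rows standing in for the WordPress wp_users, wp_posts and
# wp_postmeta tables (default "wp_" prefix assumed). Every value here is made up.
SAMPLE_USERS = [
    (1, "administrator"),
    (2, "evaluator"),  # stands in for the editor-role login described in the thread
]
SAMPLE_POSTS = [
    # ID, post_author, post_title, post_type, post_status
    (10, 1, "Welcome to our site", "post", "publish"),
    (11, 1, "Cheap ugg boots sale", "post", "publish"),
    (12, 1, "More boots", "post", "draft"),
    (13, 2, "Evaluator's own note", "post", "publish"),
    (14, 1, "About us", "page", "publish"),
]
SAMPLE_META = [
    # post_id, meta_key, meta_value
    (10, "_edit_last", "1"),
    (11, "_edit_last", "2"),             # saved by user 2, byline shows user 1
    (12, "_edit_last", "2"),
    (12, "_edit_lock", "1356912000:2"),  # "unix_timestamp:user_id" while open in the editor
    (13, "_edit_last", "2"),
    (14, "_edit_last", "2"),
]


def build_sample_db():
    """Create an in-memory database with the same column names WordPress uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
                               post_title TEXT, post_type TEXT, post_status TEXT);
        CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY AUTOINCREMENT,
                                  post_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)", SAMPLE_POSTS)
    conn.executemany(
        "INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES (?, ?, ?)",
        SAMPLE_META,
    )
    return conn


# Posts and pages whose byline (post_author) differs from the account that last
# saved them in the editor (_edit_last). The CAST form works in MySQL and SQLite.
REATTRIBUTED_SQL = """
SELECT p.ID, p.post_title, p.post_status,
       a.user_login AS shown_author, e.user_login AS last_editor
FROM wp_posts p
JOIN wp_postmeta m ON m.post_id = p.ID AND m.meta_key = '_edit_last'
JOIN wp_users a ON a.ID = p.post_author
JOIN wp_users e ON e.ID = CAST(m.meta_value AS SIGNED INTEGER)
WHERE p.post_type IN ('post', 'page')
  AND CAST(m.meta_value AS SIGNED INTEGER) <> p.post_author
ORDER BY p.ID
"""

LOCK_SQL = """
SELECT p.ID, p.post_title, m.meta_value
FROM wp_posts p
JOIN wp_postmeta m ON m.post_id = p.ID AND m.meta_key = '_edit_lock'
ORDER BY p.ID
"""


def find_reattributed_posts(conn):
    """Return (post_id, title, status, shown_author, last_editor) for each mismatch."""
    return [tuple(row) for row in conn.execute(REATTRIBUTED_SQL)]


def current_edit_locks(conn):
    """Return (post_id, title, editing_login, lock_timestamp) for posts with an edit lock.

    The lock value is "timestamp:user_id"; very old installs wrote the timestamp
    alone, in which case the login is reported as None.
    """
    out = []
    for post_id, title, value in conn.execute(LOCK_SQL):
        ts, _, uid = value.partition(":")
        login = None
        if uid.isdigit():
            row = conn.execute("SELECT user_login FROM wp_users WHERE ID = ?", (int(uid),)).fetchone()
            login = row[0] if row else None
        out.append((post_id, title, login, int(ts) if ts.isdigit() else None))
    return out


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_reattributed_posts(db):
        print("byline/editor mismatch:", row)
    for row in current_edit_locks(db):
        print("currently locked:", row)
```

Run against the live site, the two SELECT statements (with the real table prefix) are what matter; the SQLite wrapper only lets the check be tried offline. A hit tells you which login actually saved a post regardless of the byline it carries. The reverse is not a clean bill of health: a post inserted by a script, through XML-RPC or by writing to the database directly never passes through the editor and so carries no `_edit_last` at all, which is why posts with no `_edit_last` row deserve a look of their own rather than being treated as legitimate.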