• Resolved pattycake22

    (@pattycake22)


    This WordPress site was just hacked – I had Wordfence, Sucuri, and File Change Monitor plugins installed. The admin password to the site was a “generated” password – long, upper, lower, characters, etc. I did not get any unauthorized notification of a successful login on either of the two security plugins. I have completely wiped the site except for zipped files to restore the site once the hack has been revealed.
    I had a backup that was made yesterday so I am able to recover the site but have not yet done so because I need to find out how they were able to get in – they completely erased almost all original content and replaced it with infected files.

    All plugins and themes were up-to-date
    How can I tell how they were able to bypass Wordfence and completely nuke/infect my site?


Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi @pattycake22

    Thanks for reaching out!

    Having multiple security plugins at the same time can actually work against each other with different conflicts and make your site weaker.

    Wordfence protects against a vast variety of web attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are new (commonly referred to as “zero days”) and no one has written a signature for it yet. The same goes for servers.

    Regarding how they gained entry, here are some possible scenarios:

    1. Are there other sites hosted on the same hosting account? If so, they could have been infected and spread the infection to this site
    2. You may be using a plugin or theme with a vulnerability that is so severe that we cannot protect against it
    3. Your wp-config.php file is readable to the hacker, either directly via your account, via a vulnerable plugin or via another hacked site on the same server
    4. The hosting accounts on the server are not properly isolated on the server so the hacker has access to your database via another user’s database
    5. The server software has vulnerabilities that allow the hacker to get root access
    6. You were actually hacked many months ago, but the backdoor was not activated until now
    7. You have a compromised hosting account (Change your password immediately)
    8. You have a compromised FTP/SSH account (Remove any accounts you don’t need and change the passwords on the ones you do)

    As you can see, there are many ways that your site could be compromised. We can only protect you from attacks directly on your website.

    I hope this helps to clarify.

    Thanks,

    Joshua

    Thread Starter pattycake22

    (@pattycake22)

    >Having multiple security plugins at the same time can actually work against each other with different conflicts and make your site weaker.

    I like Sucuri’s alert system better – they notify of both failed and successful logins. The reason Wordfence might not be alerting could be because Sucuri is grabbing them before Wordfence. I’ll disable Sucuri and see if it alerts as well as Sucuri. Thanks for the reply.

    btw: the hack was due to a hacked cpanel access and then using File Manager to upload the malware – not via the site itself so my confidence in Wordfence is again renewed. All cpanel passwords have been changed to those that are generated by the system – no more simple passwords.

    We can consider this post as “solved, resolved, and closed”… until next time

    • This reply was modified 1 year, 8 months ago by pattycake22.
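Added example, not from this thread and not Wordfence's or Sucuri's code: two post-incident checks a site owner can run over SSH that match Joshua's scenario 3 (wp-config.php readable by other accounts on the server) and the cPanel File Manager upload route pattycake22 describes (fresh PHP files under the web root). The WordPress root path, the 60-minute window and the demo tree it builds are assumptions so that it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a POSIX shell with find(1)
# supporting -mmin (GNU and BSD both do).

# Prints "insecure" if wp-config.php is readable by group or others,
# "ok" if only the owner can read it, "missing" if it is not there.
# Argument: path to the WordPress root.
check_wpconfig_perms() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "missing"; return; }
    # -perm -g=r / -perm -o=r match when the group or other read bit is set
    if find "$cfg" \( -perm -g=r -o -perm -o=r \) | grep -q .; then
        echo "insecure"
    else
        echo "ok"
    fi
}

# Lists PHP files under the root whose mtime is within the last N minutes;
# a File Manager upload shows up here even when WordPress logs nothing.
# Arguments: root dir, minutes.
recent_php_files() {
    find "$1" -type f -name '*.php' -mmin "-$2" -print
}

count_recent_php() {
    recent_php_files "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo tree (not a real site): a world-readable config and an
# index.php backdated to 2020, plus one freshly dropped file in uploads/.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads"
    printf '<?php /* constructed config */\n' > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"            # readable by group and others
    printf '<?php /* constructed old file */\n' > "$root/index.php"
    touch -t 202001010000 "$root/wp-config.php" "$root/index.php"
    printf '<?php /* constructed fresh drop */\n' > "$root/wp-content/uploads/x.php"
    echo "$root"
}

demo="$(make_demo_tree)"
echo "wp-config.php permissions: $(check_wpconfig_perms "$demo")"
echo "PHP files changed in the last 60 minutes:"
recent_php_files "$demo" 60
rm -rf "$demo"
```

On a real host, run the two functions against the actual WordPress root and compare the recent-file list with your last known-good deployment or backup.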
  • The topic ‘Site hacked today’ is closed to new replies.