• Resolved CliveO

    (@cliveo)


    I am using version 3.9.9 but that wasn’t in the list.

    The problem I have involves SQL injection I think. I keep getting pages created on my site, viagra, UK betting, London Hotels…the usual spammy stuff. I checked logins and there were no unauthorised logins which led me to believe they accessed the site directly through the database. I checked in phpmyadmin and they used the admin ID 0 which doesn’t exist as a user. I gave the database a random prefix as most people advise when I installed the site.

    I am blacklisting IPs that have multiple failed logins, my security strength meter reads 380 so I am covering almost all my bases yet they still get in to leave these pages…Any ideas?

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you have any of the Brute Force features enabled? What Firewall features have you enabled? Do you have any other security plugin installed?

    Are you running WordPress 3.9.8?

    Are all your plugins and theme up to date?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    They could be getting in any number of ways.
    For example maybe you installed a theme or plugin which was infected.

    Thread Starter CliveO

    (@cliveo)

    Theme bought from Themeforest and all plugins from here (www.ads-software.com)

    As far as Brute Force, I have login page renamed (10/10), I have login Captcha enabled (20/20) and Honeypot enabled (10/10). I have no other security plugin installed but it is weird, I have other WordPress sites and they have never been hacked, this is the only one with security on and it seems to be a magnet for attacks. I know it’s probably just coincidence but still very weird. Where can I get information on “user agents” for blacklisting? If I could block anything that wasn’t a browser or a search bot it might just plug any remaining holes in the security.

    I checked the error log and found this:
    doesn’t exist for query SHOW FULL COLUMNS FROM em_core_log_884 made by shutdown_action_hook, do_action(‘shutdown’), call_user_func_array, wp_ob_end_flush_all, ob_end_flush, xcalendarBufferEnd, xcalendar->bufferEnd, xcalendar->writeLog.

    I know “flush all” can’t be good and I am sure a “do action shutdown” ain’t a good thing. Can you tell me what this is trying to do?

    Like I say, most things in AIOWPS are set to max and still they come, there are no failed logins so they are not coming through the front door but looking at the error log their attacks are relentless.

    Thread Starter CliveO

    (@cliveo)

    Oh and I am running WordPress 4.1.7 and all plugins are up to date other than the ones that came with the theme (slider, contact forms and page builder plugins) these are always difficult to update since they came with the theme. A separate license would be good but then you end up paying for everything twice. The theme was only bought and installed less than a month ago so not sure how they get to be out of date so quick.

    Thread Starter CliveO

    (@cliveo)

    Here is the problem with upgrading too soon in a nutshell:

    Contact Form 7
    You have version 4.2 installed. Update to 4.2.2. View version 4.2.2 details.
    Compatibility with WordPress 4.1.7: 100% (according to its author)
    Compatibility with WordPress 4.3: 60% (6 “works” votes out of 10 total)

    So I can either update WordPress or Contact Form 7 if I want them both to work…I can’t have both. I updated Contact Form 7 to the latest version on another site I run and it didn’t work at all, so I had to roll the entire site back.

    Thread Starter CliveO

    (@cliveo)

    Most plugins seem to stop access for the admin area of WordPress with blacklisting etc but what if hacks are coming straight in to the SQL database? Is there any way to stop this? Is there a plugin that stops hacking at database level?

    Currently I have set the SQL database so that it cannot be edited by anyone, completely blocking all but viewing the site and when we want to edit the site I simply turn it back on while we edit and off again when it has been done. Although this has stopped the site getting hacked it is by no means an ideal solution. It would be good to have a plugin that allows completely blocking the database from being edited from within the WP admin area.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you use Sucuri to check your website. Your site might be compromised or already hacked.

    Thread Starter CliveO

    (@cliveo)

    I installed the plugin for Sucuri when I first discovered the hack. It found nothing, no malware. I have just done a scan with the plugin and another external scan from the Sucuri website…both came up with “Site Clean”!?

    I’m stumped! All I can think is that it is injected into DB but I thought security plugins like AIOWPS stopped that.

    I searched Google for the exact text they put on my site (1 sentence exact match) and it is unique, it appears nowhere else on the internet so I can only assume it’s not a random attack, it was specifically aimed at our site. But how do they post without using an assigned WP user? Pages were posted by user 0 which I set to “Subscriber” after it happened the first time.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, have you spoken to your host about this issue?

    Thread Starter CliveO

    (@cliveo)

    Yes, they suggested restoring from a backup but as I explained to them the backups get overwritten by new ones (backed up 3 times a week) and as we don’t know when this first got attacked (first noticed 10 Aug but it could have been earlier as the hacker’s posts weren’t visible in the admin, it was only when I was in phpmyadmin that I noticed them so it is more than likely that the issue I have now will also happen with the back ups if the.

    Incidentally how do you add a post to a WP site without it showing up in the admin area? This may be a clue as to how they are managing to post.
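Added example, not part of the thread and not code from the plugin: a read-only check for the rows described above, i.e. posts whose `post_author` (such as 0) has no matching row in the users table, plus posts carrying a status WordPress core does not register. It runs against an in-memory SQLite stand-in for the MySQL schema; the prefix `x7q_`, the user and the post rows are constructed sample data, and treating a non-core status as a lead is an assumption.

```python
import re
import sqlite3

# Post statuses registered by WordPress core; plugins may register more,
# so anything else is a lead to review, not proof of tampering.
CORE_STATUSES = ("publish", "future", "draft", "pending",
                 "private", "trash", "auto-draft", "inherit")

def find_suspect_posts(conn, prefix):
    """Return (ID, post_author, post_status, post_type, reasons) per suspect row."""
    # Table names cannot be bound as parameters, so validate the prefix strictly.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected characters in table prefix")
    marks = ",".join("?" * len(CORE_STATUSES))
    sql = (
        "SELECT p.ID, p.post_author, p.post_status, p.post_type, u.ID IS NULL "
        f"FROM {prefix}posts p LEFT JOIN {prefix}users u ON u.ID = p.post_author "
        f"WHERE u.ID IS NULL OR p.post_status NOT IN ({marks}) ORDER BY p.ID"
    )
    out = []
    for pid, author, status, ptype, orphan in conn.execute(sql, CORE_STATUSES):
        reasons = []
        if orphan:
            reasons.append("author has no users row")
        if status not in CORE_STATUSES:
            reasons.append("non-core post_status")
        out.append((pid, author, status, ptype, reasons))
    return out

def build_sample_db(prefix="x7q_"):
    """Constructed sample data: a random-prefix install with two planted rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
            post_status TEXT, post_type TEXT, post_title TEXT);
        INSERT INTO {prefix}users VALUES (1, 'siteadmin');
        INSERT INTO {prefix}posts VALUES
            (10, 1, 'publish', 'page', 'About us'),
            (11, 0, 'publish', 'page', 'constructed spam page'),
            (12, 1, 'inherit', 'revision', 'About us'),
            (13, 0, 'hidden', 'page', 'constructed spam page 2');
    """)
    return conn

if __name__ == "__main__":
    for row in find_suspect_posts(build_sample_db(), "x7q_"):
        print(row)
```

Code that inserts posts while no user is logged in also leaves `post_author` at 0, so each hit needs reviewing against the plugins and theme in use before it is treated as injected content.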

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, what your host has suggested might be your best option. However, as you mention, you don’t know when this problem occurred. You will have to make a decision and maybe bite the bullet, so to speak.

    The other option you might carry out is to reinstall the current WordPress version either automatically or manually via FTP. That might fix any corrupted files if there are any.

    Just my humble opinion.

    Regards

    Thread Starter CliveO

    (@cliveo)

    At the moment I have the database completely locked down and it only gets unlocked for us to edit the site and then locked down again afterwards. I think the best thing is to keep it like that until we can investigate further.

    It occurs to me that if the developers of AIOWPS wanted to improve the product they could take a clone of sites like ours and dissect it to discover how hackers might be circumventing their security measures.

    On the next iteration of AIOWPS it might be good if it could monitor and log any changes to the core WP files, the ones that wouldn’t ordinarily get changed, the ones that don’t get overwritten when WP is updated. This seems the most likely place for hackers to hide code. Failing that, what about a button that makes the database uneditable from within the Admin area rather than having to go in to cpanel? Just a thought.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @cliveo is your issue now resolved? Do you have the latest version installed?

    Thread Starter CliveO

    (@cliveo)

    It is kind of resolved. I have uninstalled All in one WP Security and I keep the database locked permanently, only unlocking it to make edits. The site hasn’t had any more unauthorised content but that’s not to say they aren’t still trying.

    It’s not an ideal solution but it works. A good update for me would be if there was a way to lock the database from within the WP dashboard, that way I wouldn’t have to keep doing it through cpanel…not sure if that is even possible.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    That sounds like it is kind of resolved and it is working for you.

    Since you no longer use our plugin, I am marking this support thread as resolved.

    Thank you

  • The topic ‘SQL Injection – hacker created pages’ is closed to new replies.