WordPress hacked? Redirect on wp-admin

Carefully follow this guide.

When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

• This reply was modified 6 years, 4 months ago by t-p.

Hi,

thanks for the quick first reply. I followed all steps, but no result. All scanners don‘t report a problem. All files look fine from the first ?scan“.

Does someone knows this concrete hack and how to fix it?

Thanks and best,
David

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

Thanks for the reply.
As this is a hobby project I can‘t affort any of this sides. So any help from the community is appreciated. Thanks!

Additional Resources:
– https://ottopress.com/2009/hacked-wordpress-backdoors/
– https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/
-https://www.wpbeginner.com/plugins/how-to-scan-your-wordpress-site-for-potentially-malicious-code/
– Hardening WordPress
– https://sitecheck.sucuri.net/scanner/
– https://www.unmaskparasites.com/
– Try Wordfwnce plugin. It comes with a malware scanner, exploit detection, and threat assessment features. You will be alerted if any signs of a security breach are detected with the instructions to fix them.
– Here is an online scanne: https://sitecheck.sucuri.net/scanner/.
– Also, Scan for “some string” using https://www.ads-software.com/plugins/string-locator/

Fixed it.
The attacker was able to change the setting for registration of new users back to ?on“ with the change that new users are created as admin.

Luckily he just changed the site url which was fixable via database.

But looks like a huge backdoor somewhere in WordPress, huh? Why is there even a setting to create new users as admin? Isn‘t that a security problem for itself?

Thanks and best,
David

Glad u got it sorted:)

There was a security issue a few days ago in the WP GPDR plugin, allowing someone introducing a new user (admin level) in your site. You should have had an email from your site telling you so.

rollback from a previous backup, login and download the latest plugin updates.

Installing the ninja firewall will help preventing a hack again, since wordfence did NOT prevent this hack from happening…

Hi whocares,

thanks for your input. I reseached on that as well – and I‘m pretty sure that was the reason. After updating the plugin everything seems fine.

Still wondering why WordPress allows registration as Admin. Seems like a huge security problem.

Thanks and best,
David

Have a customer that doesn’t have the WP GPDR plugin, yet the same site url hack has been done and can’t yet find the cause.

My security check that identified the hack was from Easy WP SMTP plugin

Here is a report in case it helps anyone else
https://wpvulndb.com/vulnerabilities/9237