WP Was Reset and My Whole Database Was Scrubbed

  • I have been working on a new install of my client’s website in a subdirectory /newsite. We’ve spent the past few months customizing a premium theme and uploading content.

    I was waiting on more content when I received an email from my client asking why the new site was gone. After checking, I found that /newsite was nothing more than a new install of WP with the 2015 theme and all of my content was gone.

    I discovered an email that just looked like the other notifications of updates which said the site had been reset (see text pasted below). I did not request this. Why/how did www.ads-software.com reset my site? What is going on? And if I just start anew will this happen again?

    And in answer to a logical question: no, I didn’t back up the database. I will be starting all over (lesson painfully learned).

    Your WordPress site has been successfully reset, and can be accessed at:

    https://matanda.com/newsite

    You can log in to the administrator account with the following information:

    Username: admin
    Password: previously specified password
    Log in here: https://matanda.com/newsite/wp-login.php

    We hope you enjoy your new site. Thanks!

    –The WordPress Team

    Home

Viewing 11 replies - 1 through 11 (of 11 total)

  • Did the client do it by mistake and not telling you?

    Any sign that the site might have been hacked?

    You contact your web host and ask them for a backup, unless your the web host and you need to start making daily/weekly/monthly backups.

    Thread Starter suitsjen

    (@suitsjen)

    HostPuma: Thanks for your response.

    I can’t imagine how the client could have done it. He never accesses through his cPanel or messes with ftp or files other than through the WP admin panel. Is there even a way to “reset” the install of WP from the admin panel?

    How would I know if the site had been hacked? Can you refer me to an post, or person who could help me check that out?

    Host company is not helpful and doesn’t keep any backups.

    As for me doing backups – I know. Lesson learned. This is pretty painful. There was a lot of work in this site.

    Jason King

    (@jasoncharlesstuartking)

    I googled “Your WordPress site has been successfully reset, and can be accessed at:” and found https://searchcode.com/codesearch/view/50025341/

    Looks like this plugin – WordPress Reset – has been used to delete the website? It contains those exact words.

    See https://www.ads-software.com/plugins/wordpress-reset/

    Of course, someone with admin permissions would have had to install and run it. Why? Is it possible that someone (client) was tinkering and misunderstood what “reset” meant? Seems unlikely.

    See if you can get hold of the PHP log for the website to see when this happened and maybe get a few clues.

    Thread Starter suitsjen

    (@suitsjen)

    Thanks for the info Jason AND for the process of how you found it. Very helpful. My client wouldn’t have done it, but I did hire a developer to install WP and the theme in that directory. I can’t imagine he’d be so malicious. Yeesh. I’ll see if I can see the PHP log.

    Jason King

    (@jasoncharlesstuartking)

    Ouch. Please post back here, I want to know who dunnit.

    There could be a legitimate reason for installing it… can’t think of one though. You paid your developer didn’t you?!

    If you’d set up Google Analytics or anything else third party that tracks visits, see if you can get data from them. What was the last visit? Can you figure out the IP number or the region of the last visitor to that site?

    Thread Starter suitsjen

    (@suitsjen)

    Just got this from the hosting company:

    Checking the cPanel access logs shows that there was one cPanel access between the 26th of June and the 10th of August. The server logs contain no FTP information for the dates you specified, none at all on the server for that matter.

    I note that Softaculous has one installation recorded, but automatic backup was not used.

    Which MySql Database is your newsite configured to use?

    Apparently, there are 4 databases, and I assume one is for the original site, but is there a reason there would be 3 others? I have no idea which is which. I’m out of my area here.

    I hired a developer to create a new install of WP and theme in a subdirectory so I could work on it. He didn’t work out, but he was paid in full (extra, in fact). I really don’t like to jump to conclusions, but …

    Thread Starter suitsjen

    (@suitsjen)

    Another bit of evidence. The email (pasted in initial post above) that confirmed the reset was sent at Wed, Aug 5, 2015 at 4:42 AM. I was not awake that late on that night.

    Jason King

    (@jasoncharlesstuartking)

    The FTP log probably wouldn’t show anything if the plugin was uploaded via the admin dashboard.

    But what about the PHP log? That’s more likely to give clues. You might be able to access it via cPanel or via FTP.

    Web stats? Might record ip numbers.

    Four databases? Login to cPanel and use phpMyAdmin to see what’s in each of them.

    Jason King

    (@jasoncharlesstuartking)

    What timezone is your developer in?

    Thread Starter suitsjen

    (@suitsjen)

    Thanks so much for the direction on this, Jason. I’ll go see what I can find.

    The developer is in the Central time zone. My client and I are also in the Central time zone. I hired him on Elance. He has done a few minor jobs for me. One other had a strange problem, a similar situation on a, but I didn’t lose much there so I didn’t look at it as closely.

    Contact the developer and ask him if he has a backup for the website.

    Good developers never touch a website before creating a backup for it and I know it might sound off, but start looking for a new hosting provider that does offer backups.

    The damage is done, so its down to getting a backup or you have to add the content manually from scratch.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘WP Was Reset and My Whole Database Was Scrubbed’ is closed to new replies.