Forum Replies Created

Viewing 15 replies - 271 through 285 (of 314 total)
  • Forum: Fixing WordPress
    In reply to: Malware on Site

    When I try to log into my site to edit in WP, I get a warning that I need to change my password because it was found in a data breach.

    The trick here is to convince you to post your admin password into a form that the attacker probably has access to in order to reset it. Best ignore all of those warnings, and follow the cleanup instructions from t-p, in “this guide”.

    Then comes the hard part, determining how it was in the first place that an attacker was able to add files to your website.

    This is not something anyone here can determine without a lot more information from you.

    Likely suspects are:
    – via a WordPress plugin
    – via a WordPress theme
    – via an attack on your host's webserver

    Less likely suspects:
    – via an error in WordPress core code
    – via malware on your own devices

    Important Points:
    1) Cleaning up your website files and database, whether manually yourself or via a professional service, in and of itself does not necessarily mean you have discovered the means by which the attacker was able to leverage their attack. Therefore your website is still prone to a repeat attack.
    2) No plugin can save your website from being exploited by an attack on your host's webserver. Some security plugins can however detect the addition of non-sanctioned files – and prepended or appended code to your WordPress core files, and remove them, but nevertheless the vulnerability that makes this attack possible remains, and could likely eventually bypass any attempts of plugins to act as antivirus.

    Looks like you are using the Google Apps login plugin?

    • This reply was modified 6 years, 10 months ago by te_taipo.
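The kind of check described in point 2 above (spotting non-sanctioned files and code prepended or appended to core files) can be done by hashing the live site against a freshly downloaded clean copy of the same WordPress version. This is an added example, not part of the original reply and not any plugin's code; the directory names, the ignore lists and the sample files built in `demo()` are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ from a clean download (site-specific content).
IGNORE_PREFIXES = ("wp-content/",)
IGNORE_FILES = ("wp-config.php",)

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Report core files that were modified, added or removed on the live site."""
    clean, live = snapshot(clean_root), snapshot(live_root)

    def skip(rel):
        return rel.startswith(IGNORE_PREFIXES) or rel in IGNORE_FILES

    return {
        "modified": sorted(r for r in clean
                           if r in live and clean[r] != live[r] and not skip(r)),
        "added": sorted(r for r in live if r not in clean and not skip(r)),
        "missing": sorted(r for r in clean if r not in live and not skip(r)),
    }

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        core = {"index.php": "<?php // core index\n",
                "wp-includes/version.php": "<?php // version\n"}
        for root in (clean, live):
            for rel, body in core.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Constructed tampering: code prepended to a core file, plus one extra file.
        (live / "index.php").write_text("<?php /* injected */ ?>" + core["index.php"])
        (live / "wp-includes" / "cache-x.php").write_text("<?php // not in core\n")
        (live / "wp-config.php").write_text("<?php // site config\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    print(demo())
```

A clean report only covers core files; plugins, themes and uploads under `wp-content/` need their own comparison against known-good copies.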

    2. Malware plugin;
    3. Firewall plugin;
    5. Use strong passwords and enable login protection to prevent brute force attacks.

    Malware:
    Most vulnerabilities are *introduced* by adding insecure plugins and/or themes. Be careful what plugins/themes you use. Check security forums to see if they have been reported as insecure, and if so, were they fixed.

    If you want to avoid an attack from a server side exploit, best practice is to use a VPS rather than a shared website environment.

    Very rarely, vulnerabilities are found in WordPress itself, which are usually quickly fixed but nevertheless do occur.

    Firewall
    Few security plugins that offer little real-world defense against faulty coding in themes, plugins and even the core WordPress coding errors – that open your website up for attack. Do your due diligence and don’t just install the most popular security plugins, many of them merely block last year's attack vectors.

    Passwords:
    Use a password manager. You will need the following passwords:
    – FTP
    – MYSQL Database
    – Admin login
    – Editor login

    These should all be different passwords. When you use a password manager this is easy to do.

    • This reply was modified 6 years, 10 months ago by te_taipo.
    Forum: Fixing WordPress
    In reply to: Site being attaked

    A quick look at popcash and it appears to be quite insecure (css issues). FTP into your website and manually delete the plugins that you believe are the cause and any extra files that should not be there. In fact you can just reupload the entire WordPress fileset, overwriting the files on your site, to sort out any issues where WordPress files have had extra malicious code added to them.

    Once your site has been exploited in such a manner, attackers regularly return via automated exploitation mechanisms. So in your case you should look at my plugin Pareto Security. It will prevent re-exploitation.

    Forum: Fixing WordPress
    In reply to: Spam injection

    Kia ora @lunarayven

    Can you please list the themes and plugins you have installed (even if they are not activated)?

    Thanks

    There may be a setting in your web host's control panel that allows you to view logs, else ask them to show you how to do that.

    Yes, if you have not shut the security hole, they usually come right back and reinstall themselves.

    If you can imagine, you have removed/overwritten the damage an attacker was able to cause via some weakness in your website. Removing the damage as you have done, may not have removed the weakness that allowed the attack to take place in the first place.

    Finding the cause of attacks is not easy. It may mean looking back through log files to find the attack itself, therefore giving you the file the attacker used to exploit your site.

    In many cases this is usually a plugin that has a security vulnerability in it, in rare cases it is a security vulnerability in WordPress itself, and in other instances the attack will have been leveraged at the webserver itself rather than at the website code/files.

    Was the script something that was uploaded to your WordPress files? If so you will need to determine how this happened to prevent a repeat.

    This does look like a hosting issue to me.
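The log review suggested in the replies above (looking back through the access log to find the file an attacker used) can be narrowed down with a short triage script. This is an added example, not part of the original replies; it assumes Apache/nginx "combined" log lines in chronological order, the `EXPECTED_POST` baseline is an assumption to tune per site, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log line (format assumed; adjust to your host's logs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# PHP files a stock WordPress site normally receives POSTs on (assumed baseline).
EXPECTED_POST = {"/wp-login.php", "/wp-cron.php", "/wp-comments-post.php", "/xmlrpc.php"}

def triage(lines):
    """Return suspicious PHP paths, most-requested first, with who hit them and when."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "first_seen": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if not path.endswith(".php"):
            continue
        if "/wp-content/uploads/" in path:
            reason = "PHP requested from uploads directory"
        elif (m["method"] == "POST" and path not in EXPECTED_POST
              and not path.startswith("/wp-admin/")):
            reason = "POST to unexpected PHP file"
        else:
            continue
        h = hits[(path, reason)]
        h["count"] += 1
        h["ips"].add(m["ip"])
        h["first_seen"] = h["first_seen"] or m["ts"]
    return sorted(({"path": p, "reason": r, **h} for (p, r), h in hits.items()),
                  key=lambda e: (-e["count"], e["path"]))

# Constructed sample lines (documentation IP ranges), not taken from any real site.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Mar/2019:03:58:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2019:03:59:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:04:11:02 +0000] "POST /index.php HTTP/1.1" 200 18 "-" "python-requests/2.21"
203.0.113.7 - - [12/Mar/2019:04:11:09 +0000] "GET /wp-content/uploads/2019/03/a.php?x=1 HTTP/1.1" 200 64 "-" "python-requests/2.21"
192.0.2.55 - - [12/Mar/2019:06:40:00 +0000] "POST /wp-content/uploads/2019/03/a.php HTTP/1.1" 200 64 "-" "curl/7.58.0"
198.51.100.4 - - [12/Mar/2019:07:02:13 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG.splitlines()), sep="\n")
```

The earliest `first_seen` entry for a flagged path is the place to start reading the surrounding log lines, since the request that created the file usually comes shortly before it.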

    Forum: Fixing WordPress
    In reply to: Injection Attack?

    If the attack is a POST request on the index.php page.

    Once you have cleaned up the site, if you cannot find the attack code being used, then the injected code will most likely be in that file. If not, then it could well be caused by a misconfigured webserver that is allowing directory traversal from another web repository.

    If you cannot find the shell code being used to add files, it may be the case that the actual webserver itself has been attacked.

    The original error is about IPv6. To check that your server was compiled with IPv6 support, load a page up into your site with the following code:
    <?php phpinfo(); ?>

    Load the page and check if *IPv6 Support* is set to “disabled”, if so, that is the cause of the error.

    That’s a new warning that will probably disappear when you re-enable plugins.

    Looks like an IPv6 error. Check with your host to make sure it is enabled/compiled with PHP.
