vtolbert

Thank you so much. I read that you don’t consult. I would be a lot calmer about this work if I had the backup of a consultant. I have emailed 2 I found on the www.ads-software.com list but neither has responded. Do you know of a good consultant who would have time for an unknown amount of work on this job?

I followed your link and found this note toward the bottom:
User Access
By design, all users who are added to your network will have subscriber access to all sites on your network.
Stupid question, I’m sure, but what does that mean?

Kinda weird and confusing!
Thanks.

I think it’s clean. I’ll keep looking and working on that to be sure. I totally replaced the WordPress files. None of the other files had been altered recently. I don’t see anything that has been added.

What I mean by “a password is requested” is when you click that you’ve lost your password and enter your username or email address. You then get an email with a link to reset your password, but that link just leads you back to the page you just left (where you’re to enter your username or email to retrieve your password. Eventually your new password is sent to your address.

Thanks!

Are you talking about this part:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

I wondered about that.

This link (below) says to define a Secret Key. I’m not sure exactly where to put it in the wp-config.php. Any help would be appreciated.
https://ocaoimh.ie/did-your-wordpress-site-get-hacked/

If you’ve been hacked

1. Upgrade to the latest version of WordPress.
2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?

define(‘SECRET_KEY’, ‘1234567890′ );

Thank you so much!

Thanks for all that info!
I will certainly protect the wp-includes folder with an index.

I got info from another source I respect that said the stuff below. I only have 2 plugins active: Akismet and Thesis OpenHook. Openhook is not an image upload program. However, I did try to go to the site for that plugin and developer and get an internal service error. Also tried his email address and got it returned. Anyone heard from Rick Beckman? Doubt it all has anything to do with that, but it is all odd.
—
Based on where the compromised files were, most likely you have an insecure plugin installed in that copy of wordpress (assuming wordpress was at a later 2.8.x version or 2.9.x which should be secure). It’s not likely they got into anything via the password, these types of attacks are always through either vulnerable core versions of wordpress, or more likely, the plugins. Once they find a plugin that allows them to upload their own file to the server, they make that file a php file they they can then access directly to run further commands from so just by getting that one file onto the server, they no longer need wordpress to help them, they can do whatever they want after that using their file. Obviously plugins that involve uploading are typically the culprit, such as image or video posting plugins where the user can upload their own file; typically its a lack of security by the plugin programmer who maybe doesn’t check enough to make sure the file that has been uploaded really is an image and not a php script or something else.

Thanks, Gangleri. Will do.

Talked to the host. He got logged in by changing the password (FTP) and I’m now able to log in too. Neither of us can find the folder and document that is sited in the email warning. Is this a bonafide group that is sending the warning? When I key in part of the address they site I do get a “this is blocked” message.

Thanks!
How do I prevent this in the future?

Uh, don’t know whether to mark this topic resolved or not since Turpin still has some questions.

Thanks so much for the info, henkholland. I had written my most excellent host: https://www.hostasaurus.com, and they made some adjustments for me so that it works fine now. For some reason the uploads are going into the 12/09 folder rather than the 1/10, but they are getting uploaded and displaying fine.

Hope you get your problems resolved turpin!

Thanks again to both.

Thanks! Sorry to be so clueless, but what settings do I change in the dashboard? I made sure my permissions were like yours and have sent a query to my host.