WordPress Sites Hacked

Snooks

Well, it may be coincidental, but in 2 days I've had 4 sites hacked, all on the WP platform.

To the best of my knowledge all were on the latest updates and had a security plugin to ensure correct settings and all of that stuff. Luckily most are mini site / parking pages, but still, it's all time and money.

I don't like WP at all, but given I'm so damn hopeless in coding and struggle with HTML, it's the only thing I can use; otherwise I have to pay the web guys a fortune.

I gotta learn Joomla... it's supposed to be the easiest and not too bad for a site :)

This is the splash page on my sites, this one being www(dot)wii.net(dot)au.
 

Will check it out further, but that link showed the site as being clean :(

It's 8.30pm and I have a 2am start, so off to bed... if I can sleep :(

Damn.
 
Joomla is even worse...

What plugins are you using? Are you using a free theme or a pirated one? They are easily modified to provide backdoors.
 
There was a TimThumb weakness announced a couple of weeks ago that could have been exploited. Many WP themes use this plugin for image cropping/resizing.
 
The same has happened to me and I was advised to use 'WordPress Firewall 2'. So far another twenty reported attempts, each one referring to a gif on the site. The plugin also tells you where the IP address is from, and on one page it had a contact for the host; I sent an email stating to expect legal action... Now I am only being attacked from one other destination. Also, every time you add content, go to Tools and export it to your computer.
 
I can see that you're not running the current version of WP by looking at the admin login.

This person has defaced thousands of websites.. I checked a few randomly and they all were running older versions of WP.
 
Wow!
FirstPageResults certainly has an eye for detail.
I learnt to update WP the hard way. Like Snooks, one of my sites was defaced.
It cost me $10 to get the host to do a roll back.
Then the hard part for me was to update the WP without going live.
It is easy for those who know how.
Firstly I changed the DNS to a parking company's.
Then I got the host to roll the site back to before it was hacked.
Then I changed the hosts file on my PC so that the domain resolved to the host, only for me, not for anyone else.
See http://en.wikipedia.org/wiki/Hosts_(file)
Then I updated WP in the admin panel.
Before updating WP I disabled the plugins and put them back one by one after the update, updating the plugins as well.
Then I changed the DNS back to the host.
And removed the IP I had inserted in the hosts file.
Site is now better than ever.
I might sell a domain name for $10 to recover the cost :)
 
I got hit by the TimThumb thing last week. That was using a premium Woo Theme and I hadn't heard about the issue... on that occasion the site returned 301 errors for all.

My host has just advised via the logs how entry was gained and, in all honesty, it was probably my fault. My user name was Admin; apparently I need to have one name but show a different name, and he has told me how to do this... the logs show repeated attacks and eventually the password was cracked.

Regarding the latest version of WP, I'm sure it was, but I guess it may have been overlooked and I will check this out immediately. :) Thanks for the tip :)
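The host's finding above (repeated login attempts against the Admin account until the password gave way) is the kind of pattern you can pick out of a web server access log yourself. The script below is an added example, not code from the thread or from WordPress: it counts POSTs to wp-login.php per client IP over constructed sample log lines and flags sources that failed repeatedly and then got in. It assumes the default WordPress behaviour that a failed login re-renders the form (200) while a successful one redirects (302).

```python
import re
from collections import defaultdict

# Constructed sample Apache-style access log lines (not from the thread).
# Assumption: a failed wp-login.php POST re-renders the form (HTTP 200),
# a successful one redirects into /wp-admin/ (HTTP 302).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2011:22:01:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Aug/2011:22:01:04 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Aug/2011:22:01:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Aug/2011:22:01:06 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Aug/2011:22:01:07 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Aug/2011:22:01:08 +1000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Aug/2011:22:01:09 +1000] "GET /wp-admin/ HTTP/1.1" 200 12044
198.51.100.7 - - [10/Aug/2011:22:03:11 +1000] "GET /wp-admin/css/login.css?ver=20110121 HTTP/1.1" 200 2210
198.51.100.7 - - [10/Aug/2011:22:03:12 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, timestamp, method, path without query, status) per valid line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, ts, method, path.split("?", 1)[0], int(status)

def login_summary(log_text):
    """Count failed and successful wp-login.php POSTs per client IP."""
    summary = defaultdict(lambda: {"failed": 0, "success": 0, "guessed": False})
    for ip, _ts, method, path, status in parse(log_text):
        if method != "POST" or path != "/wp-login.php":
            continue
        s = summary[ip]
        if status == 200:
            s["failed"] += 1
        elif status == 302:
            s["success"] += 1
            # A success after earlier failures from the same IP is the pattern
            # the host saw in the thread: the password was guessed.
            s["guessed"] = s["guessed"] or s["failed"] > 0
    return dict(summary)

def flag_bruteforce(log_text, threshold=5):
    """Return (ip, failed_count, verdict) for IPs at or above the failure threshold."""
    flagged = []
    for ip, s in login_summary(log_text).items():
        if s["failed"] >= threshold:
            verdict = "password guessed" if s["guessed"] else "brute force in progress"
            flagged.append((ip, s["failed"], verdict))
    return sorted(flagged, key=lambda t: (-t[1], t[0]))
```

Run it over your own access log text instead of SAMPLE_LOG; a source flagged as "password guessed" is the one to check the admin-user login history and roll back from.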
 
By looking at the CSS file in the source, you can see the version number (date) that relates to each major release. Also the layout slightly changed when that update came out ;)

Your site is running:

3.1: 20110121
/wp-admin/css/login.css?ver=20110121

The latest major release is 3.2 (released in July):

3.2: 20110610
/wp-admin/css/login.css?ver=20110610

At least in this case they just defaced your site rather than serving up a hidden iframe with some malware. These sorts of attacks are easily automated, so it's crucial when using open source applications like WordPress, osCommerce etc. to update ASAP.
 
Thanks for the info First Page :) Sadly, as I said, I'm probably guilty of being lazy, because that shows it hasn't been updated. That site is one that I have auto content on and it's just sitting around, as eventually I wanted to sell the name.

But since coming here I've learnt the name probably isn't worth what I thought it would be :( lol. As such I haven't been paying attention to it.
 
That's a lot of overkill doing it that way.

Why not just ask the host to "Roll back" as you mentioned, then update?

No need to go changing dns etc.

Oh ok.
Thanks Johno.
I had been informed that I ran the risk of being auto-hacked the moment the rolled-back site went live with an old version of WP.
I guess I was misinformed and wasted my time isolating plugins, changing DNS and the hosts file before updating.
 