Unfortunately, one of my clients' websites got hacked, but it is something a bit different from the regular pharma hacks I have seen before, so I thought I'd share it here and see if anyone has any ideas or has faced this before. Basically, the hack redirected the website to a Japanese website through some fake URLs (well, around 1200 URLs) it created on the site. This was done by adding base64 code to the index.php in the root of the site and a password GET to the 404 page code. What was different was that it created a file called amaps.xml and, through the code, replaced the actual sitemap with it, so Google crawled this fake sitemap (which only had the fake URLs), and that is how we saw the hack. Visually there was no difference, but it was redirecting bots to the other website. Another thing was that this guy/girl/bot did not have access to the server and this was all done through the WordPress admin area, which is super annoying because in only one site we had "editor" open in the admin area. Although we deleted and restored everything, the index.php was changed again, and that made me go all out: take the entire thing down, restore to a couple of months back including the whole database, and lose a lot of updates, but kill that SOB. Anyway, it was an interesting encounter and I was curious to know if you guys had any experience like this before.
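A defender-side check for the two artefacts described in this post, added here as an example and not code from anyone in the thread: it flags PHP files that wrap eval() around base64-decoded code or gate on a "password" GET parameter, and it diffs a sitemap against the site's own list of published URLs to surface injected entries. The indicator names, paths, and all sample data are constructed for the example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Indicator patterns (constructed for this example) for what the post describes: eval() of
# base64/gzip-obfuscated code in index.php or the theme's 404 page, and a "password" GET
# parameter used as a gate in front of the injected code.
INDICATORS = {
    "eval_base64": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "get_password_gate": re.compile(r"\$_GET\s*\[\s*['\"]password['\"]\s*\]", re.I),
}

def scan_php(source: str) -> list[str]:
    """Return the names of the indicators found in one PHP file's contents."""
    return [name for name, pat in INDICATORS.items() if pat.search(source)]

def scan_tree(root_dir: str) -> dict[str, list[str]]:
    """Walk a WordPress install and map each flagged .php path to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_php(fh.read())
            if found:
                hits[path] = found
    return hits

def unknown_sitemap_urls(sitemap_xml: str, known_urls: set[str]) -> list[str]:
    """Return <loc> entries not in the site's real list of published URLs.
    The fake sitemap listed only on-site URLs, so a host check is not enough;
    compare against the genuine page list (e.g. exported from WordPress) instead."""
    root = ET.fromstring(sitemap_xml)
    locs = [el.text.strip() for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]
    return [u for u in locs if u not in known_urls]

# Constructed samples: an injected 404.php line, a clean one, and a sitemap with one fake URL.
INJECTED_404 = """<?php get_header();
if (isset($_GET['password'])) { eval(base64_decode('QUJD')); }  // constructed injected line
get_footer();"""
CLEAN_404 = "<?php get_header(); get_template_part('content', 'none'); get_footer();"
KNOWN_URLS = {"https://example.com/", "https://example.com/about/"}
FAKE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/shop/item-4821/</loc></url>
</urlset>"""
```

Run `scan_tree("/path/to/wordpress")` after a clean-up and again a few days later; a file that is flagged again points at the re-infection route (admin credentials or a writable editor) rather than at the file itself.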
Nothing that unusual (except maybe the subtlety used) - what has happened is probably a vulnerable plugin, or a bad password for the admin area. Improve security, demand that passwords are secure, and make sure that all plugins are updated and kept as safe as possible (reduce the number to those absolutely needed). If someone got into your admin area, security was bad. That's the gist of it. Yes, WordPress can be vulnerable, but the latest versions, with proper security set up, aren't much more vulnerable than any other site with an admin area.
Agreed, security was missing and the client had their passwords stolen and never told us anything. The plugin was Akismet, which I love, but well, this should not have happened. What was interesting was the way they crippled the search results of the website with the sitemap; still, Google, Yahoo, Bing and even Yandex are crawling the old links and eating up bandwidth.
Plugins are really iffy sometimes because they open your site up to additional attack vectors. One of my sites got hacked by some sort of ISIS (or whatever) group-related site. That's pretty smart though, what that person did. Not sure if Google can detect cloaking?
Yes, we did encounter similar things. Once you are hacked you need to clean everything, because the first rule of hackers is to create backdoors. Backdoors can be inside files, hidden, or in the database. So you need to check everything, and if the site is big this is an extremely hard job to do.
Yeah, the first eval was in a 404 page, which was blissfully convenient to access. Found out something else: xmlrpc.php is also a good gateway once they have access to the site. Personally I did not know much about it (I'm not a developer), but apparently that was also another point of entry to manually add code into posts and pages.
There are plenty of plugins that are uploaded by hackers and no one checks them for security issues. The best way is to rename wp-login.php and rename it when you want to log in. mod_security with Comodo rules can help in this case.
Funny you mention that, I was using the iThemes Security plugin, quite a good one in this case. Changed all the login pages and suddenly the attempts changed to 404 pages. It is funny to see the failed attempts, but there are quite a few. In this case he/she/it is still hitting the pages about 110 times a day. I suspect a bot.
Plenty of people are scanning for older versions of WordPress. https://github.com/sparklemotion/mechanize is a good tool to start building your own automated scanner.
Not easy to clean up a site at all. Good thing you had backups to fall back on. There are numerous entry points for injecting exploit code, including xmlrpc.php and wp-login.php, so protection on your website needs to be automated as much as possible. Have you got a web application firewall or any other kind of security service in place? You can still see how attacks are being attempted against your site, except that all these attempts are being blocked. That's my favorite part.
Thanks, yeah, I now have Sucuri on all websites, or iThemes Security on most of the WordPress ones. Very helpful, and it shows the points of attack as well as vulnerabilities, which helps tremendously. I liked it when I changed the login page and it suddenly changed from failed logins to 404 attempts; that was satisfying.
I've also experienced this hack. In January I removed code insertions from PHP files, and now a sitemaps.xml file has shown up with 8000 redirects and a Google Search Console verification file (which made an account for Google Search Console and submitted a sitemap). I have removed that. Have you noticed any changes in your database? Mine looks OK, but I don't want any further surprise. I have installed iThemes Security as well as All In One WP Security and Antivirus. But if there is something left in my files I could still have problems.