A few days ago I discovered one of my blogs was down. The pages were blank except for an error message. I started looking and I found that a large bit of code had been added to the beginning of the following files:

/index.php
/wp-config.php
/wp-settings.php
/wp-content/index.php
/wp-includes/functions.php
/wp-includes/functions.wp-styles.php
/wp-includes/functions.wp-scripts.php
/wp-includes/query.php
/wp-includes/wp-db.php
/wp-content/themes/###/functions.php
/wp-content/themes/###/index.php

I have searched all over and haven't found much at all about this. I edited out the code and the site seems to be working for now. I have also found out about the same exact thing happening to a few other people's WP blogs. On WP.org's forum someone said it was also happening to OSCommerce sites and now I am suspecting that it is happening to some MyBB scripted forums. (Though I found nothing about the issue on their forum). So, is anyone having problems similar to this with WP, OSC, MyBB or other script?
I have not personally encountered this sort of problem, but adding lines of code into pages is something that some hackers do. The worst kind is when they add things like links and such to your themes and make them blend in - this is what you have to really be careful of because it could hurt you with search engines. To be safe, I would download a fresh copy of WordPress and reupload a fresh wp-admin, wp-includes folder, and fresh root files (except for wp-config.) I would also go into wp-content and reupload any plugins and themes (if they have not been customized because reuploading with the original files will make you lose custom additions.) If you have custom additions just go into the theme folder and go into each file separately and just make sure nothing suspicious is in there.
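An integrity check along the lines of the advice above, as an added example that is not part of the original post: it compares an installed tree against a fresh copy of the same WordPress release and separately flags files that are the clean file with extra bytes in front, the pattern described in the first post. The function names and the sample file contents are constructed for illustration.

```python
import sys
import tempfile
from pathlib import Path

def compare_to_baseline(site_root, clean_root):
    """Compare an installed tree with a fresh copy of the same release.

    Returns a dict of sorted relative paths:
      prepended - installed file is the clean file with extra bytes in front
      modified  - differs from the clean file in some other way
      unknown   - present on the site but absent from the clean copy
    """
    site_root, clean_root = Path(site_root), Path(clean_root)
    report = {"prepended": [], "modified": [], "unknown": []}
    for path in sorted(p for p in site_root.rglob("*") if p.is_file()):
        rel = path.relative_to(site_root)
        clean = clean_root / rel
        if not clean.is_file():
            report["unknown"].append(rel.as_posix())
            continue
        installed, original = path.read_bytes(), clean.read_bytes()
        if installed == original:
            continue
        if len(installed) > len(original) and installed.endswith(original):
            report["prepended"].append(rel.as_posix())
        else:
            report["modified"].append(rel.as_posix())
    return report

def demo():
    """Constructed sample trees (not real WordPress files), one per category."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        original = b"<?php\nrequire 'wp-blog-header.php';\n"
        samples = {  # relative path: (installed bytes, fresh bytes or None)
            "index.php": (b"<?php /* constructed injected block */ ?>" + original, original),
            "wp-settings.php": (b"<?php // settings\n", b"<?php // settings\n"),
            "wp-includes/query.php": (b"<?php // edited\n", b"<?php // query\n"),
            "wp-config.php": (b"<?php // site config\n", None),
        }
        for rel, (installed, fresh) in samples.items():
            for root, data in ((site, installed), (clean, fresh)):
                if data is not None:
                    (root / rel).parent.mkdir(parents=True, exist_ok=True)
                    (root / rel).write_bytes(data)
        return compare_to_baseline(site, clean)

if __name__ == "__main__":
    report = compare_to_baseline(*sys.argv[1:3]) if len(sys.argv) == 3 else demo()
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind}\t{rel}")
```

Files reported as unknown include legitimate site-specific ones such as wp-config.php, custom themes and uploads, so those still need the by-hand review the post describes.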
It would be good to know how the hack was done and what needs to be done to avoid it in the future. Editing files, re-uploading, etc. is fine but then what if it happens again? What amazes me is that I can hardly find a word mentioned about this problem anywhere. I found two discussions in the wordpress.org forum. I couldn't find anything about it here at DP or at a couple other webmaster forums. There isn't even anything mentioned on MyBB's support forum. I know that I am not the only one who has seen this happen. I worked on a MyBB script a bit for a friend and found the same hack there and as I have said before someone in the WP forum said it had also happened to an OSCommerce site - so it isn't limited to WordPress. The purpose of this thread is to get together some info for myself and others who may face this problem.
Well, a few things that you can do to generally improve security are:

- make sure your directories are not visible
- keep WordPress up to date
- take out the version number of WP from your meta
- limit access to certain files and folders like wp-admin by IP

Your particular case is most probably being done through mysql injection hacks and the above security measures should help it. You may also want to check your plugins because they could be opening up holes for hackers as well.
I have had it happen as well. A few weeks ago, one of my blogs mysteriously had some links added in the sidebar, but were hidden, so you didn't know it unless you were editing the file. I sent emails to all of the owners of the sites, and one actually wrote back saying that she had some services performed by someone she contracted from an online forum, and they promised her a whole bunch of back links with their service. She of course did not give up a name, or from which forum (I didn't have the link in my sig anywhere), but I did report it to my hosting company as well as the hosting companies of each site. After I removed the links, I did some of the measures that were suggested above and haven't had a problem since. Just shows how unscrupulous some service providers are, and dealing with the wrong one can land you in hot water, and how desperate and lazy some webmasters are...anything to beat the system instead of actually doing the work. Ever since, any site that I put in my sig, or post up for review, I am constantly looking for signs that they have been screwed with...that's just the way some people operate...unscrupulous.
I think there is a vulnerability or bugs in your blog! Try to back up your database and reinstall it.
Hey guys thanks for the advice on beefing up security - hopefully you'll have better luck in the future, but thanks again for sharing your misfortune.
Interesting discussion. First time hearing about these incidents. I appreciate the heads-up. What is the most optimal way of preventing hackers from accessing your blogs and web sites?
That's not it. With all the updates in WordPress, if you update at every one, your blog is always backed up and reinstalled.
I had this happen to a brand new WP install with only 1 plugin installed - All in one SEO.

Something that a lot of people don't seem to be noticing is that this thing is affecting OSC and MyBB sites too - so how could it be caused by a WP plugin? That just doesn't seem logical to me.
It is not that it is caused by a WP plugin - that was simply a possibility. This sort of thing happens when you have holes in your system whether it is the backend software or your host. MySQL injections are not a rare thing sadly and a lot of people suffer from them. Look at my tips above to improve your hosting security as well.
This has to do with...

WordPress Plugin fMoblog
Plugin Home: http://www.fahlstad.se/wp-plugins/fmoblog/

The plug-in has a security hole, which allows ANYONE to see user names with md5 passwords. All they have to do is crack the md5 and they get access to your blog. If you have this plugin, I'd advise you to remove it.
How much can the coding affect you in terms of SEO? Maybe I'm ignorant to the matter but I was under the assumption that the Engines just indexed content?
Nope, nothing to do with it. What are you talking about?

---------------------------------------

I had two more blogs hit by this hack (one mine and the other a friend's). More info: two of the 3 blogs had the Contact form wp-gbcf plugin, in which files wp-gbcf_focus.js and index.php had the added code. One blog had the Ad Minister plugin, and files ad-minister-functions.php and ad-minister-settings.php were altered.
This can cause a lot of problems for how your site ranks in the SERPs and more so what words it ranks for. Because what the hackers will do is like what "hmansfield" said, they will plant hundreds of links hidden in the blog... And those links are usually of sites like viagra and pharma type shit, and pretty soon your page will start ranking for viagra even if your site is about crocodiles.

I had a friend/client site this kept happening on! The hack would put hundreds of spam type links in the footer of wordpress and phpld sites on his server. We tried a lot of things, changing blog passwords, permissions, updating wp and such, but what finally seemed to help was to change the whole cpanel/ftp passwords. I am still not sure exactly how the hack was doing it and like "kentuckyslone" I would sure like to know. But about 70% thinking the hack somehow got in through the ftp or cpanel. But still not sure?

I know one thing: I would like to chop the hands off the bastards that do this shit. It gets old going through hundreds of files when or if this starts happening.

Boulder