Bastards hacked my WP site
- 24 Responses
- Vinney2
How on earth do I get rid of the weird "payday loan" link on the top right of my site?
I've updated and changed my WP password and now I am stuck with this balls.
http://www.adobetrainingtoronto.…
Anyone?
- prophetone0
you likely have a header.php file in your theme somewhere... look for:
<a href="http://danielleamatuch.com/?www-payday-loans-with-saving-account">www payday loans with saving account</a>
and remove it.
- slappy0
You can always download all your site files and then just run a sitewide search for "payday" using something like dreamweaver or similar.
- prophetone0
also ensure you are running the latest WP v4.1
- Vinney20
Not in the header.php, but thanks for the suggestion anyway - worth a go.
How do I download my site files?
- scarabin0
locate "mach_kernel" on your hard drive and delete it
- dbloc0
how did you upload the site, or is it wordpress.com?
- ukit20
There might be a script that injects the HTML. Check the index.php file.
If that doesn't work, try reuploading the theme (assuming you have a backup). And if that doesn't work, reinstall WordPress.
- prophetone0
it's gotta be a common header.php or nav.php type file in your theme . . . or a tainted nav plugin
- not at all - many other ways this could happen. (fadein11)
- well yeah, but is start (prophetone)
- prophetone0
find your theme folder via ftp, d/l that motha shut yo mouth, so you have a folder on your desktop with all theme php files in therr, then, scan em with text search app and search for offending keywords i.e: payday.
open offending php files in a text editor, remove code above, and overwrite corresponding live php file(s). check to make sure that site hasn't melted.
- sem0
It could be a "dodgy" plugin you installed. Sometimes "free" plugins come with horrible little extras that you don't want and keep coming back until you remove said plugin.
- detritus0
flush the database.
If they've injected some SQL nastiness in there, it doesn't matter how many times you clean the front-end code, your own database will inject it straight back again whenever it can.
- if it's not a big site with oodles of content, just export it all and eyeball it in a text editor, look out for dense code. (detritus)
- the ..er.. database, that is, obv. (detritus)
- usually, there is a "back door user" left in the db. (renderedred)
- or just revert to a backup lol - 1 minute - problem gone. (fadein11)
- fadein110
revert to backup - nearly all hosts take a daily/weekly/monthly backup - quickest fix. Then check all plugins are up to date along with Wordpress and then change all passwords.
- detritus0
..or, if you do, keep the sodding thing updated.
I agree with you though — I had a similar problem on a client's site last year, because they insisted on having a WP blog on there, and insisted on letting it fall into disrepair.
= Poisoned Database, which fucked up other applications sharing it.
Bunch of fucker.
- moldero0
iThemes security plugin = pricey but worth it
& hide your theme info, your theme info gives hackers a place to start when looking into vulnerabilities.
- fadein110
Wordpress is only attacked because it is so popular - security-wise it is pretty robust now. Dumb ass comment blaming it on Wpress - any site is vulnerable.
- plash0
Easiest way I can think to assess if any credentials have been compromised is to log into your web server (via sftp) and check for last modified files by date.
looks like you're running apache so 'date created' might show newly added files since this might just be a php injection. if you do find something (a file added) this will indicate if a password was breached.
2nd step is to log into your mysqladmin and check for records that have been modified within a date specified. this will show if any database records have been modified, (if a positive is found then it's time to change that password and hash). Note that you'll find a lot of updated records in the database, so put on that deerhunter and pull out a magnifying glass, you'll want to audit with prejudice; needle in the hay stack here.
lastly log into your wordpress admin and again audit for records changed.
These are the first steps to find out if your passwords have been compromised. if you find a file that has been uploaded without consent, then that points to a compromise.
if you find a db record, look into the cell and find the info it holds. you can do a string search for 'payday' throughout the entire database.
anyway, some pointers.
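The checks suggested in the posts above (search the downloaded files and the exported database for "payday", and list recently changed files), as an added example that is not part of any post in the thread. It assumes the site has been downloaded to a local folder with the database export saved in it as a `.sql` file; the sample tree is constructed, and `OBFUSCATION_HINTS` is an addition of this example for injections that hide the visible keyword.

```python
import os
import re
import tempfile
import time

SCAN_EXT = (".php", ".js", ".html", ".htm", ".sql")  # assumption: file types worth reading
# Added by this example (not from the thread): PHP calls often seen in obfuscated injections.
OBFUSCATION_HINTS = ("base64_decode(", "gzinflate(", "eval(")

def triage(root, keywords, since_days, now=None):
    """Return (keyword_hits, recently_modified) for a downloaded copy of the site."""
    cutoff = (now or time.time()) - since_days * 86400
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits, recent = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.getmtime(path) >= cutoff:
                recent.append(rel)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if pattern.search(line):
                        hits.append((rel, lineno, line.strip()[:100]))
    return sorted(hits), sorted(recent)

def build_sample(root, now):
    """Constructed sample tree: a clean old file, two recently changed files, a DB export."""
    samples = {
        "wp-content/themes/demo/header.php": ("<?php wp_head(); ?>\n", 400),
        "wp-content/themes/demo/functions.php": ("<?php echo '<a href=\"http://spam.example/\">payday loans</a>';\n", 2),
        "wp-content/uploads/cache.php": ("<?php eval(base64_decode('ZWNobyAxOw=='));\n", 2),
        "db-export.sql": ("INSERT INTO wp_options VALUES (1,'footer','<a>Payday</a>');\n", 400),
    }
    for rel, (body, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (now - age_days * 86400,) * 2)  # backdate to simulate file age

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site, time.time())
        hits, recent = triage(site, ("payday",) + OBFUSCATION_HINTS, since_days=30)
        print(*hits, sep="\n")
        print("modified in last 30 days:", recent)
```

Modification times are only meaningful if the download preserved the server's timestamps, and a PHP file under `uploads` is worth a look even when it matches no keyword.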
- mg330
I could go on and on about Wordpress security after suffering some serious hacks to both my WP sites and my CPanel account over the summer last year. Really frustrating time. Forced me to really dig into key Wordpress security problems, change plugins, schedule regular backups, etc.
Please don't for a second think that a hack is unique to Wordpress. Every site, every platform has vulnerabilities. Reduce them or eliminate them and you'll be fine.
- dbloc0
do you have ftp access?