1) Where is my Ticket? 2) What happened to my site? 3) Where are the blog pages?

I had a massive problem with this site today, and spent quite a bit of time on chat with Patrick Freitas about it, and have been anticipating a response, but there is NO TICKET here for anyone to respond to. I don't understand.

Someone was able to access my client's site and actually place content on it, putting links to the official store of the San Diego Padres on the home page, as well as hijacking the blog and replacing the content with content from some other sports clothing site. This is NOT GOOD, obviously. Patrick fixed the problem in the short run, but I am very very concerned about this. I have never seen anything like this happen when I was at any other hosting. This same site turned up with malware last week, and that was supposedly all removed; now this. I really need to know what's going on.

Everything appeared to be fixed earlier. Now, a new problem. All the blog pages for this site appear to be blank. The titles appear on the posts list, but clicking on them, either in edit mode or on the front end, delivers a blank page. What is happening here?

  • Adam Czajczyk

    Hello mary,

    I hope you're well today and thank you for reaching out to us.

    I believe that the ticket you're referring to is this one

    https://premium.wpmudev.org/forums/topic/the-site-got-infected-again

    as it was created after the live support chat. Please note that such tickets are first created internally and then opened on the support forum shortly after that (there is a slight delay), not in "real time". I also understand that the description of the issue there might have been "oversimplified", but there's no need to edit it, as in such cases we do have insight into the chat sessions, where additional information is also provided by the chat agent.

    That being said, please accept my apologies for the trouble. We're already looking into it, checking your site to fix it and identify what happened. Please keep an eye on this ticket and we'll update you here as soon as possible with more information.

    Kind regards,
    Adam

  • Konstantinos Xenos

    Hi mary,

    I've taken a look at your installation and I can report these findings:

    The issue doesn't come from the hosting environment; these types of attacks come solely from the website itself being prone to injections. The code that I've found is common to WordPress injections, done mostly via plugins and secondly via themes.

    I see that you are using LayerSlider 6.7.6. This version was released on 22 May 2018 and the latest release is 6.8.1. Keeping the plugins updated means that they are less likely to be prone to attacks (ref: https://layerslider.kreaturamedia.com/release-log/ ). In general it's best to keep all themes + plugins always updated to the latest version, as they are constantly improving security.

    The specific malware was most likely designed to take access to your website and do "automated" processes like adding / removing posts at its free will, which, as you mentioned, actually happened.

    There were also injected files inside the /wp-includes/ folder and code in all of the "header.php" files from all your themes, as they have been compromised also.

    I've cleaned the installation for now but please do note:

    1] I can't be certain that you won't find issues again until all plugins/themes are updated to the latest versions.
    2] The best way of resolving this permanently is to revert to a backup which you are 100% certain was not yet compromised, and then update all themes/plugins to their latest versions.
    3] I also see from the chat that you had with us that you mentioned you are not using TinyMCE. TinyMCE is used by WordPress core itself in both the Classic Editor & Gutenberg; if it had a vulnerability it would have already been patched by the WP Core team and a security update would've been delivered, so most likely this comes from a theme/plugin that you're using.

    As for the posts that you mention, I can't do anything about that if the injected code has already altered the content. The best way to resolve it, again, is to revert to an older backup from when the site was not yet injected + altered.

    Again, these are common attacks towards WordPress installations, via injecting plugins + themes that are prone to attacks like these.

    Tell me if I can help any further.

    Regards,
    Konstantinos

  • mary

    How do I get the blog content back from the backups you have been making? Do I just revert to an earlier version, and if I do, how can I be sure the version I am reverting to does not have the malware?

    Please don't misunderstand, I am not saying the hosting environment itself is responsible for the malware. What I am concerned about is that, with all the bells and whistles of Defender, it feels as if I may have had better security elsewhere. Maintaining these websites is not my primary job, and as a result there have always been one or two plugins that needed updating, but no malware has ever gotten in that way before.

  • Konstantinos Xenos

    mary,

    If you restore any of the backups, everything regarding the installation will be restored as well (that means settings, media etc., not only posts). As for it not having malware, that would require checking each time for any suspicious code within the installation itself.

    Unfortunately there's no other way to identify when the issue started; the code might've been there even before migrating but was dormant for any number of reasons, resulting in it not being identified.

    For example, some of these malicious scripts run "only" if you edit a specific post that they have decided on. If you never edit that post then they won't show up & start working.

    Defender will scan the WordPress core files and report any results to you, as well as any suspicious extra code, as seen in the screenshot in my last post. It won't "automatically" run any action though, as the code itself might be a false positive, as we say, and it could've been added by you or one of your developers.

    I won't misunderstand anything that you say, don't worry about that; we're here to help as much as possible, after all, and feedback like yours is always welcome & taken into consideration as we try to keep evolving our products.

    Attacks like these are very well known within the WordPress community and, as I've mentioned (not trying to point any fingers myself, but it's a good example in this case), using plugins that haven't been updated for almost 1 year means there are far more chances of getting infected than by having everything updated.

    Regards,
    Konstantinos
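The two posts above describe what was found (extra files dropped into /wp-includes/ and core files with added code) and how Defender reports such findings against the known core files without acting on them. The following is an added example of that kind of report-only integrity check; it is not Defender's or WPMU DEV's code, and the manifest, the sample tree and the tampered files are all constructed here for the demonstration rather than taken from a real WordPress release.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash one file; SHA-256 is assumed here as the manifest's hash."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_core(root: Path, manifest: dict) -> dict:
    """Compare every file under root with a manifest of known-good hashes.

    Report only: modified core files, extra files that no release ships,
    and missing ones. Nothing is deleted, because a hit may be a false
    positive (e.g. a change a developer made on purpose)."""
    found = {p.relative_to(root).as_posix(): sha256_of(p)
             for p in root.rglob("*") if p.is_file()}
    modified = sorted(f for f, h in found.items()
                      if f in manifest and manifest[f] != h)
    extra = sorted(f for f in found if f not in manifest)
    missing = sorted(f for f in manifest if f not in found)
    return {"modified": modified, "extra": extra, "missing": missing}


def build_demo():
    """Constructed sample: two clean files are hashed into a manifest, then
    the tree is tampered with the way the thread describes."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    clean = {
        "wp-includes/functions.php": "<?php\nfunction demo() {}\n",
        "wp-includes/version.php": "<?php\n$wp_version = '0.0-demo';\n",
    }
    for rel, body in clean.items():
        (root / rel).write_text(body)
    manifest = {rel: sha256_of(root / rel) for rel in clean}
    # Constructed tampering: one file dropped into wp-includes, one core
    # file with a line appended (both hypothetical, not real indicators).
    (root / "wp-includes/zz-constructed-extra.php").write_text("<?php\n// extra\n")
    (root / "wp-includes/functions.php").write_text(
        clean["wp-includes/functions.php"] + "// appended by demo\n")
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo()
    for kind, files in audit_core(demo_root, demo_manifest).items():
        print(f"{kind}: {files}")
```

Against a real install the manifest would come from the checksums WordPress publishes for the exact installed version, and each hit still needs a human decision, as Konstantinos notes, since a modified file may be a legitimate local change.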
