A little freaked out right now for a site I haven't updated

Hey Guys

A little freaked out right now for a site I haven’t updated in a long time, TaiwanHipHop.com. I logged into it to update the plugins and what not and noticed under my “Who’s been online” plugin that some new Admin user from Poland was on my site.

I am freaked out because he was listed as an “Admin” and his username is “AlexEditor”. But here is where I am really confused: sign ups are NOT allowed on this site.

How did someone become an admin on my WordPress site if registration is disabled? How did he do this, but more importantly, what could he have done on my site?

It does not appear that he edited or added any posts or pages. Can some senior WordPress people who have experience with this enlighten me? Thanks!

PS. Needless to say, I changed that user’s password right away and I am now blocking Poland from accessing the site.

Mike

  • PC
    • WPMU DEV Initiate

    Hey there Mike,

    Greetings and thanks for posting on the forums.

    That is the biggest and most important reason for keeping your WordPress sites up to date with the latest versions of plugins and WordPress itself, so that if there are any security vulnerabilities, they can be removed.

    So, having said that, if you do not see any suspicious activity, you should be fine, but precautionary measures should include:

    Changing the passwords of the main admin account(s)

    Changing the db password

    Apart from that, you should consider taking regular backups of the site and also using something like http://wordpress.org/plugins/wordfence/ to provide solid security for your WordPress site.

    Cheers, PC

  • PC
    • WPMU DEV Initiate

    Hey there Mike

    Sorry for the delay here.

    That is only possible if your site / database is not protected well enough to stop someone from getting in (there are a lot of ways to penetrate a site) and creating accounts.

    Changing passwords and strengthening security is the only way to deal with this at this moment.

    Cheers, PC

  • faydra_deon
    • WordPress Warrior

    @thinktaiwan:

    It sounds like you were hacked through your hosting company. It’s possible someone found out your username and password, logged in as if they were you and made their own Admin account.

    You may want to use the BruteProtect plugin to help deter that behavior: http://wordpress.org/plugins/bruteprotect/

    If that person shouldn’t be a user on your site, then you shouldn’t just change the password. You need to delete that account.

    You also need to FTP into your server files and find out which files have been changed.

    I actually just did this for a former client who didn’t keep her site updated. She’s on 1and1 Hosting.

    What I did was opened the wp-config.php file and found a script that was added to the top of her file. I deleted her config file and recreated it.

    I then deleted all the single PHP pages of the WordPress core files and added them back from a fresh download of WordPress. I then deleted both the wp-admin and wp-includes folders and added them back from the fresh WordPress download.

    I couldn’t just delete her wp-content folder, because her uploads folder was in there, so I deleted everything but the uploads folder and added everything back from the fresh WordPress download.

    Then I went into the themes and plugins folders and found that the index.php files that were in both those folders were entirely too large. They should only be about 30 KB. They were both over 12,000 KB. When I opened them both, they had the same script as the one in the wp-config file. I deleted those index.php files and added them back from the fresh WordPress download.

    I also created another admin account for her, moved all the posts onto that account and deleted the other admin account she’d been using.

    This information may or may not help, but I thought I’d share it with you, because this is what I normally do when someone gets hacked at the server level.

    Faydra…

    Also, replacing the core WordPress files will make sure that that person isn’t running a site secretly off your WordPress site.
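The cleanup Faydra describes (comparing the live files against a fresh download, checking the top of wp-config.php, and catching oversized index.php files in themes/ and plugins/) can be scripted as a read-only check. This is an added example, not code from the thread; it is POSIX sh, assumes a fresh copy of the same WordPress version is already unpacked locally, and the `make_sample` tree it runs against is constructed, not a real site.

```shell
# Added example for the cleanup steps in the post above, not the thread's own code.
# Assumes "$1" is the live site root and "$2" is a fresh, unpacked copy of the same
# WordPress version; wp-config.php and wp-content/ are site-specific, so skipped.
# Core files that differ from the fresh copy, are missing from the live site, or
# exist only in the live site (a file dropped into wp-admin/ shows up as ADDED).
wp_core_diff() {
    site="$1"; fresh="$2"
    ( cd "$fresh" && find . -type f ! -path './wp-content/*' ) | sort |
    while read -r f; do
        if [ ! -f "$site/$f" ]; then echo "MISSING $f"
        elif ! cmp -s "$fresh/$f" "$site/$f"; then echo "MODIFIED $f"
        fi
    done
    ( cd "$site" && find . -type f ! -path './wp-content/*' ! -name wp-config.php ) |
    sort | while read -r f; do [ -f "$fresh/$f" ] || echo "ADDED $f"; done
}

# A themes/ or plugins/ index.php larger than a stock one-line comment, or a
# wp-config.php whose first line is not a bare "<?php" (where the injected script sat).
wp_suspicious_files() {
    site="$1"; limit="${2:-1024}"
    for f in "$site/wp-content/themes/index.php" "$site/wp-content/plugins/index.php"; do
        if [ -f "$f" ] && [ "$(wc -c < "$f" | tr -d ' ')" -gt "$limit" ]; then
            echo "OVERSIZED $f"
        fi
    done
    if [ -f "$site/wp-config.php" ] &&
       [ "$(head -n 1 "$site/wp-config.php" | tr -d '\r')" != "<?php" ]; then
        echo "TAMPERED $site/wp-config.php"
    fi
}

# Constructed sample tree (not a real install): one altered, one missing and one
# added core file, an oversized themes/index.php and a line prepended to wp-config.php.
make_sample() {
    b="$1"
    mkdir -p "$b/fresh/wp-admin" "$b/site/wp-admin" "$b/site/wp-content/themes" \
             "$b/site/wp-content/plugins"
    for f in index.php wp-admin/admin.php wp-admin/load.php; do
        echo "<?php // stock $f" > "$b/fresh/$f"
    done
    cp "$b/fresh/index.php" "$b/site/index.php"
    echo '<?php // altered (constructed)' > "$b/site/wp-admin/admin.php"
    echo '<?php // dropped (constructed)' > "$b/site/wp-admin/extra.php"
    echo '<?php // Silence is golden.' > "$b/site/wp-content/plugins/index.php"
    printf '%4096s' '' | tr ' ' 'A' > "$b/site/wp-content/themes/index.php"
    printf '<?php /* prepended (constructed) */ ?>\n<?php\n' > "$b/site/wp-config.php"
}
d=$(mktemp -d); make_sample "$d"
wp_core_diff "$d/site" "$d/fresh"; wp_suspicious_files "$d/site"; rm -rf "$d"
```

Run it against the real site root and a fresh unpack instead of the sample; anything reported as MODIFIED or ADDED outside wp-content/ is what the post's "replace from a fresh download" step is meant to remove.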
