HELP! MY WORDPRESS MU/BUDDYPRESS WAS HACKED

I woke up today to find the first post of my blog had been hacked. I have since regained access to my blog/mu/buddypress install, but I have lost "super admin" level access. Can someone please help me regain access? I currently only use wpmudev themes and plugins, so I am not sure how this happened.

Justin

  • Timothy
    • Chief Pigeon

    When you say hacked, what exactly was done, changed, etc?

    What has your host said?

    What do they see in the access logs? And how access was gained?

    You'd be best restoring your backup.

    You might want to ask your host to run a security scan and audit as well.

    If you don't have a backup, then usually when this happens I would remove all files except wp-config.php and maybe the media uploads.

    I would then painfully go through them all checking for issues and changes.

    You would then upload a fresh set of WordPress, theme and plugin files. Make another backup before you do, though, just in case you do need to check something or go back for any reason at all.

    With regards to tracking that down, you would need to hire an expert to run a code audit, and that can start getting expensive. Just because your code was changed doesn't mean it was the code that was the issue. It could also have been a server-level vulnerability, or social engineering, which is getting popular as well.

    Let me know how you get on and what your host says.

    Take care.
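The "go through them all checking for issues and changes" step above can be done mechanically rather than file by file. The script below is an added example for this thread, not code from the posts, WPMU DEV or WordPress: it snapshots the install first (so evidence survives the cleanup), lists any PHP sitting under wp-content/uploads, and hashes every remaining file against a freshly downloaded, untouched copy of the same WordPress, theme and plugin versions. `$SITE`, `$REF` and the demo tree it builds are constructed; it assumes a POSIX shell with find, awk, tar and GNU `sha256sum` (use `shasum -a 256` on BSD/macOS).

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts, WPMU DEV or WordPress.
# First-pass triage of a WordPress tree after a compromise. $SITE is the web root and
# $REF a clean copy of the same versions; both, and the demo data below, are assumptions.

# 1. Snapshot the whole tree before touching anything, so the evidence survives the cleanup.
snapshot_site() {             # snapshot_site /var/www/site /backups/site-before-cleanup.tgz
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# 2. PHP has no business under wp-content/uploads; every hit here deserves a look.
find_php_in_uploads() {       # find_php_in_uploads /var/www/site
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php5' -o -name '*.phtml' -o -name '*.phar' \) | sort
}

# 3. Hash every file except uploads (handled above) and wp-config.php (review that by hand),
#    then compare with the clean reference. Output lines: MODIFIED (content differs),
#    EXTRA (only in the live site), MISSING (only in the reference).
list_hashes() {
    ( cd "$1" || exit 1
      find . -type f ! -path './wp-content/uploads/*' ! -name wp-config.php -exec sha256sum {} + ) \
      | awk '{ print $2, $1 }' | sort
}

diff_against_reference() {    # diff_against_reference /var/www/site /tmp/wordpress-clean
    tmp=$(mktemp -d)
    list_hashes "$2" > "$tmp/ref"
    list_hashes "$1" > "$tmp/site"
    awk 'NR == FNR { ref[$1] = $2; next }
         {
             if (!($1 in ref))        { print "EXTRA    " $1 }
             else if (ref[$1] != $2)  { print "MODIFIED " $1 }
             seen[$1] = 1
         }
         END { for (f in ref) if (!(f in seen)) print "MISSING  " f }' "$tmp/ref" "$tmp/site" | sort
    rm -rf "$tmp"
}

# --- Constructed demo data (not a real site; the "bad" files contain no real malicious code) ---
DEMO=$(mktemp -d); SITE="$DEMO/site"; REF="$DEMO/ref"
mkdir -p "$REF/wp-admin" "$REF/wp-includes" "$REF/wp-content/uploads" \
         "$SITE/wp-admin" "$SITE/wp-includes" "$SITE/wp-content/uploads/2011/09"
printf '<?php // clean core file\n' > "$REF/index.php"
printf '<?php // clean core file\n' > "$REF/wp-admin/admin.php"
printf '<?php // clean core file\n' > "$REF/wp-includes/version.php"
cp "$REF/wp-admin/admin.php" "$SITE/wp-admin/admin.php"                                  # untouched
printf '<?php // clean core file\n// constructed: injected line\n' > "$SITE/index.php"   # tampered
printf '<?php // constructed stand-in for a dropped file\n' > "$SITE/wp-content/backdoor.php"
printf '<?php // constructed: PHP hiding in uploads\n' > "$SITE/wp-content/uploads/2011/09/image.php"
printf "<?php define('DB_NAME', 'x');\n" > "$SITE/wp-config.php"   # wp-includes/version.php deliberately absent

snapshot_site "$SITE" "$DEMO/site-before-cleanup.tgz"
echo "== PHP under uploads ==";          find_php_in_uploads "$SITE"
echo "== Changes vs clean reference =="; diff_against_reference "$SITE" "$REF"
```

Run it against the real tree with `snapshot_site /var/www/site ...` before anything else; the diff only tells you which files to read, it does not tell you how they got there, which is what the host's logs and the audit Timothy mentions are for.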

  • justin_medved
    • Flash Drive

    Tim,

    Thanks so much for your time!

    To answer your first question:

    1) They broke into my site and replaced the most recent post with a post for a Middle East terrorist organization. They also locked me out of my account, and now I cannot restore network admin privileges.

    Here is what my host said:

    "There are plenty of ways for hackers to breach your application. However, our experience shows that usually they are using some custom modules/templates which allow them to execute malicious scripts from your account. These scripts are shell scripts which provide the hackers with access to all of the files of your application.

    Basically, once the shell script is uploaded or created via one of your custom modules or templates, it is the key point from which the hackers abuse your account. After the damage is done, the hackers delete the shell scripts from the server, leaving only the hacked files related to your application. This makes their scripts hard to track and review.

    The access logs for your account will show the access to your files; however, since the malicious scripts are gone already, we cannot track from where they have been uploaded/created. Maybe the experts you are in contact with might be able to provide you with such information."

    I don't believe I was doing any backups.

    Can I have your advice on

    1) The best way to back up a mu/buddypress site? Is there a way you recommend?

    2) Since I am using themes and plug-ins from wpmudev.org, are there any security plugins that you recommend or endorse?

    Thanks SO much for your help.
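The host is right that a deleted shell cannot be read any more, but the access log still records every request that touched it while it existed, plus the 404s from the attacker coming back afterwards. The script below is an added example, not code from the host or from the thread: it reads a standard "combined" access log and flags the three request shapes worth pulling first, any hit on PHP under wp-content/uploads, POSTs to PHP files that normal WordPress traffic never POSTs to, and successful direct hits on theme or plugin PHP (the "custom templates" route the host describes), then counts them per client IP with the time each IP first showed up. The log lines, IPs, paths and timestamps are constructed; it assumes awk and sort.

```shell
#!/bin/sh
# Added example for this thread; not code from the host, the posts or WordPress.
# Triage of an Apache/LiteSpeed "combined" access log after a web-shell incident.
# The sample log below is constructed (documentation IPs, invented paths).

flag_requests() {             # flag_requests /path/to/access_log
    awk '
    {
        ip = $1; ts = substr($4, 2); method = substr($6, 2); status = $9
        split($7, p, "?"); file = p[1]                   # drop the query string
        reason = ""
        if (file ~ /^\/wp-content\/uploads\/.*\.(php[0-9]?|phtml|phar)$/) {
            reason = "php-in-uploads"                    # flagged even on 404: the file may be gone now
        } else if (method == "POST" && file ~ /\.php$/ &&
                   file !~ /^\/(wp-login\.php|wp-comments-post\.php|xmlrpc\.php|wp-cron\.php|wp-admin\/)/) {
            reason = "post-to-unexpected-php"            # uploads/commands usually travel by POST
        } else if (status == 200 && file ~ /^\/wp-content\/(themes|plugins)\/.*\.php$/) {
            reason = "direct-hit-on-theme-or-plugin-php" # template files called directly, not via WP
        }
        if (reason != "")
            printf "%s\t%s\t%s\t%s %s\t%s\n", reason, ip, ts, method, file, status
    }' "$1"
}

# Who, how often, and when they first appeared: one line per client IP.
summarize_by_ip() {           # summarize_by_ip /path/to/access_log
    flag_requests "$1" | awk -F '\t' '
        { n[$2]++; if (!($2 in first)) first[$2] = $3 }
        END { for (ip in n) print ip, n[ip], first[ip] }' | sort -k2,2nr
}

# --- Constructed sample log: one attacker (203.0.113.7) and one legitimate admin (198.51.100.23) ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Sep/2011:03:10:02 +0000] "GET /wp-content/themes/example-theme/uploader.php?src=x HTTP/1.1" 200 144 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2011:03:10:09 +0000] "POST /wp-content/themes/example-theme/uploader.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2011:03:11:41 +0000] "POST /wp-content/uploads/2011/09/image.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2011:03:12:00 +0000] "GET /2011/09/hello-world/ HTTP/1.1" 200 8130 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2011:03:12:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2011:03:12:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2011:03:15:58 +0000] "GET /wp-content/uploads/2011/09/image.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF

echo "== Flagged requests ==";  flag_requests "$LOG"
echo "== By client IP ==";      summarize_by_ip "$LOG"
```

On a cPanel host the raw log is usually under `~/access-logs/` or available via the "Raw Access" page; run the two functions over the whole retention window, not just the day you noticed, because the first hit on the template file is typically days before the defacement.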

  • hpidriver
    • The Crimson Coder

    What sort of hosting do you have? If you have it included in your plan, cPanel can be used to schedule backups of your entire site.
    You could also manually back up the SQL database containing the WP install via SSH access, and then copy your files over to your local machine via FTP.

  • Timothy
    • Chief Pigeon

    Hey again.

    1. I always back up at the server level; if it's shared hosting, then you can do it within cPanel.

    The good thing about a cPanel backup is you've got your mail and DNS setup in addition to the site and DB, should you need to move to another host or account.

    I personally take daily backups of my servers. I then take a backup of the backups.

    I hear about Bulletproof all the time which Foodfriendfinder mentioned.

    Take care.

  • hpidriver
    • The Crimson Coder

    @justin_medved This link will explain every option you have when backing up through cPanel - http://docs.cpanel.net/twiki/bin/view/11_30/WHMDocs/ConfigBackup
    As Timothy has mentioned, doing daily backups is probably the best way to keep any future damage from hackers to a minimum. If possible, save these backups to a different machine than the server that is hosting your site.

    There are also preventative measures you can take to further secure your WP install from malicious users. Some quick tips here - http://www.labnol.org/internet/improve-wordpress-security/24639/

    hope this all helps!
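For the SSH route hpidriver describes (dump the database, copy the files) combined with the daily, off-box copies both replies recommend, here is an added example script, not code from cPanel, WordPress or the posts. It reads the DB credentials out of wp-config.php, dumps with `mysqldump`, tars the web root, checksums both and pushes them to another machine. `$SITE`, `$DEST` and `user@backuphost:/srv/wp-backups` are hypothetical; the demo at the bottom only exercises the config parsing and the file tarball, since it has no database or remote host to talk to. It assumes `mysqldump`, `gzip`, `tar`, `sha256sum` and `scp` exist on the server.

```shell
#!/bin/sh
# Added example for this thread; not code from cPanel, WordPress or the posts.
# Manual WordPress (single or multisite) backup over SSH with an off-box copy.
# All paths and hosts are assumptions; the wp-config.php below is constructed.

wp_config_value() {           # wp_config_value /var/www/site/wp-config.php DB_NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

backup_db() {                 # backup_db /var/www/site/wp-config.php /backups/db-DATE.sql.gz
    name=$(wp_config_value "$1" DB_NAME)
    user=$(wp_config_value "$1" DB_USER)
    pass=$(wp_config_value "$1" DB_PASSWORD)
    host=$(wp_config_value "$1" DB_HOST)
    # Password goes in the environment, not on the command line where `ps` would show it.
    # --single-transaction gives a consistent InnoDB snapshot without locking the site.
    # ${host%%:*} drops a ":port" suffix; pass --port explicitly if you use a non-default one.
    MYSQL_PWD="$pass" mysqldump --single-transaction --host="${host%%:*}" --user="$user" "$name" \
        | gzip > "$2"
}

backup_files() {              # backup_files /var/www/site /backups/files-DATE.tgz
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

run_backup() (                # run_backup /var/www/site /backups user@backuphost:/srv/wp-backups
    umask 077                 # dumps hold credentials and user data; keep them owner-only
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$2"
    backup_db "$1/wp-config.php" "$2/db-$stamp.sql.gz"
    backup_files "$1" "$2/files-$stamp.tgz"
    ( cd "$2" && sha256sum "db-$stamp.sql.gz" "files-$stamp.tgz" > "SHA256SUMS-$stamp" )
    # The copy that matters is the one not on the hacked box.
    scp "$2/db-$stamp.sql.gz" "$2/files-$stamp.tgz" "$2/SHA256SUMS-$stamp" "$3"
)

# --- Constructed demo: parse a sample wp-config.php and tar a sample tree (no DB, no remote) ---
DEMO=$(mktemp -d); SITE="$DEMO/site"
mkdir -p "$SITE/wp-content/uploads"
cat > "$SITE/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp_multisite');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'constructed-example-password');
define('DB_HOST', 'localhost:3306');
EOF
printf 'sample upload\n' > "$SITE/wp-content/uploads/readme.txt"
echo "Would dump database $(wp_config_value "$SITE/wp-config.php" DB_NAME) as user $(wp_config_value "$SITE/wp-config.php" DB_USER)"
backup_files "$SITE" "$DEMO/files-demo.tgz"
tar -tzf "$DEMO/files-demo.tgz"
```

Schedule it from the user's crontab (for example `0 3 * * * /home/user/bin/wp-backup.sh`, a hypothetical path) and, once in a while, actually restore a dump into a scratch database: a backup that has never been restored is only a hope. In a plain `sh` pipeline the exit status of `mysqldump` is hidden behind `gzip`; under bash add `set -o pipefail` so a failed dump does not leave you with a valid-looking empty archive.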

  • Timothy
    • Chief Pigeon

    Hey again.

    Just to add, if you do ever look for another host, then WP Engine are pretty cool:

    http://wpengine.com/

    They are super keen on security; the downside to that is not all plugins and themes will work, for various reasons. No need for caching plugins either; they use something called Varnish which makes sites pretty quick.

    We actually had an issue with MarketPress on their servers; they added a filter to their servers so it would work, so they can be flexible as well where there is value to the customer.

    They are also one of the pricier and more restrictive (for good reason) hosts.

    Just thought I'd throw that out there. :)

    Take care.

  • in-mn
    • The Crimson Coder

    I kept getting hacked, and I have no idea what part is the flaw, but I just blocked non-US/CA traffic in the firewall. Did a clean install of plugins, and swept out the uploads folder of any site I know wasn't a paying customer on multisite.

    0 problems since blocking those countries.
