Please help! Site hacked...

Please help. No technical skills here!

We have a regular wp site with 2 plugins - wishlist member and a contact form (si-contact-form). I'm paralyzed cuz it's not backed up. Google says malware.

I found a file called gh.html and deleted it.

Any advice or anyone want to help? thanks!

  • Jonathan


    Firstly. here is a topic full of links -

    Malware can be uploaded to your site very easily. Especially when the hacker knows of a vulnerability and can exploit it. File permissions need to be set as tight as possible along with a whole bunch of stuff that we get lazy with.
    Wordpress has a great article on hardening wordpress: Recommend you give that a read.

    As for google. Unfortunately - they take there time before removing that warning message. You can get them to browse on over quicker using webmaster tools and there step by step list (which you have already done) so you just have to wait it out. Its like a rugby player who gets sent to the blood bin: got to make sure the blood has stopped flowing :wink: This keeps other players safe (your members safe)

    And you just gota gota gota back it up - okay. had a great tutorial on using dropbox to backup your wordpress site - this is perfect. And to start out with it won't cost you a thing.

  • Me

    No problem Gina... thanks!

    Update for your entertainment: We have 41 separate wp installs on a server. All 41 sites are hacked. I am traumatized! Hosting company is handling everything so we are backed up from one week ago but obviously we need to consolidate and secure our sites... help!

    We will lose an entire beautiful shopping cart install built with marketpress and product theme. I wish marketpress had a feature that allowed me to import all my products via csv file like big commerce, 1shoppingcart (both non wp software) vs. adding each single product (we have over 100 products). I have been searching for a solution like marketpress for years to have a shop that works in wp so I am so happy with it other than that!

    Never underestimate the evil in the world!

  • Jonathan

    I wish marketpress had a feature that allowed me to import all my products

    Like gina said use the built in wordpress export / import tool .- very easy. go to tools export and choose what to export.
    default is all content (This will contain all of your posts, pages, comments, custom fields, terms, navigation menus and custom posts)
    And marketpress uses custom posts :wink: Gotta love that.

    So you can either export it all, or you can export individual custom posts (products / purchases etc)

    To Import, go tools > import > wordpress and select your exported file.

    Images are a bit of an issue to import you can select to fetch them (download) from original location (if that location exists), if not then - I can't remember, but you could possible copy image folder wp-content/uploads/ back to original position and it should work? Could someone confirm?

    As for protecting: You have firstly got to find out how they are getting in. I can hack wishlist member :o( and have been able to access protected content without an account - which is why I haven't used it for awhile. And because they encrypt there code, I couldn't patch it. I used to decrypt it - but it is such a hassle, and time waster. [note: they may have patched it since then?]

    And I haven't used si-contact-form - but contact forms are known for exploitation. code injection etc etc.

    And then a freshly installed wordpress isn't the safest either. Which is why they show you how to harden it. But very few folks do.

  • aecnu

    Greetings :slight_smile:

    your host can help alot by blocking the rifraf that are hacking sites.

    Being Global Network Administrator for an International Company I have personally been responsible for the order of blocking countries that seem to do nothing but hack sites - Primarily Turkey, Nigeria, India, All of Asia including China, and Russia.

    After being in the Internet Business exclusively since 1998, I can honestly testify to the fact that none of these countries have ever netted us a dime though that have caused great grief before we firewalled them off about two years ago.

    Then almost all of the crap stopped instantly.

    One great WP tip - lock down your config php file with .htaccess using:

    <files wp-config.php>
    order allow,deny
    deny from all

    works like a charm :slight_smile:

    Joe :slight_smile:

  • Me

    Thanks everyone for your input... it's been most helpful!

    I have backed up/restored everything to before the hack. Moved 41 sites to VPS. Changed all passwords. Have not even begun to figure out how to install WPMS and consolidate!

    Do any of you recommend I use a security plugin? If so which ones?

    Jonathan, regarding wishlist (which you mentioned you can hack)... I am using them on 4 different video classroom training sites because they integrate with my shopping cart (1shoppingcart) and Optimize Press - the theme used to structure the lessons. I am open to switching to wpmu membership plugin but haven't figured it all out yet!

    In the short term is it possible to tighten security on wishlist member?

    aecnu thanks for the recommendations on htaccess additions to block countries... do you happen to have the exact code to block specific countries mentioned (Primarily Turkey, Nigeria, India, All of Asia including China, and Russia)? I got the impression that the code you provided would block ALL countries - "deny from all." But then again, what do I know!

    I'm sure my questions may be ridiculous to you experts, but I am in way over my head! I really appreciate all your support and guidance! Thank you!


  • aecnu

    Greetings Jodi :slight_smile:

    The code I offered for the .htaccess file blocks everyone from looking at the wp-config.php file only, but which contains all the information they need to hack your site - most importantly the database info which using data base injection they can do almost anything they want i.e. ,malware, keyloggers, etc.

    The firewall is Dedicated Server Guard and is primarily used on Dedicated Servers or that users that have a VPS with true "root" access :slight_smile:

    The tens of thousands of lines of IP's blocked and accepted in the firewall is what makes it deadly effective :slight_smile:

    Joe :slight_smile:

  • Philip John

    I'd recommend you use WordPress Firewall for starters

    In the past couple of weeks I've received hundreds of e-mails from the plugin to tell me it's blocked directory traversal attacks trying to capitalise on the TimThumb exploit.

    It detects all sorts of similar attempts to hack your site and blocks them. You get the IP address too, which enables you to add a simple "Deny from [ip address]" line to your .htaccess to stop 'em for good!


  • Me

    Wow! Thanks for this suggestion Phil.

    Almost as immediately as I installed it, it revealed a brut force injection attack from Pakistan...
    Offending IP: [ Get IP location ]

    It appears to be trying to hijack many of my plugins. I have deleted the ones listed. Might be a dumb question but can they attempt to inject into a plugin that is deactivated... I'm assuming yes.

    This has sucked one week out of my life so far and I don't feel I've scratched the surface of resolving it but I will continue to press on to defeat the enemies of my sites! :slight_smile:

    Anyone have a decent, safe audio plugin for mp3?


  • Philip John

    Unless there is an actually vulnerability in that plugin it shouldn't matter. However, even if there is, WordPress Firewall should block it.

    It works on the assumption that certain types of requests are attempting to exploit known or as yet unknown holes.

    So, for the plugins that are being targeted, it's worth posting on the .org forums tagging both the original plugin and firewall and asking whether there is an exploit in that plugin or not.


  • Jonathan


    Sorry for the late reply, been away for the week...

    Jonathan, regarding wishlist (which you mentioned you can hack)... I am using them on 4 different video classroom training sites because they integrate with my shopping cart (1shoppingcart) and Optimize Press - the theme used to structure the lessons. I am open to switching to wpmu membership plugin but haven't figured it all out yet!
    In the short term is it possible to tighten security on wishlist member?

    I haven't used wishlist for awhile... but I see that a few of the vulnerabilities that I could exploit have been patched. I can still ... scratch that ... (there is no 100% safe plugin with regards to this)

    And Yes you can add additional barriers, but at what cost to your innocent loyal paying members. shrugs. Personally, the best bet is to follow both @aecnu and @phil's advice. I especially like the blocking ip's by country. Some countries are just not worth the additional sales you may/may not get from them.

    I am not a pro, but I believe security starts with your hosting (server, firewalls etc etc) If you can pretty much lock down everything there you are ahead of the pack. But this is a skill which a few have, and the rest of us (me included) wish I had.

    Here is a older post on securing ubuntu installs, which highlights what I mean about securing the server first...

    But that is another topic in itself, and very much advanced and does not apply to the average person and is a different topic best left for the professionals :wink:

    The harding wordpress link is a great foundation. The firewall plugin of Phils is super dupa cool and should block most attacks as phil mentions (even if the plugin has a vulnerablity)

    Sorry again for the late reply...

  • Me


    Thank you. I have retained some professional assistance because it has been non-stop! Firewall 2 is working like a charm. I have one site that I have not even touched for over 2 years that an IP in Latvia has been persistently sending bots 3 or 4 times a day for the last 5 days trying to get at the wp-admin. I blocked the first IP so now it's coming from another IP but still Latvia. I don't know why they are so determined to get at this site... This site was on a different hosting company than all of my other hacks so my issues continue! Fun stuff!

    All of my attempted hits that Firewall has blocked (daily on multiple domains) have been on the wp-admin folder with the exception of one, which went for the plugins. I have changed all of my admin usernames to something other than admin!

    Question - Do your phone technical support people usually know wordpress? I have found my provider to be most helpful but they do not seem to know much about wordpress. Should I be seeking a different hosting provider?

    Thanks everyone for sharing your wisdom! You've all been great!

  • aecnu

    Greetings Jodi :slight_smile:

    as of today our Primary Hosting Servers Firewall - Dedicated Server Guard - has exactly 12580 lines of blocking code.

    Yes a lot has to do with your host and they obviously do not have a firewall on their servers considering that Pakistan is getting through.

    If possibly interested in a Host Cure that will stop them dead in their tracks and that deals with WP and WPMU, send me a message aecnucom(at) and I will send you some links :slight_smile:

    Joe :slight_smile:

  • Philip John

    I have found my provider to be most helpful but they do not seem to know much about wordpress.

    That's not uncommon and I wouldn't expect them too. Their core business is obviously server admin and WordPress is a CMS so very different worlds. Of course it's nice for them to have an understanding but I wouldn't expect anything beyond that.

    Might be worth blocking all of Latvia then :wink:


  • Jonathan


    You can restrict access to the wp-admin folder for everyone except your IP. You can do this by placing a .htaccess file in the wp-admin folder containing the following lines:

    Order Deny,Allow
    Deny from all
    Allow from <Your IP>

    You can see what is your IP at this URL:

    I do this a lot with exception (I don't restrict my ssh login to ip) I've woken up on to many mornings to find my isp has changed my ip. (trust me, ssh ip restriction is bullet proof, but you don't want to be locked out, trying to hack into a hack proofed site - lol) So if that happens now, I can just log in via ssh and change the .htaccess file(s) ip to new ip.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.