Website hacked regularly with WP Defender installed

Hello,

Only with this website (berndaupperle.de) do I have a security problem. All plugins and themes are always up to date. I additionally turned on 2-step authentication for better security.

But after a while new spam blog posts appear on the blog, created by the user “Bernd Aupperle” (my customer's account). When checking WP Defender on the site it says “WordPress <= 4.9.4 – Application Denial of Service (DoS) (unpatched)”. But in fact WordPress has been updated to 4.9.4.

I don’t understand how the hacker can write blog posts even with 2-step authentication turned on.

My questions:

1. How can I make my WordPress site safe against these spam blog posts?

2. Why does Defender say that I haven’t updated WordPress?

Thanks in advance for any support!

Kind regards,

Thomas

  • Predrag Dubajic
    • Support

    Hi Thomas,

    Hope you’re doing well.

    1. How can I make my WordPress site safe against these spam blog posts?

    Are these blog posts showing your admin account as post owner or is it some different account being used?

    Is that account a verified admin/editor/author, and is 2FA enabled for that account?

    Would you mind allowing support access so we can have a closer look at your Defender settings?

    To enable support access you can follow this guide here:

    https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-5

    2. Why does Defender say that I haven’t updated WordPress?

    This is a security report for a known issue in WordPress. Defender is not saying that you don’t have the latest version, but rather pointing out that the version you currently use has this issue.

    Unfortunately, until this is resolved on WP’s end it will be reported as a vulnerability in Defender.

    Best regards,

    Predrag

  • Thomas
    • Flash Drive

    Hi Predrag,

    thank you for your response.

    Are these blog posts showing your admin account as post owner or is it some different account being used?

    Is that account a verified admin/editor/author, and is 2FA enabled for that account?

    The blog posts are being posted with the admin account, and 2FA is enabled.

    Would you mind allowing support access so we can have a closer look at your Defender settings?

    Yes, just granted access.

    Thank you so far!

    Kind regards,

    Thomas

  • Predrag Dubajic
    • Support

    Hi Thomas,

    Thanks for granting access, I was checking your site and was looking at the Defender logs, looks like the IP that logged in and created those posts is 69.30.202.178, do you by any chance know if that IP is related to you or any of your other site admins?

    What’s strange is that the login entry and all the posts are in the same minute, with the Login action actually being the last one, meaning it was added to the logs after the posts were created.

    I have forwarded this to the plugin developer to investigate further because I’m pretty confused about what happened, to be honest.

    We will need to wait for him to shed some light on this.

    Best regards,

    Predrag
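What Predrag describes, post-creation events logged before the login that supposedly produced them, is something you can check mechanically rather than by eye. The following is an added example, not Defender's code and not anything posted in this thread: it parses constructed audit-log lines in a made-up pipe-separated format (documentation IPs, invented post IDs) and flags every post_created event for which the same user has no successful login from the same IP in the preceding 24 hours. The first four sample lines reproduce the pattern from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in a made-up format: timestamp | ip | user | action | detail.
# Lines 1-4 mirror the thread: three posts in one minute, the login logged after them.
SAMPLE_LOG = """\
2018-03-12 10:15:02 | 203.0.113.5 | bernd | post_created | post_id=431
2018-03-12 10:15:05 | 203.0.113.5 | bernd | post_created | post_id=432
2018-03-12 10:15:09 | 203.0.113.5 | bernd | post_created | post_id=433
2018-03-12 10:15:40 | 203.0.113.5 | bernd | login | success
2018-03-11 08:00:00 | 198.51.100.7 | thomas | login | success
2018-03-11 08:03:12 | 198.51.100.7 | thomas | post_created | post_id=430
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    action: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated sample format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, action, detail = (p.strip() for p in line.split("|", 4))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user, action, detail))
    events.sort(key=lambda e: e.ts)
    return events


def posts_without_prior_login(events: list[Event],
                              lookback: timedelta = timedelta(hours=24)) -> list[Event]:
    """Return post_created events with no successful login by the same user from
    the same IP inside `lookback` before the post. A normal editing session is
    always preceded by such a login; content that appears without one was not
    written through the login form, so 2FA never had a chance to act."""
    logins: dict[tuple[str, str], list[datetime]] = {}
    flagged = []
    for e in events:  # sorted, so every login recorded so far precedes e
        key = (e.user, e.ip)
        if e.action == "login" and e.detail == "success":
            logins.setdefault(key, []).append(e.ts)
        elif e.action == "post_created":
            recent = [t for t in logins.get(key, []) if e.ts - lookback <= t <= e.ts]
            if not recent:
                flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in posts_without_prior_login(parse_log(SAMPLE_LOG)):
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} {e.user}@{e.ip} created {e.detail} with no prior login")
```

Run against the sample, the three "bernd" posts are flagged and the "thomas" post is not, which is exactly the anomaly Predrag noticed: the login at 10:15:40 arrives after the posts it should have preceded. The same rule works on any audit log that records both logins and content changes with timestamps, user and source IP.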

  • Predrag Dubajic
    • Support

    Hi Thomas,

    Our developers are still investigating this, however for better results it would help them if we could get server logs from your site.

    Could you ask your hosting provider to give you the server logs and provide those to us by uploading them to any file sharing service, like Dropbox or Google Drive, and send us the download link using our contact form https://premium.wpmudev.org/contact/#i-have-a-different-question and the template below:

    Subject: “Attn: Predrag Dubajic

    – Logs download URL

    – Link back to this thread for reference

    – Any other relevant urls/info

    P.S. Please make sure that the logs include the time when those spam posts were added.

    Best regards,

    Predrag

  • Predrag Dubajic
    • Support

    Hi Thomas,

    Thanks for sending those in, I had our developers check these logs and the weird thing is that they are not showing the IPs from the Defender logs anywhere in relation to the site in question.

    Could you provide us with FTP or cPanel login details, as they would like to investigate this further and do some additional tracking to try and figure out where this is coming from?

    I will answer on your previous contact form submission in a minute so you can send us the login details as a response to that.

    Best regards,

    Predrag

  • Predrag Dubajic
    • Support

    Hi Thomas,

    I just talked with the dev about this and he’s working on a similar report to this, it seems that the issue is that the “hack” is not going through the login section and that’s why 2FA is not fired up to protect your site.

    He will compare the results from that report with the results from your site and either he or one of our other staff members will get back to you with more info about this.

    Best regards,

    Predrag

  • Predrag Dubajic
    • Support

    Hi Thomas,

    It seems like there are some traces of SQL injection, but in order to investigate it further our devs would like to access your site again, however, the login details seem to be changed in the meantime.

    I will send you an email about this in a minute so could you please respond there with the new login details?

    Best regards,

    Predrag

  • Adam Czajczyk
    • Support Gorilla

    Hello Thomas

    I apologize for the delayed answer.

    Our devs are still investigating this and it would be good if you could hold off a bit longer on deleting those posts, as they might include some “clues/evidence” on how exactly that happened. However, I think you can safely set them e.g. to “drafts” so they aren’t visible anywhere on the site (apart from the back-end).

    Kind regards,

    Adam

  • Predrag Dubajic
    • Support

    Hi Thomas,

    I just heard back from the developer about this, and after checking your installation everything seems to be in order there: the core files are clean and there’s no malicious code anywhere.

    It seems that the posts are created due to a security issue on some other site on that server; the posts are not actually created by someone logged in as admin but rather by malicious code somewhere else, and that’s why 2FA can’t prevent it from happening.

    I’m afraid that this is something your hosting provider needs to investigate further and check all the sites that are hosted on that server and clean up any suspicious code.

    Let us know if you have any followup questions about this.

    Best regards,

    Predrag

  • Thomas
    • Flash Drive

    Hello,

    it’s me again. After your last reply I applied a “quota” to the folder of the WordPress installation. That way nothing can get into or out of this folder. Now the website was hacked again! (spam posts in the blog)

    For me that means that the hack doesn’t come from another website but was performed directly on this specific website.

    Is there really no way to find out how that happens here?

    Greets,

    Thomas

  • Predrag Dubajic
    • Support

    Hi Thomas,

    Sorry to hear that you’re still having this issue.

    As I mentioned above, Defender developers checked the WordPress files and they are clean, but if the issue is still happening when your folder is “locked”, it’s possible that you have something in your theme or plugins folder causing this.

    What you could do is download clean versions of the theme and plugins that you are using, then download the ones from your site and use a file comparison tool to see if there’s anything in your files that’s not the same as the clean version.

    You can try winmerge.org for Windows or TextWrangler for Mac to compare entire folders and differences in files.

    Best regards,

    Predrag
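The comparison Predrag suggests can be scripted instead of done by eye in WinMerge. The following is an added example, neither Defender's scanner nor code from this thread: it hashes every file under a clean tree and a live tree and reports files whose content differs, files that exist only on the live site, and files the clean release has that the live site lacks. The demo() function builds two small constructed plugin directories in temporary folders so it runs offline; the plugin name, paths and the extra line in the "live" copy are invented for the demonstration. In practice you point compare_trees() at a freshly unzipped download of the same plugin versions and at the site's wp-content/plugins directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large plugin assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict[str, str]:
    """Map every file below root (relative POSIX path) to its SHA-256."""
    base = Path(root)
    return {str(p.relative_to(base)).replace(os.sep, "/"): sha256_of(p)
            for p in base.rglob("*") if p.is_file()}


def compare_trees(clean_root: str, live_root: str) -> dict[str, list[str]]:
    """Compare a known-good tree with the one running on the site.

    'modified': same path, different content (inspect the diff line by line)
    'added':    only on the live site (a clean release has no reason to grow files)
    'missing':  in the clean release but absent from the site
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def _write(root: str, rel: str, content: str) -> None:
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo() -> dict[str, list[str]]:
    """Build two constructed plugin trees and compare them (invented content)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "example-plugin/example-plugin.php", "<?php\n// Plugin Name: Example\n")
            _write(root, "example-plugin/inc/helpers.php", "<?php\nfunction ex_helper() {}\n")
        # Live copy: one file has an extra line, one file is not in the release at all,
        # and the release's readme is missing from the site.
        _write(live, "example-plugin/inc/helpers.php",
               "<?php\nfunction ex_helper() {}\n// extra code not present in the upstream release\n")
        _write(live, "example-plugin/inc/cache.php", "<?php\n// file not present in the upstream release\n")
        _write(clean, "example-plugin/readme.txt", "=== Example ===\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Added PHP files deserve the closest look, since nothing in a normal update creates them, and each modified file should be diffed against its clean counterpart to see what was inserted. For core and for plugins hosted on wordpress.org, WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums --all` perform this comparison against the published checksums without a manual download; themes have no such checksum endpoint, so they still need the directory comparison above.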

  • Thomas
    • Flash Drive

    Hello Predrag,

    thank you for your reply.

    I installed the wordfence plugin and it reported:

    The plugin “Quick Page/Post Redirect Plugin” appears to be abandoned (updated April 24, 2016, tested to WP 4.3.16).

    I instantly removed the plugin. I will try your hint, too.

    PS: I’d appreciate a function in Defender like Wordfence has, where it warns users if a plugin hasn’t been updated for a long time or the author has changed or anything else that could be a security problem.

    Greets,

    Thomas

  • Predrag Dubajic
    • Support

    Hi Thomas,

    Indeed that plugin hasn’t been updated for over 2 years, but wordpress.org has strict review rules, especially when it comes to security, so I would suggest checking your other plugin files as well.

    We are looking into further improvements to the Defender file scan to help more in cases where the code has been tampered with.

    Best regards,

    Predrag
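Thomas's request, a warning when a plugin has not been updated for a long time or is tested only against an old WordPress release, is easy to script from data wordpress.org already publishes. The example below is added here and is neither Defender's nor Wordfence's code. It runs on constructed JSON shaped like the plugin-info API (https://api.wordpress.org/plugins/info/1.0/<slug>.json); the field names last_updated and tested and the date format are my assumption about that API, the first entry's values are taken from the Wordfence report quoted above, the second entry is invented, and the thresholds (one year without an update, more than two WordPress releases behind) are arbitrary choices rather than a standard.

```python
import json
from datetime import datetime

# Constructed responses shaped like the wordpress.org plugin-info API (field names
# assumed). Entry 1 mirrors the Wordfence finding from the thread; entry 2 is an
# invented, well-maintained plugin for contrast.
SAMPLE_API_RESPONSES = {
    "quick-page-post-redirect": json.dumps({
        "name": "Quick Page/Post Redirect Plugin",
        "last_updated": "2016-04-24 3:51pm GMT",
        "tested": "4.3.16",
    }),
    "example-maintained-plugin": json.dumps({
        "name": "Example Maintained Plugin",
        "last_updated": "2018-03-01 9:05am GMT",
        "tested": "4.9.4",
    }),
}


def release_of(version: str) -> tuple[int, int]:
    """Reduce '4.3.16' to the WordPress release it belongs to, (4, 3)."""
    parts = version.split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (int(parts[0]), minor)


def releases_behind(tested: str, current: str) -> int:
    """How many WordPress releases `tested` trails `current`. WordPress numbers
    releases x.0 .. x.9 and then moves to the next major (4.9 -> 5.0), so one
    major step counts as ten minor steps. Specific to WordPress numbering."""
    t, c = release_of(tested), release_of(current)
    return (c[0] - t[0]) * 10 + (c[1] - t[1])


def plugin_warnings(raw_json: str, now: datetime, current_wp: str,
                    max_age_days: int = 365, max_release_lag: int = 2) -> list[str]:
    """Return human-readable warnings for one plugin-info response."""
    info = json.loads(raw_json)
    warnings = []
    # Assumed format of last_updated, e.g. "2016-04-24 3:51pm GMT".
    updated = datetime.strptime(info["last_updated"], "%Y-%m-%d %I:%M%p GMT")
    age_days = (now - updated).days
    if age_days > max_age_days:
        warnings.append(f"last updated {updated:%Y-%m-%d}, {age_days} days ago")
    lag = releases_behind(info["tested"], current_wp)
    if lag > max_release_lag:
        warnings.append(f"tested up to WP {info['tested']}, {lag} releases behind {current_wp}")
    return warnings


def audit_plugins(responses: dict[str, str], now: datetime,
                  current_wp: str) -> dict[str, list[str]]:
    return {slug: plugin_warnings(raw, now, current_wp) for slug, raw in responses.items()}


def demo() -> dict[str, list[str]]:
    """Audit the sample responses as of WordPress 4.9.4 (March 2018, the thread's timeframe)."""
    return audit_plugins(SAMPLE_API_RESPONSES, datetime(2018, 3, 12), "4.9.4")


if __name__ == "__main__":
    for slug, issues in demo().items():
        print(f"{slug}: {'; '.join(issues) if issues else 'ok'}")
```

To run this for real, fetch each installed plugin's slug from the API and feed the JSON to plugin_warnings(); the check says nothing about plugins that are not hosted on wordpress.org, and an old "tested up to" value is a signal of neglect rather than proof of a vulnerability, so treat the output as a list of plugins to review (or replace), not as scan findings.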
