Wordpress Sites Hacked - Looking for a Solution

I recently had several WP sites hacked - the hackers splash screen is attached.

The hacks were across several sites from WP3.7 to WP3.5 and I could not find a pattern of plugins. A malware check showed several 404.php theme pages were compromised, and one of the sites was running BulletProof Security.

As I have several sites, (100+), is there a fairly easily managed solution to prevent hackers from gaining access?

Thanks for your advice!

  • Jack Kitterhing
    • Code Norris

    Hi there @kenivey

    I hope you are well today and sorry to hear of the issues you've had with your site.

    Always make sure you use strong passwords across your sites and make them all different if this isn't a multisite network.

    A combination of numbers, letters and characters.

    Never search for a free theme on Google, always use wordpress.org or other reputable theme sellers and marketplaces such as themeforest for example.

    Keep all sites up to date with the latest WordPress releases and plugin releases, small updates are often security patches and it's vital to update :slight_smile:

    Check your permissions on your files and make sure that they aren't writable by everyone, for example, never use 777 permissions, even for brief testing.

    We also have a article here you may find interesting https://premium.wpmudev.org/blog/wordpress-security-tackling-backdoors-pharma-hacks-and-redirects/

    Thank you!

    Kind Regards
    Jack.

  • Imperative Ideas
    • HummingBird

    @kenivey I typically bounce various hack tools, starting with wp-scan and getting deeper from there, off of my own sites. A good Linux distribution to keep around is Backbox.

    In terms of general security, you should re-numerate any administrative user 1-10 as a random 7+ number string (trivial with a MySQL query). You should never post to your blog as an administrative user as posting users are obvious targets, especially on small sites with few authors. You should also block user enumeration through htaccess.

    Additionally, Better WP Security includes excellent tools for doing things like renaming your content directory (easy to do manually anyhow) and obfuscating your administrative directory (harder to do because you create a new admin login url, assign a nonce key, then require that nonce in order to access wp-login.php; and further require being logged in to access the wp-admin directory.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.