WPMU security issue..Has my site been hacked???

Hi,
I run a network that is growing fast. I have already dealt with robot signups and disabled them (At least I think so.)

Due to a server issue, I disabled the new registration portion of my wpmu site. But, it still seems like I am getting sign up notices. Is the server just catching up or have I been hacked?

  • Ryan
    • Design Lord, Child of Thor

    The server issue was due to loading. This site has seen so many new signups I had to go to a higher capacity server.

    I have been wondering if all the new signups were given some sort of admin. The original issue I started having was that all the accounts looked like the admin account. All the sites had the same categories and everything. They could see all the posts.
    I have been trying to correct that issue while moving to a larger server.

  • PC
    • WPMU DEV Initiate

    Hiya,

    Greetings and thanks for posting on the forums.

    Are new signups coming in on the main site, or are they being registered as new subsites on your network?

    What about the users that are being added to the site? Did you check their roles on your main site? What is their role?

    Please advise.

    Cheers
    PC
    Sales & Support

  • lol
    • The Incredible Code Injector

    Hi,

    This site has seen so many new signups I had to go to a higher capacity server

    So, you are a happy man!

    Have you already tried to change (and strengthen) the admin password?

    Is it done?

    Have you limited the default role of new registered members?

    Anyway, it is essential to change the password of the administrator (in case it was hacked), and remove admin status from those who should not have it...

  • Ryan
    • Design Lord, Child of Thor

    Happy? No. Frustrated and angry! YES! This issue is related in some way to another issue that is causing me stress as I am not making any money on this and I can't seem to get anyone to see the problems!

    What would it take for me to move wpmu into its own domain?

  • lol
    • The Incredible Code Injector

    Hi Ryan,
    I understand, my joke wasn't to make you angry.
    Can you answer my (and PC's) questions?

    Without more details it's difficult to imagine what really happens.

    Which operating system does your server run?

  • Ryan
    • Design Lord, Child of Thor

    Take a look at the login below:

    ***********Moderated login details***********

    Each of the new members is supposed to be a clean subsite (similar to that of a new wp blog install).

    Instead I get what you see in the account above. It is listing all the game posts, categories etc. Not an admin lookalike. This looks like it is mirroring the arcade admin.
    This was not the intent!

    At last count, I have over 1300 members (subsites). And all look like this.

    Look at the draft post inside the account above. Note how this resembles a game entry page (as though I was posting a game).

    None of this is what I had intended for the wpmu. The goal was something like blogger.com (i.e. clean blog sites).

    This is what is making me angry as it is useless to me as is.

    Please tell me this makes sense. I really need to get this issue dealt with.

  • Ryan
    • Design Lord, Child of Thor

    It seems my worst fears have been confirmed. The response from the arcade theme vendor has led me to believe that the arcade plugin is viewing the new signups as admins.

    So now the issue is how do I separate the wpmu database from the arcade database and create a new domain and wpmu site for it.

  • PC
    • WPMU DEV Initiate

    Hey Ryan,

    Thanks for your posts.

    First of all I have moderated the login details. They should not be posted in the forums.

    The response from the arcade theme vendor has led me to believe that the arcade plugin is viewing the new signups as admins.

    Unfortunately I have no experience with what the arcade plugin does. I tried to log in to the site, but that is a pretty limited access and I can't see most of the menu items so I can't see what is going on in there.

    Please advise.

    Cheers
    PC
    Sales & Support

  • Ryan
    • Design Lord, Child of Thor

    Let me apologize. This issue has been a major frustration. As it stands I have managed to halt any new sign ups pending this site's move to a new server. There has been a delay as the server software cannot handle the database transfer.

    The vendor did not say it in so many words, but their reply has led me to believe that the issue is related to the arcade plugin itself.

    I have been left with the idea of creating a new domain and wpmu site and attempting to migrate the database to it. I need to know if this is possible. The goal is to migrate the wpmu portion and leave the rest in the arcade site.

    I started another thread related to just that issue. One response I had was to use a multinetwork plug in. BUT, the question that I have voiced is this: What effects will this plugin have on other plugins being installed?

  • PC
    • WPMU DEV Initiate

    Hello Ryan,

    Thanks for posting back.

    I have been left with the idea of creating a new domain and wpmu site and attempting to migrate the database to it. I need to know if this is possible. The goal is to migrate the wpmu portion and leave the rest in the arcade site.

    Well, if you want to move your site to a different domain, you can follow the guide here: http://www.totalcomputersusa.com/2012/11/moving-wordpress-multisite-to-a-new-domainserver/ However, as you already have sites on your multisite, the links to all of them will also change if you move the site to a different domain.

    Also, I am not sure how this arcade plugin has set things up on your site. Is it in a different database? If not, and you don't want to move the data from this plugin to the new site, you can simply drop those tables from the database.

    If you want to move your site to a different hosting (make sure you choose a host optimized for WordPress) then you can follow here: http://codex.wordpress.org/Moving_WordPress

    It will make it easy for you to move over. Take backups so that you don't break anything and if it's broken, you can easily restore.

    I started another thread related to just that issue. One response I had was to use a multinetwork plug in. BUT, the question that I have voiced is this: What effects will this plugin have on other plugins being installed?

    Creating multiple threads for related issues is fine; however, if the issue is the same and different versions are being discussed, then it becomes confusing for you as well as the staff dealing with the issue, as everyone has a different way of approaching things.

    My opinion: If you are using a plugin which does not have any support, "Stop using it". You will more likely face more problems in future. Avoid plugins with no support.

    Cheers, PC

  • Ryan
    • Design Lord, Child of Thor

    I'm not sure any of the multisites are being used for the reasons I have tried to explain before: Their posts are being forced into a game formatted page that is from the Arcade script and they are being forced into the categories listed in the arcade script. Based on what I have seen, and the above reasons, I am not sure that any of them are being used.

    As for support, the vendor acknowledged that what they had seen was "beyond them" as they had never experienced the fusion of wpmu and their script.

    One idea that was mentioned was using the multi network plugin. I questioned whether or not this plug in would have any effect on other plugins that were added to the network after all of this was settled.

    Finally, the idea of setting up and using a new script and site was not an easy one to make, BUT given all of the issues I have seen so far, I considered it the best solution.

    As for sorting the tables... I'm not even sure I would know what I am doing.

  • Ryan
    • Design Lord, Child of Thor

    Finally, I do apologize for the multiple threads I created. I went into a panic mode once this started. I have been out of work and no unemployment insurance. I had been looking at this as my income source (not an unrealistic expectation given the amount of activity I was seeing).

    When this issue surfaced, I panicked.

    Again, my apologies.

    What would be the fastest and most efficient way to deal with this issue?

  • PC
    • WPMU DEV Initiate

    Hello Ryan,

    No issues with the multiple threads. I can understand that when we consider something as urgent, we take all the measures which we think can expedite the issue.

    The fastest way to solve this issue is first understanding what is going on. I am not able to visualize what is going on with your site.

    What is the link to your arcade plugin? What does it do?

    Do you think it's really required for your network?

    Can you let me know whether your network will work fine if that plugin is not being used?

    Do you have paid clients at the moment?

    Please advise.

    Cheers
    PC
    Sales & Support

  • Ryan
    • Design Lord, Child of Thor

    Here is the plug in link:

    http://myarcadeplugin.com/

    This is the main part of the site. I was trying to build everything up around it.
    I had added buddypress, (attempted adding chat), attempted adding classifieds.

    ********Login details Moderated***********

    Note the link above. This is a sample of what all the other wpmu members see and it is useless to them. If you will look around, you will note that this mirrors admin in every respect, including all posts, all the categories that were created in super admin etc. Let me stop here and say that this was NOT what was intended.

    Note that there is a draft post in this account mentioned above. View that post. You will see that it is viewed in a page format from the arcade pro script. NOT a regular wp blog post. Compare this draft to an arcade page inside the site itself. Let me reiterate that none of this was what was intended.

    When I added wpmu, it was to give members a place to blog. I had intended it to be an addition to the chat and twitter like addons. Each member was to have a blank wp blog (no categories, no posts, nothing and certainly NOT a mini admin account). Each one was intended to be like a brand new wp blog site with nothing in it, no prior posts, no forced categories, nothing (like a brand new wp install).

    I explored every effort to correct this, I went back in and made sure the permissions were correct. But nothing has happened and I have 100's of useless accounts.

    In one of the other threads, the idea was proposed to use something called multi network plug in, but there was no guarantee that this would work. I also questioned if this approach would have negative effects on any other plugins added.

    The vendor has said that they have never seen anything like this and do not know what to do.

    Finally, the discussion came up in sorting the wpmu database from the arcade database and setting it up under a new domain. But, so far, that discussion has been inconclusive.

    If it comes down to it (and the accounts cannot be salvaged), I will sacrifice the old accounts and just get wpmu off my game site.

    I do have another domain set up and waiting. I want to create a social networking site using the plugins I have seen here. BUT, I need to move quickly on this.

  • Ryan
    • Design Lord, Child of Thor

    No paid clients as yet.

    The wpmu script should not harm the rest of the site if it is removed.

    Please let's move forward on all of this.

    While I am waiting, can someone tell me if wpmu requires a regular wp blog site first? Pls. send instructions on how to set it up from the very beginning.

  • PC
    • WPMU DEV Initiate

    Hello Ryan,

    Thanks for posting back.

    I hope you are not in the habit of posting the login details on the open forums. I also said previously that you should not post the login details here. If we need them, we ask for them.

    If someone comes across the post and looks at them, they can cause harm and we would not be able to do anything about it.

    I have moderated the details as of now.

    Note the link above. This is a sample of what all the other wpmu members see and it is useless to them. If you will look around, you will note that this mirrors admin in every respect, including all posts, all the categories that were created in super admin etc. Let me stop here and say that this was NOT what was intended.

    Perhaps you have made custom changes to the user roles so the user role which people are getting when they create a new account is messed up and is allowing people to create new posts while they are not supposed to.

    Kindly check if you have made any changes there.

    Note that there is a draft post in this account mentioned above. View that post. You will see that it is viewed in a page format from the arcade pro script. NOT a regular wp blog post. Compare this draft to an arcade page inside the site itself. Let me reiterate that none of this was what was intended.

    Sorry, you lost me here. I could not understand what it means. Can you kindly share the direct links so that I can understand better?

    When I added wpmu, it was to give members a place to blog. I had intended it to be an addition to the chat and twitter like addons. Each member was to have a blank wp blog (no categories, no posts, nothing and certainly NOT a mini admin account). Each one was intended to be like a brand new wp blog site with nothing in it, no prior posts, no forced categories, nothing (like a brand new wp install).

    So it's simple. You should enable WordPress multisite, and allow registrations and sites to be created. What is the issue with it? Please note that when a person signs up for a website, he/she will have full admin rights (apart from installing and removing plugins and themes) on the subsite they create.

    Here are the manuals: https://premium.wpmudev.org/manuals/wordpress/

    Finally, the discussion came up in sorting the wpmu database from the arcade database and setting it up under a new domain.

    Well, separating databases is something I can't help you with. It's something you'd need to do with the help of your other vendor which supplies the arcade plugin.

    If it comes down to it (and the accounts cannot be salvaged), I will sacrifice the old accounts and just get wpmu off my game site.

    I do have another domain set up and waiting. I want to create a social networking site using the plugins I have seen here. BUT, I need to move quickly on this.

    To be honest, in my opinion, you should keep your WPMU and Arcade sites separate. You know why?

    As a user, how many game sites would you visit to create a free or a paid blog?

    Simply create a new WordPress site, activate WordPress Multisite on it and get going.

    https://premium.wpmudev.org/manuals/wordpress-multisite/

    Cheers, PC
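
An added example, not part of the original thread or any participant's post: a minimal Python audit of the distinction raised in the replies above, between holding the administrator role on the main site and on a member's own subsite. It assumes the default `wp_` table prefix and an export of `wp_usermeta` rows; the sample rows, logins and function names are constructed for illustration.

```python
import re

# Assumption: default table prefix. WordPress keeps per-site roles in usermeta
# under "<prefix>capabilities" (main site) and
# "<prefix><blog_id>_capabilities" (subsites), as a PHP-serialized array.
PREFIX = "wp_"
CAP_KEY = re.compile(r"^" + re.escape(PREFIX) + r"(?:(\d+)_)?capabilities$")
ROLE = re.compile(r's:\d+:"([^"]+)";b:1;')  # role entries set to true

# Constructed sample rows: (user_id, user_login, meta_key, meta_value)
SAMPLE_USERMETA = [
    (1, "siteowner", "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "member_a", "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (7, "member_a", "wp_12_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (9, "member_b", "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (9, "member_b", "wp_14_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (9, "member_b", "wp_user_level", "10"),  # not a role row, ignored
]


def roles_by_site(rows):
    """Map user_login -> {blog_id: set(roles)}; blog_id 1 is the main site."""
    out = {}
    for _uid, login, key, value in rows:
        m = CAP_KEY.match(key)
        if not m:
            continue
        blog_id = int(m.group(1)) if m.group(1) else 1
        out.setdefault(login, {})[blog_id] = set(ROLE.findall(value))
    return out


def unexpected_main_site_admins(rows, expected_admins):
    """Logins that are administrator on the main site but not expected to be."""
    found = []
    for login, sites in roles_by_site(rows).items():
        if "administrator" in sites.get(1, set()) and login not in expected_admins:
            found.append(login)
    return sorted(found)


if __name__ == "__main__":
    # Administrator on one's own subsite is normal; on the main site it is not.
    for login in unexpected_main_site_admins(SAMPLE_USERMETA, {"siteowner"}):
        print("review main-site administrator:", login)
```
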
