Wordpress Hacked

Hi there- I could probably post this on Wordpress but I find lots of those threads get lost and plus I always find answers through Sitepoint :slight_smile:

I’m in a bit of a pickle. I have an account at bluehost on which I host about 10 of my friends’ websites. One of them told me that when they visit their website through a search engine, they’re redirected to some spam site. I thought it was just their browser, but it’s actually happening on each of the sites on that server. Who knows how long this has been going on; none of them actively monitor analytics.

My problem now is that I don’t know anything about security (chmod, .htaccess). Everything that I’ve found goes into great detail about changing your permissions, passwords, fresh installs.

Does anyone have any suggestions here? Re-doing all of the 10 sites would be a goddamn nightmare… I know the site sucuri.net can fix it pretty quickly, how do they do it?? I might just have to run that, but it will be an expensive option…

Sorry for the vague details, I just don’t know what to provide here. Most of the php files have a base64_decode in them, which seems strange…

  • Are you running the latest stable version of wordpress?
  • Had you installed and/or enabled any plugins around the time the redirects started?
  • Check any access logs (ftp, etc.) for anything that sticks out: IPs you don’t recognise, access when you know that neither you nor anyone else who is supposed to have access was online.
  • Run anti-virus and anti-malware/spyware scans both locally on any computer you use to work on the site and on the server.
  • Change your ftp password.

I think it was a timthumb.php security issue in one of the older versions. I didn’t update right away, and once I did, the damage was already done. Same with the other suggestions: I’ve since changed FTP passwords and run antivirus, but the affected files are still on my server.

I think I’m in for a long night…

Found a great article for anyone who finds this in the future:

Your Wordpress installation or one of its plugins could have been hacked. Or the server could have been hacked or maybe your hosting account hacked. There are lots of ways you could have been hacked. Of course, Wordpress is probably the most probable source of the security breach.

Delete all of your files and start fresh. Those hackers like to put multiple backdoors in all over the place just in case one of them is discovered so they can get back into your account.

I don’t know what kind of output validation Wordpress does. You might want to check your posts table in your database for any rogue scripts or iframes.

  1. Always update to the new version of Wordpress. Because it’s open source, that means an old version will be very, very bad and not safe.
  2. If you got hacked –> delete all, install new. Run a restore of the SQL DB only. In the upload folder, only keep *.jpg *.gif *.png; pictures are safe, any other file extension will be dangerous. Maybe a shell file.
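As an added triage example (not from any poster in this thread), the script below does two of the checks the replies describe: it lists PHP files that contain `base64_decode`/`eval`-style calls like the ones the original poster noticed, and it lists files under `wp-content/uploads` whose extension is not one of the image types the last reply says to keep. The sample site tree it builds is constructed and hypothetical; the harmless placeholder string in `footer.php` stands in for whatever the real injected code was.

```python
import re
import tempfile
from pathlib import Path

# Extensions the last reply says are safe to keep inside wp-content/uploads.
SAFE_UPLOAD_EXT = {".jpg", ".jpeg", ".gif", ".png"}

# Calls that legitimate theme/plugin code rarely needs; base64_decode is the one the poster saw.
SUSPICIOUS = re.compile(rb"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def scan_php_files(root):
    """Return {relative path: sorted list of suspicious call names} for every *.php under root."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*.php"):
        found = sorted({m.group(1).decode().lower() for m in SUSPICIOUS.finditer(path.read_bytes())})
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def unexpected_uploads(root, uploads="wp-content/uploads"):
    """Return relative paths under the uploads folder whose extension is not an image type."""
    root = Path(root)
    base = root / uploads
    if not base.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in base.rglob("*")
                  if p.is_file() and p.suffix.lower() not in SAFE_UPLOAD_EXT)


def build_sample_site(dest):
    """Write a constructed WordPress-like tree: one clean theme file, one with an injected line."""
    dest = Path(dest)
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';",
        "wp-content/themes/demo/header.php": "<?php echo '<!DOCTYPE html>'; wp_head(); ?>",
        "wp-content/themes/demo/footer.php": "<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>",  # placeholder
        "wp-content/uploads/2012/01/photo.jpg": "",
        "wp-content/uploads/2012/02/upload-2012.php": "<?php /* constructed, empty */ ?>",
    }
    for rel, body in files.items():
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        (dest / rel).write_text(body)
    return dest


def run_demo():
    """Build the sample tree in a temp dir and return (php hits, non-image uploads)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        return scan_php_files(site), unexpected_uploads(site)


if __name__ == "__main__":
    hits, uploads = run_demo()
    for path, calls in hits.items():
        print(f"suspicious: {path} -> {', '.join(calls)}")
    for path in uploads:
        print(f"non-image upload: {path}")
```

Point `scan_php_files` and `unexpected_uploads` at a downloaded copy of the site rather than the live document root, and treat a hit as something to inspect, not as proof of compromise on its own.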