Turkish hackers keep hitting my site

thompsdc

So I designed a WordPress (v3.9.2) website for my brother's business. The other day, when I was trying to show them how to edit the content of the site, neither of us could log in. I thought that I had forgotten my password, so I reset my password, and the reset email that came through stated my username as being 'byb'.

This made me think that there was a bug in the version of WordPress that had messed up the usernames, making them all 'byb', so I just copied the user table data from my local copy of the site to the server and we carried on.

The next day, I checked the site just to be sure, and was greeted with this screen:

[Attached image: hackers.jpg]

My host is Axxess, so I called them to report that we were hacked. They restored the site from the previous day's backup and advised me to upgrade my CMS. I am now running the latest WordPress (4.0.0).

Today I was notified that no one could log in to edit the site, and upon further investigation I found that all the usernames and passwords have been changed again...

[Attached image: wp_users.jpg]

The picture above shows the live site data for my username, and the bottom one shows my local dev database version.

I have emailed Axxess to ask for more assistance, but I would like to know if anyone else has this issue?
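
The comparison described in the post above (live user table against a known-good local copy) can be scripted. This is an added example, not part of the original thread; it assumes both tables were exported to CSV with the standard `wp_users` columns, and the rows and hashes are constructed sample data.

```python
import csv
import io
from collections import Counter

WATCHED = ("user_login", "user_pass", "user_email")

# Constructed sample exports (CSV of wp_users); hashes are placeholders.
BASELINE_CSV = """ID,user_login,user_pass,user_email
1,site_owner,$P$Bconstructed-hash-0001,owner@example.com
2,editor_one,$P$Bconstructed-hash-0002,editor@example.com
"""
LIVE_CSV = """ID,user_login,user_pass,user_email
1,byb,$P$Bconstructed-hash-9999,owner@example.com
2,byb,$P$Bconstructed-hash-9999,editor@example.com
3,extra_user,$P$Bconstructed-hash-7777,unknown@example.net
"""

def load_users(text):
    """Return {ID: row} from a CSV export of wp_users."""
    return {row["ID"]: row for row in csv.DictReader(io.StringIO(text))}

def compare_users(baseline, live):
    """Diff the live table against the known-good baseline."""
    report = {"changed": {}, "added": [], "removed": [], "mass_overwrite": []}
    for uid, row in live.items():
        if uid not in baseline:
            report["added"].append(uid)  # account that never existed locally
            continue
        diff = [c for c in WATCHED if row[c] != baseline[uid][c]]
        if diff:
            report["changed"][uid] = diff
    report["removed"] = [uid for uid in baseline if uid not in live]
    # Several accounts sharing one login or hash points to a bulk UPDATE,
    # not to individual users changing their own credentials.
    for col in ("user_login", "user_pass"):
        counts = Counter(row[col] for row in live.values())
        report["mass_overwrite"] += [(col, v, n) for v, n in counts.items() if n > 1]
    return report

if __name__ == "__main__":
    result = compare_users(load_users(BASELINE_CSV), load_users(LIVE_CSV))
    for key, value in result.items():
        print(f"{key}: {value}")
```

A changed `user_pass` on its own can be a legitimate reset; the `added` and `mass_overwrite` entries are the ones that need explaining.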
 
I have three WordPress sites that get brute-forced on an almost daily basis.

A couple of things I do to try and keep them out:

1. Change the username of the admin user to something other than 'admin' / 'administrator' / $domainname_admin.

2. Use a plugin called Wordfence - it has some very useful security features. Definitely check the IP lockout and email alert features.

3. Check the logs on Wordfence weekly and see who and what the hackers are trying (and smile at their futile attempts). If they are using the same IP to launch their attacks, block it. If they are trying a valid username, change the username.

Since your site has been compromised already, you can be pretty sure that they have left a backdoor. You could identify it and remove it, or do a clean sweep and restore your site.

Once you're back up and running, do a vulnerability scan of your site; it could be that you have left your site open to some more advanced techniques of hacking. A few tools to accomplish this: https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Good luck!
 
Urgh, it's such a pain in the derrière.

Thanks for the info, it's really helpful. I was thinking they probably left in a backdoor, it's such a pain in the ass. I really feel like

Hopefully it's just a weakness with WordPress, otherwise I might just write my own PHP site instead.
 
I would scrap that whole VM and remake it if it's possible. I would also check the plugins installed to see if any are vulnerable.

Also, I have seen people store their WordPress/phpMyAdmin SQL backups on the public-facing side. Just check everything relating to the site, and see what Google has indexed about the site.
 
As mentioned, I would start with the plugins. Google and research each plugin for vulnerabilities.
 
Well, you were hacked, you changed the usernames and passwords, then got hacked again, so Axxess restored your site to the original hacked state. You've really got to be sharp with your WordPress security. Don't use hacked themes!
 
I have no plugins installed and I wrote the theme myself, so I think my next step is to kill the site and re-upload all the files from my PC from scratch.
 