Websites Hacked - Not at Wealthy Affiliate


I have around 30 websites on my hosting account these include my son's, my grandson's and a few clients. I've been using HostGator for my hosting since 2002 when I created my first website and because I have so many sites I haven't moved the hosting to WA.

I have Wordfence security plugin installed on all the sites so they are monitored very closely for security breaches. And Wordfence has protected my sites from thousands of brute-force attacks by hackers. I haven't had a single website compromised since I started using Wordfence. Until now!

So I got an email from Wordfence via one of my sites:

Critical Problems - File appears to be malicious - wp-config.php

In case you're not familiar with wp-config.php it's one of the core WordPress files. It contains information about the database, including the name, host, username, and password. Without wp-config.php the website does not run.

So I logged in to the website and found 3357 issues to fix. All PHP files, and all compromised by a Backdoor:PHP infection.

Some of the files that had been introduced were not even WordPress core, theme or plugin files. Just new files with malicious script and called index.php to make them look like regular files.

Because I am so security conscious I back up all my sites regularly. I use Tools > Export, WP Clone plugin and FTP to back up. Is having 3 backups paranoid? Not in this scenario. I didn't need Tools > Export but I sure did need WP Clone and FTP. The wp-config file is in the root directory and not part of the WordPress installation. So WP Clone didn't back it up but the FTP backup did.

So my first step was to restore the site using WP Clone's backup. Then I ran the Wordfence scan again. WP Clone fixed the WordPress files but the new files which had been introduced were still there and the wp-config was still corrupt. But now I had far fewer issues to deal with.

Next on my list was the plugins. I deactivated and deleted all the infected plugins. Then I deleted all the themes except the active theme. Even Twenty-Fourteen had been corrupted.

I ran the Wordfence scan again.

Then I deleted or restored the remaining 100+ files and uploaded the backup copy of the wp-config file to replace the corrupted one.

I ran the Wordfence scan again.

YAY!

Rinse and repeat

By the time I got to the 10th website I knew what I was doing.

The wp-config files had a lot of gobbledygook at the top with the original text underneath.
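An added example, not part of the original post: a Python sketch that compares a live site's PHP files against a known-clean backup (such as the FTP copy) and separates newly introduced files, rewritten files, and files where junk sits on top of the intact original, as with the wp-config files here. The function names, directory layout and sample contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def php_files(root):
    """Map relative path -> absolute Path for every .php file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*.php")}

def compare_to_backup(live_root, backup_root):
    """Classify live PHP files against a known-clean backup copy."""
    live, clean = php_files(live_root), php_files(backup_root)
    report = {"added": [], "modified": [], "prepended": [], "missing": []}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            report["added"].append(rel)          # e.g. a stray index.php
        elif sha256(path) != sha256(clean[rel]):
            original = clean[rel].read_bytes().strip()
            # Injected code on top, original text intact underneath.
            if original and path.read_bytes().strip().endswith(original):
                report["prepended"].append(rel)
            else:
                report["modified"].append(rel)
    report["missing"] = sorted(set(clean) - set(live))
    return report

def demo():
    """Build a constructed clean/infected pair and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-content/themes/old").mkdir(parents=True)
            (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'example');\n")
            (root / "wp-content/themes/old/functions.php").write_text("<?php // theme\n")
            (root / "wp-load.php").write_text("<?php // loader\n")
        # Constructed tampering: junk prepended, file added, rewritten, deleted.
        cfg = live / "wp-config.php"
        cfg.write_text("<?php /* INJECTED-PLACEHOLDER */ ?>" + cfg.read_text())
        (live / "wp-content/index.php").write_text("<?php /* INJECTED-PLACEHOLDER */\n")
        (live / "wp-content/themes/old/functions.php").write_text("<?php /* replaced */\n")
        (live / "wp-load.php").unlink()
        return compare_to_backup(live, clean)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Against real sites, call `compare_to_backup()` with the live document root and the unpacked backup directory; anything under "added" has no counterpart in the backup and needs a manual look before deletion.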

I've wasted 3 days fixing up 21 hacked websites

None of my clients' websites were hacked and the newer websites were also unscathed. There were two things that the hacked sites had in common: a plugin which was no longer needed and hadn't been updated for 4 years, and some of the older WordPress themes.

What I've learned

  • Back up, back up, back up.
  • Deactivate and delete unnecessary plugins.
  • Delete all themes except the active theme and the latest WordPress theme (Twenty-Sixteen).
  • Don't use plugins that haven't been updated recently.
  • Don't use themes that haven't been updated recently.
  • Make sure you keep your plugins, themes and WordPress up to date.

Did I mention back up?

30 Second Daily Backups

Full Backup With a Plugin

Using Filezilla FTP to Backup Your Website


Recent Comments

SOOOO sorry you had to go thru this Marion. But thank you for taking the time to pass along this extremely valuable information.

Steve

Sorry to hear that Marion! Do you think sites hosted here at WA are much more protected? I know site backup is essential, but do you think this kind of thing could happen if a website is hosted in WA?

It's my understanding that WA has a lot of security in place, much more than external hosting. But keep backing up anyway.

Yes, Ma'am!!

Oh Marion, I don't understand half of it but that has been a lot of work!!! and what on earth is the fun of hacking all these websites? But you did it!!, Marion

Hi Marion, what an awful mess. At least you are now on top of things. Irv.

Thanks Marion. All the best

Thanks for the information.

Not a good one, sorry for all the mess but the luckiest part is that you have all the technical knowledge to deal with everything. Will take your advice in case. Thank you.

So apart from that, how was your weekend? :-)

Good to hear you got it fixed quickly.

I had my main site hacked a few years ago. Since then nothing, touch wood. It's amazing how security conscious sorting this stuff out and getting it fixed makes you.

LOL. Did I mention backing up?

I'm so sorry this happened to you Marion. It is a good thing that you had the knowledge to correct the problem though.

Tom

Great info Marion, thank you :)
