Now what baffles me is according to logs they all them seem to have logged-in directly to WordPress as if they know the password (since it’s only one login attempt in line 16 above). This is true even for sites only up one day ago and the passwords are not simple ABCs. It is also … Read more
My (managed) dedicated server, with several sites (not all of which use WP) has been hacked. OK, it happens. Not the end of the world. Today, I find permissions changed to 200 – which I suspect might have been done by my service provider (although I’ve not received notification, nor yet an answer to my … Read more
I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That’s not good. So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to ‘de-hack’ it. … Read more
Hi @Syom: Often hackers get access because you use the name “admin” for your administrator and you have an easy to hack password. Or because you don’t update your software and they leverage some of the security holes that have been found and patched. Here’s a set of slides that go indepth to explaining how … Read more
I’ve read that dumping the database as text and searching in it is a good way to go. You can search with phpmyadmin, but it’s limited. Depends on the size of the database and a good text editor, but you can delete post/page revisions before dumping the database to bring it down in size. Or … Read more
I won’t repeat any of the good advice in Squish’s answer. You should also read this article on WordPress security. I’m just going to cover the specifics of what I learned from my episode. My attack is a kind of black hat SEO known as “hideMeYa”: http://siteolytics.com/black-hat-seo-technique-demystified/ Basically, the attacker slips a bunch of hidden … Read more
About Hacked sites: First of all, let’s be clear about issues related to hacking: If your site was genuinely hacked, then in short of completely erasing all the files and then reinstalling the server (not just WordPress) with new passwords, updating all files and identifying and removing previous loop holes that caused the site to … Read more
< and > are encoded as +ADw- and +AD4- in UTF-7. Now imagine the following: Someone sends +ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4- as comment text. It will pass all sanitation unescaped. The database expects and treats all incoming data as UTF-8. Since all UTF-7 streams are valid UTF-8 too, this will never result in a SQL error, and mysql_real_escape … Read more
Have you identified the exploit vector? If not, you may be leaving yourself open to future exploit. Other things to consider: Change WordPress admin user passwords – done Change Hosting account user password Change FTP passwords Change MySQL db user password – done Change the db table prefix Update your wp-config nonces/salt Check your directory/file … Read more