Site Hacked for the fourth time


#1

I’m getting aggravated about this. The footer of my site has once again had a code injection done on it. What is wrong, DH? Is there really a problem keeping the box secure?


#2

…it might be possible that you have some insecure things in your site, especially if this has already happened.

Some things to check:
file permissions
strong FTP passwords
everything updated in WordPress
you don't have the Admin account enabled.


#3

I agree, the insecurity is most likely not a problem with “keeping the box secure”. It’s far more likely that the site owner has unknowingly introduced a back door by installing an insecure theme or plugin.

I had a local customer that I did other work for call me once and ask me for my thoughts about something very similar regarding a personal website they were maintaining. I suggested it might be a weakness with a WP theme or plugin and the response was “oh no, it can’t be, we paid a lot of money to have that done professionally.” In the end, that was the problem.


#4

You’re running WordPress, so here’s the most frustrating thing about it when you’re hacked: If you don’t clean up every last inch of it right, those Damn Dirty Hackers come back over and over again.

Generally speaking, they get in because of a vulnerability in one of your themes or plugins, OR they’ve got your password. DH servers are pretty secure and so is core WordPress (nothing is 100% in life, it’s a moving target and we’re constantly working to make WP and DH tougher). The problem with plugins and themes is they’re not as rigorously peer reviewed. Speaking as a plugin review volunteer for WordPress.org, most of the insecurities are never reported :(

I’ve been maintaining this wiki page for how to clean up a WP hack: http://wiki.dreamhost.com/WordPress_Hacks

The tl;dr is that you’re going to delete all the WP files except for your uploaded content and your config file, change your passwords, THEN reinstall all the files. I would recommend reading the page if you’ve never tried that before, but it is exactly the steps I go through when I clean up someone’s hacked site.


#5

admin has been renamed in the database. When WP installs it throws one account named admin you can’t change the name of (by UI means).
The problem is wp-content/themes/k2/footer.php in the site. Every other day it seems like its file permissions are changed to 777 while a blob of SEO junk is thrown in. This makes it quite obvious that it isn’t a flaw in WordPress. When I see it I change it to 644 and delete the offending section. I’m thinking of just modifying the theme so footer.php isn’t used.

Is there a way to access FTP records for the site so I can see where the offending attack is coming from?
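An added example, not posted by anyone in this thread: a small POSIX shell audit for the symptom #5 describes, theme files that have become world-writable (777) and a footer.php whose contents no longer match a recorded baseline. The wp-content layout, the k2 theme files and the "injected" line are all constructed for the demo; on a real site you would point the functions at the live wp-content directory and keep the baseline file outside the web root.

```shell
#!/bin/sh
# Audit helpers for a WordPress wp-content tree (added example, constructed paths).
set -eu

# wp_world_writable <dir>: list regular files that anyone on the box can write to
# (mode 777 falls in here); a theme file should normally be 644.
wp_world_writable() {
  find "$1" -type f -perm -o+w
}

# wp_baseline <dir> <baseline_file>: record a SHA-256 of every file under <dir>,
# with paths relative to <dir>, so later runs can spot modified files.
wp_baseline() {
  (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$2"
}

# wp_changed <dir> <baseline_file>: print the relative path of each file whose
# current hash differs from the baseline (added files are not covered here).
wp_changed() {
  (cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null) | sed -n 's/: FAILED$//p'
}

# wp_demo: build a constructed sample theme, snapshot it, then reproduce the
# reported symptom (footer.php flipped to 777 with a junk line appended) and
# print what the two checks find. Output is two lines: "world-writable: ..." and
# "changed: ...".
wp_demo() {
  tmp=$(mktemp -d)
  theme="$tmp/wp-content/themes/k2"
  mkdir -p "$theme"
  printf '<?php wp_footer(); ?>\n' > "$theme/footer.php"
  printf '<?php get_header(); ?>\n' > "$theme/index.php"
  chmod 644 "$theme"/*.php
  wp_baseline "$tmp/wp-content" "$tmp/baseline.sha256"
  # Simulated tampering (constructed sample, not a real payload).
  chmod 777 "$theme/footer.php"
  printf '<!-- injected spam block (constructed sample) -->\n' >> "$theme/footer.php"
  echo "world-writable: $(wp_world_writable "$tmp/wp-content")"
  echo "changed: $(wp_changed "$tmp/wp-content" "$tmp/baseline.sha256")"
  rm -rf "$tmp"
}
```

Running the baseline from cron and diffing the output against the previous run gives a timestamp for when footer.php changes, which is the piece of evidence worth correlating with the FTP and HTTP access logs for the same window.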