Get exclusive CAP network offers from top brands

View CAP Offers

Website hacked? What to do?

[bsa_pro_ad_space id=2]
  • This topic is empty.
Viewing 15 posts - 1 through 15 (of 15 total)
  • Author
    Posts
  • #831990
    wbprofits
    Member

    Sucuri SiteCheck – Free Website Malware Scanner

    sucuri is a site scanner for malware
    Usually a coder can remover it . sucuri will also for a for a yearly fee

    #831991
    voodooman
    Member

    First off change your password immediately then make sure you have upgraded WordPress to the latest version and the same with all your plugins and your theme. If you are using a free theme and plugins that havn’t been updated by their authors for a long time they to may contain vulnerabilities.

    Use the WordPress security plugin called “Wordfence”. It will scan your site file by file and hopefully detect the intrusion. If the intruder has hacked into your database then you will need some expert help.

    If you view the Pages Not Found tab in your Wordfence admin area you will see how these hackers randomly search the internet for WordPress sites that have certain themes and plugins that obviously have vulnerabilities.

    #831996
    MissM
    Member

    I have found the bad script on my Header file, I am just not sure from where to where to delete it? Can someone help me with this? I can PM you the Header text.

    #831997
    MissM
    Member

    ……….

    #831999
    Darpan.b
    Member

    @byebyebaby 249703 wrote:

    I have found the bad script on my Header file, I am just not sure from where to where to delete it? Can someone help me with this? I can PM you the Header text.

    Did you find some help?

    I send you a PM.

    #832026
    Anonymous
    Inactive

    You might want to change the default admin username to something else. This way, the hacker needs to guess the username and the password.

    #832028
    MissM
    Member

    I did ;-) But thanks…

    #832031
    cuddlypaws
    Member

    Then you should work on to make your website safe now. There are many steps you can do to prevent further easy attacks. Set the right file permissions to (eg. index/config files 444), htaccess for admin folders, exclude libwww-perl visits, change all passwords etc etc…


    Casino Reviews

    #832033
    Anonymous
    Inactive

    I know this hack, it’s the same one rmeeuwsen had.

    PM me your cpanel login details and I’ll clean it for you.

    #832046
    gokken
    Member

    Hi bbb,

    Install the following security plugins, after you’ve cleaned your site up:

    Here are couple of other which are good to have:

    Also change your Admin login name from “admin” to something else. You can do this via your database (easy if you have CPanel). Also change your password too. 15 alpha/numerical/special characters is what I use.

    In addition I suggest hardening your WordPress with some tricked up htaccess commands. If you need these let me know ;)

    #832054
    MissM
    Member

    Thanks Dave, but do those plugins not slow down my website a lot?

    #832065
    gokken
    Member

    @byebyebaby 249779 wrote:

    but do those plugins not slow down my website a lot?

    Every plugin will degrade performance a little.

    However given you’ve already been hacked, I’d be more concerned about taking steps to stop being hacked again and less concerned about a few seconds of extra load time, which can be reduced by implementing gzip compression for example.

    This is not html!
    Add it to your first line in your .htacess file.

    [HTML]
    # BEGIN Compress text files

    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript application/x-httpd-php

    # END Compress text files

    # BEGIN Expire headers

    ExpiresActive On
    ExpiresDefault “access plus 5 seconds”
    ExpiresByType image/x-icon “access plus 2592000 seconds”
    ExpiresByType image/jpeg “access plus 2592000 seconds”
    ExpiresByType image/png “access plus 2592000 seconds”
    ExpiresByType image/gif “access plus 2592000 seconds”
    ExpiresByType application/x-shockwave-flash “access plus 2592000 seconds”
    ExpiresByType text/css “access plus 6048000 seconds”
    ExpiresByType text/javascript “access plus 2160000 seconds”
    ExpiresByType application/javascript “access plus 2160000 seconds”
    ExpiresByType application/x-javascript “access plus 2160000 seconds”
    ExpiresByType text/html “access plus 600 seconds”
    ExpiresByType application/xhtml+xml “access plus 600 seconds”

    # END Expire headers

    # BEGIN Cache-Control Headers

    Header set Cache-Control “public”

    Header set Cache-Control “public”

    Header set Cache-Control “private”

    Header set Cache-Control “private, must-revalidate”

    # END Cache-Control Headers
    [/HTML]

    Next I’d recommend adding this to your htaccess file:

    [HTML]

    order allow,deny
    deny from all

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ – [F,L]
    [/HTML]

    To save adding a blank html/php page to every directory, you can use this to prevent anyone seeing what’s in a directory. Bare in mind this can cause a 500 error as it doesn’t work on all hosting. So it’s a add it and check thing.:

    [HTML]
    Options All -Indexes
    [/HTML]

    #832071
    MissM
    Member

    You are right about that… Thanks!

    So just copy and paste, that’s all?

    #832072
    gokken
    Member

    @byebyebaby 249800 wrote:

    So just copy and paste, that’s all?

    Yep, that’s it :D

    I also use GEO IP blocking to stop places like China etc etc gaining access. Of course someone can use a VPN or proxy but 9 times out 10 spammers, script kiddies and misbehaving bots don’t bother using these so it does stop a % of undesirables accessing your site(s).

    #832077
    cuddlypaws
    Member

    @AussieDave 249790 wrote:

    Every plugin will degrade performance a little.

    However given you’ve already been hacked, I’d be more concerned about taking steps to stop being hacked again and less concerned about a few seconds of extra load time, which can be reduced by implementing gzip compression for example.

    This is not html!
    Add it to your first line in your .htacess file.

    [HTML]
    # BEGIN Compress text files

    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript application/x-httpd-php

    # END Compress text files

    # BEGIN Expire headers

    ExpiresActive On
    ExpiresDefault “access plus 5 seconds”
    ExpiresByType image/x-icon “access plus 2592000 seconds”
    ExpiresByType image/jpeg “access plus 2592000 seconds”
    ExpiresByType image/png “access plus 2592000 seconds”
    ExpiresByType image/gif “access plus 2592000 seconds”
    ExpiresByType application/x-shockwave-flash “access plus 2592000 seconds”
    ExpiresByType text/css “access plus 6048000 seconds”
    ExpiresByType text/javascript “access plus 2160000 seconds”
    ExpiresByType application/javascript “access plus 2160000 seconds”
    ExpiresByType application/x-javascript “access plus 2160000 seconds”
    ExpiresByType text/html “access plus 600 seconds”
    ExpiresByType application/xhtml+xml “access plus 600 seconds”

    # END Expire headers

    # BEGIN Cache-Control Headers

    Header set Cache-Control “public”

    Header set Cache-Control “public”

    Header set Cache-Control “private”

    Header set Cache-Control “private, must-revalidate”

    # END Cache-Control Headers
    [/HTML]

    Next I’d recommend adding this to your htaccess file:

    [HTML]

    order allow,deny
    deny from all

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ – [F,L]
    [/HTML]

    To save adding a blank html/php page to every directory, you can use this to prevent anyone seeing what’s in a directory. Bare in mind this can cause a 500 error as it doesn’t work on all hosting. So it’s a add it and check thing.:

    [HTML]
    Options All -Indexes
    [/HTML]

    Looks good, I would also recommend to add somehing like this, to prevent using of scripts eg. regarding mysql injections, globals, base64_encode data and request variables:
    [HTML]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (../|..) [OR]
    RewriteCond %{QUERY_STRING} ftp: [NC,OR]
    RewriteCond %{QUERY_STRING} http: [NC,OR]
    RewriteCond %{QUERY_STRING} https: [NC,OR]
    RewriteCond %{QUERY_STRING} =|w| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*([^)]*) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (./|../|…/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127.0.0.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^(]*( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|’|”|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ – [F,L]
    [/HTML]
    Prevent config files access:

    [HTML]


    Order allow,deny
    Deny from all


    [/HTML]

Viewing 15 posts - 1 through 15 (of 15 total)