Level 11
Are you able to get into the WP Admin?
If so, try enabling the default WP Twenty Twenty theme or most current default WP theme you have available and also disable all plugins.
Dec 28, 2020
6
Level 8
WordPress Compromised Redirect
I'm hosting a WordPress site using Forge as a dev site for a team at work. Things have been fine until recently the site loads a text view of our site for just a moment then redirects to some other weird site. I'm pretty sure its been compromised at this point.
I'm hosting on DO which requires 2 factor and the server it setup with SSH keys, so my only thought would be maybe a plugin they installed.
Does anyone have any ideas on stopping the redirect or getting the site back to normal?
Level 8
So far I've not been able to access the admin page, it seems to also redirect....so frustrating. I can SSH into the server, but that even seems to be disconnecting me after a few minutes. Make I can find where to change the theme via config files and change it there if I can do it quick enough.
Level 8
This is what it redirects to when trying to access the admin page...
/wp-admin/https;//port.transandfiestas.ga/det.php?id=tm77734-33-2451%2Fwp-login.php&redirect_to=http%3A%2F%2F161.35.54.84%2Fwp-admin%2F&reauth=1
No input file specified.
Level 33
It seems like they modified the website url settings on your database, since the spammers URL is everywhere on your template.
From the WP forums:
Go to your phpmyadmin, select your database and then select table wp_options. Change value, option_value and home with your website url.
You can also do it by connecting via SSH and executing mysql:
USE database;
SELECT * FROM wp_options WHERE option_name IN ('siteurl', 'home');
UPDATE TABLE wp_options SET option_value = "http://your-ip" WHERE option_name IN ("siteurl", "home");
After that you should determine how the attackers got access to your site and remedy it. There are guides on the WP site explaining how to secure an installation.
Level 8
This took care of the issue and was able to get the site back, thank you. I'll look for a better way to secure the site. Any ideas on how to determine how they got in? The host server requires SSH keys to get direct access, so unless the keys were hacked it would have to be the WP install or plugins, right?
1 like
Level 33
Glad you could fix it. I guess they could've gotten in thru the wp-admin (using a brute-force attack or default password), or by exploiting a WP or plugin vulnerability or an incorrectly secured file or folder.
I have little to no experience with Wordpress, but I would start by updating the WP install, then updating the WP plugins and finally installing a WP plugin to secure the site (such as https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/).
Then I would rename the wp-admin folder, change the WP and DB passwords (to a secure 40 character) and check all file and folder permissions, specially the ones that contain sensitive data (also check that directory listing is turned off for folders).
If you want to be thorough, you can check the WP FAQ: https://wordpress.org/support/article/faq-my-site-was-hacked/
And then proceed to the guide on hardening WP: https://wordpress.org/support/article/hardening-wordpress/
Good luck!
Please or to participate in this conversation.