Hacked, locked out of WordPress now I have have disabled security

OK, I’m back in and I’ve changed passwords and run a wordfence scan, which didn’t find much. except a bunch of changes it detected in readme.txt files in my plugins folders. I looked at a few and didn’t see anything suspicious.

So I’m wondering how did they get in? One though is my theme (purchased and actually works as a child of the Klasik theme). It doesn’t appear the theme is being supported anymore, so probably time to change it. But how quickly do I need to do this? And is it possible there’s a hole in this theme that I need to worry about?

Hi @jgold723,

Can you link me (or name) the outdated theme you are using?

It is possible that an attacker gained access to your host via FTP or SSH. Are you using a certificate to login to your host or a username/password combo?

I would recommend contacting your host to see if there has been any suspicious logins to your host.

Alternatively, you can use the lastlog command if you have access to SSH commands to see if anyone besides you has accessed you host.

Dave

Hi Dave:

No link as the theme developer appears to have gone walkabout. The theme is Good Simple Business Theme by templatesquare.com, which is actually meant to be a child of the Klasik theme.

I know someone else got in to the host because they changed my password and also placed a folder of something in the plugins directory.

Hi again!

I would do the following steps:

1. Completely wipe your host system and reinstall WordPress (the attacker might have placed a backdoor either in WordPress, or somewhere else)

2. Once you have WordPress reinstalled, install Wordfence

3. You’ll want to setup your host so that you connect to it via a certificate, and not with a username/password. ( I’d recommend learning how to do that https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server )