Preventing Blog Hacks

Take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

@xtiana,

Logan from SiteLock here. The “Hacked by General” campaign as far as we’ve observed was related only to the REST API vulnerability you mentioned. Upon updating WordPress you have patched the hole that was most likely used to execute the defacement. Keep in mind that this particular campaign was known to edit *existing* posts, so if you go to posts and view the defaced pages (unless all are completely deleted and out of your trash), review your previous revisions to see if any of the previous content is recoverable. Fortunately, there has not been a documented link between the “Hacked by General” campaign and data outside of posts being compromised. The bottom line is that you’re most likely in the clear regarding that particular incursion, but continuing to run malware scans on an ongoing basis is your best way to be certain. Please let me know if you have any questions!

Thanks! Fortunately we don’t really use the blog anymore – I didn’t think those were existing posts but maybe so. I deleted them all and that was no big deal. Any idea why it would have taken until today (we updated WP back on 3/13 and have been on SiteLock for a few weeks now, I believe) to notice the page defacement? We assumed it was a new hack just because we didn’t know about it until today.

@xtiana,

There are a number of reasons why that could have happened, ranging from configuration issues to signing up for a subscription designed for a smaller site. I would be happy to look into the matter for you, but to do so I would need to validate into your account in order to see any account-specific information. Give us a call using the phone number on the SiteLock website to review your account. You’re welcome to ask for me by name if you’d like to speak with me directly.

@logankipp – I tried to ask for you when I called, but it sounds like they couldn’t find you at the time. The rep I spoke with checked the site in question and said there are only 95 pages. Do you think it’s an issue with SiteLock not noticing it, or is it more likely that this more recent hack cropped up as a result of some other vulnerability (a plugin, theme, something else)?

I can try calling and asking for you again so you can check out our account, or you can reach me [redacted]. We’ll most likely want to add on several other domains to this account and possibly upgrade. Thanks for your help!

• This reply was modified 7 years, 7 months ago by Steven Stern (sterndata).

Just following-up to close-out this thread as resolved. @xtiana and I were able to connect, however the remainder of the conversation concerned only account-specific information relating to her SiteLock subscription. Thanks all!