Forum Replies Created

  • If you suddenly have a user renamed doomtimy, you have been hacked.

    I had the same issue, and didn’t take the necessary precautions; even after seeing this post I just imagined it was somehow a bug, changed the password and lazily got on with my life. Big mistake. A few days later, my website got defaced. By this time I had installed Sucuri, so I have the IP the hacker logged in from: 36.71.232.109. It’s an Indonesian IP, and the site that got plastered over my website was something about Indonesian liberation or something (in the rush to get it taken down, I forgot to take a screenshot… lol). It’s probably still a VPN, but it might be worth adding to an IP ban list, not sure.

    All plugins that were active at the time of the first breach:

    Plugin                                  Version   Licence   Status
    A2 Optimized                            1.7.2     premium   active
    Akismet                                 3.0.4     free      active
    All-in-One WP Migration                 2.0.4     free      active
    All in one Favicon                      4.3       free      active
    BJ Lazy Load                            0.7.5     free      active
    CommentLuv                              2.93.8    free      not active
    Contact Form                            3.85      free      active
    Digg Digg                               5.3.6     free      active
    EWWW Image Optimizer                    2.2.2     free      active
    Google Author Link                      1.5.2     free      active
    Growmap Anti Spambot Plugin             1.5.6     free      active
    Imsanity                                2.3.2     free      active
    Jetpack by WordPress.com                3.3.1     free      active
    Limit Login Attempts                    1.7.1     free      active
    Magic Action Box                        2.15.5    free      active
    Pinterest Image Pinner From Collect…    1.93      free      not active
    Popular Posts Tabbed Widget for Jet…    1.3       free      active
    Q2W3 Fixed Widget                       4.0.6     free      not active
    SEO Friendly Images                     3.0.5     free      active
    Theme Authenticity Checker (TAC)        1.5.2     free      active
    W3 Total Cache                          0.9.4.1   free      active
    WordPress Editorial Calendar            3.4       free      active
    WordPress SEO                           1.7.3     free      active
    WP-Ban                                  1.65      free      not active
    WP Maintenance Mode                     2.0.3     free      not active
    WP Smush.it

    It might also be worth noting that I had recently migrated the site to a new host with all-in-one-wp-migrate, and it seems like it might have changed the prefix for all my tables: the prefix is different from my original database, but I’m not sure if that’s why they’re different. I’m also not sure if that makes the site more vulnerable, and whether it’s something I should fix.

    Precautions taken now:

      Reinstalled all plugins.
      Reinstalled WordPress.
      Scanned the entire website, including image files and non-WP related files, for malware using WordFence (only known malware would be found, so this is a possible weakness with this method).
      Reset the security keys.
      Manually deleted the user in phpMyAdmin, and created a new one with a different username from the original one.
      Deactivated the contact form plugin in case that somehow allowed the hacker to run a PHP script.
      Changed my MySQL user password and manually updated my wp-config file.
      Changed the login URL, and stopped access to the theme editor/plugin editor from within the dashboard.

    Is there anything more I can, and should do?
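Added example (editor's note, not part of the post above or of any WordPress project code): several of the precautions the poster lists live in wp-config.php, namely fresh unique security keys and salts, a disabled theme/plugin editor (DISALLOW_FILE_EDIT) and a non-default table prefix. The script below parses a wp-config.php and reports which of those checks fail, so the cleanup can be verified rather than assumed. The two configs it audits are constructed here for the example; the 32-character minimum salt length is an assumption of this script, not a WordPress rule (the official generator emits 64 characters).

```python
"""Audit a wp-config.php for the hardening steps discussed in the post:
fresh unique salts, DISALLOW_FILE_EDIT enabled, non-default table prefix.
The sample configs at the bottom are constructed for this example."""
import re
import secrets

PLACEHOLDER_SALT = "put your unique phrase here"  # value shipped in wp-config-sample.php
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# define('NAME', 'string value');   (quoted value, same quote char both sides)
STR_DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(['"])(.*?)\2\s*\)""")
# define('NAME', true);             (unquoted PHP boolean)
BOOL_DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(true|false)\s*\)""", re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(text):
    """Return ({constant: value}, table_prefix) parsed from wp-config.php source."""
    defines = {m.group(1): m.group(3) for m in STR_DEFINE_RE.finditer(text)}
    for m in BOOL_DEFINE_RE.finditer(text):
        defines[m.group(1)] = m.group(2).lower() == "true"
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_wp_config(text):
    """Return a list of findings; an empty list means every check passed."""
    defines, prefix = parse_wp_config(text)
    findings = []
    seen = set()
    for key in SALT_KEYS:
        value = defines.get(key)
        if not isinstance(value, str):
            findings.append(f"{key}: missing")
        elif value == PLACEHOLDER_SALT or len(value) < 32:  # 32 is this script's threshold
            findings.append(f"{key}: placeholder or too short, regenerate it")
        elif value in seen:
            findings.append(f"{key}: reused, every key and salt must differ")
        else:
            seen.add(value)
    # WordPress tests defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT;
    # the unquoted boolean is the documented form, so that is what we require.
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT: not true, theme/plugin editor stays enabled")
    if prefix is None:
        findings.append("table_prefix: not found")
    elif prefix == "wp_":
        findings.append("table_prefix: still the default 'wp_'")
    return findings


def fresh_salt():
    """64 URL-safe characters from the OS CSPRNG (the api.wordpress.org generator also emits 64)."""
    return secrets.token_urlsafe(48)


# Constructed sample 1: a wp-config.php left at the shipped defaults.
WEAK_CONFIG = "<?php\n" + "".join(
    f"define('{k}', '{PLACEHOLDER_SALT}');\n" for k in SALT_KEYS
) + "$table_prefix = 'wp_';\n"

# Constructed sample 2: the same file after the steps in the post.
HARDENED_CONFIG = "<?php\n" + "".join(
    f"define('{k}', '{fresh_salt()}');\n" for k in SALT_KEYS
) + "define('DISALLOW_FILE_EDIT', true);\n$table_prefix = 'k9x_';\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wp_config(cfg) or "ok")
```

Run it against a real file with `audit_wp_config(open("wp-config.php").read())`. Rotating the eight keys and salts invalidates every existing login cookie, which is exactly what you want after an attacker has held an admin account; changing the table prefix on its own, by contrast, only obscures table names and does not remove whatever a compromised account already planted.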
