About two weeks ago I discovered (completely by mistake) that this site had been hacked since June 2019. I don’t know how, unfortunately. I assume a WordPress plugin vulnerability. Here’s what happened. Unfortunately I don’t have many screenshots because I got the idea of writing this after I sorted it out (with SOME help from the hosting provider).
Symptoms:
– 2 articles in an Indian dialect that had links to gambling sites
– the articles were put in a new category called “Uncategorizable” (almost identical to the initial default category, “Uncategorized”). It’s so close to that initial category that you don’t really notice (I surely didn’t).
– the above category was made the Default Category. This doesn’t allow you to delete the category from the Posts > Categories main menu in the dashboard.
– the articles were dated to 2016, a full year before any of the articles on the site (and the start of the site to begin with)
– the articles were written by a user with the ID “wordpress”, made administrator, that wasn’t visible in the WordPress Users dashboard, even though the Administrator count was correct (see image below)
How I found the hack:
– by mistake. I was looking at some issues with how archives look on The CEO Library and I went to see the first books ever entered on the site. That’s when I noticed the two articles that were definitely not books :)
What I did:
– I first Drafted the two articles. I could’ve deleted them, but I wanted to see if I could do anything else. I couldn’t and, in the end, I deleted them.
– I contacted the WPXhosting support team. After about 10 days of badgering them every 2 days (I don’t know wtf happened there, because they normally answer super quickly), they confirmed the hack and told me the hack is from plugins using an outdated version of the Adminer plugin. They repaired the files and gave me a list of other plugins that might have issues. I prefer not to put the list of files and plugins here since I feel I expose this site more than I’m comfortable with. If it happens to you, a WordPress antivirus program should find it.
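
A check for the three symptoms listed above, reading the WordPress tables directly instead of trusting the dashboard. This is an added example, not code from this site or from the hosting provider. It assumes the default `wp_` table prefix and uses an in-memory SQLite copy of a few columns so it runs offline; the `audit` helper, the user names other than “wordpress”, the IDs and the dates are constructed.

```python
import sqlite3

# Constructed, cut-down copy of the WordPress tables involved (default "wp_" prefix).
SAMPLE = """
CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER, post_author INTEGER, post_date TEXT,
                       post_type TEXT, post_status TEXT);
CREATE TABLE wp_terms (term_id INTEGER, name TEXT);
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
INSERT INTO wp_users VALUES (1,'owner'), (7,'wordpress');
INSERT INTO wp_usermeta VALUES
  (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
  (7,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_posts VALUES
  (10,1,'2017-03-01 09:00:00','post','publish'),
  (98,7,'2016-02-02 00:00:00','post','publish'),
  (99,7,'2016-02-03 00:00:00','post','publish');
INSERT INTO wp_terms VALUES (1,'Uncategorized'), (5,'Uncategorizable');
INSERT INTO wp_options VALUES ('default_category','5');
"""

def audit(db, known_admins, site_start):
    # 1. Administrators read from the tables, not from the Users screen.
    admins = db.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%'").fetchall()
    # 2. Published posts dated before the site existed.
    old = db.execute(
        "SELECT ID FROM wp_posts WHERE post_type = 'post' "
        "AND post_status = 'publish' AND post_date < ? ORDER BY ID",
        (site_start,)).fetchall()
    # 3. The category the default_category option currently points at.
    cat = db.execute(
        "SELECT t.name FROM wp_options o JOIN wp_terms t "
        "ON t.term_id = CAST(o.option_value AS INTEGER) "
        "WHERE o.option_name = 'default_category'").fetchone()
    return {
        "unknown_admins": sorted(a[0] for a in admins if a[0] not in known_admins),
        "backdated_posts": [p[0] for p in old],
        "default_category": cat[0] if cat else None,
    }

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE)
    return audit(db, known_admins={"owner"}, site_start="2017-01-01")
```

The same three `SELECT` statements can be run against the live MySQL database from a SQL client.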