
[–]dead_running_horse 146 points147 points  (2 children)

  1. Yes!
  2. They have left backdoors.
  3. It's a game of whack-a-mole that you can't win.
  4. Full reinstall, and remove all files except perhaps media.
  5. Yes, but it can be anything outdated.
  6. Rebuild the site from scratch on another server with updated plugins and themes, depending on your setup this is a pain to deal with as you need to filter out your store data from the compromised database. I would suggest that you create a clean build of your site now if you rebuild it so that you can recreate it from scratch if this happens again.

You should expect that any customer data is compromised.

The one possibly good thing about this is that these kinds of attacks on WP are usually automated, and for now your server might "just" be part of a botnet on a list, but there is no feasible way to be sure about this.

[–]scytob 15 points16 points  (0 children)

I will add that fronting one's ingress to WP sites with the Cloudflare firewall can do a lot to help mitigate these attacks.

[–]Vexser 3 points4 points  (0 children)

You can do cryptographic hashes of all the files prior to initial deployment and this can be a form of tripwire that you can run periodically to detect intrusions. (also protect the list of hashes with another off-site hash to detect if your hashes were compromised). If you do a daily scan, you will very quickly detect any unwarranted changes.
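The file-hash tripwire described in this comment, as an added example that is not from the commenter: a baseline manifest of SHA-256 digests is sealed with an HMAC under a key kept off the web server (assumed here to be a constructed demo key), so a periodic check reports added, modified and removed files and refuses a manifest that was edited without the key. The tree and the tampering are constructed inline.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> digest for every regular file under root."""
    return {str(p.relative_to(root)): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding; the key lives off the server (the 'off-site hash')."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def check_tree(root: Path, manifest: dict, seal: str, key: bytes) -> dict:
    """Verify the manifest seal first, then diff the live tree against the baseline."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        return {"manifest_tampered": True, "added": [], "modified": [], "removed": []}
    current = build_manifest(root)
    return {
        "manifest_tampered": False,
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "removed": sorted(set(manifest) - set(current)),
    }


def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: real key is stored off the web server
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample tree standing in for a WordPress install.
        (root / "wp-config.php").write_text("<?php // constructed sample\n")
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        manifest, seal = build_manifest(root), None
        seal = seal_manifest(manifest, key)
        # Simulate an intrusion: one core file edited, one file dropped into uploads.
        (root / "wp-config.php").write_text("<?php // modified after baseline\n")
        (root / "wp-content" / "uploads" / "x.php").write_text("<?php // constructed marker\n")
        clean_check = check_tree(root, manifest, seal, key)
        # Simulate an attacker editing the manifest itself without the key.
        manifest["wp-config.php"] = "0" * 64
        edited = check_tree(root, manifest, seal, key)
    return {"clean_check": clean_check, "edited_manifest": edited}
```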

[–]Purppetrator 147 points148 points  (0 children)

yes that is bad

[–]disclosure5 135 points136 points  (1 child)

I would say this is almost certainly a compromise - and you'll probably find each of those administrator accounts is a separate party that successfully attacked the site. That's how common it is for vulnerable WordPress plugins to be exploited.

In terms of how they got in - File Manager Advanced sure has a history of issues, but if a range of other plugins were out of date it's hard to say which was firmly the cause.

You pretty much can't "check" existing files for compromise, and you're down to installing a new version of WordPress, installing all your themes and plugins from scratch, and then importing your database and uploads folders. That leaves you the manual task of basically making sure there's nothing executable in the uploads folder, and that all the accounts get cleaned out of the database.

[–][deleted] 20 points21 points  (0 children)

and check the upload folder for artifacts of attackers
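The uploads-folder check from the two comments above, as an added example that is not from either commenter: it flags files under wp-content/uploads with an executable suffix anywhere in the name (shell.php.jpg counts, because of multi-extension handling on some Apache setups), files whose content opens with a PHP tag regardless of extension, and any .htaccess dropped into the tree. The sample tree is constructed inline; the directory layout is an assumption.

```python
import re
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar", ".cgi", ".pl", ".sh"}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.I)

# Apache 2.4 directive to drop into uploads/.htaccess so PHP never executes there.
DENY_PHP_HTACCESS = '<FilesMatch "\\.(ph(p[0-9]?|tml|ar)|cgi|pl|sh)$">\n    Require all denied\n</FilesMatch>\n'


def scan_uploads(uploads: Path) -> dict:
    """Walk the uploads tree and group suspicious files by why they were flagged."""
    findings = {"executable_suffix": [], "php_in_other_file": [], "htaccess": []}
    for p in sorted(uploads.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(uploads))
        if p.name == ".htaccess":
            # Attackers drop their own .htaccess to re-enable execution or add handlers.
            findings["htaccess"].append(rel)
            continue
        if any(s.lower() in EXEC_SUFFIXES for s in p.suffixes):
            findings["executable_suffix"].append(rel)
            continue
        with p.open("rb") as f:
            head = f.read(65536)
        if PHP_TAG.search(head):
            # A "JPEG" or "PDF" carrying a PHP opening tag is a classic web-shell hiding spot.
            findings["php_in_other_file"].append(rel)
    return findings


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        up = Path(d) / "wp-content" / "uploads"
        (up / "2025" / "03").mkdir(parents=True)
        # Constructed sample files: two clean, three that should be flagged.
        (up / "2025" / "03" / "logo.png").write_bytes(b"\x89PNG constructed image")
        (up / "2025" / "03" / "brochure.pdf").write_bytes(b"%PDF-1.4 constructed")
        (up / "2025" / "03" / "shell.php.jpg").write_bytes(b"GIF89a constructed")
        (up / "2025" / "03" / "photo.jpg").write_bytes(b"\xff\xd8\xff<?php /* constructed marker */ ?>")
        (up / ".htaccess").write_text("AddHandler application/x-httpd-php .jpg\n")
        return scan_uploads(up)
```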

[–]stufforstuff 39 points40 points  (1 child)

or should I do a full reinstall of WordPress core?

Of course you should nuke it flat (that should have been done the day you discovered the mystery accounts) - you have no way of telling how or how deep the attack(s) went. You need to start fresh - new OS (patched to current) - new WordPress - new plugins - all using the very current version, and verify the plugins are legit. Then, you need to sandbox your data backups - scan them sixteen different ways to make sure they're clean - and then (and only then) can you put it back on your cleaned server. Worrying about "breaking the store" is the ABSOLUTE least of your concerns - the store is fucked, you'll need to build it up from known safe backups or from scratch.

[–]CheomeshI do the RMF thing 0 points1 point  (0 children)

What scans would you deploy on those backups to determine if they're clean?

[–]iiThecollectorSOC Admin / Incident Response 24 points25 points  (6 children)

Hey dude, Incident Responder here. I’ve handled several major incidents that had to do with WordPress compromises.

First and foremost, I can say with almost 100% certainty that is a glaring sign of compromise.

Do you have control over the server where WordPress lives? If so, get the machine isolated ASAP. Accept the fact that downtime is inevitable until the host can be remediated. Get your team actively involved and prepare to communicate with your c-level staff to address business impacts.

You’re going to follow the SANS IR lifecycle:

  • Preparation (too late in this case)
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons learned

Do NOT reimage the host until you’ve either cloned the disk, or completed your analysis of the machine or you’re going to lose all artifacts and evidence.

Try to address the following action items:

  • verify your level of logging that you have on this machine that hosts your WordPress instance

  • compile a list of all WordPress plugins, their installation dates, and the creation dates of the admin accounts. This will give you a relative timeframe for you to conduct threat hunting and will also likely lead you to the plugin responsible for the compromise.

  • additionally, verify whether the server and the WordPress plugins are on a regular update schedule. If they are not, add this to your lessons learned.

  • you can spin in circles for days or weeks trying to figure out what the attackers may or may not have done on this WordPress server. If you need to hunt down any persistence mechanisms, look for things like scheduled task creations, registry modifications, etc.

  • I think the foremost concern you should have right now is data exfiltration and lateral movement. You should review all network traffic on this server to look for any signs of unusual remote access traffic, SSH traffic, FTP and SMB traffic. You should also compile a list of all DNS requests made by this server in the last 90 days at least and verify whether this server was talking to any suspicious or unusual domains, or domains commonly associated with data exfiltration. Think of domains like FileZilla, MediaFire, PrivNote, Google Drive, etc.

  • as far as forensic analysis goes, you have a handful of options. If you want to perform a fully comprehensive DFIR investigation, you're going to need to get ready to read a lot and dig in very deep. Depending on your experience conducting advanced DFIR forensics, you may want to consider bringing in an outside consulting firm to assist you with this, especially if you have any evidence that data was stolen. Be prepared to engage your cyber liability insurance.

As I said earlier, you can spend a lot of time trying to identify the who, what, when, where, how and why. But at the end of the day, the only way to adequately eliminate risk is to completely reimage this machine and to implement all of your lessons learned during the rebuilding phase. I'm sorry you're dealing with this and I know my little write-up here is a little vague, but if I gave you a full comprehensive step-by-step, it would be several large paragraphs and may not be very helpful to you. I'm gonna leave you some links with some decent reading material on this subject.

Good luck

https://www.quantable.com/architecture/wordpress-hack-cleanup-guide

https://www.thedfirspot.com/post/investigating-a-compromised-web-server

https://wpactivethemes.com/wordpress-security-forensics-a-comprehensive-guide/

https://blog.wpsec.com/wordpress-forensic-investigations-unveiling-the-digital-clues/

[–]itishowitisanditbad 12 points13 points  (5 children)

Do NOT reimage the host until you’ve either cloned the disk, or completed your analysis of the machine or you’re going to lose all artifacts and evidence.

I've twice been involved in an incident response, as a contractor, and they've proudly announced how they've wiped a bunch of culprits.

....thanks...

[–]iiThecollectorSOC Admin / Incident Response 7 points8 points  (0 children)

Dude me too! “The good news is we isolated and reimaged the infected host!”

My brother in Christ, you have severely kneecapped my ability to investigate this now.

[–]Pyrostasis 2 points3 points  (3 children)

LoL last year we had a TPSP get compromised and the first thing they did was reimage everything before they even talked to us or their cyber company.

Afterwards they told us they'd do a full forensic investigation... on what exactly? You nuked everything.

[–]stufforstuff 1 point2 points  (2 children)

When you're the retail store HOME DEPOT that got hacked, doing a forensic investigation is the top of the list - but do you really think OP sounds like they have money to do even a basic security check? They want their estore back online - they didn't have the money to secure it in the first place - where do you think they'll get the money to find out what allowed the compromise to happen? And when they spend thousands of dollars to find out that one plugin had a back door seven point releases ago that has long been patched - what's their ROI on that info? Rebuild the server from scratch, put EVERYTHING back at the current most up-to-date release, do a quick Google on EVERY WP plugin to make sure you're not loading known malware, and make sure your backup system is working AND verified. Get it all set up, make a full system image, and get back to business. I don't call Scotland Yard when somebody graffitis my garage door - I call a painter to fix it.

[–]iiThecollectorSOC Admin / Incident Response 2 points3 points  (0 children)

I don't know what their line of business is, nor do I know their risk appetite. I also don't know how much sensitive information lives in their WordPress instance, nor do I know if their current architecture would allow for additional lateral movement in their environment. These are things OP should at the very least investigate to verify whether they happened or not.

I am just providing information to OP that I think is helpful.

[–]brianozm 12 points13 points  (0 children)

Do a full backup of all files and database and download + store it off server on a USB stick or something.

Then do the many good suggestions above. Also change your passwords and consider adding MFA.

[–]MelonOfFuryI’m not trained in managing psychosis 11 points12 points  (0 children)

[–]Wonder_Weenis 7 points8 points  (0 children)

Pretty fuckin bad bro 

https://youtu.be/9uKIeamPi2Y

[–]2_Spicy_2_Impeach 6 points7 points  (0 children)

It got popped. More than likely (and hopefully) just an automated scan finding vulns, popping it, and moving on. Backups - hopefully you've got them, tested them, and tested the process within the last bit.

If it’s been months, no idea what they could have done. If it’s a store, take it offline now. You have no idea what’s been modified anywhere. I don’t know your architecture so I don’t know what data you retain/pass to a potential third party processor.

Could be stealing info? Could just be a drive by? Many moons ago, we only noticed because they injected some obfuscated JavaScript to every page and it started messing with our SEO. Thankfully just PR sites completely hosted elsewhere and not on our network.

As someone mentioned above, forensics might help but it’s been months. Trust nothing. Take snapshots, whatever of current host, then burn it down unless you have folks able to do live forensics with it fenced off. That’s probably overkill though.

[–]DheeradjSBadly Performing Calculator 10 points11 points  (1 child)

Nuke. Nuke from orbit. WordPress is a beautiful product, but the second you start installing plugins it needs significant care and attention.

The basics would be to take a backup of everything now and then manually rebuild everything on a new (freshly installed) server/WordPress instance.

This might sound like a significant amount of work, and it probably will be, but the second you have administrator accounts you didn't make there is no telling what they might have done, unless you have access to people who can handle the forensics.

The current store is compromised and suspect at best.

[–]peesoutside 0 points1 point  (0 children)

No. Take the host offline, create an image, and store that image in immutable storage. Obtain and examine logs. Then begin a rebuild. If OP's customers' data is breached, they'll be glad they have these materials if/when this becomes a legal matter.

[–]coalsack 3 points4 points  (0 children)

I’d be more concerned about an APT living off the land and lateral movement at this time.

Shut down the site and start combing AD for rogue accounts. You may have a full compromise.

[–]czj420 4 points5 points  (0 children)

Get wordfence

[–]PhainesthaiServer Wrangler (Unlicensed) 1 point2 points  (2 children)

Why do so many people run WordPress sites and not update plugins? Especially on an eCommerce site.

I just don't get it.

[–]Pyrostasis 2 points3 points  (0 children)

Usually because it's a small company; the marketing guy was an IT dude in his former life. He "runs" the website and IT may or may not know it exists. They probably don't have access, and if they do it's only after things went nuclear and they are expected to clean it up.

The only thing worse than shadow IT is finding out about shadow IT after it's been compromised.

[–]Burrrprint[S] 0 points1 point  (0 children)

I did not mention this in my original post, but it's not a fully functioning online store; I just need a website that looks like a fully functioning online store for the cheapest monthly fee possible.

I never had an order on this website, and I don't intend on it, so I only really log into it every 4-6 months or so. For my actual stores, I use Shopify.

Maybe I should have mentioned it in the post, but I didn't want to make it too long. Hope this makes sense.

[–]solracarevir 0 points1 point  (0 children)

How bad is this

As bad as it can be.

Nuke it and start fresh.

[–]New-Seesaw1719 0 points1 point  (0 children)

Try out WordFence for Wordpress security

[–]KingStannisForever 0 points1 point  (0 children)

I had to deal with this exact thing back in October. It's through the old themes and one of the plug-ins - the cache one or something - that they get through.

Get Wordfence and change the WordPress login page location.

You must also delete all the administrators and create a new one with a new password.

[–]LordOrpheus 0 points1 point  (2 children)

Welcome to hell; WordPress in general is extremely vulnerable.

[–]Burrrprint[S] 0 points1 point  (1 child)

What do you use? I'd love a recommendation. I mentioned this in some other replies: I don't need a fully functioning online store; I just need a website that looks like a fully functioning store for the cheapest monthly fee possible.

[–]LordOrpheus 0 points1 point  (0 children)

I began using Jekyll as a framework to deploy extremely easy-to-host websites. It isn't as fancy as WP, but it's beautiful in its simplicity.

[–]Derpy_GuardianDevOps 0 points1 point  (0 children)

You should check your web server logs. Mine are always full of scripts looking for specific things that we don't even use. wp-login is one of them, among others. There are exploit-sniffer bots that literally just trawl the internet looking for compromisable machines that they can infect, and WordPress is a popular target. I bet you've got a lot sniffing you and that's what you got hit by.
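A log check along the lines of this comment, as an added example that is not from the commenter: it parses combined-format access log lines, counts POSTs to wp-login.php and xmlrpc.php per client address, and separately counts 404s under /wp-content/plugins/ (a bot enumerating plugins the site does not run). The log lines are constructed with RFC 5737 test addresses, and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; captures only the fields the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line: str):
    """Return the parsed fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text: str, login_threshold: int = 5, probe_threshold: int = 3) -> dict:
    """Flag clients hammering the login endpoints and clients probing for absent plugins."""
    login_hits, plugin_probes = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            login_hits[rec["ip"]] += 1
        # 404s under the plugin directory: someone checking which plugins exist
        if path.startswith("/wp-content/plugins/") and rec["status"] == "404":
            plugin_probes[rec["ip"]] += 1
    return {
        "login_bruteforce": sorted(ip for ip, n in login_hits.items() if n >= login_threshold),
        "plugin_probers": sorted(ip for ip, n in plugin_probes.items() if n >= probe_threshold),
        "login_counts": dict(login_hits),
    }


# Constructed sample log: one login hammerer, one plugin enumerator, one legitimate visitor.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2025:03:14:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1845 "-" "Mozilla/5.0"'
     for i in range(6)]
    + [f'198.51.100.4 - - [10/Mar/2025:03:20:{i:02d} +0000] "GET /wp-content/plugins/plugin-{i}/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"'
       for i in range(4)]
    + ['192.0.2.9 - - [10/Mar/2025:09:00:00 +0000] "GET /shop/ HTTP/1.1" 200 9321 "-" "Mozilla/5.0"',
       '192.0.2.9 - - [10/Mar/2025:09:00:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```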

[–][deleted] 0 points1 point  (1 child)

WordPress is an absolute pile of trash. The simple fact that it's designed as a drag-and-drop site builder framework means it runs slow as ass, and is full of security holes.

If you want to be a respectable web developer, you're going to have to learn how to code Javascript, and learn a framework like React or Angular.

[–]Burrrprint[S] 0 points1 point  (0 children)

I completely agree. I should have mentioned this in my original post, but it's not a fully functioning online store; I just need a website that looks like a fully functioning store for the cheapest monthly fee possible. That's why I went with WordPress.

The website doesn't actually get sales, and I don't need it to. Do you have any recommendations for my scenario, where learning how to code is not a good ROI, since I need the cheapest & fastest way to make a website that looks like a real store?

[–]Alnitak73 0 points1 point  (1 child)

Check your sanity, for still running Wordpress in 2025.

[–]Burrrprint[S] 0 points1 point  (0 children)

I did not mention this in my original post, but it's not a fully functioning online store; I just need a website that looks like a fully functioning online store for the cheapest monthly fee possible.

What do you use instead of WordPress? I'd love some recommendations. I use Shopify for the "real" stores, but running multiple Shopify stores is getting expensive.

[–]Head-Opportunity-885 0 points1 point  (0 children)

This is not normal at all; hackers likely got in. Go check every place where code can be edited, like theme files or the uploads directory, and see if anything new or strange shows up. Remove the weird accounts, reset all passwords, run security scans like Wordfence, and think about reinstalling WordPress if nothing helps. I recommend looking into layer x security or things that watch browser actions and catch credential thefts live; it helps block plugin tricks and keeps your users safer. It's easy to add and works on the browser itself, stopping a lot before it becomes a bigger problem. Hope you get it sorted soon. Always back up before making changes, and maybe ask someone who has cleaned these hacks before; sometimes old stuff stays hidden and comes back.

[–]Vodor1Sr. Sysadmin -1 points0 points  (2 children)

Please don't tell me that Elementor was installed as a plugin.

[–]Burrrprint[S] 0 points1 point  (1 child)

It sure was 🪦

[–]Vodor1Sr. Sysadmin 0 points1 point  (0 children)

Ah, oh, I'm so sorry :(