Recently I saw my WordPress blog swamped with alien posts which I hadn’t posted or published. Of course it blew my mind, as it would have done to any other WordPress blog owner. Panic, Panic and Panic. Even after deleting those posts, new ones kept appearing and I kept deleting. I started looking for the hacked files, changed my FTP passwords, wp-admin password and everything I could do to stop these posts being published. I also found some unwanted folders with 1000s of HTML files in them in my website root; I deleted those too but they kept coming back.
It was a hell of a hack!!!
To my surprise I finally found 3 unknown admin users created in my WordPress too. So I did what I was doing… Deleted them too and changed all passwords. Now the unknown posts stopped publishing… Phew!! Good, and I sat back relaxed.
Now while posting a blog article after 3 days I found my WordPress admin giving 500 INTERNAL SERVER ERROR. Now my troubleshooting began: I checked .htaccess, and it was good. I disabled all plugins via FTP and activated them one by one, but it was of no use. I even created a php.ini file to increase the upload limit as suggested by some experts, but all in vain. Finally I decided to try a fresh WordPress install, as I was sure now that it was the same hacker who was posting his mind in my blog.
So my first recommendation for WordPress hack victims is to install fresh WordPress and copy your themes, plugins and uploads folders into new wp-content.
It worked for me, as then I could see the hacking code in the footer of my website. So I went into the editor and deleted that.
Finally I got my website hack-free, but it wasn’t hack-proof yet.
I had to harden my WordPress to avoid this sheer waste of my time, and ‘time is money’, but the question was how?
I already follow best practices like updating WordPress and plugins regularly, changing my passwords religiously and resetting passwords following strong password guidelines.
So what did I miss? This started my research. Within the first 10 minutes of reading I found that I hadn’t done anything for my WordPress website security, as the so-called best practices are not enough. I have learned now not to compromise on WordPress website security, as the hackers out there are tech vultures ready to prey on dead-security websites, especially WordPress, as it is best when it comes to Search Engine Optimization.
Let’s start now..
Or I guess I have threatened my fellow WordPress beginners too much today, so I will share my experience with WordPress website security in my next post. Meanwhile you can chill and visit my entertainment blockbuster.