Stopping WordPress XXX-Hacker

Many of my WordPress sites have been attacked by this xxx-hacker. The first thing this hacker does is try to log in as admin with repeated attempts. Once it succeeds, the user name is changed to xxx-hacker and the password is also changed. So now you cannot log in to your site, and you can't even reset your password.

If by chance you are still able to log in as admin, then you are in luck: the attack hasn't happened yet. But prevention is better than cure. So, immediately (as in NOW), update your WordPress installation and install/enable the Limit Login Attempts plugin. This is the most important thing you can do to stop this hacker, because the admin login appears to be the foothold: a WordPress administrator can upload plugins and themes, which is all it takes to drop PHP files into your document root. Also, immediately after this, change your server passwords, especially FTP and MySQL. The MySQL credentials sit in wp-config.php, so assume that anyone who could read your files already has them.

At this stage I don't know if the FTP password is being deciphered, but I have seen strange folders and files turning up in the sites' public_html document area. There are at least three different types of action performed by these files: (1) phishing for email passwords, (2) phishing for financial passwords, and (3) running a script that logs in to some site(s) using a series of passwords. One common thing I have noticed is that the plugins folder in all hacked installations has one new folder, helo, which contains a script to send the phished data to the hacker's mother computer. Make sure you have write permission on this "helo" folder and on its parent (chmod 777 is more than you need; if you own it, chmod -R u+rwx is enough), then delete it together with its contents. If you want to know what was stolen, copy it somewhere outside the document root first.
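The three things to look for above (a plugin folder you never installed, PHP files that mail data out or hide their payload, and files that changed when you did not change anything) can be checked with a short script. This is an added example, not the author's script; the document root path, the list of plugins you installed yourself and the sample tree it builds for a dry run are all assumptions.

```shell
#!/bin/sh
# Added example (not the author's script): three quick checks for the signs
# described above in a WordPress document root. The docroot path, the list of
# plugins you installed yourself, and the sample files are all assumptions.

# Plugin directory names you installed yourself; anything else gets reported.
KNOWN_PLUGINS="akismet limit-login-attempts"

# Print plugin directories under $1/wp-content/plugins that are not in
# KNOWN_PLUGINS (this is where a folder like "helo" would show up).
unknown_plugins() {
    for dir in "$1"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case " $KNOWN_PLUGINS " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Print PHP files under $1 that call mail(), base64_decode() or eval(): the
# building blocks of a script that forwards phished data or hides its payload.
# Legitimate plugins use these too, so treat hits as a reading list, not proof.
suspicious_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'mail\(|base64_decode\(|eval\(' {} + 2>/dev/null | sort
}

# Print files under $1 modified within the last $2 days (default 7); compare
# the dates against when you last updated WordPress or a plugin yourself.
recent_files() {
    find "$1" -type f -mtime -"${2:-7}" | sort
}

# Build a small constructed docroot so the checks can be run offline:
# two legitimate plugin folders and a "helo" folder holding a relay script.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/akismet" \
             "$root/wp-content/plugins/limit-login-attempts" \
             "$root/wp-content/plugins/helo"
    echo '<?php echo "hello";' > "$root/wp-content/plugins/akismet/akismet.php"
    echo '<?php mail($_POST["to"], "creds", base64_decode($_POST["d"]));' \
        > "$root/wp-content/plugins/helo/send.php"
    echo "$root"
}

# Run against the constructed tree with --demo, or against a real docroot
# given as the argument, e.g.  sh wpcheck.sh /home/user/public_html
if [ "${1:-}" = "--demo" ]; then
    DOCROOT=$(make_sample_docroot)
elif [ -n "${1:-}" ]; then
    DOCROOT=$1
fi
if [ -n "${DOCROOT:-}" ]; then
    echo "== plugin folders you did not install =="; unknown_plugins "$DOCROOT"
    echo "== PHP files using mail/base64_decode/eval =="; suspicious_php "$DOCROOT"
    echo "== files changed in the last 7 days =="; recent_files "$DOCROOT" 7
fi
```

Run it from a shell account on the server (or over SSH), not through WordPress itself: if the admin account is already in the hacker's hands, anything executed through WordPress is executed on their terms. The mtime check is only a hint, since an attacker who has shell access can reset timestamps; the unknown-folder check is the one the author's observations point at most directly.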

Things to do in your MySQL database

If not yet attacked: stop user registration and user updates with database triggers on the wp_users table. This is like a chastity belt. The hacker can tear your WP-clothes, but can't penetrate your DB-bastion, which stops further filth from spawning. The belt only holds if the WordPress database account cannot remove the triggers, so create them from a separate MySQL account and make sure the account named in wp-config.php does not have the TRIGGER privilege. Contact me for the modus operandi.

If attacked: rename the admin user to something other than "admin" and set its password to the MD5 hash of a new password of at least 16 characters (WordPress accepts a plain MD5 hash in user_pass and replaces it with its own stronger hash the next time you log in, so log in once before you freeze the table), then stop user registration and updates as above using triggers. Contact me for help.
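The "if attacked" recovery and the triggers that both cases above call for, as an added example in MySQL rather than the author's own SQL. It assumes the default wp_ table prefix, that the hijacked account is user ID 1, MySQL 5.5 or later (for SIGNAL), and the database and account names shown in the last step; replace the login name and password with your own.

```sql
-- Added example, not the author's own SQL. Assumes table prefix wp_, the
-- hacked administrator is ID 1, and MySQL 5.5+ (SIGNAL support).

-- 1. Take the account back. WordPress accepts a plain MD5 hash in user_pass
--    and rewrites it with its own stronger hash on your next login, so the
--    MD5 only has to survive until then. Log in once before step 2.
UPDATE wp_users
   SET user_login   = 'site_owner_7f3k',
       user_pass    = MD5('correct-horse-battery-staple-9Q2x'),
       display_name = 'Site Owner'
 WHERE ID = 1;

-- Check for a second administrator you did not create (the capability
-- meta key carries the table prefix, so it is wp_capabilities here).
SELECT u.ID, u.user_login, u.user_email, u.user_registered
  FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities'
   AND m.meta_value LIKE '%administrator%';

-- 2. Freeze the table. Run this only after step 1 and after one login,
--    otherwise the UPDATE trigger rejects your own changes.
DELIMITER $$

CREATE TRIGGER wp_users_block_insert
BEFORE INSERT ON wp_users
FOR EACH ROW
BEGIN
    SIGNAL SQLSTATE '45000'
        SET MESSAGE_TEXT = 'wp_users: registration disabled by trigger';
END$$

CREATE TRIGGER wp_users_block_credential_change
BEFORE UPDATE ON wp_users
FOR EACH ROW
BEGIN
    IF NEW.user_login <> OLD.user_login
       OR NEW.user_email <> OLD.user_email
       OR NEW.user_pass  <> OLD.user_pass THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'wp_users: login/email/password changes disabled by trigger';
    END IF;
END$$

DELIMITER ;

-- 3. Make sure the WordPress database account cannot simply drop the
--    triggers. Run as the MySQL root/admin account; database and account
--    names are assumptions.
REVOKE TRIGGER ON wordpress.* FROM 'wpuser'@'localhost';
```

While the second trigger is in place, legitimate password changes and password resets fail as well, which is the point; when you need to change a password or add a user yourself, DROP TRIGGER wp_users_block_credential_change (or the insert trigger), make the change, and recreate it. Step 3 is what keeps the trigger meaningful: most hosting panels grant the WordPress account ALL PRIVILEGES on its database, and with that it could remove the trigger using the credentials from wp-config.php.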

If your site needs user registrations, handle them yourself, manually. If you don't have time for that and run a very big site, then enlist the services of someone who can provide proper security.

To be cont’d…